Naming special Principles

During AS Java installation, certain principles are created for special purposes while others are created subsequently by the administrator. In this section you will get to know some of these "default principles". In some cases, the default IDs of these principles depend on the employed data source.

The following table presents important default users:

The administration user has unrestricted access to AS Java and you should therefore assign this account to only very few people and assign a password that is very secure.

If you use a client of an ABAP system as the data source, the listed user master records are located on this ABAP client (and can be viewed in SU01): In the case of a remote ABAP system, the SID of the AS Java system is incorporated in the user name. This allows you to distinguish between users if multiple AS Java systems are connected to a single ABAP client.

Among other things, the guest user is used for anonymous access to AS Java, for example in order to construct the logon form in the Web browser. This user is normally locked. Do not delete this user.

In addition to the users that are listed above, application-specific default users also exist in a pure AS Java system. You must therefore take care of further default users depending on the installed product.

The following table presents important default groups:

All the users that you assign to the Administrator group are given extensive system authorizations (in respect of the administrator role assigned to this group (see next section)). Initially, the default administration user is entered here.

Initially, the default guest user and the default guest role are assigned to the guest group.

In addition, the UME possesses a built-in groups adapter which is responsible for the following three special groups:

• Everyone: Every (!) user is always a member of this group. If you assign roles/actions to this group then every user (including those that you may create in the future) has the corresponding authorizations.

• Authenticated Users: You assign all the users who - in whatever way - have to log onto AS Java to this group.

• Anonymous Users: You assign all the users who are able to log on anonymously to this group (configured by means of the UME property ume.login.guest_user.uniqueids).

The following therefore applies: Authenticated Users + Anonymous Users = Everyone.

In addition to these default groups, there are also application-specific groups depending on the installed product.

The following table presents important default roles:

Although by default no users are directly assigned to these two roles, the Administrator role is linked to the Administrators group. The role Everyone is assigned to the group Everyone; therefore, it is assigned to all users.

You need to activate an emergency user for the UME if the user management has been incorrectly configured and no one can log on to an application, or all administration users are locked. This emergency user is called SAP* and can log on to any application and to the configuration tools. The SAP* user has full administration authorizations and, for security reasons, does not have a default password. You set the password as part of emergency user activation.

Software only available in English

Proceed as follows to make a correction with the SAP* user:

1. Activate the SAP* user.

   1. Stop the Java cluster.

   2. In the Config Tool, open the Configuration Editor mode.

   3. Navigate to cluster_config→system→custom_global→cfg→services→com.sap.security.core.ume.service→Propertysheet properties..

   4. Switch to change mode.

   5. Set ume.superadmin.activated to the value true.

      Set ume.superadmin.password to any password.

   6. Start the Java cluster.

2. Change the configuration.

   1. Log on with the user SAP* and the password that you have just set.

      Note

      While the SAP* user is active, all other users are deactivated.

   2. Correct the problem; for example, unlock the administration user.

3. Deactivate the SAP* user.

   1. Stop the Java cluster.

   2. In the Config Tool, open the Configuration Editor mode.

   3. Navigate to cluster_config→system→custom_global→cfg→services→com.sap.security.core.ume.service→Propertysheet properties.

   4. Switch to change mode.

   5. Set ume.superadmin.activated to the value false.

   6. Start the Java cluster.