SAP Web AS ABAP User Management as Data Source

Purpose

User Management Engine (UME) can use an SAP Web AS ABAP as its data source for user management data.

Prerequisites

The SAP Web AS ABAP must have release 6.20 SP25 or higher.

Features

By default, UME has read-only access to the user management data in the ABAP engine.

The users displayed in the J2EE Engine user administration tools are users that are created with transaction SU01 in the ABAP engine. They can only be displayed and searched with the J2EE Engine tools. To create or change the users, use transaction SU01 in the ABAP engine.

If your configuration is set up to integrate PFCG roles, the groups displayed in the J2EE Engine user administration tools are PFCG roles (created with transaction PFCG in the ABAP Engine). They cannot be changed or deleted in the J2EE Engine tools. The only possible action is to assign UME and security roles to them. To create or change the PFCG roles, use transaction PFCG in the ABAP engine.

Caution

User-role assignments in the ABAP system are synchronized with the Java system every 30 minutes. As a result, changes to user-role assignments in the ABAP system are not immediately visible in the UME tools.

Extended user data that cannot be stored in the standard SU01 user record is stored in the database of the J2EE Engine.

To provide read-write access to the user management data in the ABAP engine, the following must apply:

- The communication user used to connect to the ABAP engine (by default SAPJSF or SAPJSF_<SID>) must be assigned to a role with the corresponding write authorizations (for example, the ABAP role SAP_BC_JSF_COMMUNICATION).

- The data source configuration file used must allow read-write access to the ABAP engine (for example, dataSourceConfiguration_r3_roles_db.xml or dataSourceConfiguration_r3_rw.xml).

In this case, it is also possible to create users using the J2EE Engine tools. They are stored as SU01 users in the ABAP Engine.

Constraints

User Personalization

Due to the ABAP Engine's security policy, users can change their passwords only once per day. The only exception is that if the administrator resets a user's password, the user can and must change their password the next time they log on.

User Administration

When you use the user administration tools of the J2EE Engine, certain limitations apply:

- Searching for users

   - You can only search for users with the following search criteria: user ID, last name, first name. As of SAP Web AS ABAP 6.20 SP38, you can also search for users by e-mail address, status (without set by option), position, and department.

   - If you search for users by creation date, last logon date, or date of last password change, the search will only take into account actions performed using the J2EE tools. For example, if a user last logged on using a J2EE application such as SAP Enterprise Portal on 11/26/03 and using a SAP GUI on 11/28/03, the search will consider 11/26/03 to be the user's last logon date. This is because UME only stores data about user actions performed using J2EE tools.

   - If you search for users by mobile, street, city, state/province, zip/postal code, the search will only take into account data stored in the UME tables of the J2EE Engine database. This data is different from the data stored in the SU01 user record.

   - You cannot search for users using the following search criteria: form of address, language, telephone, fax, country, time zone.

- Displaying locked users

   As of SAP Web AS ABAP 6.20 SP38 and 6.40 SP2, you can display a list of locked users. In earlier versions, this is not possible.

- Managing Groups

   - You can display groups and check which users or groups are assigned to the groups. However, you cannot create, change or delete groups, and you cannot assign users or groups to groups, even if UME has read-write access to the ABAP engine. Instead, you must use the transaction PFCG on the ABAP engine.

   - You can assign UME roles and J2EE Engine security roles to groups.

UME Configuration

In certain cases, you need to ensure that the UME configuration corresponds to settings in the ABAP Engine.

- Length of passwords and user IDs

   In UME, configure the maximum and minimum lengths of passwords and user IDs to be the same as the corresponding values in the ABAP Engine.

   In the ABAP Engine, passwords have a maximum length of 8 and user IDs have a maximum length of 12. For this reason, we recommend the following values for the corresponding UME properties:

   Property                                        Recommended Value
   ume.logon.security_policy.useridmaxlength       Less than or equal to 12.
   ume.logon.security_policy.password_max_length   Less than or equal to 8.

   For more information on setting the minimum length of passwords in the ABAP Engine, see Profile Parameters for Logon and Password (Login Parameters).

- The UME property ume.logon.security_policy.lock_after_invalid_attempts, which defines after how many unsuccessful logon attempts a user is locked, is ignored for users whose password is checked against the ABAP backend system. Instead, the locking policy of the ABAP backend system applies. This is defined by the profile parameter login/fails_to_user_lock.
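The following script is an added illustration (not SAP code) of the consistency check described above: it reads UME properties in Java .properties syntax from a constructed sample, flags ume.logon.security_policy.useridmaxlength and ume.logon.security_policy.password_max_length values that exceed the ABAP limits of 12 and 8, and reports that ume.logon.security_policy.lock_after_invalid_attempts has no effect for users authenticated against ABAP, where login/fails_to_user_lock applies instead. The sample property values and the ABAP lock value passed in are assumptions made for the demonstration.

```python
"""Check UME logon-policy properties against an ABAP data source (added example, not SAP code)."""

# Limits stated for the ABAP Engine on this page
ABAP_USERID_MAX_LENGTH = 12
ABAP_PASSWORD_MAX_LENGTH = 8

# Constructed sample of UME properties; the values are assumptions, not from a real system
SAMPLE_UME_PROPERTIES = """\
# constructed sample
ume.logon.security_policy.useridmaxlength=20
ume.logon.security_policy.password_max_length=8
ume.logon.security_policy.lock_after_invalid_attempts=3
"""


def parse_properties(text):
    """Parse a minimal Java .properties file into a dict (comments and blank lines skipped)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        # Java properties accept '=' or ':' as the key/value separator
        for sep in ("=", ":"):
            if sep in line:
                key, _, value = line.partition(sep)
                break
        else:
            key, value = line, ""
        props[key.strip()] = value.strip()
    return props


def check_ume_against_abap(props, abap_fails_to_user_lock=None):
    """Return a list of findings where the UME settings conflict with the ABAP data source."""
    findings = []
    limits = {
        "ume.logon.security_policy.useridmaxlength": ABAP_USERID_MAX_LENGTH,
        "ume.logon.security_policy.password_max_length": ABAP_PASSWORD_MAX_LENGTH,
    }
    for key, abap_max in limits.items():
        value = props.get(key)
        if value is None:
            findings.append(f"{key} is not set explicitly; confirm it does not exceed {abap_max}")
            continue
        try:
            length = int(value)
        except ValueError:
            findings.append(f"{key}={value!r} is not an integer")
            continue
        if length > abap_max:
            findings.append(f"{key}={length} exceeds the ABAP limit of {abap_max}")

    # The UME lock counter is ignored when the password is checked in ABAP;
    # the effective policy is the ABAP profile parameter login/fails_to_user_lock.
    lock_key = "ume.logon.security_policy.lock_after_invalid_attempts"
    if lock_key in props:
        if abap_fails_to_user_lock is not None:
            effective = f"login/fails_to_user_lock={abap_fails_to_user_lock}"
        else:
            effective = "login/fails_to_user_lock (value not supplied)"
        findings.append(
            f"{lock_key}={props[lock_key]} is ignored for users authenticated "
            f"against ABAP; effective policy is {effective}"
        )
    return findings


if __name__ == "__main__":
    # The ABAP lock threshold (5) is an assumed value for the demonstration
    for finding in check_ume_against_abap(parse_properties(SAMPLE_UME_PROPERTIES), 5):
        print(finding)
```

On the constructed sample the check reports the user ID length of 20 as exceeding the ABAP limit and notes that the UME lock counter is not the effective locking policy; a configuration with useridmaxlength 12 and password_max_length 8 and no lock property produces no findings.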
