Integration of User Management in Your System Landscape (Background documentation)

In a system landscape containing a combination of ABAP and Java components, it makes sense to integrate your user management so that you can use the same user data across different systems and can administrate this data centrally. SAP NetWeaver provides both ABAP and Java-based user management solutions. The user management solution that you should use to administrate your user data depends on factors such as the type of systems that are running in your landscape and the number of users that you have. This section outlines some options on how to integrate user management across a system landscape and provides recommendations for when to use which option.

For an introduction to the available user management tools, see SAP NetWeaver Security Guide → User Administration and Authentication → User Management.

Option 1: Use ABAP User Management

If your focus is on integrating user management for the SAP solutions in your system landscape only, we recommend that you use ABAP user management to manage your user data centrally. There are two scenarios:

A: User Management in Central User Administration (CUA) System

In this scenario you use Central User Administration (CUA) on a Web Application Server (Web AS) to administer your central user data. If there are any Web AS Java systems in the landscape running an application that integrates many backend systems, we recommend that you configure the User Management Engine (UME) of the Web AS Java to use the ABAP user management of your CUA system.

An example of such an application is an SAP Enterprise Portal that integrates SAP applications only.

The following figure illustrates an example scenario using a CUA system.

[Figure: example scenario using a CUA system; explained in the following paragraphs]

In the above figure, a system running CUA is used to administer user data from several SAP ABAP systems centrally and distributes the user data to these systems. A UME on a standalone J2EE Engine with a portal running on it is configured against a dedicated CUA child system whose only purpose is to provide user data for the UME. All users of this child system are displayed as users in the UME and are able to log on to the SAP Enterprise Portal.

You assign users to the dedicated child system by entering the system assignment in their user master records in the CUA central system. To do this, either use transaction SU10 (User Maintenance: Mass Changes), or assign the users a collective role that contains a system assignment for the dedicated system and then run a user master comparison.

Note

If you run the UME with read/write access against the CUA central system, all users of the CUA system landscape are displayed as users in the UME. Unlike the CUA central system, however, the UME does not distinguish between users that are merely known and users that are authorized to log on to the central system (due to their system assignment). A UME administrator therefore cannot tell authorized users apart from unauthorized ones and cannot administer all users displayed in the UME.

B: User Management on a single Web Application Server ABAP

If you have a Java application running on an SAP Web Application Server (Web AS) Java that uses services of a Web AS ABAP and requires user data from that specific Web AS ABAP only, we recommend that you configure the User Management Engine of the Java application to use the ABAP user management of that Web AS ABAP.

The ABAP and Java stacks can be part of a single Web AS installation or two separate installations.

Note

If the Java application does not use any services of Web AS ABAP, then configure the User Management Engine of the Java application to use a database for user data (see option 3). Do not install a Web AS ABAP for the sole purpose of managing user data.

The following figure illustrates scenario B.

[Figure: scenario B, Employee Self-Service on Web AS Java with the UME configured against an ABAP system]

In this example, Employee Self-Service is a Web Dynpro application running on SAP Web AS Java that gets its user data from an ABAP system (SAP Human Resources). The UME of the Web AS Java is configured against the user management of the ABAP system.

Note

In both scenarios A and B, setting up the UME to integrate roles from the Web AS ABAP (PFCG roles) as groups in the UME affects the performance of the system. If you have more than 5,000 users in your system, consider using a central LDAP directory for centralized user management instead of a CUA system (see also SAP Note 740829).

Scenarios A and B can be combined in one system landscape.

Administration for Scenarios A and B

If you are not using SAP Enterprise Portal in your system landscape, we recommend that you administrate user-related data as follows:

Recommended tool by object (if not using SAP Enterprise Portal):

·        Users: Use transaction SU01 in the ABAP system(s).

·        PFCG roles: Use the Profile Generator (transaction PFCG) in the ABAP system(s).

·        J2EE security roles and UME roles (Java applications only): Use the UME administration console to manage UME roles and the Visual Administrator of the Web AS Java to manage J2EE security roles. Both tools are part of Web AS Java.

To integrate the Java-based authorizations supplied by J2EE security roles and UME roles with PFCG roles, you can integrate PFCG roles from the CUA system as groups in Web AS Java. In the UME administration console you can then assign the groups that correspond to PFCG roles to the required J2EE security roles and UME roles. Assign users to the PFCG roles in the ABAP systems. See also Integration of UME Roles with SAP Roles.

If you are using SAP Enterprise Portal, we recommend that you handle roles differently. See the following table:

Recommended tool by object (if using SAP Enterprise Portal):

·        Users: Use transaction SU01 in the ABAP system(s).

·        PFCG roles: You generate these roles from portal roles. For more information, see Role and User Distribution to the SAP System.

·        Portal roles and user-role assignments: Use the portal tools to administrate portal roles and user-to-role assignments. Distribute the portal roles and user-to-role assignments from the portal to the ABAP systems using the role distribution tool of the portal. For more information, see Role and User Distribution to the SAP System.

Note

If you are using SAP Enterprise Portal in your system landscape, we do not recommend that you integrate PFCG roles as groups in the UME.

Option 2: Use a Central LDAP Directory

If you have a mixed system landscape including both SAP and non-SAP systems, we recommend using a corporate LDAP directory as a primary store for central user data. You should also use this option if you have a large number of users in your system landscape.

The following figure illustrates this option.

[Figure: CUA system synchronized with a corporate LDAP directory that serves as data source for the UMEs and for third-party systems]

In the above figure, a system running CUA is used to administer user data from several SAP ABAP systems centrally. The user data from the CUA is synchronized with a corporate LDAP directory. The UMEs of any standalone J2EE Engines are configured to use the corporate LDAP directory as data source. Third-party systems can also access user data on the LDAP directory.

Systems based on SAP Web AS 6.10 or higher provide a directory interface that allows data from ABAP user management to be exported to a directory server and, if required, to be synchronized periodically.

Caution

Passwords are not synchronized from the SAP Web AS to the corporate LDAP directory. This means that you have to do one of the following:

·         Enter passwords centrally on the LDAP server. Users must log on via the UME, are authenticated against the LDAP server, receive a logon ticket and can then access all systems using Single Sign-On. In this case, all systems must be set up to accept logon tickets.

·         Enter passwords decentrally both in the CUA and in UME. In this case the systems connected to the CUA do not have to accept logon tickets.

Administration

We recommend that you administrate user-related data as follows:

Recommended tool by object:

·        Users: We recommend one of the following:

         ·        Use the UME administration console or Visual Administrator in one of the Web AS Java systems.

         ·        If you already have an LDAP administration tool in place to administrate users in the LDAP directory, you can continue to use this tool.

         ·        Use the CUA system. Keep in mind that when you synchronize user data from the CUA system to the LDAP directory, passwords are not synchronized.

·        PFCG roles: Use the Profile Generator (transaction PFCG) in the ABAP system(s).

·        J2EE security roles and UME roles (Java applications only): Use the UME administration console to manage UME roles and the Visual Administrator of the Web AS Java to manage J2EE security roles. Both tools are part of Web AS Java.

Note

Again, if you are using SAP Enterprise Portal in your system landscape, we recommend that you administrate roles and user-to-role assignments in the portal and then distribute these to the ABAP systems. See Option 1 above.

Option 3: Java Applications Use a Database

If your Web AS system runs dedicated Java applications only that do not connect to ABAP systems or third-party systems, or that do not require user data from an external system, we recommend that you configure the UME to use a database as its data source. Examples are a Web AS Java that is used as a developer workplace for small desktop development, or a Java application that uses a small number of fixed service users to connect to SAP backend systems but does not share user data with those backend systems.

Administration

Use the UME administration console or Visual Administrator to administrate all user-related data.
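As an added illustration (not part of this SAP documentation), the UME data source settings that correspond to the three options above, written in UME property notation. The property names are taken from the author's knowledge of the UME in Web AS 6.40 / NetWeaver 04 and must be verified against your release; values in angle brackets, the example DNs and the directory data source file name are placeholders.

```properties
# Option 1 (scenarios A and B): UME reads its users from ABAP user management.
# Point the connection at the dedicated CUA child system (scenario A) or at
# the single Web AS ABAP whose services the application uses (scenario B).
ume.persistence.data_source_configuration=dataSourceConfiguration_abap.xml
ume.r3.connection.master.ashost=<abap-host>
ume.r3.connection.master.sysnr=<system-number>
ume.r3.connection.master.client=<client>
ume.r3.connection.master.user=<communication-user>
ume.r3.connection.master.passwd=<password>
# Expose PFCG roles as UME groups so J2EE/UME roles can be assigned to them.
# This costs performance above roughly 5,000 users and is not recommended
# when SAP Enterprise Portal is in the landscape (set FALSE in that case).
ume.r3.use.role=TRUE

# Option 2: corporate LDAP directory as the primary store for user data.
# SAP ships one data source file per directory type and access mode; choose
# the one matching your directory (placeholder below). Passwords are NOT
# synchronized from CUA into the directory: either maintain them in the
# directory and let the connected systems accept logon tickets, or maintain
# them separately in CUA and in the UME.
ume.persistence.data_source_configuration=<dataSourceConfiguration_for_your_directory.xml>
ume.ldap.access.server_name=<ldap-host>
ume.ldap.access.server_port=636
ume.ldap.access.ssl=TRUE
ume.ldap.access.user=<bind-dn>
ume.ldap.access.password=<bind-password>
ume.ldap.access.base_path.user=ou=users,dc=example,dc=com
ume.ldap.access.base_path.grup=ou=groups,dc=example,dc=com

# Option 3: standalone Java application with no ABAP or third-party user data.
# All users, groups and roles live in the Web AS Java database.
ume.persistence.data_source_configuration=dataSourceConfiguration_database_only.xml
```

Only one data_source_configuration value is active per Web AS Java; the three sections are alternatives, not a combined configuration.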

See Also

See also the following sections of SAP Library:

·        SAP NetWeaver → Security → Identity Management → Users and Roles (BC-SEC-USR) → Central User Administration

·        SAP NetWeaver → Security → Identity Management → Directory Services (BC-SEC-DIR) → Synchronization of SAP User Administration with an LDAP-Compatible Directory Service

·        SAP NetWeaver → People Integration → Portal → Administration Guide → Content Administration → Roles and Worksets → Portal Roles and ABAP-based SAP Systems → Role and User Distribution to the SAP System
