Preconfigured Data Source Combinations 

User Management Engine (UME) provides data source configuration files that define a configuration for standard scenarios for dealing with user management data. These scenarios are described below along with the name of the corresponding configuration file.

You can find most of the configuration files using the Config Tool as described in Editing UME Configuration Files. For LDAP directories that have only recently been certified, you can get the configuration files from the LDAP directory vendor directly.

For more information on setting up user management in your system landscape, see Integration of User Management in Your System Landscape.

Scenario: All user management data is stored in one database

Description: All user, user account, role, and group data is stored in one database.

Use case: You can use this scenario if UME is only used by dedicated Java applications that do not need to connect to ABAP systems or third-party systems. An example is a Web Application Server Java that is used as a developer workplace for small desktop development

Configuration file: dataSourceConfiguration_database_only.xml

Scenario: User management data is stored in a combination of an LDAP server and a database

Description:

The following data is written to and read from the LDAP server:

·        Users (displayname, lastname, fax, email, title, department, description, mobile, telephone, streetaddress. uniquename, and group membership – and any other attributes defined through attribute mapping)

·        User accounts (logonid, password, ID of the assigned user)

·        Groups (displayname, description, uniquename, and the group members)

The following data is written to and read from the database:

·        Additional data (for example, information about when a user was last changed)

·        Other principal types (for example, roles)

·        Additional attributes (for example, attributes not covered by the standard object classes of the LDAP server)

Use case: You have a mixed system landscape including both SAP and non-SAP systems, or you have an existing corporate LDAP directory in your system landscape. You wish to store standard user data such as name, address, email address, and so on in the directory while you wish to store application-specific data in the database.

Configuration file:

·        If the LDAP directory has a flat hierarchy: dataSourceConfiguration_<LDAP_directory_vendor>_not_readonly_db.xml

·        If the LDAP directory has a deep hierarchy: dataSourceConfiguration_<LDAP_directory_vendor>_deep_not_readonly_db.xml

Scenario: User management data is stored in a combination of a read-only LDAP server and a database

Description: You cannot create, modify, or delete users or groups in the LDAP server. All newly created principals and additional data are stored in the database.

Use case: You have an existing corporate LDAP directory in your system landscape and have existing processes for administering user data on this directory. You are using UME with SAP Enterprise Portal and want all users that register themselves in the portal to be stored separately from the user data on the corporate directory.

Configuration file:

·        If the LDAP directory has a flat hierarchy: dataSourceConfiguration_<LDAP_directory_vendor>_readonly_db.xml

·        If the LDAP directory has a deep hierarchy: dataSourceConfiguration_<LDAP_directory_vendor>_deep_readonly_db.xml

Scenario: User management data is retrieved from the ABAP user management of a SAP Web Application Server, ABAP roles are displayed as groups in UME

Constraint: For performance reasons, this option should only be used for systems that do not contain a very large amount of users. For more details, see SAP Note 740829.

Description: By default UME has read-only access to the user management data in the ABAP engine. The users displayed in the J2EE Engine user administration tools are users that are created with transaction SU01 in the ABAP engine. The groups displayed in the J2EE Engine user administration tools are PFCG roles (created with transaction PFCG in the ABAP engine). Extended user data that cannot be stored in the standard SU01 user record is stored in the database of the J2EE Engine.

To provide read-write access to the ABAP user management, the communication user used to connect to the ABAP engine (by default SAPJSF or SAPJSF_<SID>) must obtain the corresponding authorizations. In this case, it is also possible to create users using the J2EE Engine tools. They are stored as SU01 users in the ABAP Engine.

For more information, see SAP Web AS ABAP User Management as Data Source.

Configuration file: dataSourceConfiguration_r3_roles_db.xml

This is the default configuration file used if at installation you chose to use ABAP user management.

Scenario: User management data is retrieved from the ABAP user management of a SAP Web Application Server, ABAP roles are not displayed as groups in UME

Description: The users displayed in the J2EE Engine user administration tools are users that are created with transaction SU01 in the ABAP engine. The PFCG roles (created with transaction PFCG) from the ABAP engine are not integrated as groups. Extended user data that cannot be stored in the standard SU01 user record is stored in the database of the J2EE Engine.

For more information, see SAP Web AS ABAP User Management as Data Source.

Configuration files:

·        dataSourceConfiguration_r3.xml (read only)

·        dataSourceConfiguration_r3_rw.xml (read-write): To have read-write access to the ABAP user management, the communication user used to connect to the ABAP engine (by default SAPJSF or SAPJSF_<SID>) must obtain the corresponding authorizations.