Post on 02-Oct-2021
Session ID: AGS351
User Management and Authorizations
The Details
SAP AG 2005, SAP TechEd ’05 / AGS351 / 2
Contributing Speakers
TechEd Vienna:
•Frank Buchholz, Security Product Manager, SAP AG
•Jens Koster, Security Product Manager, SAP AG
•Oliver Nocon, RIG Specialist, SAP AG
TechEd Boston:
•Larry Justice, Platinum Security Consultant, SAP America
•Jens Koster, Security Product Manager, SAP AG
•Gerlinde Zibulski, Security Product Manager, SAP Labs LLC
Learning Objectives
As a result of this workshop, you will be able to:
•Explain and use Central User Administration (CUA)
•Understand and use LDAP directory synchronization
•Configure and use the User Management Engine (UME)
Agenda
•User Management Overview
•Central User Administration (CUA)
•SAP LDAP Connector
•Portal / Java User Management
•Role Integration Scenario
•Summary
Decentralized User Maintenance
•Each SAP System has its own user data store
•Decentralized user maintenance
•Inconsistencies can occur between address data
Diagram: separate user stores in SAP R/3 Enterprise, SAP EBP, SAP BW, SAP APO, SAP …
Central User Administration
Diagram: CUA central system (SAP release as of 4.6C) connected via ALE to CUA clients on SAP 6.x, SAP 4.6 and SAP 4.5
•Users can be administrated in the central SAP system
•Automatic distribution to client SAP systems
•Local administration still possible (back distribution)
•No inconsistencies
•Central locks possible
Central User Administration & LDAP Synchronization
Diagram: CUA central system (SAP release as of 6.10) connected via ALE to CUA clients on SAP 6.x, SAP 4.6 and SAP 4.5; LDAP synchronization between the central system and a Directory
CUA & LDAP Synchronization & Enterprise Portal
Diagram: Enterprise Portal with User Management Engine (UME) on the SAP J2EE Engine, with the Directory as its persistence store; LDAP synchronization between the Directory and the CUA central system (SAP release as of 6.10); ALE from the central system to the CUA clients SAP 4.6, SAP 4.5 and SAP NetWeaver (SAP ABAP + J2EE Engine)
CUA & Enterprise Portal (No Directory) – Alternate configuration I
Diagram: Enterprise Portal with User Management Engine (UME) on the SAP J2EE Engine; its persistence store is an SAP system that is itself a CUA client (ALE to the CUA central system, SAP release as of 6.10); further CUA clients SAP 4.6, SAP 4.5 and SAP NetWeaver (SAP ABAP + J2EE Engine)
CUA & LDAP Synchronization & Enterprise Portal I – Alternate configuration II
Diagram: Enterprise Portal with User Management Engine (UME) on the SAP J2EE Engine; its persistence store is an SAP system that is itself a CUA client (ALE to the CUA central system, SAP release as of 6.10); an optional Directory is kept in step with the central system by LDAP synchronization; further CUA clients SAP 4.6, SAP 4.5 and SAP NetWeaver (SAP ABAP + J2EE Engine)
CUA & LDAP Synchronization & Enterprise Portal II – Alternate configuration III
Diagram: Enterprise Portal with UME and the CUA central system run on one SAP ABAP + J2EE Engine; an optional Directory is kept in step by LDAP synchronization; ALE to the CUA clients SAP 4.6, SAP 4.5 and SAP NetWeaver (SAP ABAP + J2EE Engine)
HR Data Replication from SAP in an LDAP Enabled Directory Service
Diagram: HR system (4.0 and higher with PlugIn System PI 2001.2; 4.5 with PlugIn System PI 2001.2); data retrieval in Personnel Management via Query or ABAP Report; RFC to SAP Web AS as of 6.10, which replicates the data into the Directory
•As of 4.70 HR can be connected directly to the LDAP directory
Integrated User Management
Diagram: mySAP Business Suite (FI, CO, MM, …) as CUA child systems connected via ALE to the Central User Administration; LDAP synchronization between the CUA and a Directory; Enterprise Portal (EP6) with User Management Engine (UME), with the Directory as persistence option; HR supplies employee data to the Directory; a Meta Directory links the Directory with Email, Operating system and Other applications
SAP Identity Management and Siemens Identity Management I
Diagram: on the SAP side, Central User Administration and the Enterprise Portal with User Management Engine (UME); on the Siemens side, HiPath SIcurity DirX Identity Management (DirX Identity, DirX Directory) providing provisioning, password management, self-service, metadirectory and audit. DirX Identity loads employee data from SAP HR, provisions the CUA and the UME (provisioning incl. SPML integration*), and provisions Email, Telephony, Operating system and non-SAP applications. Its functions: provisioning and synchronization; account and group management, validation and reconciliation.
*SPML integration available as of SAP NetWeaver NW 2004s SPS5 and NW 2004 SPS14
SAP Identity Management and Siemens Identity Management II
•Siemens HiPath SIcurity DirX and DirX Identity complement SAP NetWeaver with Identity Management for heterogeneous landscapes
•The solution provides uniform identity provisioning for the SAP Enterprise Portal and all SAP applications as well as non-SAP applications
•SAP ships a Siemens HiPath SIcurity DirX and HiPath SIcurity DirX Identity demo license starting with the NetWeaver 2004s ramp-up phase
Customer Benefits:
•Secure and centralized management of user identities and their access rights for all enterprise applications
•Regulatory compliance
•Increased operational efficiency and end user productivity
•Reduced administration and helpdesk costs
Set Up of System Infrastructure
Note that ‘system’ always means: client in a system.
Steps to go through:
•Setting up ALE communication users (USER)
•Define logical systems; later on, systems are always referred to by their logical system ID (ALE)
•Define RFC destinations between central system and child systems (ALE)
•Switch on the Central User Administration (CUA)
•Define field attributes (CUA)
•Migrate users (CUA)
TechEd: CUA System Landscape
CUA Master
•Logical system name: NWSCLNT100
•Used RFC destinations: NWSCLNT001 with RFC user CUA_NWS_001; NWSCLNT100 with RFC user CUA_NWS; NWSCLNT200 with RFC user CUA_NWS_200
•RFC user: CUA_NWS
•Roles of RFC user: SAP_BC_USR_CUA_CENTRAL, SAP_BC_USR_CUA_SETUP_CENTRAL
CUA Client
•Logical system name: NWSCLNT001
•Used RFC destinations: NWSCLNT100 with RFC user CUA_NWS
•RFC user: CUA_NWS_001
•Roles of RFC user: SAP_BC_USR_CUA_CLIENT, SAP_BC_USR_CUA_SETUP_CLIENT
CUA Client
•Logical system name: NWSCLNT200
•Used RFC destinations: NWSCLNT100 with RFC user CUA_NWS
•RFC user: CUA_NWS_200
•Roles of RFC user: SAP_BC_USR_CUA_CLIENT, SAP_BC_USR_CUA_SETUP_CLIENT
RFC Destinations
•Central system to client system (used for user distribution)
•Client system to central system (used for user migration and status response)
•RFC users have user type ‘communication’ and belong to the user group ‘SUPER’
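The landscape slide states four rules: a destination from the central system to every client, a destination from every client back to the central system, RFC users of type ‘communication’ in group ‘SUPER’, and the CUA roles for each side. The following Python is an added example written for this page, not SAP code: it models the NWSCLNT100/001/200 landscape from the slide and checks those rules before CUA is switched on. The class and function names are constructed, and the user type and group of the sample RFC users are assumed to have been maintained as the slide prescribes.

```python
"""Consistency check for a CUA system landscape.

Added example, not SAP code: it models the logical systems, RFC destinations
and RFC users from the TechEd landscape slide (NWSCLNT100 central, NWSCLNT001
and NWSCLNT200 clients) and checks the rules stated there:
  - the central system has a destination to every client (user distribution),
  - every client has a destination back to the central system (user migration
    and status response),
  - RFC users have user type 'communication' and are in user group 'SUPER',
  - RFC users carry the CUA roles for their side (central or client).
User type and group of the sample users are assumed to have been maintained
as the slide prescribes; the destination user names are the slide's.
"""
from dataclasses import dataclass, field

CENTRAL_ROLES = {"SAP_BC_USR_CUA_CENTRAL", "SAP_BC_USR_CUA_SETUP_CENTRAL"}
CLIENT_ROLES = {"SAP_BC_USR_CUA_CLIENT", "SAP_BC_USR_CUA_SETUP_CLIENT"}


@dataclass
class RfcUser:
    name: str
    user_type: str      # expected: 'communication'
    group: str          # expected: 'SUPER'
    roles: set


@dataclass
class LogicalSystem:
    name: str
    is_central: bool
    rfc_user: RfcUser                                  # inbound user defined in this system
    destinations: dict = field(default_factory=dict)   # target logical system -> RFC user used


def check_landscape(systems: dict) -> list:
    """Return a list of findings; an empty list means the landscape is consistent."""
    findings = []
    centrals = [s for s in systems.values() if s.is_central]
    if len(centrals) != 1:
        return [f"expected exactly one central system, found {len(centrals)}"]
    central = centrals[0]
    for s in systems.values():
        u = s.rfc_user
        if u.user_type != "communication":
            findings.append(f"{s.name}: RFC user {u.name} has type {u.user_type!r}, expected 'communication'")
        if u.group != "SUPER":
            findings.append(f"{s.name}: RFC user {u.name} is not in user group SUPER")
        missing = (CENTRAL_ROLES if s.is_central else CLIENT_ROLES) - u.roles
        if missing:
            findings.append(f"{s.name}: RFC user {u.name} lacks roles {sorted(missing)}")
        if s.is_central:
            continue
        # central -> client: needed for user distribution
        if central.destinations.get(s.name) != u.name:
            findings.append(f"{central.name}: no destination to {s.name} using its RFC user {u.name}")
        # client -> central: needed for user migration and status response
        if s.destinations.get(central.name) != central.rfc_user.name:
            findings.append(f"{s.name}: no destination back to {central.name} using RFC user {central.rfc_user.name}")
    return findings


def teched_landscape() -> dict:
    """The landscape from the slide, with user type and group as prescribed."""
    def user(name, roles):
        return RfcUser(name, "communication", "SUPER", set(roles))
    return {
        "NWSCLNT100": LogicalSystem("NWSCLNT100", True, user("CUA_NWS", CENTRAL_ROLES),
                                    {"NWSCLNT001": "CUA_NWS_001", "NWSCLNT100": "CUA_NWS",
                                     "NWSCLNT200": "CUA_NWS_200"}),
        "NWSCLNT001": LogicalSystem("NWSCLNT001", False, user("CUA_NWS_001", CLIENT_ROLES),
                                    {"NWSCLNT100": "CUA_NWS"}),
        "NWSCLNT200": LogicalSystem("NWSCLNT200", False, user("CUA_NWS_200", CLIENT_ROLES),
                                    {"NWSCLNT100": "CUA_NWS"}),
    }


if __name__ == "__main__":
    for finding in check_landscape(teched_landscape()) or ["landscape consistent"]:
        print(finding)
```

The check deliberately treats a destination that exists but points to the wrong RFC user as missing: a client that calls the central system with a dialog user, or with a user lacking the SAP_BC_USR_CUA_* roles, would fail at migration or status response time, which is when the error is hardest to trace.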
Demo and Exercise
CUA Hands-On
In the following exercise you will review the setup of the Central User Administration:
1. Log on to the SAP System NWS client 100 (see next slide for detailed connection data)
2. Review the definition of logical systems and the assignment of logical systems to clients in Transaction SALE
3. Perform a connection test of RFC destination NWSCLNT200
4. Review the CUA system landscape (Transaction SCUA). Which system is the central system? Which are the client systems?
5. Review the configuration for field distribution (Transaction SCUM)
6. Display Log Files for the Central User Administration (Transaction SCUL)
System Information for this Exercise
SAP System Information
•SAP System ID: NWS
•IP Address: 10.22.80.213 (iwdfvm1027)
•SAPRouter String: /H/sapgateb.wdf.sap.corp/S/3292/H/
•System Number: 03
•Client: 100
•User: AGS351<Group Number> (Group Number provided by speaker)
•Password: demo123
Review the Logical Systems I
•Start transaction SALE
•Expand the node Sending and Receiving Systems
•Expand the node Logical Systems
•Click on Define Logical Systems
Review the Logical Systems II
•You should find these entries
•Go back using the green arrow
Review the Logical Systems III
•Click on Assign Logical System to Client
Review the Logical Systems IV
•Display the entries for Client 100
Review the Logical Systems V
•You should see these entries
Review the RFC Connections I
•Start transaction SM59
•Expand the ABAP Connections node
•Double click on NWSCLNT200
Review the RFC Connections II
•Test this connection!
Review the RFC Connections III
•Test was successful!
CUA Review I: What is the CUA Landscape?
•Start transaction SCUA and click on Display
CUA Review II: What is the CUA Landscape?
•The CUA central system is client 100
•This CUA has two client systems: 001 and 200
Look up the Configuration for Field Distribution in CUA
•Start transaction SCUM (Nice name, isn’t it?)
Look up Log Files for CUA I
•Start transaction SCUL
•Additionally check “Successful”
•Execute the report
Look up Log Files for CUA II
•Messages relating to distributed objects appear according to the selection you made
User Management – Directory Integration
Diagram: Central User Administration and a Meta Directory integrate HR, Email, Telephony, Operating system and Other applications
Directory Benefits
•Directories serve as central repository for master data, which is used by several different applications
•Every authorized application can modify this data
•Access to this data is provided using the standardized Lightweight Directory Access Protocol (LDAP)
•Hundreds of other application and hardware suppliers support this protocol
•SAP systems can be connected to such a directory to share parts of their user data or database content (e.g. HR data) with other applications
Information Model – Hierarchical Structure
Diagram: DIT (Directory Information Tree) with the root “/” at the top, below it C=GB and C=DE, and below those o=CompuNet and o=SAP
Information Model – Names in the Tree
Diagram: c=DE → o=SAP AG → ou=Security Consulting and ou=Sales, with entries cn=Anton Schmidt, cn=Xaver Huber, cn=Norbert Hofer and cn=Kurt Wagner; the full name of the first entry reads cn=Anton Schmidt, ou=Security Consulting, o=SAP AG, c=DE
•The way through the DIT defines the identification of an object
•Absolute and relative names
•Distinguished names have to be unique
•Relative distinguished names are unique in their naming context
Information Model – Object Class Hierarchy
Diagram: object class hierarchy top → person → orgPerson → inetOrgPerson → SAPaddonUM (SAP schema extension), with orgUnit as a further class. As drawn, person carries the attributes cn, givenName, sn and telephone; orgPerson inherits these and adds employeeID, title, department and function
Information Model – Entries in the DIT
Example entry (attribute: value, attribute kind):
•DN: CN=D505050;O=SAPAG;C=DE (naming attribute uid)
•objectClass: inetOrgPerson, sapAddOnUM (special attribute)
•givenName: Max (single-value attribute)
•sn: Smith (mandatory attribute)
•telephoneNumber: +496227 747474 (optional attribute)
•mail: Max.Smith@sap.com (optional attribute)
•sapUserName: MSMITH (attribute, SAP)
•sapRoles: ABC:000:sapDeveloper, XYZ:100:sapAdministrator (multivalue attribute, SAP)
•modifyTimestamp: 20010730175352Z (operational attribute)
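The three slides on names, object classes and entries describe rules a directory enforces: the DN is the path through the DIT, DNs are unique while RDNs only need to be unique in their naming context, and the object classes of an entry decide which attributes are mandatory, optional, single-valued or multi-valued. The following Python is an added example written for this page, not SAP or directory-vendor code. It builds the tree from the slides in memory and enforces those rules on insert; the mini schema, the helper names and the second ‘cn=Anton Schmidt’ entry under ou=Sales are constructed for the example, while the sapRoles value syntax <system>:<client>:<role> is the one shown on the entry slide.

```python
"""LDAP information model: distinguished names and entries in the DIT.

Added example, not SAP or directory-vendor code. It shows the rules from the
slides: a DN is the path through the DIT, leaf RDN first; DNs are unique, RDNs
only within their naming context; object classes define mandatory and optional
attributes; some attributes are single-valued, sapRoles is multi-valued, and
operational attributes are server-maintained. Schema and entries are constructed;
the sapRoles syntax <system>:<client>:<role> is the one shown on the slide.
"""
import re
# Constructed mini schema: object class -> (mandatory, optional) attributes, lower-case
SCHEMA = {
    "country": ({"c"}, set()),
    "organization": ({"o"}, set()),
    "organizationalunit": ({"ou"}, set()),
    "person": ({"cn", "sn"}, {"givenname", "telephonenumber"}),
    "inetorgperson": (set(), {"uid", "mail"}),
    "sapaddonum": (set(), {"sapusername", "saproles"}),
}
SINGLE_VALUED = {"givenname", "sapusername", "uid"}
OPERATIONAL = {"modifytimestamp", "createtimestamp"}  # server-maintained, outside the schema

def parse_dn(dn):
    """DN -> [(type, value)] leaf first; ',' and ';' separate RDNs (escapes not handled)."""
    rdns = []
    for part in re.split(r"\s*[,;]\s*", dn.strip()):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns

def normalize_dn(dn):
    """Canonical form for uniqueness checks: types and values case-folded, no spaces."""
    return ",".join(f"{a}={v.lower()}" for a, v in parse_dn(dn))

def parent_dn(dn):
    """Naming context of an entry: the DN without its leaf RDN ('' for a root entry)."""
    return ",".join(f"{a}={v}" for a, v in parse_dn(dn)[1:])

def parse_sap_role(value):
    """sapRoles value as on the slide, e.g. 'ABC:000:sapDeveloper' -> (system, client, role)."""
    m = re.fullmatch(r"([A-Z0-9]{3}):(\d{3}):([^:]+)", value)
    if not m:
        raise ValueError(f"sapRoles value {value!r} is not <system>:<client>:<role>")
    return m.groups()

def validate_entry(entry):
    """Check an entry (lower-case attribute -> list of values) against SCHEMA; return problems."""
    problems, must, may = [], set(), set()
    classes = [c.lower() for c in entry.get("objectclass", [])]
    for c in classes:
        if c not in SCHEMA:
            problems.append(f"unknown object class {c}")
            continue
        mandatory, optional = SCHEMA[c]
        must |= mandatory
        may |= optional
    for attr in sorted(must):
        if not entry.get(attr):
            problems.append(f"mandatory attribute {attr} missing")
    for attr, values in entry.items():
        if attr == "objectclass" or attr in OPERATIONAL:
            continue
        if attr not in must | may:
            problems.append(f"attribute {attr} not allowed by object classes {classes}")
        if attr in SINGLE_VALUED and len(values) > 1:
            problems.append(f"attribute {attr} is single-valued but has {len(values)} values")
    for value in entry.get("saproles", []):
        try:
            parse_sap_role(value)
        except ValueError as exc:
            problems.append(str(exc))
    return problems

def add_entry(dit, dn, entry):
    """Insert into a DIT (dict normalized DN -> entry): DN unique, parent present, entry valid."""
    key = normalize_dn(dn)
    if key in dit:
        raise ValueError(f"DN already exists: {dn}")
    parent = parent_dn(dn)
    if parent and normalize_dn(parent) not in dit:
        raise ValueError(f"naming context does not exist: {parent}")
    problems = validate_entry(entry)
    if problems:
        raise ValueError("; ".join(problems))
    dit[key] = entry

def sample_dit():
    """Tree from the slide plus a constructed second 'cn=Anton Schmidt' under ou=Sales."""
    dit = {}
    add_entry(dit, "c=DE", {"objectclass": ["country"], "c": ["DE"]})
    add_entry(dit, "o=SAP AG, c=DE", {"objectclass": ["organization"], "o": ["SAP AG"]})
    for ou in ("Security Consulting", "Sales"):
        add_entry(dit, f"ou={ou}, o=SAP AG, c=DE", {"objectclass": ["organizationalUnit"], "ou": [ou]})
    person = {"objectclass": ["person", "inetOrgPerson", "sapAddOnUM"],
              "cn": ["Anton Schmidt"], "sn": ["Schmidt"], "givenname": ["Anton"],
              "saproles": ["ABC:000:sapDeveloper", "XYZ:100:sapAdministrator"],
              "modifytimestamp": ["20010730175352Z"]}
    add_entry(dit, "cn=Anton Schmidt, ou=Security Consulting, o=SAP AG, c=DE", person)
    add_entry(dit, "cn=Anton Schmidt, ou=Sales, o=SAP AG, c=DE", dict(person))
    return dit
```

The uniqueness check works on the normalized DN, so “CN=anton schmidt, OU=Sales, …” collides with the existing entry even though the spelling differs; the same RDN under ou=Security Consulting and under ou=Sales is accepted because the two naming contexts differ. The sapRoles parser matters for the later synchronization step: a value that does not carry system, client and role cannot be mapped to an ABAP role assignment.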
LDAP Connector
Diagram: a work process on the Application Server calls function ‘LDAP_XXX’; the call goes via RFC to the LDAP Connector, which implements function ‘LDAP_XXX’ as an LDAP client and talks LDAP to the LDAP Server in front of the Directory
•Executable LDAP_RFC shipped since Release 4.6A
•Loads LDAP library of operating system at runtime
Configure LDAP Connection
1. Configure LDAP Connector
2. Enter LDAP System User Data
3. Enter LDAP Server Connection Data
4. Configure Field Mapping
Later steps in TechEd Demo Scenario:
1. Create users using Portal UME
2. Synchronize data between Directory and SAP
Demo and Exercise
LDAP Hands-On
In this exercise you will prepare the LDAP connector and server, which you will use later in the session to run a user synchronization
1. Create the RFC connection LDAPCONNECTOR_<Group Number> for the LDAP connector (connection type: T, gateway host: iwdfvm1027, gateway service: 3303). Enter the same name as the Program ID for the registered server program
2. Configure the LDAP connector with your newly created RFC destination and activate the connector (Transaction LDAP, Function: Connector)
3. Make sure that the LDAP admin user LDAPADMIN is already configured in the system (Transaction LDAP, Function: System Users)
4a. Create the LDAP server TECHED_LDAP_<Group Number> with the data provided on the next slide (Transaction LDAP, Function: Server Names)
4b. Import the Mapping Proposal for your server. Change the mapping for the attribute sapUsername into the attribute uid
4c. Set the synchronization options to IMPORT for the following attributes: uid, givenName, sn. Save your server settings
4d. Log on to your group’s LDAP server using your LDAP Connector (Transaction LDAP) and look up LDAP server entries for attributes uid and sn
System Information for this Exercise
SAP System Information: See Slide No. 22
LDAP Server:
•LDAP Connector: LDAPConnector_<Group Number>
•LDAP Server: TECHED_LDAP_<Group Number>
•IP Address: 10.22.80.215 (iwdfvm1029)
•Port Number: 389
•Product Name: Microsoft Windows 2003 Active Directory (Application Mode)
•LDAP Version: LDAP Version 3
•LDAP Application: User
•Base Entry of LDAP server: ou=users,o=sap,c=de
•System Logon: LDAPADMIN
Create a New RFC Destination for Your LDAP Connector I
•Start transaction SM59 and click on Create
Create a New RFC Destination for Your LDAP Connector II
•Choose the group number provided by the instructors: LDAPCONNECTOR_<group number>
Configure the LDAP Connector I
•Start transaction LDAP
•Click on Connector
Configure the LDAP Connector II
1. Click on the Change button
2. Confirm this popup
Configure the LDAP Connector III
•Click on New Entries
Configure the LDAP Connector IV
•Choose your group’s RFC destination and choose the values shown
•Save your entries
•The lights should now turn green! (Otherwise click on the activate button)
Review the Data of the LDAP Admin User I
•Click on System Users
Review the Data of the LDAP Admin User II
•You should see this result
•Go back with the green arrow twice
Create the LDAP Server I
•Click on LDAP Servers
Create the LDAP Server II
•Click on the Change button
Create the LDAP Server III
•Click on the New Entries button
Create the LDAP Server IV
1. Enter the data shown. As the group number, choose the number provided by the instructor: TECHED_LDAP_<group number>
2. Save your entries
3. Then double click on Mapping
Create the LDAP Server V
1. Go via the menu Utilities and Import Proposals. This will import the appropriate LDAP server proposals
2. Accept the popup
Create the LDAP Server VI
•Double click on sapUsername to change the attribute name
Create the LDAP Server VII
•Change the attribute name to the value ‘uid’ and go back twice using the green arrow
Create the LDAP Server VIII
•Double click on “Synchronization”
Create the LDAP Server IX
•Check the fields to be imported from the directory
•Go back using the green arrow and save the data
Test the LDAP Connection I
•Select your group’s LDAP server and LDAP connector
•Choose “Log On” to log on to your LDAP server
Test the LDAP Connection II
•Choose “Use System User” and continue with “Execute”
Test the LDAP Connection III
•The push buttons should all be active now
•Press “Find” to search for objects in your LDAP server
Test the LDAP Connection IV
•Enter the attributes “uid” and “sn” and continue your search by clicking on “Execute”
Test the LDAP Connection V
Congratulations! The SAP system is successfully connected to the LDAP server!
Architecture Overview – User Management Engine
Diagram: the SAP Enterprise Portal and other J2EE applications access user management through the User Management Core Layer, which offers an API for Users, Groups and Roles (for local Java applications) and an SPML interface; below it, the Persistence Manager uses Persistence Adapters to reach the User Persistence Store: Database, LDAP Directory or SAP System
SPML = Service Provisioning Markup Language
Persistence Manager I
•Central place for reading and writing user-specific data: users, groups, role assignments
•Uses Persistence Adapters to read/write data
•Supports database, LDAP directory and SAP system as repository
Diagram: User Management Core Layer → Persistence Manager → Persistence Adapters → User Persistence Store (Database, LDAP Directory, SAP System)
Persistence Manager II
•User Partitioning: specific user sets can be distributed across different repositories. Example: self-registered, external users in the Database; internal users in LDAP Directories
•Attribute Partitioning: specific user attributes can be distributed across different repositories. Example: role assignments (portal-specific data) in the Database; general user data (application independent) in the LDAP Directory
Persistence Manager III
•Type Partitioning: specific data types can be distributed across different repositories. Example: Groups in the Database; Users in the SAP System
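The three partitioning kinds on the Persistence Manager slides are routing decisions: by user set, by attribute, and by object type, with the caller still seeing one record. The following Python is an added example written for this page, not SAP’s User Management Engine code; it models a persistence manager that applies the three rules to in-memory repositories standing in for the persistence adapters. The adapter names, the ‘external’ marker used to recognise self-registered users, and the sample users are constructed for the example.

```python
"""UME-style persistence manager with user, attribute and type partitioning.

Added example, not SAP's User Management Engine code. It models the three
partitioning rules from the slides with in-memory repositories standing in
for the persistence adapters:
  - user partitioning: self-registered/external users in the database,
    internal users in the LDAP directory;
  - attribute partitioning: role assignments (portal-specific) in the
    database, general user data in the directory;
  - type partitioning: groups in the database, users in the SAP system.
Adapter names, the 'external' marker and the sample users are constructed.
"""


class Adapter:
    """Stand-in for a persistence adapter: stores attributes per (object type, id)."""

    def __init__(self, name):
        self.name = name
        self.store = {}

    def write(self, kind, key, attrs):
        self.store.setdefault((kind, key), {}).update(attrs)

    def read(self, kind, key):
        return dict(self.store.get((kind, key), {}))


class PersistenceManager:
    """Routes reads and writes to adapters according to three partitioning rules.

    type_rule:  object type -> adapter name (applies to every non-user type)
    user_rule:  function(user_id, attrs) -> adapter name holding the user's core data
    attr_rule:  attribute -> adapter name, overriding user_rule for that attribute
    """

    def __init__(self, adapters, type_rule, user_rule, attr_rule):
        self.adapters = {a.name: a for a in adapters}
        self.type_rule, self.user_rule, self.attr_rule = type_rule, user_rule, attr_rule

    def placement(self, kind, key, attrs):
        """Which adapter holds which attribute of this object."""
        if kind != "user":
            return {attr: self.type_rule[kind] for attr in attrs}
        primary = self.user_rule(key, attrs)
        return {attr: self.attr_rule.get(attr, primary) for attr in attrs}

    def write(self, kind, key, attrs):
        for attr, adapter_name in self.placement(kind, key, attrs).items():
            self.adapters[adapter_name].write(kind, key, {attr: attrs[attr]})

    def read(self, kind, key):
        """Reassemble the object from all adapters; the caller sees one record."""
        merged = {}
        for adapter in self.adapters.values():
            merged.update(adapter.read(kind, key))
        return merged


def portal_manager():
    """Slide II configuration plus groups in the database: database and LDAP directory."""
    db, ldap = Adapter("database"), Adapter("ldap")
    return PersistenceManager(
        [db, ldap],
        type_rule={"group": "database"},
        user_rule=lambda uid, attrs: "database" if attrs.get("external") else "ldap",
        attr_rule={"roles": "database"},
    )


def type_partitioned_manager():
    """Slide III configuration: groups in the database, users in the SAP system."""
    db, sap = Adapter("database"), Adapter("sap")
    return PersistenceManager([db, sap], type_rule={"group": "database"},
                              user_rule=lambda uid, attrs: "sap", attr_rule={})


if __name__ == "__main__":
    pm = portal_manager()
    pm.write("user", "D505050", {"sn": ["Schmidt"], "roles": ["content_admin"]})
    pm.write("user", "guest42", {"sn": ["Guest"], "external": True, "roles": ["everyone"]})
    pm.write("group", "sales", {"members": ["D505050"]})
    for name, adapter in pm.adapters.items():
        print(name, adapter.store)
    print(pm.read("user", "D505050"))
```

The placement() method is the part worth keeping separate from write(): it answers “where does this attribute live” without touching a repository, which is what an audit of the user store layout needs, and it makes the precedence explicit (type rule first, then the per-attribute rule, then the user-set rule).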
Enterprise Portal 6.0 – Identity Management
•Web-based user administration
•End user self-registration: user can create an account in the portal; workflow for approval of the registration request by an administrator
•Password management & policies: configurable expiration dates; initial passwords and forced change at first logon; limit of failed logon attempts
•Flexible user persistence layer: LDAP directory, database or SAP system as user store
•Delegated administration
UME User Administration I
•WebDynpro-based Administration GUI
•User Administration Functions: create users; copy users; modify users; search for users; assign users and groups to role(s)
UME User Administration II
•User Administration Functions (cont.): set or auto-create password; set date & time for user account activation; lock/unlock users; view user account history; approve/deny self-registered users; adapt attributes contained in self-registration; e-mail notifications for specified events
Overview SAP Roles
•Portal Roles … define what is displayed in the Portal
•ABAP Roles (ABAP backend), or UME Roles / J2EE Security Roles (Java backend) … define what authorizations the user has in the backend system
Main Role Concepts in SAP NetWeaver
•Portal Roles (= UME Roles) in the SAP Enterprise Portal
•Single roles in ABAP-based systems (roles in transaction PFCG)
•Generate Authorization Roles in ABAP from User Interface Roles in the Portal
ABAP Roles and Portal Roles: A Comparison
Portal Roles:
•Portal Roles carry the user interface information but (almost) no authorization information.
•Authorizations must still be maintained in the backend systems.
ABAP Authorization Roles:
•Roles (single roles) carry authorization information.
•The Profile Generator is part of the role administration in transaction PFCG.
•The content of Authorization Roles can be generated using the definition of Portal Roles
Scenarios for Role Integration
When using different SAP components, different scenarios for managing identities are possible. The following slides describe an example using the following components: SAP Enterprise Portal, ABAP based SAP Systems, Directory Server
Scenario A:
•The administrators use the UME to maintain users and portal role assignments
•Portal roles and related ABAP authorization roles are linked together
•The system ensures that necessary ABAP authorization roles are assigned, too
Scenario B:
•The administrators use the CUA to maintain users and role assignments
•Portal roles and related ABAP roles are linked together
•The system ensures that necessary Portal roles are assigned, too
Scenario A: Role Maintenance
Diagram (development systems for customizing: Enterprise Portal, SAP ABAP + J2EE Engine, CUA):
1. Portal Role Maintenance (Enterprise Portal)
2. Transfer Role Information (to the SAP ABAP + J2EE Engine)
3. Authorization Role Maintenance (using WP3R)
4. Transport to productive systems
5. Transfer Role Information to CUA
Scenario A: User Management based on the CUA – Variant I
Diagram (Enterprise Portal, SAP ABAP + J2EE Engine with Persistence Store, CUA; ALE between CUA and backend systems):
1. User Maintenance
2. Portal Role Assignment
3. Publish Role Assignment
4. Authorization Role Assignment using transaction WP3R
6. Users get roles in backend systems
Scenario A: User Management based on the CUA – Variant I (back)
Same flow as above, but the user is created in the CUA (step 1); steps 2 to 4 as above; 5. Users get roles in backend systems
Scenario A: User Management based on a Directory – Variant II
Diagram (Enterprise Portal, SAP ABAP + J2EE Engine with Persistence Store, CUA, Directory; LDAP synchronization between Directory and CUA; ALE between CUA and backend systems):
1. User Maintenance (in the Directory)
2. Portal Role Assignment
3. Synchronize User Data
4. Publish Role Assignment
5. Authorization Role Assignment using transaction WP3R
6. Users get roles in backend systems
Scenario B: Role Maintenance
SAP backend Authorization Role EQUALS Group in the Enterprise Portal!
Diagram (development systems for customizing: Enterprise Portal with Persistence Store, SAP ABAP + J2EE Engine, CUA):
1. Portal Role Maintenance
2. Maintain auth. role templates for the Portal
3. Authorization Role Maintenance (using PFCG)
4. Transport to productive systems
5. Role Group Assignment
Scenario B: User Management based on the CUA
Diagram (Enterprise Portal with Persistence Store, SAP ABAP + J2EE Engine, CUA; ALE between CUA and backend systems):
1. User Maintenance (in the CUA)
2. Role Assignment
3. Users get authorization roles in the backend systems; users get groups and indirect roles in the Portal
SAP backend Authorization Role EQUALS Group in the Enterprise Portal!
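Both scenarios rest on a link between Portal roles and ABAP authorization roles, in opposite directions: in Scenario A the Portal role assignment determines which ABAP roles the user must receive in the CUA, in Scenario B the ABAP role name doubles as a Portal group and the Portal roles follow indirectly. The following Python is an added example written for this page, not SAP’s WP3R, PFCG or CUA code. It implements both directions as a reconciliation that can also be run as a check, reporting backend roles that are missing (access would fail) and managed roles that are surplus (more authorization than the Portal roles justify). The link tables, the Z_* role names and the function names are constructed; the logical system names and SAP_BC_USR_CUA_CLIENT are the ones on the slides.

```python
"""Reconciling Portal roles with ABAP authorization roles (Scenarios A and B).

Added example, not SAP's WP3R, PFCG or CUA code. The link tables stand in for
what WP3R establishes in Scenario A and for the 'authorization role equals
portal group' convention of Scenario B; role and system names are constructed.
  - Scenario A: administrators assign Portal roles; each Portal role is linked
    to the ABAP authorization roles it needs per backend system, and the user
    must end up with exactly those in the CUA.
  - Scenario B: administrators assign ABAP roles in the CUA; the ABAP role name
    equals a Portal group, and the Portal roles assigned to that group follow.
reconcile() reports missing roles (access would fail) and surplus managed roles
(more backend authorization than the Portal role set justifies).
"""

# Scenario A link table (constructed): portal role -> {(backend logical system, ABAP role)}
PORTAL_TO_ABAP = {
    "backend_admin": {("NWSCLNT100", "Z_PORTAL_BACKEND_ADMIN"),
                      ("NWSCLNT200", "Z_PORTAL_BACKEND_ADMIN")},
    "employee_self_service": {("NWSCLNT200", "Z_PORTAL_ESS")},
}
# ABAP roles under Portal control; other roles (e.g. basis roles) are outside this reconciliation
MANAGED_ABAP_ROLES = {role for links in PORTAL_TO_ABAP.values() for _, role in links}

# Scenario B link table (constructed): portal group (= ABAP role name) -> portal roles
GROUP_TO_PORTAL_ROLES = {
    "Z_PORTAL_BACKEND_ADMIN": {"backend_admin"},
    "Z_PORTAL_ESS": {"employee_self_service"},
}


def required_abap_roles(portal_roles):
    """Scenario A: {backend system: {ABAP roles}} a user needs for the given Portal roles."""
    required = {}
    for role in portal_roles:
        for system, abap_role in PORTAL_TO_ABAP.get(role, ()):
            required.setdefault(system, set()).add(abap_role)
    return required


def reconcile(required, actual):
    """Compare required with actual {system: {roles}} from the CUA.

    Returns ({system: missing roles}, {system: surplus managed roles}); both empty
    means the backend assignments match the Portal role set exactly."""
    missing, surplus = {}, {}
    for system in set(required) | set(actual):
        need = required.get(system, set())
        have = actual.get(system, set()) & MANAGED_ABAP_ROLES
        if need - have:
            missing[system] = need - have
        if have - need:
            surplus[system] = have - need
    return missing, surplus


def portal_access_from_cua(abap_roles):
    """Scenario B: (portal groups, indirect portal roles) that follow from CUA role assignments."""
    groups = {role for role in abap_roles if role in GROUP_TO_PORTAL_ROLES}
    portal_roles = set()
    for group in groups:
        portal_roles |= GROUP_TO_PORTAL_ROLES[group]
    return groups, portal_roles


if __name__ == "__main__":
    # Scenario A: user holds Portal role backend_admin; 'cua_roles' is what the CUA shows
    cua_roles = {"NWSCLNT100": {"Z_PORTAL_BACKEND_ADMIN", "SAP_BC_USR_CUA_CLIENT"},
                 "NWSCLNT200": {"Z_PORTAL_ESS"}}
    print(reconcile(required_abap_roles({"backend_admin"}), cua_roles))
    # Scenario B: roles assigned in the CUA map to Portal groups and indirect Portal roles
    print(portal_access_from_cua({"Z_PORTAL_ESS", "SAP_BC_USR_CUA_CLIENT"}))
```

Restricting the surplus check to MANAGED_ABAP_ROLES is deliberate: basis roles such as SAP_BC_USR_CUA_CLIENT are assigned outside the Portal link and must not be reported as drift, while a managed role that no Portal role justifies is exactly the kind of leftover a periodic reconciliation should surface.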
Demo and Exercise
Exercises
1. Create user “teched<Group Number>” in the portal using the Portal User Management tool (first name: teched, last name: test, Email: test@sap.com) and assign the Portal role “backend_admin” to the newly created user
2. Replicate this user into the CUA central system via LDAP synchronization
3. Transfer the role assignment for Portal role “backend_admin” to the central system of the CUA (System NWSCLNT100SR)
4. Generate the role assignment in the CUA for your created user (teched<Group Number>)
5. Verify the ABAP role assignment to the user using transaction SU01
6. Log on to the portal with user teched<Group Number> and verify that you have access to the transactions
System Information for this Exercise
SAP System Information: See Slide No. 22
SAP Enterprise Portal
•URL: http://iwdfvm1029.wdf.sap.corp:50000/irj
•User for Logon: AGS351<Group Number> (Group Number is provided by instructor)
•Password: demo123
•User to be created: teched<Group Number>
Logon to the Portal
Step 1: Create Portal User and Assign Portal Role I
•Enter the new user ID here: teched<group number>
•Enter a new password (2x) and memorize it for later use!
•Enter first name and last name
•Enter any email address
•Set Language if you like
Step 1: Create Portal User and Assign Portal Role II
1. Enter “backend_admin” and click “Go”
2. Mark the entry
3. Click on “Add”
4. Click on “Save”
Step 2: Create ABAP User with LDAP Sync I
1. Select “Sync Users into CUA”
2. Enter “teched<group number>”
3. Execute the transaction
Step 2: Create ABAP User with LDAP Sync II
•You should see this result
Step 3: Verify User Creation I
•Logon to the NWS using the Windows GUI
•Start transaction SU01
•Enter user name teched<group number>
•Click on “Display”
Step 3: Verify User Creation II
•The user’s master data will be displayed
Step 4: Transfer User Assignment I
3. Select “NWSCLNT100”
4. Click “Next”
Step 4: Transfer User Assignment II
1. Enter “backend_admin”
2. Click “Search”
3. Select Role (check)
4. Click “Next”
Step 4: Transfer User Assignment III
Step 4: Transfer User Assignment IV
•You should see these messages (Refresh, if you don’t see all the messages right away)
Step 5: Assign ABAP Roles to User I
1. Click “Assign Backend Roles”
2. Enter “teched<group number>”
3. Click Execute
Step 5: Assign ABAP Roles to User II
1. Expand Subtree
2. Click “Propose”
Step 5: Assign ABAP Roles to User III
Step 5: Assign ABAP Roles to User IV
Step 5: Assign ABAP Roles to User V
Step 6: Verify ABAP Role Assignment I
•Logon to the NWS using the Windows GUI
•Start transaction SU01
•Enter user name teched<group number>
•Click “Display”
Step 6: Verify ABAP Role Assignment II
Step 7: Logon to Portal with Newly Created User I
Step 7: Logon to Portal with Newly Created User II
Step 7: Logon to Portal with Newly Created User III
Congratulations! You have successfully created a user in your system landscape with a portal role and appropriate backend authorizations
Summary
•SAP offers a stable and widely used Central User Administration for SAP systems
•SAP offers LDAP directory integration
•SAP offers a User Management Engine for the Enterprise Portal
Further Information (Boston)
Related Workshops/Lectures at SAP TechEd 2005:
•AGS101 An Overview of User Management and Authorizations
•AGS103 Identity Management – Streamlining the User Provisioning Process Between HR, LDAP, and CUA
•AGS104 SAP MIC Tool – SAP NetWeaver in Support of Sarbanes-Oxley Requirements
•AGS105 Security Primer
•AGS201 Sarbanes-Oxley Compliance – Challenges and Benefits
•CD261 Using Authorizations in Java Application Development
Related SAP Education Training Opportunities: http://www.sap.com/education/ ADM940 / ADM960
Public Web: www.sap.com
NetWeaver Developer‘s Guide: www.sdn.sap.com/sdn/developersguide.sdn
SAP Developer Network: www.sdn.sap.com (SAP NetWeaver Platform Security)
SAP Customer Services Network: www.sap.com/services/
Further Information (Vienna)
Public Web: www.sap.com
NetWeaver Developer‘s Guide: www.sdn.sap.com/sdn/developersguide.sdn
SAP Developer Network: www.sdn.sap.com (SAP NetWeaver Platform Security)
SAP Customer Services Network: www.sap.com/services/
Related Workshops/Lectures at SAP TechEd 2005:
•AGS104 SAP MIC Tool – SAP NetWeaver in Support of Sarbanes-Oxley Requirements, Fri, 9:15 a.m. – 10:15 a.m., L3
•AGS106 Virus Scanning of Documents in SAP Applications, Thu, 6:00 p.m. – 7:00 p.m., L3
•AGS200 Increasing Infrastructure Security by using Application Gateways, Fri, 10:45 a.m. – 12:45 p.m., L4
•AGS202 Security in SAP Internet Transaction Server (ITS) Landscapes, Fri, 11:45 a.m. – 12:45 p.m., L3
•AGS350 Configuring J2EE & SAP NetWeaver Portal UME Authentication, Thu, 2:15 p.m. – 4:15 p.m., H2
Related SAP Education Training Opportunities: http://www.sap.com/education/ ADM940 / ADM960
Q&A
Questions?
security@sap.com
URL: http://service.sap.com/security
Feedback
Please complete your session evaluation.
Be courteous — deposit your trash,and do not take the handouts for the following session.
Thank You!
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The informationcontained herein may be changed without prior notice.Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP,Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation.Oracle is a registered trademark of Oracle Corporation.UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.Java is a registered trademark of Sun Microsystems, Inc.JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.MaxDB is a trademark of MySQL AB, Sweden.SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos aretrademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentionedare the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purposewithout the express prior written permission of SAP AG.This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intendedstrategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, productstrategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics,links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limitedto the implied warranties of merchantability, fitness for a particular purpose, or noninfringement.SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use ofthese materials. This limitation shall not apply in cases of intent or gross negligence.The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use ofhot links contained in these materials and does not endorse your use of thirdparty Web pages nor provide any warranty whatsoever relating to thirdparty Webpages.
Copyright 2005 SAP AG. All Rights Reserved