SCUR351 Simplifying User Administration in Heterogeneous ...

SAP TechEd ‘03 Basel, CH

SCUR351 Simplifying User Administration in Heterogeneous Landscapes Patrick Hildenbrand Kristian Lehment SAP AG

Learning Objectives

As a result of this workshop, you will be able to:
• Explain and use Central User Administration (CUA)
• Set up and use LDAP directory synchronization
• Configure and use the User Management Engine (UME)

 SAP AG 2003, TechED_Basel / SCUR351, P. Hildenbrand u. K. Lehment / 2

© 2003 SAP AG

SCUR 351, Patrick Hildenbrand, Kristian Lehment


Agenda

• Identity management overview
• CUA in detail
• LDAP directory integration in detail
• UME in detail
• Summary


Central User Administration Using ALE

• Recommended >= 4.6c
• Users can be administered in a central SAP system
• Automatic distribution to client SAP systems
• Local administration still possible (redistribution)
• No inconsistencies
• Central locks possible

[Diagram: the central system of CUA distributes via ALE to the client systems of CUA; CUA clients shown: SAP 6.20, SAP 4.6, SAP 4.5]

Central User Administration & LDAP Synchronization

[Diagram; labels: Directory, LDAP synchronization, SAP 6.10 CUA central system, ALE, CUA clients (SAP 6.10, SAP 4.6, SAP 4.5), SAP 6.20, SAP 6.10]

Central User Administration, LDAP Synchronization & Enterprise Portal 5.0

[Diagram; labels: Enterprise Portal 5.0, Directory, LDAP synchronization, SAP 6.20 CUA central system, ALE, CUA clients (SAP 6.20, SAP 4.6, SAP 4.5)]

Central User Administration, LDAP Synchronization & Enterprise Portal 6.0

[Diagram; labels: Directory, LDAP synchronization, Central User Admin, ALE, Enterprise Portal 6.0, User Management Engine, LDAP based user persistence layer, RDBMS based user persistence layer (DB), Authentication / Authorization, 6.20, 4.6D]

UME 4.0 and SAP Web Application Server 6.30

Role Integration

[Diagram; labels: J2EE engine (J2EE role, Java Group, Java Users), UME (UME userstore, UME role, Actions), ABAP engine (SAP Users, SAP Role); arrows labelled "assign", "assign (in J2EE engine or UME) ?" and "mapping"; example names shown: Administrator, administrators, Admin, UME.Manage_All]

Set Up of System Infrastructure

Steps to go through (note that 'system' always means a client in a system):

USER
• Setting up an ALE communication user

ALE
• Define logical systems (later on, systems are always referred to by their logical system ID)
• Define RFC destinations between central system and child systems
• Define ALE distribution model

CUA
• "Switch on" the Central User Administration
• Define field attributes
• Migrate users (if necessary)

CUA Configuration

[Diagram: CUA central client TT1 200; child systems TT1 300 ... TT1 NNN]

Since ALE is the heart of a CUA from a technical perspective:
• First: copy the SAP-supplied roles for the RFC users to customer-named versions
• Next: create administrative users in each client
• Always start with the central client for all relevant tasks during the configuration
• Set up logical systems
• Assign a logical system to each affected client

Creating Roles for RFC User Access – Central System

[Diagram: CUA central system, client TT1 200; child systems TT1 300 ... TT1 NNN]

• In the central client, all RFC users will need to be created
• Before creating the RFC users you will need to copy a number of SAP-supplied roles for use in your implementation
• In the central client these roles are:
  - SAP_BC_USR_CUA_SETUP_CENTRAL *
  - SAP_BC_USR_CUA_CENTRAL
  - SAP_BC_USR_CUA_CENTRAL_BDIST
• A naming convention can be as simple as adding a "Z_" in front of the SAP-supplied names

* This role is only required during the setup of CUA and can be taken away from the TT1/200 user afterwards.

Creating Roles for RFC User Access – Client Systems

[Diagram: CUA central system, client TT1 200; child systems TT1 300 ... TT1 NNN]

• Only the user needed for the particular child system needs to be created in these instances
• In the child systems/clients these roles are:
  - SAP_BC_USR_CUA_SETUP_CLIENT *
  - SAP_BC_USR_CUA_CLIENT
• A naming convention can be as simple as adding a "Z_" in front of the SAP-supplied names
• Once the roles are copied and generated, you are ready to create users and assign the new roles to them

* This role is only required during the setup of CUA and can be taken away from the ADM user afterwards.

Create RFC Users

[Diagram: CUA central system, client TT1 200; child systems TT1 300 ... TT1 NNN]

• The use of ALE requires RFC connections to be set up between the clients. To set up these connections, special RFC users are required
• These users will have very specific access granted to them and should be monitored over time to ensure that they do not gain additional unnecessary authorizations
• The naming convention should be something like: CUA_ for the central client and CUA__ for the child systems
• Once they are created, assign the proper roles to each one of them
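One way to do the monitoring of RFC users asked for above, as an added example that is not part of the original slides: compare a role snapshot against the "Z_" copies of the roles named on the previous slides and against an earlier snapshot. The CSV layout, the user names RFC_CENTRAL and RFC_CHILD, the logical system names other than those on the slides, and the role Z_EXAMPLE_EXTRA_ROLE are constructed for the example.

```python
import csv
import io

PREFIX = "Z_"  # naming convention suggested on the slides

# Roles an RFC user keeps permanently, per kind of system (names from the slides).
STANDING = {
    "central": {PREFIX + "SAP_BC_USR_CUA_CENTRAL",
                PREFIX + "SAP_BC_USR_CUA_CENTRAL_BDIST"},
    "child": {PREFIX + "SAP_BC_USR_CUA_CLIENT"},
}
# Roles the slides mark with "*": only required while CUA is being set up.
SETUP_ONLY = {
    "central": {PREFIX + "SAP_BC_USR_CUA_SETUP_CENTRAL"},
    "child": {PREFIX + "SAP_BC_USR_CUA_SETUP_CLIENT"},
}

# Constructed snapshots: one row per role assignment.
SNAPSHOT_BEFORE = """\
system,kind,user,role
TT1CLNT200,central,RFC_CENTRAL,Z_SAP_BC_USR_CUA_CENTRAL
TT1CLNT200,central,RFC_CENTRAL,Z_SAP_BC_USR_CUA_CENTRAL_BDIST
TT1CLNT200,central,RFC_CENTRAL,Z_SAP_BC_USR_CUA_SETUP_CENTRAL
TT1CLNT300,child,RFC_CHILD,Z_SAP_BC_USR_CUA_CLIENT
"""
SNAPSHOT_AFTER = SNAPSHOT_BEFORE + \
    "TT1CLNT300,child,RFC_CHILD,Z_EXAMPLE_EXTRA_ROLE\n"


def load_snapshot(text):
    """Parse the CSV rows into {(system, kind, user): {roles}}."""
    snapshot = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["system"], row["kind"], row["user"])
        snapshot.setdefault(key, set()).add(row["role"])
    return snapshot


def audit(snapshot, setup_finished=True):
    """Return (system, user, role, finding) for every role outside the baseline."""
    findings = []
    for (system, kind, user), roles in snapshot.items():
        for role in roles:
            if role in STANDING[kind]:
                continue
            if role in SETUP_ONLY[kind]:
                if setup_finished:
                    findings.append((system, user, role,
                                     "setup-only role still assigned"))
                continue
            findings.append((system, user, role, "outside CUA role set"))
    return sorted(findings)


def gained(old, new):
    """Return (system, user, role) for assignments present in new but not in old."""
    out = []
    for key, roles in new.items():
        for role in roles - old.get(key, set()):
            out.append((key[0], key[2], role))
    return sorted(out)


if __name__ == "__main__":
    before = load_snapshot(SNAPSHOT_BEFORE)
    after = load_snapshot(SNAPSHOT_AFTER)
    for finding in audit(after):
        print("AUDIT", *finding)
    for change in gained(before, after):
        print("GAINED", *change)
```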

Create ALE Distribution Model

[Diagram: CUA central system TT1CLNT200; child systems TT1CLNT300 ... TT1 NNN]

• The distribution model can be created via transaction SALE
• Use a naming convention for the central system like CLNT, e.g. TT1CLNT200
• This allows for the distribution of the user master data from the central system to the child systems

Define Logical Systems

In CUA, clients are referred to by logical system ID. To be able to do that, we first have to name the logical systems. In a second step we then assign these logical systems to actual clients.

• In the IMG activity Name the Logical System, enter a logical system name and a clear description for that system.
• In the IMG activity Assign Logical System to Client, make the connection between a logical system name and a client in the current R/3 System.

Define Target Systems for RFC Calls

If we look at the distribution model again, we see that we have now assigned a logical system name to all systems involved. In the next step we have to define which system communicates with which other system. Note that the central system communicates with all client systems. Every client system only needs to "know" the central system.

We already mentioned that Central User Administration uses ALE for communication between systems. ALE is based on Remote Function Calls (RFC) between systems. To specify communication in a system landscape we have to define RFC calls between systems. An RFC destination is always created from the client where you are currently logged on to another client. From the distribution model you already know that we need bi-directional communication between central and client system.

Define Target Systems for RFC Calls

• After starting the IMG activity Define Target Systems for RFC Calls, choose Create to define a new connection.
• Under RFC destination, enter the desired logical system.
• Connection type 3 defines that it is a connection to another R/3 System.
• Under Logon, enter the previously created ALE user.

Creating the ALE Distribution Model (Manually)

• To be able to distribute data between the systems we now have to define what kind of data has to be distributed. This is done by defining an ALE distribution model
• The distribution model describes the ALE message flow between logical systems
• Two types of data are distributed by the ALE distribution model:
  - User master data (including assigned roles and profiles)
  - Company address

Creating an ALE Distribution Model

After starting the IMG activity Maintain Distribution Model and Distribute Views:
• Choose Create Model View
• Add BAPI to define a new distribution model

It specifies which logical systems are involved in the CUA landscape and which data has to be distributed

Creating an ALE Distribution Model

The two BAPIs involved are called USER.Clone and UserCompany.Clone. USER and UserCompany are the object names, whereas Clone specifies the actual method.

Generating Partner Profiles

• These partner profiles set the conditions for data exchange in an ALE environment
• The partner profiles are also generated from transaction BD64 -> Environment -> Generate
• Note that under Packet size you can select how many IDocs will be sent for each RFC process. This is used only if you specify 'Collect IDocs and transfer'

Recommendations:
• Use 'Collect IDocs and transfer' for both outbound processing in the central system and inbound processing in client systems, and schedule reports RSEOUT00 in the central system and RBDAPP01 in client systems
• Use packet size 50

Check Partner Profiles

Now you should check the generated partner profiles using -> Environment -> Change.

Use an IDoc Basic Type which both systems (central and client system) support. The IDoc Basic Type is release dependent.

Distribute ALE Distribution Model

Save and Distribute the new ALE Model.

Activating the CUA

• Execute transaction SCUA in the central system
• New version of SCUA allows for automatic creation of the ALE distribution model and generation of partner profiles in central and client systems
• Enter the ALE model name and choose Create
• Enter the logical system names of all client systems and Save
• Go Back or restart SCUA, enter the ALE model name and choose Save
• Restart SCUA and choose Distribute
• Now, the creation of user accounts is controlled by the central system

Field Selection

What is to be distributed? You decide... by setting attributes for each field

Transaction SCUM: Set Distribution Parameters

• Global – You can only maintain the data in the CUA central system, and the changes are automatically distributed to the child systems
• Proposal – A default value is maintained in the CUA central system. This data is distributed once when a user is created, and then is maintained locally in the child system thereafter without further distribution from the central system
• Redistribution – Data can be maintained both centrally and locally. If a change is made in the local child system it is redistributed first to the central system and then on to the other affected child systems
• Local – Maintained locally only, with no further distribution
• Everywhere – Data can be maintained both centrally and locally. Only the changes made in the central system are distributed
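The five field attributes above, modelled as an added example that is not part of the original slides: it shows where a change is accepted, which systems receive it, and which child values the central system no longer reflects. The field names, values and the logical system TT1CLNT400 are constructed, and the model assumes every user is distributed to every child system.

```python
MODES = {"global", "proposal", "redistribution", "local", "everywhere"}

# Constructed field-to-attribute assignment, as it could be set in SCUM.
FIELD_MODES = {
    "roles": "global",
    "printer": "proposal",
    "phone": "redistribution",
    "language": "everywhere",
    "cost_note": "local",
}


class CuaModel:
    """Toy model of the SCUM field attributes described on the slide."""

    def __init__(self, central, children, field_modes):
        unknown = set(field_modes.values()) - MODES
        if unknown:
            raise ValueError(f"unknown field attribute(s): {sorted(unknown)}")
        self.central = central
        self.children = list(children)
        self.field_modes = dict(field_modes)
        # system -> user -> field -> value
        self.data = {s: {} for s in [central, *self.children]}

    def create_user(self, user, values):
        """Users are created centrally; every non-local field is sent once."""
        shared = {f: v for f, v in values.items()
                  if self.field_modes[f] != "local"}
        for system in self.data:
            self.data[system][user] = dict(shared)

    def change(self, system, user, fld, value):
        """Apply a change made in `system`; return the systems that now hold it."""
        mode = self.field_modes[fld]
        at_central = system == self.central
        if mode == "global" and not at_central:
            raise PermissionError(f"{fld} is global: maintain it centrally")
        if mode == "local" and at_central:
            raise PermissionError(f"{fld} is local: no central maintenance")
        targets = [system]
        if at_central and mode in ("global", "redistribution", "everywhere"):
            targets += self.children
        elif not at_central and mode == "redistribution":
            # child -> central first, then on to the other children
            targets += [self.central]
            targets += [c for c in self.children if c != system]
        # proposal (after creation), local, and child-side "everywhere"
        # changes stay in the system where they were made
        for target in targets:
            self.data[target][user][fld] = value
        return targets

    def drift(self, user):
        """Child values that differ from what the central system holds."""
        central = self.data[self.central][user]
        out = []
        for child in self.children:
            for fld, value in self.data[child][user].items():
                if central.get(fld) != value:
                    out.append((child, fld, self.field_modes[fld]))
        return sorted(out)


if __name__ == "__main__":
    cua = CuaModel("TT1CLNT200", ["TT1CLNT300", "TT1CLNT400"], FIELD_MODES)
    cua.create_user("SMITH", {"roles": "Z_BASE", "printer": "LP01",
                              "phone": "100", "language": "EN"})
    print(cua.change("TT1CLNT300", "SMITH", "phone", "200"))
    print(cua.change("TT1CLNT300", "SMITH", "language", "DE"))
    print(cua.drift("SMITH"))
```

The drift list is the part a central-only review would miss: any field set to Proposal, Local or Everywhere can differ in a child system without the central system showing it.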


Maintenance of Field Attributes

• Easy-to-use transaction for setting attributes quickly
• Same tabs as in SU01
• Field set to local: no maintenance in central system

[Screenshot: user maintenance (SU01) in central system]

Use of Central User Administration

• Users are created and maintained by executing transaction SU01 in the central system
• Maintenance of local fields via SU01 by local administrators in the client systems
• Maintenance of distribution parameters is only possible for the values chosen during the configuration of CUA
• This can represent a training issue for user administrators, since they will have to remember what client to log onto to perform their tasks

User Maintenance in the Central System

SU01 in central system:
• Additional tab Systems: define to which system the user will be distributed
• Difference in Roles tab: define roles per system
• Same for profiles

User Maintenance in a Child System

Notice that you can no longer create users in this child system...

CUA Monitoring and Analysis

How can I be sure that my changes are processed correctly?

Logs Within Each System Must Be Monitored

[Diagram; labels: Central System, Change user data, Client System, LOG: complete list of errors, warnings, successes, messages]

Each action in the client system sends a log back to the central system

Log Display

Distribution log: transaction SCUL in the central system

Various ways to display logs:
• Ordered by system
• Ordered by error status
• Ordered by user name
• Ordered by user-defined selection criteria

Change Documents, Last Modifier

Change documents in each system:

• Modification in central system, followed by distribution
  - Change document in central system, last modifier: Global Administrator
  - Change document in client system, last modifier: ALE Transfer User
• Modification in client system (change in client system)
  - Change document in client system, last modifier: Local Administrator

CUA and Role Maintenance

How will I maintain roles in CUA?

[Diagram: the SAP component system and the SAP BW system each develop roles in Dev and transport them to QS and PRD; the CUA central system reads the (single / composite) roles and assigns roles]

• You can transport single and composite roles from a DEV system to the CUA central instance, but this is not recommended
• BW or HR systems, for example, have authorizations that will not exist in the CUA! Roles may therefore not be transported

Exercise

Exercise “1”


Position-Based Security in HR-ORG and CUA

• What is HR-Org?
• How might a system architecture look when HR-Org is used?
• What prerequisites have to be met to use HR-Org?
• How would a scenario look where HR-Org is used to support user administration?
• How do I implement HR-Org based user administration?

HR Organizational Management – Org Structure in HR

[Diagram: org structure hierarchy]
• Org Units (OU): Org Unit Market MY, with Org Unit Finance and Org Unit HR below it (1:n)
• Positions (S): Position 70008501, Position 70008502 (org unit to positions 1:n)
• Employees (P): Employee John Smith, Employee Peter Scott (position to employee 1:1)
• Users (US): SAP User MYSMITHJ, SAP User MYSCOTTP (employee to user 1:1, Infotype 105)

HR Organizational Management – Objects

Object type            Object key
Organizational Unit    O
Position               S
Employee               P
Jobs                   C
User                   US
Role                   AG

All objects are identified by an ObjectID.

Position-Based Security in HR Org

[Diagram: org structure with nodes 0 to 6; labels: Role Z_GEN_ALL; Position Payroll Admin, Role Z_HR_Payroll Admin, User MAIER]

⇒ User Maier inherits the roles Z_GEN_ALL and Z_HR_Payroll Admin

⇒ If you want to connect an employee to a user you have to maintain infotype 0105

Position-Based Security and CUA

1. Build composite roles in the central CUA system that combine single roles from different logical systems

   Composite role Z_HR_ADMIN:
   • Role Z_FI_Controlling (FICLNT100)
   • Role Z_HR_Payroll Admin (HRCLNT200)
   • Role Z_Reporting (BWCLNT200)

2. Assign composite roles to objects in HR Organizational Management in the CUA central and run "org compare" and "user compare"

   [Diagram: org structure with nodes 0 to 6; labels: Position Payroll Admin, Composite Role Z_HR_ADMIN]

Requirements: 4.6B or higher; support packages according to SAP note 511200

Landscapes

HR Org sits on the CUA central system
[Diagram; labels: Central System of CUA, ALE]

HR Org sits on a CUA daughter system
[Diagram; labels: Indirect Role Assignment, Central System of CUA, ALE, Replication of Organizational Structure into CUA Central (ALE), HR System with HR Org]

Only composite roles residing in the CUA central system can be assigned to PD-Org objects

HR Org Structure Replication

a) Initial Replication
• Performed only once at Go-Live
• Distributes all objects of the HR Org structure

b) Delta Replications
• Performed periodically
• Only distribution of objects with change pointers
• Should be scheduled as background job

Role Assignment to Positions in CUA (Indirect Role Assignment)

Drag&Drop

Role assignment becomes independent of daily user administration!

Assignment of Roles to Orgunits (O) and Jobs (C)

• Roles can be assigned to orgunits (O) as well. In this case role assignments are inherited by all (sub-)orgunits and positions below
• Alternatively, roles can be assigned to jobs. In this case role assignments are inherited by all positions linked to the job
• Only fairly generic roles can be assigned to orgunits and jobs, since the assignment is replicated to a potentially large number of users
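The inheritance rules above, worked through as an added example that is not part of the original slides: it resolves a user's effective roles through position, job and org unit, and lists which users an assignment reaches. Object names come from the earlier slides; which position sits in which org unit, position 70008503, the job "Clerk" and the role Z_EXAMPLE_CLERK are assumptions made for the example.

```python
class OrgModel:
    """Toy HR-Org structure: O (org unit), S (position), C (job), P, US."""

    def __init__(self):
        self.parent = {}    # org unit -> parent org unit (None at the top)
        self.pos_unit = {}  # position -> org unit
        self.pos_job = {}   # position -> job
        self.holder = {}    # position -> employee (1:1)
        self.user_of = {}   # employee -> SAP user (infotype 0105)
        self.roles = {}     # (object type, object id) -> set of roles

    def assign(self, otype, oid, role):
        self.roles.setdefault((otype, oid), set()).add(role)

    def positions_of(self, user):
        return [p for p, e in self.holder.items()
                if self.user_of.get(e) == user]

    def sources(self, position):
        """Objects a position inherits from: itself, its job, its org units."""
        found = [("S", position)]
        if position in self.pos_job:
            found.append(("C", self.pos_job[position]))
        unit, seen = self.pos_unit.get(position), set()
        while unit is not None and unit not in seen:  # guard against cycles
            seen.add(unit)
            found.append(("O", unit))
            unit = self.parent.get(unit)
        return found

    def effective_roles(self, user):
        """Return {role: [objects the role is inherited from]}."""
        result = {}
        for position in self.positions_of(user):
            for src in self.sources(position):
                for role in sorted(self.roles.get(src, ())):
                    result.setdefault(role, []).append(src)
        return result

    def users_reached(self, otype, oid):
        """Users who inherit anything assigned to the given object."""
        return sorted(
            u for u in set(self.user_of.values())
            if any((otype, oid) in self.sources(p)
                   for p in self.positions_of(u)))

    def transfer(self, employee, new_position):
        """Move an employee; inherited roles change with the position."""
        for position, emp in list(self.holder.items()):
            if emp == employee:
                del self.holder[position]
        self.holder[new_position] = employee


def build_example():
    m = OrgModel()
    m.parent = {"Market MY": None, "Finance": "Market MY", "HR": "Market MY"}
    # Assumed placement of positions; 70008503 is a constructed vacant position.
    m.pos_unit = {"70008501": "HR", "70008502": "Finance",
                  "70008503": "Finance"}
    m.pos_job = {"70008502": "Clerk", "70008503": "Clerk"}
    m.holder = {"70008501": "John Smith", "70008502": "Peter Scott"}
    m.user_of = {"John Smith": "MYSMITHJ", "Peter Scott": "MYSCOTTP"}
    m.assign("O", "Market MY", "Z_GEN_ALL")
    m.assign("S", "70008501", "Z_HR_Payroll Admin")
    m.assign("C", "Clerk", "Z_EXAMPLE_CLERK")
    return m


if __name__ == "__main__":
    model = build_example()
    print(model.effective_roles("MYSMITHJ"))
    print(model.users_reached("O", "Market MY"))
    model.transfer("John Smith", "70008503")
    print(model.effective_roles("MYSMITHJ"))
```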

HR-Org Driven User Administration: Pros & Cons

Advantages
• Org view available for role assignments
• Automated role assignment for all employee actions like hire, transfer etc.
• Role accumulation avoided
• Close integration of user administration processes to HR
• Clear separation of user and role assignment administration

Disadvantages
• More complex user mass upload procedure (pre-go live)
• Additional ALE distribution model to be monitored
• Less flexible in terms of individual assignments of roles to users
• No transition period in terms of role assignments after transfers

Documentation

• SAP Documentation 'Indirect Role Assignment - 620'
• SAP Note 578265 'PFCG integration HR Org and role administration'
• SAP Note 578271 'PFCG integration of role assignment maint. in PPOME'
• SAP Note 581019 'Distribute PFCG HR-ORG model for ind. role assignm'
• SAP Note 511200 'PFCG/PFUD/SU01/SU10: Role assignment and profile comparison'
• SAP Note 200343 'HR-CA-ALE: Composite SAP note re distributing HR master data'
• SAP Note 363187 'HR-CA-ALE: Initial dist. w. HRMD_A/HRMD_ABA (hint)'

What Is a Directory Service?

A directory service is a mechanism to
• Store
• Distribute
• Search
• Retrieve
structured information of general or specific interest

Actual Situation (Example: User Administration)

[Diagram: a new employee's requests and the separate systems that hold the resulting data]
• Systems: SAP HR, Infra DB, Telephone DB, IT Tracking, License DB, Mail server, Oracle DB, Internet firewall, RADIUS
• Requests: "Hello, I am the new employee"; "Where is my office/desk"; "I need a telephone, PC, mobile"; "I need software ABC"; "I use e-mail, intranet and internet"; "I use my VPN, remote applications"
• Data items: personnel data; room, location; user ID, password; telephone number, mobile; SMS configuration; e-mail address; user ID, PW, access rights; time management; user ID, password

Integrated Cross-platform User Management

[Diagram: a central directory surrounded by connected systems; labels: RACF user management, HOST applications, VPN access, Internet VPN, Creation of e-mail addresses, Messaging Server, Mail system, NT user management, LAN, Windows domain, Employee portal, Web App., Service, Administration, e.g. (Web application)]

Directory:
• Maintain basic user master data
• Grant access to groups = applications
• Control user accounts
• Maintain application-specific attributes
• Rule based creation / deletion of accounts

Directory Benefits

• Directories serve as a central repository for master data, which is used by several different applications
• Modifications to this data can be made by every authorized application
• Access to this data is provided using the standardized Lightweight Directory Access Protocol (LDAP)
• Hundreds of other application and hardware suppliers support this protocol
• SAP systems can be connected to such a directory to share parts of their user data or database content (e.g. HR data) with other applications

Information Model – Hierarchical Structure

DIT: Directory Information Tree

[Diagram: tree with root /, country entries C=DE and C=GB, and organization entries o=SAP and o=CompuNet]

Information Model – Names in the Tree

c=DE
  o=SAP AG
    ou=Security Consulting
      cn=Max Smith
      cn=Xaver Huber
    ou=Sales
      cn=Norbert Hofer
      cn=Kurt Wagner

c=DE,o=SAP AG,ou=Security Consulting,cn=Max Smith

• The way through the DIT defines the identification of an object
• Absolute and relative names
• Distinguished names have to be unique
• Relative distinguished names are unique in their naming context

Information Model – Object Class Hierarchy

[Diagram: object class hierarchy; classes shown: top, person, orgUnit, orgPerson, inetOrgPerson, SAPaddonUM (SAP schema extension)]

• person: cn, givenName, sn, telephone, mail
• orgPerson: cn, givenName, sn, telephone, mail, employeeID, title, department, function

Information Model – Entries in the DIT

Attribute          Value                                            Kind
Uid                CN=D505050;o=SAPAG;C=DE                          naming attribute (DN)
object class       inetOrgPerson, sapAddOnUM                        special attribute
givenName          Max                                              single-value attribute
sn                 Smith                                            mandatory attribute
telephoneNumber    +49-6227 7-47474                                 optional attribute
mail               [email protected]                                optional attribute
sapUserName        SMITH                                            SAP attribute
sapRoles           ABC:000:sapDeveloper, XYZ:100:sapAdministrator   multi-value attribute
modifyTimestamp    20010730175352Z                                  operational attribute

LDIF Format

In order to allow for a standardized way of
• Data extraction,
• Data exchange between LDAP servers,
• Loading data into LDAP servers,
LDIF (the "LDAP data interchange format") was introduced.

Advantages of LDIF:
• Standardized (described with RFC 2849)
• Easy, ASCII based format
• Syntax: attribute ":" value
• Includes options to add, modify and delete objects and attributes

LDIF Format, Example

dn: cn=smith,ou=employees,o=sap,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
mail: [email protected]
givenName: max
sn: smith
telephoneNumber: +49(0)6227-474747

LDIF File for Object Classes and Attributes

# Version 1: initial release
#
# -------------------------------------------------------
#
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.694.2.1.101 NAME 'sapUsername' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-NDS_NAME 'sapUsername' )

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.694.2.1.102 NAME 'sapAlias' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-NDS_NAME 'sapAlias' )

Replication, Physical Distribution

[Diagram: the tree c=de,o=neptune with ou=parts, ou=stuff and ou=widgets; replication between servers; physical distribution of content, with subsidiary "Parts": c=de,o=neptune,ou=parts]

LDAP Connector

[Diagram: an application server work process calls function 'LDAP_XXX' via RFC in the LDAP connector; the LDAP connector holds the connection with the LDAP server and talks LDAP to the directory]

• Executable LDAP_RFC shipped since Release 4.6A
• Loads LDAP library of the operating system at runtime

Transaction LDAP

• Allows deposition of connection and authentication data for different directory servers
• Allows setup of the LDAP connector for directory access
• Provides simple access to basic LDAP functionalities for testing purposes

RFC to LDAP Connector

Create an RFC destination as shown. Then go back to the LDAP transaction and click on the "connector" button …

The LDAP connector is available from release R/3 4.6c. However, the mapping table and the mass synchronization are available with SAP Web Application Server 6.10 and higher.

Activate LDAP Connector

Now select the RFC destination just created. Enter information for the LDAP connector, then click on the activation button:

LDAP activity can be monitored via CCMS.

User Access to LDAP Server

In the LDAP transaction, click on "System user". Then enter similar info as shown below.

Define Logical LDAP System Names

In transaction LDAP, click on "Server Names". This screen is also transaction LDAPMAP.

Test Connection to LDAP Server

• On the main screen of transaction LDAP, select a logical LDAP connector and a logical LDAP server defined earlier
• Click on the Log On button
• In the next window, you can use "Use System User" to test the connection

User Data in SAP Systems

Administration of user data:
• Transactions SUxx
• BAPI interfaces

Maintained data:
• SAP user name
• Logon data
• Address data
• Access control data
• Personalization data

LDAP Synchronization

• On top of the LDAP API, SAP implemented a user master data synchronization tool, which can be used to synchronize user master data between SAP and an LDAP server
• The tool is flexible enough to allow various scenarios in which a single source of user data is maintained across the enterprise
• In some cases, custom development may be desired to extend SAP's standard functionality

Transaction LDAPMAP as shown before

Extend Schema of the LDAP Server

• Execute report RSLDAPSCHEMAEXT from SE38
• An SAP-proposed schema extension for the LDAP product is created
• Method of importing this schema extension to selected SAP-supported LDAP products

Mapping Between Directory and SAP Data Fields

SAP data fields:
- Username: SMITH
- Firstname: Max
- Surname: Smith
- Telephone Nr.: 6227 7
- Telephone Ext.: 47474
- Mail: [email protected]
- Roles: sapDeveloper (system ABC, client 100), sapAdministrator (system XYZ, client 200)

Directory entry:
- dn: uid=D505050,o=sap,c=de
- objectclass: inetOrgPerson, sapAddOnUM
- givenName: Max
- sn: Smith
- telephoneNumber: +49-6227 7-47474
- uid: D505050
- mail: [email protected]
- sapUserName: SMITH
- sapRoles: ABC:100:sapDeveloper, XYZ:200:sapAdministrator
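The conversion behind the sample entry above, as an added Python example that is not part of the original slides or of SAP's code: it turns the directory entry into the SAP-side fields and rejects malformed sapRoles values instead of guessing at them. The value formats (SYSTEM:CLIENT:ROLE and +CC-number-extension) and all function names are assumptions inferred from the sample.

```python
# Added example, not SAP code: convert one directory entry into SAP-side user
# fields, validating complex values strictly before they are used.
import re

# Assumed value formats, inferred from the sample entry on the slide.
ROLE_RE = re.compile(r"([A-Z][A-Z0-9]{2}):(\d{3}):([A-Za-z0-9_./-]{1,30})")
PHONE_RE = re.compile(r"\+(\d{1,3})-(\d[\d ]*)-(\d+)")

# Sample entry from the slide (mail left out: the page shows no usable address).
ENTRY = {
    "dn": "uid=D505050,o=sap,c=de",
    "givenName": "Max",
    "sn": "Smith",
    "telephoneNumber": "+49-6227 7-47474",
    "sapUserName": "SMITH",
    "sapRoles": ["ABC:100:sapDeveloper", "XYZ:200:sapAdministrator"],
}

def split_phone(number):
    """Split '+CC-number-extension' into (number, extension)."""
    m = PHONE_RE.fullmatch(number)
    if m is None:
        raise ValueError(f"unexpected telephoneNumber format: {number!r}")
    return m.group(2), m.group(3)

def local_roles(values, system, client):
    """Roles addressed to this system and client, plus values that failed parsing."""
    roles, rejected = [], []
    for raw in values:
        m = ROLE_RE.fullmatch(raw)
        if m is None:
            rejected.append(raw)  # never guess at a malformed role assignment
        elif (m.group(1), m.group(2)) == (system, client):
            roles.append(m.group(3))
    return roles, rejected

def to_sap_user(entry, system, client):
    """Build the SAP-side record for one system and client from a directory entry."""
    number, ext = split_phone(entry["telephoneNumber"])
    roles, rejected = local_roles(entry.get("sapRoles", []), system, client)
    return {"Username": entry["sapUserName"], "Firstname": entry["givenName"],
            "Surname": entry["sn"], "Telephone Nr.": number,
            "Telephone Ext.": ext, "Roles": roles, "Rejected": rejected}
```

Rejected values are returned rather than dropped so that a synchronization run can log them for review.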

LDAPMAP Transaction - Mapping

In this screen, you define the mapping between the LDAP server and the SAP system.

- Click to add a new mapping
- For the LDAP application “User”, SAP provides a mapping proposal
- To delete a mapping, select it, then click on
- To delete all mapping lines, click the trash button

Transaction LDAPMAP - Mapping

After importing the SAP proposed mapping it may look like this

Mapping Flags in LDAPMAP

- Filter: Determines how corresponding entries for SAP objects can be found in the directory (only one line can be checked)
- Import: Determines which mappings are used to read directory entries
- Export: Determines which mappings are used to write directory entries
- Required: Determines which attributes are essential (mandatory) for new directory entries
- RDN: Marks the mapping which is used to form the RDN of new directory entries (only one line can be checked)
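A model of the five mapping flags, added here as a Python example (not SAP's implementation): it checks the one-line rule for Filter and RDN, builds the search filter and the DN of a new entry with RFC 4515 and RFC 4514 escaping, and refuses to create an entry that lacks a Required attribute. The mapping table, the field names and the function names are constructed for illustration, and requiring exactly one Filter and one RDN line is an assumption that is slightly stricter than the slide's "only one".

```python
# Added example: a model of the LDAPMAP mapping flags, not SAP's implementation.
from collections import namedtuple

FLAGS = {"filter", "import", "export", "required", "rdn"}
MapLine = namedtuple("MapLine", "sap_field ldap_attr flags")

# Constructed mapping table (an assumption, not SAP's mapping proposal).
MAPPING = [
    MapLine("Username", "sapUserName", {"filter", "import", "export", "required"}),
    MapLine("Username", "cn", {"export", "required", "rdn"}),
    MapLine("Firstname", "givenName", {"import", "export"}),
    MapLine("Surname", "sn", {"import", "export", "required"}),
]

def validate(mapping):
    """Reject unknown flags; Filter and RDN must each mark exactly one line."""
    for m in mapping:
        if not m.flags <= FLAGS:
            raise ValueError(f"unknown flag on {m.ldap_attr}")
    for flag in ("filter", "rdn"):
        if sum(flag in m.flags for m in mapping) != 1:
            raise ValueError(f"'{flag}' must be checked on exactly one line")

def flagged(mapping, flag):
    return next(m for m in mapping if flag in m.flags)

def escape_filter(value):
    """RFC 4515: hex-escape characters that are syntax in a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def escape_rdn(value):
    """RFC 4514 escaping for the printable special characters of an RDN value."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    if out.startswith((" ", "#")):
        out = "\\" + out
    return out

def build_filter(mapping, user):
    """Search filter that locates the directory entry of an SAP user."""
    m = flagged(mapping, "filter")
    return f"({m.ldap_attr}={escape_filter(user[m.sap_field])})"

def new_entry(mapping, user, base_dn):
    """DN and attributes of a new directory entry, built from Export lines."""
    attrs = {m.ldap_attr: user[m.sap_field] for m in mapping
             if "export" in m.flags and user.get(m.sap_field)}
    missing = [m.ldap_attr for m in mapping
               if "required" in m.flags and m.ldap_attr not in attrs]
    if missing:
        raise ValueError(f"required attributes missing: {missing}")
    rdn = flagged(mapping, "rdn")
    return f"{rdn.ldap_attr}={escape_rdn(user[rdn.sap_field])},{base_dn}", attrs

def import_entry(mapping, entry):
    """SAP fields read from a directory entry, using Import lines only."""
    return {m.sap_field: entry[m.ldap_attr] for m in mapping
            if "import" in m.flags and m.ldap_attr in entry}
```

Escaping at the point where the filter and DN are assembled keeps a user name that contains `*`, `(` or `,` from changing which entries the synchronization reads or writes.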

Transaction LDAPMAP – Synchronization Flags

Report RSLDAPSYNC_USER

Tasks of the Mapping Layer

[Diagram labels: SAP system with WebAS 6.x release; LDAP Synchronization; Mapping; Directory Server]

- Mapping of SAP data fields to designated directory server attributes
- Assignment of entries to designated object classes
- Assignment of RDN and DN (Key)
- Handling of complex structures

Mapping Function Modules

[Diagram labels: SAP system with WebAS 6.x release; LDAP Synchronization; Mapping; SAP Fields; Function Module; Parameters; Directory Attributes; Directory Server]

Mapping of Complex Structures

BC-LDAP-USR - Certified Partners

Partners currently certified (status: beginning of 2003), in sequence of certification date:

- Novell, product “eDirectory Rel. 8.5”
- Siemens, product “DirX Directory Server, Rel. 6.0”
- Critical Path, product “CP Directory Server (CP D, Rel. 4.0”
- Computer Associates, product “eTrust Directory, Rel. 4.0”
- Oracle Corp., product “Oracle Internet Directory (OID)”
- Microsoft Corp., product “Active Directory, Rel. Win2K SP1”

Directory Server Software Certification Possible

[Diagram labels: SAP User Management Engine; SAP Certified Integration; 3rd Party LDAP Directory Server]

- With EP 6.0 and WebAS 6.30, a certification of LDAP directory servers is possible
- This extends to the UME the certification that has been offered since WebAS release 6.10, which covers the LDAP communication of the SAP R/3 user management with a 3rd party directory server

Certification Benefits for SAP Customers and Third-Party Vendors

Benefits for SAP Customers
- Reduced implementation time & costs through tested 3rd party integration
- Guaranteed data integrity through stable interfaces (here LDAP)
- Easy selection of certified 3rd party integrations through online search engine

Benefits for Third-Party Vendors
- Listing on SAP’s homepage including certified scenario and contact data
- Vendor easily recognizable for SAP customers through SAP media (tagline, certificate, etc.)
- Technical certification may be prerequisite to join SAP Software Partner Program

Interested? – Please contact ICC for more details

ICC: Integration & Certification Center

- ICC Walldorf, Germany Phone +49 6227 – 767600 [email protected]
- ICC Palo Alto, California US Phone +1 650 - 849 2661 [email protected]
- ICC Bangalore, India Phone +91 80 8418155 - 300 [email protected] responsible for Japanese requests

Since 1995 about 800 vendors have successfully certified more than 1,400 interface products! http://www.sap.com/partner/software/directory

Exercise

Exercise “2”

Agenda

Identity Management Overview CUA in Detail LDAP Directory Integration in Detail UME in Detail Summary

Features of UME with EP 6.0

- Web-based user administration
- End user self-registration
  - User can create account in the portal
  - Workflow for approval of registration request by administrator
- Password management & policies
  - Configurable expiration dates
  - Initial passwords and change at first login
  - Limit of failed logon attempts
- Flexible user persistence layer
  - LDAP directory, database or SAP system as user store
- Delegated administration

UME Architecture

[Architecture diagram labels: Applications Accessing User Management (EP 6.0, SRM 3.0); UME UI; UME Services; UME API Layer; UME Core Layer; Persistence Layer; Logon; User Administration; Authentication / SSO; User Profile / Group Provisioning; Authorization; User API; User Account API; Group API; Role API; ACL API; Replication Manager; Persistence Manager; LDAP Directory; Database; ABAP Engine; External System]

Persistence Manager

- Central place for reading and writing user-specific data
  - Users
  - Groups
  - Role assignments
- Uses Persistence Adapters to read/write data
- Supports database, LDAP directory and SAP system as repository

[Diagram labels: User Management Core Layer; Persistence Manager; Persistence Adapters; User Persistence Store; Database; LDAP Directory; SAP Engine]

Persistence – Supported Repositories

Portal Database
- Oracle 9.2
- Microsoft SQL Server 2000

LDAP Directory
- Novell eDirectory
- Sun ONE Directory Server
- Microsoft ADS
- Siemens DirX

SAP System
- SAP Web Application Server 6.20 or higher

Persistence Manager

User Partitioning
- Specific user sets can be distributed across different repositories
- Example (diagram labels): Self-registered, external users; Internal users; Persistence Manager; Database; LDAP Directories

Attribute Partitioning
- Specific user attributes can be distributed across different repositories
- Example (diagram labels): Role assignments (portal-specific data); General user data (application independent); Persistence Manager; Database; LDAP Directory

Replication Manager

- Replication of user data to external systems
- Provisioning for external systems that cannot use supported user repositories
- Notification when users are created or modified
- Data exchange via XML documents
- One-way replication of user data (Portal to External System)

[Diagram labels: User Management Core Layer; Replication Manager; External System]

Replication Manager – Supported Systems

External System
- SAP Basis 4.6D, SAP Web Application Server 6.10 or higher
- Business Add-Ins (BAdIs) supported

Example: Portal User Provisioning to SAP Systems

[Diagram labels: Replication Manager; BW; SRM; CRM]

User Administration

- Web-based administration GUI
- User administration functions:
  - Create, copy, modify and search users
  - Manage roles and permissions
  - Assign users and groups to role(s)

The UME UserAdmin Tool

Maintaining Roles in the UME UserAdmin tool

User Administration

User administration functions (cont.):
- Set or auto-create password
- Set date & time for user account activation
- Lock/unlock users
- View user account history
- Approve/deny self-registered users
- Adapt attributes contained in self-registration
- E-mail notifications for specified events

Password Management

Administration Functions
- Configure password policies
- Set initial password for user
- Let system auto-create password for user
- Reset password
- Customizable “Forgot Password” process

Password Policies
- Min/max. length
- Numeric characters allowed/mandatory
- Password different from UID
- Mixed case required
- Special characters required
- Password expiry time period (days)
- Password must be changed at next logon
- Number of failed logon attempts before account is locked
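The policy settings listed above, written out as checks in an added Python example (not UME code): one function reports which rules a candidate password breaks, the other applies expiry, forced change and the failed-logon lock at logon time. The default values, the names and the choice to model only the "mandatory" variant of the numeric rule are assumptions.

```python
# Added example: the password policy settings as executable checks; not UME code.
from dataclasses import dataclass
from datetime import date, timedelta
import string

@dataclass
class Policy:  # constructed defaults, not UME defaults
    min_len: int = 8
    max_len: int = 14
    digit_required: bool = True
    mixed_case: bool = True
    special_required: bool = True
    expiry_days: int = 90
    max_failed: int = 3

def violations(policy, uid, password):
    """Return the policy rules a candidate password breaks (empty list = accepted)."""
    found = []
    if not policy.min_len <= len(password) <= policy.max_len:
        found.append("length")
    if policy.digit_required and not any(c.isdigit() for c in password):
        found.append("digit")
    if policy.mixed_case and not (any(c.islower() for c in password)
                                  and any(c.isupper() for c in password)):
        found.append("mixed case")
    if policy.special_required and not any(c in string.punctuation for c in password):
        found.append("special character")
    if password.lower() == uid.lower():
        found.append("same as UID")
    return found

@dataclass
class Account:
    uid: str
    changed_on: date           # date of the last password change
    must_change: bool = False  # initial or reset password
    failed: int = 0
    locked: bool = False

def logon(policy, acct, password_ok, today):
    """Return 'locked', 'failed', 'change_password' or 'ok' and update counters."""
    if acct.locked:            # checked first: a locked account reveals nothing
        return "locked"
    if not password_ok:
        acct.failed += 1
        acct.locked = acct.failed >= policy.max_failed
        return "locked" if acct.locked else "failed"
    acct.failed = 0
    expired = today - acct.changed_on > timedelta(days=policy.expiry_days)
    return "change_password" if acct.must_change or expired else "ok"
```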

Security Logging & Auditing

Logging of all security-relevant information:
- User login (successful/failed)
- IP address of user logged in
- User logoff
- User created/modified
- User approval/denial
- User locked/unlocked
- Role assignment changed

Delegated User Administration

- Currently, delegated user administration is based on the concept of COMPANY.
- Companies are totally unrelated to groups. It is not yet possible to use GROUPS as a means of delegated user administration.
- A company is an attribute in a user’s profile. Every user belongs to one company only.
- Companies are not related to user groups.
- Companies are needed for the implementation of delegated user administration.

Usage of Companies

The following scenarios are possible:
1. No Companies: closed environment, internal use only.
2. One Company and Guest Users: internal use + self-registration and approval process.
3. Two Companies and Guest Users: internal use + self-reg. + limited access to externals (e.g. suppliers).
4. Delegated Administration using the company concept: internal use; companies are treated as administration groups.
5. Fully Company Aware: used in SRM/CRM for instance.

User Self-Service

- User can change his or her profile
- User can set a new password
  - During logon (for initial passwords, when expired)
  - By changing user profile
- User can request new password (sent to user by e-mail)
- Use self-registration
  - User fills out a simple registration form
  - User immediately becomes a guest user
  - Optional approval process: user waits for approval by administrator to become a registered user

Demo

Demo and Exercise “3”

Summary

- SAP offers a stable and widely used Central User Administration for SAP systems
- SAP offers LDAP directory integration
- SAP offers a User Management Engine for the Enterprise Portal

Further Information

Public Web: http://www.sap.com/netweaver (Key capabilities, Security)
E-Mail: [email protected]

Consulting Contact
- Frank Rambo, SAP Security Consulting ([email protected])

Related SAP Education Training Opportunities
- http://www.sap.com/usa/education/
- CA940 SAP R/3 Authorization Concept
- ADM950 Secure SAP System Management
- ADM960 Security in SAP System Environment

Related Workshops/Lectures at SAP TechEd 2003
- SCUR251 Eliminating Authentication Pop-Ups in SAP Landscapes, October 02 / 14:00 – 16:00 pm, Room H10, Hands-On Session

Questions?

Q&A

Feedback

Please complete your session evaluation and drop it off on your way out. Be courteous — deposit your trash, and do not take the handouts for the following session.

The SAP TechEd ’03 Basel Team

Copyright 2003 SAP AG. All Rights Reserved

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft®, WINDOWS®, NT®, EXCEL®, Word®, PowerPoint® and SQL Server® are registered trademarks of Microsoft Corporation. IBM®, DB2®, DB2 Universal Database, OS/2®, Parallel Sysplex®, MVS/ESA, AIX®, S/390®, AS/400®, OS/390®, OS/400®, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere®, Netfinity®, Tivoli®, Informix and Informix® Dynamic Server™ are trademarks of IBM Corporation in USA and/or other countries. ORACLE® is a registered trademark of ORACLE Corporation. UNIX®, X/Open®, OSF/1®, and Motif® are registered trademarks of the Open Group. Citrix®, the Citrix logo, ICA®, Program Neighborhood®, MetaFrame®, WinFrame®, VideoFrame®, MultiWin® and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc. HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. JAVA® is a registered trademark of Sun Microsystems, Inc. JAVASCRIPT® is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MarketSet and Enterprise Buyer are jointly owned trademarks of SAP AG and Commerce One. SAP, R/3, mySAP, mySAP.com, xApps, xApp and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies.