The Identity Management application allows mass creation of user, roles and groups instead of creating them individually. For mass creation we use the “Import” tab under Identity Management. The screenshot below shows the data for creating a few users in the UME.
For the import to work we first have to prepare a text file with the correct format. Once prepared we can either paste the text in the box as shown above or import the text file by clicking the browse button. We now click the upload button. If our data format is correct, identiy management shows a log for the actions and the user are created in the UME. Checking the “Overwrite Existing Data” checkbox ensure any existing user data is overwritten by the new data being loaded.
There are numerous parameter combinations that can be used while loading users, roles and groups. Many of the options will actually replace existing data with the new mapping data. Please look up the sap help before using any other parameter combinations.
Last but not the least of the UME Objects are Groups. Again we follow the same process for creating groups as for creating roles or users. We start by selecting Groups from the dropdown and click the “Create Group” button.
We start by adding a name and description for the new group. Groups don’t carry any permissions themselves but can be mapped to any number of roles. A user assigned to a UME group will inherit all the roles and the permissions contained in them. Groups also can be a part of a hierarchy of parent and chid groups.
Groups serve a special purpose when the UME uses an ABAP system as its data source. In this case, any new role created in ABAP is available in AS Java as a user group. Also assigning the backend role would assign the UME group and any role mapped to it in the java system. Many a time, a UME role contains java applications accessing backend SAP data. This is specially the case when an Enterprise Portal is installed on the AS Java system. A case in point are ESS and MSS applications used in SAP HCM. For these applications, we can create a backend role and assign the needed java role(s), either UME or portal roles, to the corresponding group. Any user getting the backend role would automatically get the correct Java access.
So for a AS Java system with an ABAP datasource, the entire user-role administration can be carried out from the ABAP backend. For a UME with Active Directory server as its user source, groups can be mapped to a AD group such that a user getting a AD group automatically gets the UME group and all roles mapped to it.
The process of creating a role is technically similar to the process of creating a user. We select “Roles” from the drop down in the initial screen and click the “create role” button. At this point a subscreen opens where we add the details for the role.
UME roles are a bit different from ABAP roles as they don’t contain either transactions or authorization objects. The corresponding concept for AS Java are “Actions”. The UME ships with many Actions already defined. The Assigned Actions tab allows us to search for existing actions in UME and also for actions already assigned to the role. We have the option of adding or removing actions from roles. Actions themselves are themselves composed of “permissions”. Permissions are defined by the creators of AS Java applications and checked in Java code before allowing users access. Unfortunately or fortunately we don’t create Permissions or Actions in Identity Management.
The Create Roles application also allows us to assign the role to Users and to UME groups via the respective tabs.
Like AS ABAP, a user would need an account to be created in the UME to log in. We create a new user by selecting “user” from the drop down in the initial identity management screen and clicking the “Create User” button. We also have options of searching for existing users, copying users, deleting users or locking/unlocking users.
On clicking the “Create User” button, a subscreen for “user details” opens up. The user details screen has a few sub tabs like General Information, Roles, Groups, etc. In the General Information tab, we would be specifying the login id, user first and last names, email address, deafult language and initial password. The obligatory fields are marked with a red asterisk.
Even though filling up the first General Information tab is enough to create a user, it would not give the user any access. For access on AS Java, we would need to assign roles or groups to the user in the respective tabs under user details.
Before we can start building roles or creating users on AS Java we have to start with configuring the UME. The configuration options are available under the configuration tab of the Identity Management application. Even under the configuration there are a number of sub tabs allowing different features to be configured. We look at a few of the more important options below.
Probably the most important configuration option is to set the data sources for the UME. This determines the data sources from where the UME reads the user information. We can set the data source as an AS ABAP SAP system, a LDAP system, an Active Directory server or a AS Java Database. The example screenshot below shows data source to be a set to a Active Directory Server.
Though setting the data source value is part of the Identity Management configuration but many a time the actual choice is determined by your network infrastructure and overall access structure. For example, its quite common that all users would have access to the corporate portal of an organisation but not everyone would be expected to work in SAP. As a result all employees will not a SAP account and in such a case, setting the UME database to a ABAP system would not work.
Identity Management configuration allows us to specify password parameters, like minimum and maximum length, use of special characters and validity dates, user id length, locking of accounts on using wrong password. The names of the parameters are quite self explanatory and appear under the “Security Policy” tab page. The screenshot below show an example configuration.
We also have a way of changing Notification Email settings as part of our configuration activities. Again the screenshot below shows some typical settings. I am not describing all the remaining tabs. Just explore them as the need arises. The configuration steps that are performed on the UME are basically one time activities. It would be very rare that you need to change these once the system is set up and running.
The Identity Management application provides an user interface for administrators to work on the underlying User Management Engine (UME) of AS Java. The identity management can be launched in any of the following three ways. The look and feel and the underlying features remain the same irrespective of which ever path we use. Unless Single Sign On is being used each of the options below would require the administrator to use the screen below to login.
Identity Management can be launched as a standalone application by launching the following url on any of the major web browser (I have used used IE, Firefox and Chrome) – “http://<AS_Java_Server>:<AS_Java_HTTP_Port>/useradmin“. The person logging in will need adminstrator priviledges for AS Java and after logging in will be welcomed by the following screen.
As a component of the Netweaver Administrator (NWA) application in AS Java. NWA is launched by following the following URL, http://<AS_Java_Server>:<AS_Java_HTTP_Port>/nwa . Identity Management is available under System Management> Administration as shown below.
The Identity Management application can also be deployed on the enterprise portal. The administrator would need the user admin or super admin portal roles to gain access. SAP Portal is launched by following the URL “http://<AS_Java_Server>:<AS_Java_HTTP_Port>/irj/portal“. Identity Management will be one of the tabs at the very top. I am not currently using Portal and don’t have a screenshot for it, but the look and feel of the application remains essentially same.
In the next few articles we discuss the different features of the Identity Management application.
Most of SAP’s traditional business applications were built on the ABAP language to run on Application Server ABAP. However more and more large enterprises are moving to a more heterogenous model for their SAP infrastrucure such that both Application Server ABAP (AS ABAP) and Application Server Java (AS Java) are being used for different SAP solutions. For example, even though the Enterprise Core Component or ECC, which can be considered to be the bed rock for a SAP system is ABAP based, a sizable percentage of organizations use SAP’s newer solutions like Enterprise Portal, Supplier Relationship Management, ESS/MSS applications and SAP GRC Access Control, all of which run on the AS Java. As security consultants we are increasingly being expected to design and support the security infrastructure for this newer platform. The next series of posts will attempt to do just that.
I will admit beforehand that my experience in AS Java security is very limited. However, its also true that web resources on AS Java security are also limited. Hence, these posts on the basics might yet help some of my friends from the SAP security community to get started with AS Java.
Like security on AS ABAP, AS JAVA also uses the concept of Role Based Access Control (RBAC). So we still continue to use the concepts of users and roles for these users. However since we don’t have transactions and authorization objects in Java. The nearest equivalent to these ECC concepts are permissions which are added to Java roles and checked by the different applications on AS JAVA.
Security on AS Java is built around the User Management Engine (UME) component. The UME can be configured for user and role administration across different user sources like Active Directory Servers, LDAP and even AS ABAP. As administrators we access the security administration functions of the UME through the Identity Management application. Identity Management is the central cockpit from which user administration, role administration and general configuration settings for UME can be controlled. This entire series of articles will mostly deal with the different features and functions of Identity Management.