Post on 17-Nov-2014
SCUR351:
User Management and Authorizations: The Details
© SAP AG 2004, SAP TechEd / SCUR351 / 2
Contributing Speakers
TechEd San Diego:
Larry Justice, Platinum Security Consultant, SAP America
Jens Koster, Security Product Manager, SAP AG
Gerlinde Zibulski, Security Product Manager, SAP Labs LLC
TechEd Munich:
Frank Buchholz, Security Product Manager, SAP AG
Jens Koster, Security Product Manager, SAP AG
Oliver Nocon, RIG Specialist, SAP AG
Learning Objectives
As a result of this workshop, you will be able to:
Explain and use Central User Administration (CUA)
Understand and use LDAP directory synchronization
Configure and use the User Management Engine (UME)
User Management Overview
Central User Administration (CUA)
SAP LDAP Connector
Portal User Management
Role Integration Scenario
Summary
Decentralized User Maintenance
Each SAP System has its own user data store
Decentralized user maintenance
Inconsistencies can occur between address data
Figure: separate user data stores in SAP R/3 Enterprise, SAP EBP, SAP BW, SAP APO, SAP …
Figure: a CUA central system (SAP release 4.6C or higher) connected via ALE to CUA client systems on SAP 6.x, 4.6 and 4.5.
Central User Administration
Users can be administrated in central SAP system
Automatic distribution to client SAP systems
Local administration still possible (back distribution)
No inconsistencies
Central locks possible
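An added illustration (not SAP code and not part of the slides) of the distribution behaviour listed above: a small Python model of a CUA landscape in which each user master field carries one of the field-distribution attributes maintained in transaction SCUM. The attribute names Global, Proposal, RetVal, Local and Everywhere and their semantics are taken from my understanding of SCUM rather than from this deck; the field-to-attribute configuration and the user SMITH are constructed sample data, while the logical system names are the TechEd landscape used later in the deck.

```python
"""Model of CUA field-distribution attributes (transaction SCUM).

Added illustration, not SAP code. Attribute semantics as I understand SCUM
(not stated on the slides):
  Global     - maintained only in the central system, distributed to all child systems
  Proposal   - the central system supplies a default when the user is created;
               afterwards the field is maintained locally and not redistributed
  RetVal     - maintained centrally or locally; a local change is returned to the
               central system and redistributed to all other child systems
  Local      - maintained only in the child system, never distributed
  Everywhere - maintained centrally or locally; only central changes are distributed
"""
from dataclasses import dataclass, field


class CuaDistributionError(Exception):
    """Raised when a field is changed in a system that is not allowed to maintain it."""


@dataclass
class CuaLandscape:
    central: str                      # logical system name of the CUA central system
    children: list                    # logical system names of the CUA child systems
    field_attr: dict                  # user master field -> SCUM distribution attribute
    users: dict = field(default_factory=dict)  # (logical system, user) -> {field: value}

    def record(self, system, user):
        """User master record of `user` as stored in `system` (created empty on first use)."""
        return self.users.setdefault((system, user), {})

    def create_user(self, user, values):
        """Central creation: everything except Local fields is distributed to all children."""
        central = self.record(self.central, user)
        for name, value in values.items():
            if self.field_attr[name] != "Local":
                central[name] = value
        for child in self.children:
            self.record(child, user).update(central)

    def change_central(self, user, name, value):
        """Change in the central system; distributed unless the field is Proposal or Local."""
        attr = self.field_attr[name]
        if attr == "Local":
            raise CuaDistributionError(f"{name} is Local and cannot be maintained in {self.central}")
        self.record(self.central, user)[name] = value
        if attr != "Proposal":
            for child in self.children:
                self.record(child, user)[name] = value

    def change_local(self, system, user, name, value):
        """Change in a child system: Global fields are rejected; RetVal fields are
        returned to the central system and redistributed (back distribution)."""
        attr = self.field_attr[name]
        if attr == "Global":
            raise CuaDistributionError(f"{name} is Global and can only be maintained in {self.central}")
        self.record(system, user)[name] = value
        if attr == "RetVal":
            self.record(self.central, user)[name] = value
            for child in self.children:
                self.record(child, user)[name] = value


def demo_landscape():
    """The TechEd landscape from the deck (TT1CLNT200 central, three children)
    with a constructed field-attribute configuration."""
    return CuaLandscape(
        central="TT1CLNT200",
        children=["TT1CLNT100", "TT1CLNT300", "TT1CLNT400"],
        field_attr={"lastname": "Global", "phone": "RetVal", "printer": "Local",
                    "room": "Everywhere", "department": "Proposal"},
    )
```

The point to take from running it: a local change to a RetVal field shows up in every system, a local change to an Everywhere field stays where it was made, and a local change to a Global field is refused, which is exactly why the field attributes decide whether the "no inconsistencies" promise holds.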
Figure: LDAP synchronization between a directory and the CUA central system (SAP release 6.10 or higher), which is connected via ALE to CUA client systems on SAP 6.x, 4.6 and 4.5.
Central User Administration & LDAP Synchronization
Figure: an Enterprise Portal with User Management Engine (UME) uses the directory as its persistence store; the directory is LDAP-synchronized with the CUA central system (SAP release 6.10 or higher), which is connected via ALE to CUA client systems on SAP 6.x, 4.6 and 4.5.
CUA & LDAP Synchronization & Enterprise Portal
Central User Administration (CUA)
Note that ‘system’ always means: client in a system
Set Up of System Infrastructure
Steps to go through (grouped on the slide as USER, ALE and CUA steps):
1. Set up ALE communication users (USER)
2. Define logical systems; later on, systems are always referred to by their logical system ID (ALE)
3. Define RFC destinations between central system and child systems (ALE)
4. Switch on the Central User Administration (CUA)
5. Define field attributes (CUA)
6. Migrate users (CUA)
TechEd: CUA System Landscape
CUA Master: logical system name TT1CLNT200
Used RFC destinations: TT1CLNT100 (RFC user CUA_TT1_100), TT1CLNT200 (RFC user CUA_TT1), TT1CLNT300 (RFC user CUA_TT1_300), TT1CLNT400 (RFC user CUA_TT1_400)
RFC user: CUA_TT1, with roles SAP_BC_USR_CUA_CENTRAL, SAP_BC_USR_CUA_CLIENT, SAP_BC_USR_CUA_SETUP_CENTRAL, SAP_BC_USR_CUA_SETUP_CLIENT
CUA Client: logical system name TT1CLNT100
Used RFC destinations: TT1CLNT200 (RFC user CUA_TT1)
RFC user: CUA_TT1_100, with roles SAP_BC_USR_CUA_CLIENT, SAP_BC_USR_CUA_SETUP_CLIENT
CUA Client: logical system name TT1CLNT300
Used RFC destinations: TT1CLNT200 (RFC user CUA_TT1)
RFC user: CUA_TT1_300, with roles SAP_BC_USR_CUA_CLIENT, SAP_BC_USR_CUA_SETUP_CLIENT
CUA Client: logical system name TT1CLNT400
Used RFC destinations: TT1CLNT200 (RFC user CUA_TT1)
RFC user: CUA_TT1_400, with roles SAP_BC_USR_CUA_CLIENT, SAP_BC_USR_CUA_SETUP_CLIENT
RFC Destinations:
Central system to client system (used for user distribution)
Client system to central system (used for user migration and status response)
RFC users have user type ‘communication’ and belong to the user group ‘SUPER’
Demo and Exercise
CUA Hands-On
In the following exercise you will review the setup of the Central User Administration:
1. Log on to the SAP System TT1 client 200 (see next slide for detailed connection data)
2. Review the definition of logical systems and the assignment of logical systems to clients in Transaction SALE.
3. Perform a connection test of RFC destination TT1CLNT300.
4. Review the CUA system landscape (Transaction SCUA). What system is the central system? What are the client systems?
5. Review the configuration for field distribution (Transaction SCUM).
6. Display Log Files for Central User Administration (Transaction SCUL).
System Information for this Exercise
SAP System Information
SAP System ID: TT1
IP Address: 10.16.140.70
System Number: 00
Client 200
User: SCUR351-<Group Number> (Group Number provided by the speaker)
Password: demo
Review the Logical Systems I
Go into transaction SALE.
Expand the node Sending and Receiving Systems.
Expand the node Logical Systems.
Click on Define Logical Systems
Review the Logical Systems II
You should find these entries.
Go back with the green arrow.
Review the Logical Systems III
Click on Assign Client to Logical System.
Review the Logical Systems IV
Display the entries for Client 100.
Review the Logical Systems V
You should find these entries.
Review the RFC Connections I
Go into transaction SM59.
Expand the R/3 connections node.
Double click on TT1CLNT200.
Review the RFC Connections II
Test this connection!
Review the RFC Connections III
Test was successful!
CUA Review I: What is the CUA Landscape?
Go into transaction SCUA and click on Display.
CUA Review II: What is the CUA Landscape?
The CUA central system is client 200.
This CUA has three client systems: 100, 300 and 400.
Look up the Configuration for Field Distribution in CUA
Go into transaction SCUM. (Nice name, isn’t it?)
Look up Log Files for CUA I
Go into transaction SCUL.
Select ALL.
Execute the report.
Look up Log Files for CUA II
Messages relating to distributed objects appear according to the selection you made.
SAP LDAP Connector
User Management – Directory Integration
Figure: a Meta-Directory linking HR, telephony, the operating system and other applications with Central User Administration.
Directory Benefits
Directories serve as central repository for master data, which is used by several different applications.
Every authorized application can modify this data.
Access to this data is provided using the standardized Lightweight Directory Access Protocol (LDAP).
Hundreds of other application and hardware suppliers support this protocol.
SAP systems can be connected to such a directory to share parts of their user data or database content (e.g. HR data) with other applications.
Information Model – Hierarchical Structure
DIT: Directory Information Tree, for example:
/ (root)
  c=GB
    o=CompuNet
  c=DE
    o=SAP
Information Model – Names in the Tree
Example tree:
c=DE
  o=SAP AG
    ou=Sales
      cn=Kurt Wagner
    ou=Security Consulting
      cn=Anton Schmidt
      cn=Xaver Huber
      cn=Norbert Hofer
Distinguished name of one entry: cn=Anton Schmidt, ou=Security Consulting, o=SAP AG, c=DE
The way through the DIT defines the identification of an object
Absolute and relative names
Distinguished names have to be unique
Relative distinguished names are unique in their naming context
Information Model – Object Class Hierarchy
Object class hierarchy (each class inherits the attributes of its superior): top, person, orgPerson, inetOrgPerson, SAPaddonUM (SAP schema extension); orgUnit is a further class in the hierarchy.
person: cn, givenName, sn, telephone
orgPerson: cn, givenName, sn, telephone (inherited from person) plus employeeID, title, department, function
Information Model – Entries in the DIT
Example entry with DN CN=D505050;O=SAP-AG;C=DE
object class (special attribute): inetOrgPerson, sapAddOnUM
uid (naming attribute, used in the DN)
sn (mandatory attribute): Smith
givenName (single-value attribute): Max
mail (optional attribute): Max.Smith@sap.com
telephoneNumber (optional attribute): +49-6227 7-47474
sapUserName (SAP attribute): SMITH
sapRoles (multi-value SAP attribute): ABC:000:sapDeveloper, XYZ:100:sapAdministrator
modifyTimestamp (operational attribute): 20010730175352Z
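To make the information model concrete, here is an added Python example (mine, not from the slides or from SAP) that encodes the object class chain top, person, orgPerson, inetOrgPerson, sapAddOnUM and validates entries against it: mandatory versus optional attributes, single-valued versus multi-valued attributes, operational attributes, and the rule that the leftmost RDN of the distinguished name must be an attribute value of the entry. The attribute lists per class are a constructed subset (the real inetOrgPerson has many more), the single-valued set follows the labels on the slide, and the entries for Anton Schmidt and Kurt Wagner are constructed sample data.

```python
import re

# Object class -> (superior class, mandatory attributes, optional attributes).
# Constructed subset of the hierarchy on the slide; real schemas list many more attributes.
OBJECT_CLASSES = {
    "top": (None, {"objectClass"}, set()),
    "person": ("top", {"cn", "sn"}, {"telephoneNumber"}),
    "orgPerson": ("person", set(), {"employeeID", "title", "department", "function"}),
    "inetOrgPerson": ("orgPerson", set(), {"givenName", "mail", "uid"}),
    "sapAddOnUM": ("inetOrgPerson", set(), {"sapUserName", "sapRoles"}),  # SAP schema extension
}
SINGLE_VALUED = {"givenName", "sapUserName", "uid"}  # as labelled on the slide (constructed set)
OPERATIONAL = {"modifyTimestamp"}                     # server-maintained, allowed on every entry


def superior_chain(object_class):
    """Walk from a class up to 'top', e.g. sapAddOnUM -> inetOrgPerson -> ... -> top."""
    chain = []
    while object_class is not None:
        if object_class not in OBJECT_CLASSES:
            raise ValueError(f"unknown objectClass {object_class!r}")
        chain.append(object_class)
        object_class = OBJECT_CLASSES[object_class][0]
    return chain


def schema_for(object_classes):
    """Mandatory and allowed attribute sets for an entry with the given object classes,
    including everything inherited from the superior classes."""
    mandatory, allowed = set(), set(OPERATIONAL)
    for oc in object_classes:
        for cls in superior_chain(oc):
            _, must, may = OBJECT_CLASSES[cls]
            mandatory |= must
            allowed |= must | may
    return mandatory, allowed


def parse_dn(dn):
    """Split 'cn=Anton Schmidt, ou=Security Consulting, o=SAP AG, c=DE' into RDN pairs,
    leftmost first; a backslash-escaped comma does not separate RDNs."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {part!r}")
        rdns.append((attr.strip(), value.strip()))
    return rdns


def validate_entry(dn, attrs):
    """Return the list of schema violations for an entry (empty list = valid).
    `attrs` maps attribute name -> list of values, since LDAP attributes are multi-valued."""
    if not attrs.get("objectClass"):
        return ["entry has no objectClass"]
    try:
        mandatory, allowed = schema_for(attrs["objectClass"])
    except ValueError as err:
        return [str(err)]
    present = set(attrs)
    problems = [f"missing mandatory attribute {a}" for a in sorted(mandatory - present)]
    problems += [f"attribute {a} not allowed by object classes" for a in sorted(present - allowed)]
    for a in sorted(SINGLE_VALUED & present):
        if len(attrs[a]) > 1:
            problems.append(f"{a} is single-valued but has {len(attrs[a])} values")
    # The leftmost RDN names the entry, so its value must appear in the entry itself.
    naming_attr, naming_value = parse_dn(dn)[0]
    if naming_value not in attrs.get(naming_attr, []):
        problems.append(f"naming attribute {naming_attr}={naming_value} not present in entry")
    return problems


# Constructed sample entries following the DIT example on the slide.
ANTON_DN = "cn=Anton Schmidt, ou=Security Consulting, o=SAP AG, c=DE"
ANTON = {
    "objectClass": ["inetOrgPerson", "sapAddOnUM"],
    "cn": ["Anton Schmidt"], "sn": ["Schmidt"], "givenName": ["Anton"],
    "mail": ["anton.schmidt@example.com"], "sapUserName": ["ASCHMIDT"],
    "sapRoles": ["ABC:000:sapDeveloper", "XYZ:100:sapAdministrator"],  # multi-valued
    "modifyTimestamp": ["20010730175352Z"],
}
BAD_DN = "cn=Kurt Wagner, ou=Sales, o=SAP AG, c=DE"
BAD = {
    "objectClass": ["inetOrgPerson"],
    "cn": ["K. Wagner"],                 # does not match the RDN value in BAD_DN
    "givenName": ["Kurt", "Curt"],       # single-valued attribute with two values
    "shoeSize": ["43"],                  # not defined by any of the classes
}                                        # and the mandatory sn is missing
```

A directory server enforces these rules itself; the value of having them in a small script is that you can check an export or a proposed mapping offline before a synchronization run rejects half the entries.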
LDAP Connector
Figure: a work process on the application server calls function ‘LDAP_XXX’ over RFC; the LDAP Connector implements that function as an LDAP client and speaks LDAP to the LDAP server that holds the directory.
Executable LDAP_RFC shipped since Release 4.6A
Loads LDAP library of the operating system at runtime
Configure LDAP Connection
1. Configure LDAP Connector
2. Enter LDAP System User Data
3. Enter LDAP Server Connection Data
4. Configure Field Mapping
Later steps in TechEd Demo Scenario:
1. Create users using Portal UME
2. Synchronize Data between Directory and SAP
Demo and Exercise
LDAP Hands-On
In this exercise you will prepare the LDAP connector and server, which you will use later in the course to run a user synchronization.
1. Create the RFC connection LDAP_NOVELL_GR<Group Number> for the LDAP connector (connection type: T, gateway host: iwdf5350, gateway service: sapgw00). Enter the same name as the Program ID for the registered server program.
2. Configure the LDAP connector with your newly created RFC destination and activate the connector. (Transaction LDAP, Function: Connector)
3. Make sure that the LDAP admin user TECHED-ADMIN is already configured in the system. (Transaction LDAP, Function: System Users)
4a. Create the LDAP server LDAP_NOVELL_GR<Group Number> with the data provided on the next slide. (Transaction LDAP, Function: Server Names).
4b. Import the Mapping Proposal for your server. Change the mapping for the attribute sapUsername into the attribute uid. Remove Object Class sapAddOnUM.
4c. Set the synchronization options to IMPORT for the following attributes: uid, givenName, sn. Save your server settings.
4d. Log on to your group’s LDAP server using your LDAP Connector (Transaction LDAP) and look up LDAP server entries for attributes uid and sn.
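The field mapping and synchronization options configured in steps 4b and 4c decide in which direction each attribute flows when the synchronization report runs later in the course. The following added Python example (mine; it is not SAP's RSLDAPSYNC_USER and not from the slides) models one synchronization pass with that mapping: sapUsername mapped to uid, and uid, givenName and sn set to IMPORT, plus a constructed EXPORT mapping for mail to show the other direction. The SAP-side field names USERNAME, FIRSTNAME, LASTNAME and EMAIL and the two sample users are constructed.

```python
from dataclasses import dataclass
from enum import Enum


class Sync(Enum):
    IMPORT = "import"   # directory -> SAP (what step 4c sets for uid, givenName, sn)
    EXPORT = "export"   # SAP -> directory
    NONE = "none"       # mapped for lookup only, never synchronized


@dataclass(frozen=True)
class FieldMapping:
    sap_field: str        # constructed SAP-side field names, not real SU01 field names
    ldap_attribute: str
    sync: Sync


MAPPING = [
    FieldMapping("USERNAME", "uid", Sync.IMPORT),        # the sapUsername -> uid change of step 4b
    FieldMapping("FIRSTNAME", "givenName", Sync.IMPORT),
    FieldMapping("LASTNAME", "sn", Sync.IMPORT),
    FieldMapping("EMAIL", "mail", Sync.EXPORT),          # constructed addition for the other direction
]


def first(values):
    """LDAP attributes are multi-valued; an SAP field takes the first value."""
    return values[0] if values else None


def sync_users(sap_users, ldap_entries, mapping, key_field="USERNAME"):
    """One synchronization pass in the spirit of RSLDAPSYNC_USER: IMPORT fields flow
    from the directory into SAP (creating SAP users that do not exist yet), EXPORT
    fields flow from SAP into the directory. Both stores are updated in place and a
    list of changes is returned."""
    key_attr = next(m.ldap_attribute for m in mapping if m.sap_field == key_field)
    changes = []
    for entry in ldap_entries:
        uid = first(entry.get(key_attr, []))
        if uid is None:
            continue                      # an entry without a user name cannot be matched
        user = sap_users.get(uid)
        if user is None:
            user = sap_users[uid] = {key_field: uid}
            changes.append(f"created SAP user {uid}")
        for m in mapping:
            if m.sync is Sync.IMPORT:
                new = first(entry.get(m.ldap_attribute, []))
                if new is not None and user.get(m.sap_field) != new:
                    user[m.sap_field] = new
                    changes.append(f"{uid}: {m.sap_field} <- {m.ldap_attribute}={new!r}")
            elif m.sync is Sync.EXPORT:
                value = user.get(m.sap_field)
                if value is not None and entry.get(m.ldap_attribute) != [value]:
                    entry[m.ldap_attribute] = [value]
                    changes.append(f"{uid}: {m.ldap_attribute} <- {m.sap_field}={value!r}")
    return changes


def demo_stores():
    """Constructed sample data: one directory user that does not exist in SAP yet
    (the exercise's teched-<n> case) and one that already does."""
    ldap_entries = [
        {"uid": ["teched-7"], "givenName": ["teched"], "sn": ["test"]},
        {"uid": ["SMITH"], "givenName": ["Max"], "sn": ["Smith"]},
    ]
    sap_users = {"SMITH": {"USERNAME": "SMITH", "FIRSTNAME": "Max",
                           "LASTNAME": "Smyth", "EMAIL": "max.smith@example.com"}}
    return sap_users, ldap_entries
```

Note what the direction flag protects: because LASTNAME is IMPORT, the directory's value wins over the differing SAP value, and because EMAIL is EXPORT the directory is never allowed to overwrite it. Getting a flag wrong in step 4c silently reverses who is authoritative for that attribute.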
System Information for This Exercise
SAP System Information: See Slide No. 14
LDAP Server:
LDAP Connector: LDAP_NOVELL_GR<Group Number>
LDAP Server: LDAP_NOVELL_GR<Group Number>
IP-Address: 10.16.140.70
Port Number: 389
Product Name: Novell eDirectory 8.5
LDAP Version: LDAP Version 3
LDAP Application: User
Base Entry of LDAP server: ou=users, ou=teched_test, o=corp_ldap
System Logon: TECHED-ADMIN
Create a New RFC Destination for Your LDAP Connector I
Go into transaction SM59 and click on Create.
Create a New RFC Destination for Your LDAP Connector II
Input Values and Click Enter.
Choose the group number provided by the instructors:
LDAP_NOVELL_GR<group number>
Create a New RFC Destination for Your LDAP Connector III
After having clicked on Enter the screen will change to this.
Enter the Program ID and save your entries.
Choose the group number provided by the instructors:
LDAP_NOVELL_GR<group number>
Configure the LDAP Connector I
Start transaction LDAP. Click on Connector.
Configure the LDAP Connector II
Click on the Change Button.
Confirm this pop-up.
Configure the LDAP Connector III
Click on New Entries.
Configure the LDAP Connector IV
Choose your group’s RFC destination and choose the values above. Save your entries.
The lights should now turn green! (Otherwise click on the activate button)
Review the Data of the LDAP Admin User I
Click on System Users.
Review the Data of the LDAP Admin User II
You should find this data.
Go back with the green arrow twice.
Create the LDAP Server I
Click on Server Names.
Create the LDAP Server II
Click on the Change Button.
Create the LDAP Server III
Click on the New Entries Button.
Create the LDAP Server IV
1. Enter the data shown above. As the group number, choose the number provided by the instructor.
2. Save your entries.
3. Then double click on mapping.
Choose the group number provided by the instructors:
LDAP_NOVELL_GR<group number>
Create the LDAP Server V
1. Go via the menu Utilities and Import Proposals. This will import the appropriate LDAP server proposals.
2. Accept the pop-up.
Create the LDAP Server VI
1. Remove the Object Class sapAddOnUM
2. Double click on sapUsername to change the attribute name
Create the LDAP Server VII
Change the attribute name to the value ‘uid’ and go back twice using the green arrow
Create the LDAP Server VIII
Double click on Synchronization
Create the LDAP Server VIII
Choose these fields to be imported from the directory.
Go back using the green arrow and save the data.
Test the LDAP Connection I
Select your group’s LDAP server and LDAP connector.
Choose Log On to log on to your LDAP server.
Test the LDAP Connection II
Choose “Use System User” and continue with “Execute”
Test the LDAP Connection III
The push buttons should all be active now.
Press “Find” to search for objects in your LDAP server
Test the LDAP Connection IV
Enter the attributes uid and sn and continue your search with Execute.
Test the LDAP connection V
Congratulations!
The SAP system is successfully connected to the LDAP server!
Portal User Management
Architecture Overview – User Management Engine
Figure: the SAP Enterprise Portal and other applications accessing user management use the User API, User Account API, Group API and Role API. Underneath, the User Management Core Layer holds the Persistence Manager and the Replication Manager; the Persistence Manager reaches the User Persistence Store through Persistence Adapters for a database, an LDAP directory, an SAP system or an external system.
Persistence Manager
Central place for reading and writing user-specific data
Users
Groups
Role assignments
Uses Persistence Adapters to read/write data
Supports database, LDAP directory and SAP system as repository
Figure: the Persistence Manager inside the User Management Core Layer, with Persistence Adapters to the database, LDAP directory and SAP system that form the User Persistence Store.
Type-Based Data Partitioning
Principals of different types stored in different data sources
Example: users in LDAP, groups in DB
Principal-Based Data Partitioning
Principals of the same type stored in different data sources
Example: regular users in LDAP, service users in DB
Attribute-Based Data Partitioning
Attributes of one principal stored over different data sources
Example: userId in LDAP, role assignment in DB
Data Source Configuration
Figure: type-based partitioning keeps Users and Groups in different sources; principal-based partitioning keeps two sets of users (Users1, Users2) in different sources; attribute-based partitioning splits the attributes of the same Users across sources.
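The three partitioning schemes above can be expressed as ordered data-source rules that a persistence manager consults per principal type, per principal and per attribute. The added Python example below (mine, not UME code or UME configuration) implements such a router over two toy adapters named ldap and db. The configuration it uses is constructed from the three examples on the slide: all users' role assignments live in db (attribute-based), service users live entirely in db (principal-based, with the constructed convention that their IDs start with svc_), the remaining users live in ldap and groups in db (type-based).

```python
from dataclasses import dataclass
from typing import Callable, Optional


class Adapter:
    """Toy persistence adapter; stands in for the LDAP, database and SAP-system adapters."""

    def __init__(self, name):
        self.name = name
        self.store = {}                    # (principal type, id) -> {attribute: value}

    def write(self, ptype, pid, attrs):
        self.store.setdefault((ptype, pid), {}).update(attrs)

    def read(self, ptype, pid):
        return dict(self.store.get((ptype, pid), {}))


@dataclass
class Rule:
    """One data-source rule: which adapter holds which attributes of which principals."""
    principal_type: str                                 # "user" or "group"
    adapter: str
    selector: Callable[[str], bool] = lambda pid: True  # principal-based partitioning
    attributes: Optional[frozenset] = None              # attribute-based; None = all remaining


class PersistenceManager:
    """Central place for reading and writing principals, routing by rules (added model)."""

    def __init__(self, adapters, rules):
        self.adapters = {a.name: a for a in adapters}
        self.rules = rules

    def route(self, ptype, pid, attr):
        """The first matching rule decides where an attribute of a principal is stored."""
        for rule in self.rules:
            if (rule.principal_type == ptype and rule.selector(pid)
                    and (rule.attributes is None or attr in rule.attributes)):
                return self.adapters[rule.adapter]
        raise LookupError(f"no data source for {ptype} {pid!r} attribute {attr!r}")

    def write(self, ptype, pid, attrs):
        """Split the attributes over their data sources; returns adapter name -> attributes written."""
        parts = {}
        for attr, value in attrs.items():
            parts.setdefault(self.route(ptype, pid, attr).name, {})[attr] = value
        for name, part in parts.items():
            self.adapters[name].write(ptype, pid, part)
        return parts

    def read(self, ptype, pid):
        """Reassemble the principal from every data source a matching rule points at."""
        merged = {}
        for rule in self.rules:
            if rule.principal_type == ptype and rule.selector(pid):
                merged.update(self.adapters[rule.adapter].read(ptype, pid))
        return merged


def demo_manager():
    """Constructed configuration combining the three partitioning schemes from the slide."""
    return PersistenceManager(
        adapters=[Adapter("ldap"), Adapter("db")],
        rules=[
            Rule("user", "db", attributes=frozenset({"roles"})),              # attribute-based
            Rule("user", "db", selector=lambda pid: pid.startswith("svc_")),  # principal-based
            Rule("user", "ldap"),                                              # type-based: other users
            Rule("group", "db"),                                               # type-based: groups
        ],
    )
```

Rule order is the security-relevant design choice: the attribute rule for role assignments comes first so that no later rule can route a user's roles to a directory that a different team administers, and a principal with no matching rule fails closed with a LookupError instead of landing in a default store.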
Special Features Enterprise Portal 6.0
Web-based user administration
End-user self-registration
User can create account in the portal
Workflow for approval of registration request by administrator
Password management & policies
Configurable expiration dates
Initial passwords and change at first login
Limit of failed logon attempts
Flexible user persistence layer
LDAP directory, database or SAP system as user store
Delegated administration
User Administration
Administration GUI completely based on iViews
User Administration Functions:
Create users
Copy users
Modify users
Search for users
Assign users and groups to role(s)
User Administration
User Administration Functions (cont.):
Set or auto-create password
Set date & time for user account activation
Lock/unlock users
View user account history
Approve/deny self-registered users
Adapt attributes contained in self-registration
E-Mail notifications for specified events
Role Integration Scenario
Main Role Concepts in SAP NetWeaver
Figure: single and composite roles in ABAP-based systems (roles in transaction PFCG) on one side, portal roles in the SAP Enterprise Portal on the other.
ABAP Roles and Portal Roles: A Comparison
Authorizations
Portal Roles:
Portal roles are mainly content objects for the user interface definition and not authorization objects.
Portal roles can be used to create authorizations for the backend systems.
Authorizations must still be maintained in the backend system.
ABAP Roles:
Roles (single roles) carry the authorization information.
The Profile Generator is part of role administration in transaction PFCG.
Role Maintenance
Figure: role maintenance across the SAP Enterprise Portal (UME on Web AS Java), ABAP development systems for customizing, and the productive CUA central system with its ABAP systems. Numbered steps in the figure:
1. Portal role maintenance
2. Transfer role information
3. Authorization role maintenance (using WP3R)
4. Transport to productive systems
5. Text comparison
User Management Example
When using different SAP components, different scenarios for managing identities are possible.
The following slides describe an example with the following components:
SAP Enterprise Portal
ABAP based SAP Systems
Directory Server
User Management Using Persistence Store Directory
Figure: productive systems in which an LDAP directory is the persistence store of the UME (Web AS Java) behind the SAP Enterprise Portal and is synchronized with the ABAP system acting as CUA central system, which distributes to further ABAP systems. Numbered steps in the figure:
1. User maintenance
2. Portal role assignment
3. Synchronize user data
4. Publish role assignment
5. Authorization role assignment using transaction WP3R
Demo and Exercise
Exercises
1. Portal: Create user “teched-<Group Number>” in the portal using the Portal User Management tool. First name: teched, last name: test, E-mail: test@sap.com. (URL: http://iwdf9598.wdf.sap.corp:50000/irj)
2. CUA: Replicate this user into the CUA central system (TT1, client 200) via LDAP synchronization (use report “RSLDAPSYNC_USER” with variant “TECHED” (SA38)).
3. Portal: Assign the Portal role “sapuseradmin” to the newly created user using the Portal User Management tool.
4. Portal: Transfer the role assignment for Portal role “sapuseradmin” to the central system of the CUA.
5. CUA: Generate role assignment in CUA for your created user (teched-<Group Number>) using WP3R.
6. Verify the ABAP role assignment to the user using Transaction SU01.
7. Log on to the portal with user teched-<Group Number> and verify that you have access to the transactions.
System Information for this Exercise
SAP System Information: See Slide No. 14
SAP Enterprise Portal
URL: http://iwdf9598.wdf.sap.corp:50000/irj
User for Logon: SCUR351-<Group Number> (Group Number is provided by the speaker)
Password: demo
User to be created: teched-<Group Number>
Log on to the Portal
Step 1: Create Portal User
Enter the new user ID here: teched-<group number>
Enter a new password (2x) and memorize it for later use!
Enter first name and last name
Enter any e-mail address
Step 2: Create ABAP User with LDAP Sync I
Call transaction SA38
1. Enter report “rsldapsync_user”
2. Click execute “with variant”
3. Enter variant name “TECHED”
Step 2: Create ABAP User with LDAP Sync II
Enter “teched-<group number>”
Step 2: Create ABAP User with LDAP Sync III
You should find this entry.
Step 2: Verify User Creation I
Enter username teched-<group number>
Step 2: Verify User Creation II
The user’s master data should appear.
Step 3: Assign Role to User I
Select “Roles” and click “Start”.
Enter “sapuseradmin”.
Step 3: Assign Role to User II
1. Enter “teched-<group number>”
Choose “Users” and click “Start”
2. Select your user and click “add”
3. Click “Save”
Step 3: Assign Role to User III
You should find this message.
Step 4: Transfer User Assignment I
5. Select “TT1CLNT200”
Step 4: Transfer User Assignment II
1. Enter “sapuseradmin”
2. Click “Search”
3. Select Role
4. Click “Next”
Step 4: Transfer User Assignment III
Step 4: Transfer User Assignment IV
You should get these messages.
(Refresh, if you don’t get all the messages at the first time)
Step 5: Assign ABAP Roles to User I
Call transaction SA38
1. Enter report “wp3rolelist”
2. Click execute “with variant”
3. Enter variant name “TECHED”
Step 5: Assign ABAP Roles to User I
Enter “teched-<group number>”
Step 5: Assign ABAP Roles to User II
Step 5: Assign ABAP Roles to User III
Step 5: Assign ABAP Roles to User IV
Step 5: Assign ABAP Roles to User V
Step 5: Verify ABAP Role Assignment I
Step 5: Verify ABAP Role Assignment II
Step 6: Logon to Portal with Newly Created User I
Step 6: Logon to Portal with Newly Created User II
Step 6: Logon to Portal with Newly Created User III
Congratulations!
You have successfully created a user in your system landscape with a portal role and appropriate backend authorizations.
Summary
SAP offers a stable and widely used Central User Administration for SAP systems
SAP offers LDAP directory integration
SAP offers a User Management Engine for the Enterprise Portal
Further Information (San Diego)
Public Web:
SAP Developer Network: www.sdn.sap.com (SAP NetWeaver Platform Security)
SAP Customer Services Network: www.sap.com/services/
Related Workshops/Lectures at SAP TechEd 2004:
SCUR102, User Management and Authorizations: Overview: Wed, 2:00 PM - 6:00 PM, 31A; Fri, 8:00 AM - 12:00 PM, 30D
SCUR101, Security Basics: Tue, 1:30 PM - 2:30 PM, 2; Wed, 4:00 PM - 5:00 PM, 4
SCUR251, Single Sign-On in Heterogeneous Landscapes: Wed, 10:30 AM - 12:30 PM, 30C; Thu, 1:45 PM - 3:45 PM, 30A
SCUR202, Security Optimization Service: Wed, 9:15 AM - 10:15 AM, 6C; Thu, 9:15 AM - 10:15 AM, 9
PRTL152, Portal Roles – Roles vs. Authorizations: Wed, 1:45 PM - 3:45 PM, 30A; Thu, 8:00 AM - 10:00 AM, 30B
Related SAP Education Training Opportunities: http://www.sap.com/education/ ADM940-960
Further Information (Munich)
Public Web: www.sap.com
SAP Developer Network: www.sdn.sap.com (SAP NetWeaver Platform Security)
SAP Customer Services Network: www.sap.com/services/
Related SAP Education Training Opportunities: http://www.sap.com/education/ ADM940-960
SAP Developer Network
Look for SAP TechEd ’04 presentations and videos on the SAP Developer Network.
Coming in December.
http://www.sdn.sap.com/
Q&A
Questions?
security@sap.com
URL: http://service.sap.com/security
Please complete your session evaluation.
Be courteous — deposit your trash, and do not take the handouts for the following session.
Feedback
Thank You !
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
MaxDB is a trademark of MySQL AB, Sweden.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Copyright 2004 SAP AG. All Rights Reserved