Integration of SAP CUA With Ative Directory

SCUR351:

User Management and Authorizations: The Details

Contributing Speakers

TechEd San Diego:

Larry JusticePlatinum Security Consultant, SAP America

Jens KosterSecurity Product Manager, SAP AG

Gerlinde ZibulskiSecurity Product Manager, SAP Labs LLC

TechEd Munich:

Frank BuchholzSecurity Product Manager, SAP AG

Jens KosterSecurity Product Manager, SAP AG

Oliver NoconRIG Specialist, SAP AG

Learning Objectives

As a result of this workshop, you will be able to:

Explain and use Central User Administration (CUA)

Understand and use LDAP directory synchronization

Configure and use the User Management Engine (UME)

User Management Overview

Central User Administration (CUA)

SAP LDAP Connector

Portal User Management

Role Integration Scenario

Summary

User Management Overview

SAP LDAP Connector

Summary

Decentralized User Maintenance

Each SAP System has its own user data store

Decentralized user maintenance

Inconsistencies can occur between address data

SAP R/3Enterprise

SAPEBP

SAPAPO

SAP…

CUA central system SAP release as of 4.6C

ALE ALE

SAP 6.xCUA client

SAP 4.6CUA client

SAP 4.5CUA client

Central User Administration

Users can be administrated in central SAP system

Automatic distribution to client SAP systems

Local administration still possible (back distribution)

No inconsistencies

Central locks possible

LDAPsynchronization

CUA central system SAP release as of 6.10

ALE ALE

SAP 6.xCUA client

SAP 4.6CUA client

SAP 4.5CUA client

Directory

Executable LDAP_RFC shipped since Release 4.6A

Loads LDAP Library of operating system at runtime

LDAP Connector

Configure LDAP Connection

1. Configure LDAP Connector

2. Enter LDAP System User Data

3. Enter LDAP Server Connection Data

4. Configure Field Mapping

Later steps in TechEd Demo Scenario:

1. Create users using Portal UME

2. Synchronize Data between Directory and SAP

DemoandExercise

LDAP Hands-On

In this exercise you will prepare the LDAP connector and server, which you will use later in the course to run a user synchronization.

1. Create the RFC connection LDAP_NOVELL_GR<Group Number> for the LDAP connector (connection type: T, gateway host: iwdf5350, gateway service: sapgw00). Enter the same name as the Program ID for the registered server program.

2. Configure the LDAP connector with your newly created RFC destination and activate the connector. (Transaction LDAP, Function: Connector)

3. Make sure that the LDAP admin user TECHED-ADMIN is already configured in the system. (Transaction LDAP, Function: System Users)

4a. Create the LDAP server LDAP_NOVELL_GR<Group Number> with the data provided on the next slide. (Transaction LDAP, Function: Server Names).

4b. Import the Mapping Proposal for your server. Change the mapping for the attribute sapUsername into the attribute uid. Remove Object Class sapAddOnUM.

4c. Set the synchronization options to IMPORT for the following attributes: uid, givenName, sn. Save your server settings.

4d. Log on to your group’s LDAP server using your LDAP Connector (Transaction LDAP) and look up LDAP server entries for attributes uid and sn.

System Information for This Exercise

SAP System Information: See Slide No. 14

LDAP Server:

LDAP Connector: LDAP_NOVELL_GR<Group Number>

LDAP Server: LDAP_NOVELL_GR<Group Number>

IP-Address: 10.16.140.70

Port Number: 389

Product Name: Novell eDirectory 8.5

LDAP Version: LDAP Version 3

LDAP Application: User

Base Entry of LDAPserver: ou=users, ou=teched_test, o=corp_ldap

System Logon: TECHED-ADMIN

Create a New RFC Destination for Your LDAP Connector I

Go into transaction SM59 and click on Create.

Create a New RFC Destination for Your LDAP Connector II

Input Values and Click Enter.

Choose the group number provided by the instructors:

LDAP_NOVELL_GR<group number>

Create a New RFC Destination for Your LDAP Connector III

After having clicked on Enter the screen will change to this.

Enter the Program ID and save your entries.

Configure the LDAP Connector I

Start transaction LDAP. Click on Connector.

Configure the LDAP Connector II

Click on the Change Button.

Confirm this pop-up.

Configure the LDAP Connector III

Click on New Entries.

Configure the LDAP Connector IV

Choose your group’s RFC destination and choose the values above. Save your entries.

The lights should now turn green! (Otherwise click on the activate button)

Review the Data of the LDAP Admin User I

Click on System Users.

Review the Data of the LDAP Admin User II

You should find this data.

Go back with the green arrow twice.

Create the LDAP Server I

Click on Server Names.

Create the LDAP Server II

Click on the Change Button.

Create the LDAP Server III

Click on the New Entries Button.

Create the LDAP Server IV

1. Enter the data shown above. As the group number, choose the number provided by the instructor.

2. Save your entries.

3. Then double click on mapping.

Create the LDAP Server V

1. Go via the menu Utilities and Import Proposals. This will import the appropriate LDAP server proposals.

2. Accept the pop-up.

Create the LDAP Server VI

1. Remove the Object Class sapAddOnUM

2. Double click on sapUsername to change the attribute name

Create the LDAP Server VII

Change the attribute name to the value ‘uid’ and go back twice using the green arrow

Create the LDAP Server VIII

Double click on Synchronization

Create the LDAP Server VIII

Choose these fields to be imported from the directory.

Go back using the green arrow and save the data.

Test the LDAP Connection I

Select you group’s LDAP server and LDAP connector.

Choose Log On to log on to your LDAP server.

Test the LDAP Connection II

Choose “Use System User” and continue with “Execute”

Test the LDAP Connection III

The push buttons should all be active now.

Press “Find” to search for objects in your LDAP server

Test the LDAP Connection IV

Enter the attributes uid and snand continue your search with Execute.

Test the LDAP connection V

Congratulations!

The SAP system is successfully connected to the LDAP server!

SAP LDAP Connector

Summary

SAP Enterprise

Portal

Applications Accessing User Management

User Management Core Layer

Persistence Manager

Database

Replication Manager

LDAP Directory

SAP System

External System

Persistence Adapters

User API

User Account

Group API

Role API

Architecture Overview – User Management Engine

User Persistence Store

Persistence Manager

Central place for reading and writing user-specific data

Groups

Role assignments

Uses Persistence Adapters to read/write data

Supports database, LDAP directory and SAP system as repository

User Management Core Layer

Persistence Manager

DatabaseLDAP

DirectorySAP

System

Persistence Adapters

User Persistence Store

Type-Based Data Partitioning

Principals of different types stored in different data sources

Example: users in LDAP, groups in DB

Principal-Based Data Partitioning

Principals of the same type stored in different data sources

Example: regular users in LDAP, service users in DB

Attribute-Based Data Partitioning

Attributes of one principal stored over different data sources

Example: userId in LDAP, role assignment in DB

Users Groups

Users1 Users2

Users Users

Data Source Configuration

Special Features Enterprise Portal 6.0

Web-based user administration

End-user self-registration

User can create account in the portal

Workflow for approval of registration request by administrator

Password management & policies

Configurable expiration dates

Initial passwords and change at first login

Limit of failed logon attempts

Flexible user persistence layer

LDAP directory, database or SAP system as user store

Delegated administration

User Administration

Administration GUI completely based on iViews

User Administration Functions:

Create users

Copy users

Modify users

Search for users

Assign users and groupsto role(s)

User Administration

User Administration Functions (cont.):

Set or auto-create password

Set date & time for user account activation

Lock/unlock users

View user account history

Approve/deny self-registered users

Adapt attributes contained in self-registration

E-Mail notifications for specified events

SAP LDAP Connector

Summary

Main Role Concepts in SAP NetWeaver

Single and CompositeRoles in

ABAP-basedSystems

PortalRoles

SAP Enterprise Portal

Roles in ABAP-based Systems(Roles in Transaction PFCG)

ABAP Roles and Portal Roles: A Comparison

Authorizations

Portal Roles are mainly content objects for the user interface definition and not authorization objects.

Portal roles can be used to create authorizations for the backend systems.

Authorizations must still be maintained in the backend system.

Roles (single roles) carry the authorization information.

The Profile Generator is part of role administration in transaction PFCG.

Portal RolesABAP Roles

UME(Web AS Java)

SAP Enterprise

Portal

Role Maintenance

ABAP System

Productive CUA central system

ABAP System

Development systems for customizing

Portal Role Maintenance

TransferRole Information

Text Comparison

Transport to productive systems

Authorization Role

Maintenance(using WP3R)

User Management Example

When using different SAP components, different scenarios for managing identities are possible.

The following slides describe an example with the following components:

ABAP based SAP Systems

Directory Server

ABAP System

LDAP Directory

UME(Web AS Java)

SAP Enterprise

Portal

1. User Maintenance

3. Synchronize User Data

2. Portal Role Assignment

5. Authorization Role Assignment using transaction

4. Publish Role Assignment

User Management Using Persistence Store Directory

Productive Systems

DemoandExercise

Exercises

1. Portal: Create user “teched-<Group Number>” in the portal using the Portal User Management tool. First name: teched, last name: test, E-mail: test@sap.com.( URL: http://iwdf9598.wdf.sap.corp:50000/irj )

2. CUA: Replicate this user into the CUA central system (TT1, client 200) via LDAP synchronization (use report “RSLDAPSYNC_USER” with variant “TECHED” (SA38)).

3. Portal: Assign the Portal role “sapuseradmin” to the newly created user using the Portal User Management tool.

4. Portal: Transfer the role assignment for Portal role “sapuseradmin” to the central system of the CUA.

5. CUA: Generate role assignment in CUA for your created user (teched-<Group Number>) using WP3R.

6. Verify the ABAP role assignment to the user using Transaction SU01.

7. Log on to the portal with user teched-<Group Number> and verify that you have access to the transactions.

System Information for this Exercise

SAP System Information: See Slide No. 14

URL: http://iwdf9598.wdf.sap.corp:50000/irj

User for Logon: SCUR351-<Group Number>(Group Number is provided by referent)

Password: demo

User to be created: teched-<Group Number>

Log on to the Portal

Step 1: Create Portal User

Enter the new user ID here: teched-<group number>

Enter a new password (2x) and memorize it for later use!

Enter first name and last name

Enter any e-mail address

Step 2: Create ABAP User with LDAP Sync I

Call transaction SA38

1. Enter report “rsldapsync_user”

2. Click execute “with variant”

3. Enter variant name “TECHED”

Step 2: Create ABAP User with LDAP Sync II

Enter “teched-<group number>”

Step 2: Create ABAP User with LDAP Sync III

You should find this entry.

Step 2: Verify User Creation I

Enter username teched-<group number>

Step 2: Verify User Creation II

The user’s master data should appear.

Step 3: Assign Role to User I

3. Enter “sapuseradmin”

Select “Roles” and click “Start”

Step 3: Assign Role to User II

1. Enter “teched-<group number>”

Choose “Users” and click “Start”

2. Select your user and click “add”

3. Click “Save”

Step 3: Assign Role to User III

You should find this message.

Step 4: Transfer User Assignment I

5 Select “TT1CLNT200”

Step 4: Transfer User Assignment II

1. Enter “sapuseradmin”

2. Click “Search”

3. Select Role

4. Click “Next”

Step 4: Transfer User Assignment III

Step 4: Transfer User Assignment IV

You should get these messages.

(Refresh, if you don’t get all the messages at the first time)

Step 5: Assign ABAP Roles to User I

Call transaction SA38

1. Enter report “wp3rolelist”

2. Click execute “with variant”

3. enter variant name “TECHED”

Step 5: Assign ABAP Roles to User I

2. Enter “teched-<group number>”

Step 5: Assign ABAP Roles to User II

Step 5: Assign ABAP Roles to User III

Step 5: Assign ABAP Roles to User IV

Step 5: Assign ABAP Roles to User V

Step 5: Verify ABAP Role Assignment I

Step 5: Verify ABAP Role Assignment II

Step 6: Logon to Portal with Newly Created User I

Step 6: Logon to Portal with Newly Created User II

Step 6: Logon to Portal with Newly Created User III

Congratulations!!!

You have successfully created a user in your system landscape with a portal role and appropriate backend authorizations.

SAP LDAP Connector

Summary

SAP offers a stable and widely used Central User Administration for SAP systems

SAP offers LDAP directory integration

SAP offers a User Management Engine for the Enterprise Portal

Summary

Further Information (San Diego)

Public Web:

SAP Developer Network: www.sdn.sap.com SAP Netweaver Platform Security

SAP Customer Services Network: www.sap.com/services/

Related Workshops/Lectures at SAP TechEd 2004SCUR102, User Management and Authorizations: OverviewWed, 2:00 PM - 6:00 PM, 31A

Fri, 8:00 AM - 12:00 PM, 30D

SCUR101, Security BasicsTue, 1:30 PM - 2:30 PM, 2Wed, 4:00 PM - 5:00 PM, 4

SCUR251, Single Sign-On in Heterogeneous LandscapesWed, 10:30 AM - 12:30 PM, 30CThu, 1:45 PM - 3:45 PM, 30A

SCUR202, Security Optimization ServiceWed, 9:15 AM - 10:15 AM, 6CThu, 9:15 AM - 10:15 AM, 9

PRTL152, Portal Roles – Roles vs. AuthorizationsWed, 1:45 PM - 3:45 PM, 30AThu, 8:00 AM - 10:00 AM, 30B

Related SAP Education Training Opportunitieshttp://www.sap.com/education/ ADM940-960

Further Information (Munich)

Public Web:www.sap.comSAP Developer Network: www.sdn.sap.com SAP Netweaver Platform Security

SAP Customer Services Network: www.sap.com/services/

Related SAP Education Training Opportunitieshttp://www.sap.com/education/ ADM940-960

SAP Developer Network

Look for SAP TechEd ’04 presentations and videos on the SAP Developer Network.

Coming in December.

http://www.sdn.sap.com/

Questions?

security@sap.com

URL: http://service.sap.com/security

Please complete your session evaluation.

Be courteous — deposit your trash, and do not take the handouts for the following session.

Feedback

Thank You !

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Integration of SAP CUA With Ative Directory

Documents

Transcript of Integration of SAP CUA With Ative Directory

FSA1 cua Tu

CUA 2012 : Final Programme

CUA LSC 747_2011

SAP CUA Security

CASE OF CUA

Quan Su Cua My

CUA With Web AS_eBook

Chuyen cua chu gian

Ative Structural Control for Frame Seismic Vibrations

CUA LSC 888_2011

Mannella Cua 0043A 10074display

41456-043: Cua Lo Water Supply Subproject Resettlement …Cua Lo Water Supply Subproject Prepared by Cua Lo Water Supply Company for the Asian Development Bank. ... Resettlement Due

CRE ATIVE ONIT DIGITAL - GitHub Pages

Physics Library at CUA

Plan de Marketing Final Cua Cua

Cua flip'n introduction - show

ALTERN ATIVE GRI-FOOD NETWORKS: CONVERGENCES AND ...

ATIVE SIGNERS OF THE TAXPAYER PROTECTION PLEDGE

CUA Configuration Steps

2007 CUA Engineer