The SAP J2EE Engine has an open service provider architecture for storing user data. In the standard system, SAP delivers multiple user stores, which include the User Management Engine (UME) and the DBMS user store. In turn, the UME can use different data sources for storing the user information. By default, the UME user store using a database as the data source is the active user store after the installation. Alternatively, you can use either a directory server or an SAP Web Application Server ABAP as the data source.
The standard users and groups are slightly different for each of these options, as shown in the sections below.
In addition, if you use UME with an SAP Web AS ABAP as the data source, then during the installation, you create a communication user to use for the connection between these two servers.
Standard Users
The standard users for each of the user store options are shown in the table below.
Description | User for UME with SAP Web AS ABAP | User for UME with Directory Server or Database | User for the DBMS User Store |
Administrator User | Specified during the installation. Example: J2EE_ADM_ This user must exist on the SAP Web AS ABAP prior to installation. For an Add-In installation this user is J2EE_ADMIN. | Administrator | Administrator |
Guest User | Specified during the installation. Example: J2EE_GST_ This user must exist on the SAP Web AS ABAP prior to installation. For an Add-In installation, this user is J2EE_GUEST. | Guest | Guest |
Emergency User | SAP* | SAP* | Not available |
Note the following:
· You assign initial passwords for these users during the installation.
Exception: When using the UME with SAP Web AS ABAP as the data source, the users must exist in the ABAP data source and you need to have changed their initial passwords prior to installation of the SAP Web AS Java.
· SAP* is the emergency user which has full administrative authorizations and can be used to reconfigure UME if the configuration is faulty and administrators and users can no longer access applications. To use this user, you must explicitly activate it and specify its password. See Activating the Emergency User.
Standard Groups
The standard groups for each user store and data source are shown in the table below:
Description | Group for UME with SAP Web AS ABAP | Group for UME with Directory Server or Database | Group for the DBMS User Store |
Administrators | Specified during the installation. Example: J2EE_ADM_ For an Add-In installation this user is SAP_J2EE_ADMIN. | Administrators | Administrators |
Guests | Specified during the installation. Example: J2EE_GST_ For an Add-In installation this user is SAP_J2EE_GUEST. | Guests | Guests |
Authenticated Users | Authenticated Users | Authenticated Users | Not available |
Anonymous Users | Anonymous Users | Anonymous Users | Not available |
Everyone | Everyone | Everyone | all |
The groups contain users as follows:
· The group of administrators contains all the users that have administrative privileges on the server or for the application. Users in this group inherit the rights to manage all the other users (including other users with administrative privileges) as well as other security settings. No other users can perform user maintenance tasks.
· The group of guest users initially contains only the standard guest user (Guest or J2EE_GST_
· The group of authenticated users contains all non-anonymous users, that is, users that have to authenticate themselves on the SAP J2EE Engine.
· The group of anonymous users contains all named anonymous users that are listed in the ume.login.guest_user.uniqueids property in the UME properties.
· The group Everyone (or all) contains all of the users and groups on the server.
You should not create groups with the names of the groups Everyone, Authenticated Users, and Anonymous Users. If you create a group with one of these names through the native user interface of your LDAP directory or database, you will not get an error message, and your user management will no longer function correctly. If you try to create a group with one of these names through the user management administration console, you will get an error message.
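Because the directory itself raises no error for these names, the check has to be run against the data source. The following is an added example, not SAP code: it scans an LDIF export for group entries whose cn is one of the three reserved names. The sample LDIF, the object classes treated as groups and the case-insensitive comparison are assumptions.

```python
import base64

# Group names the page says must not be created by hand in the data source.
RESERVED_GROUPS = {"everyone", "authenticated users", "anonymous users"}
# Assumption: object classes that mark an entry as a group in this directory.
GROUP_CLASSES = {"groupofnames", "groupofuniquenames", "group"}

def parse_ldif(text):
    """Yield one dict per LDIF entry: lowercased attribute -> list of values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]      # RFC 2849 folded continuation line
        else:
            unfolded.append(line)
    entry = {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                yield entry
            entry = {}
        elif not line.startswith("#") and ":" in line:
            attr, _, rest = line.partition(":")
            value = rest.strip()
            if rest.startswith(":"):      # "attr:: <base64>" encoded value
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            entry.setdefault(attr.lower(), []).append(value)

def find_reserved_groups(ldif_text):
    """Return DNs of group entries whose cn collides with a reserved name."""
    hits = []
    for e in parse_ldif(ldif_text):
        classes = {c.lower() for c in e.get("objectclass", [])}
        names = {" ".join(n.split()).lower() for n in e.get("cn", [])}
        if classes & GROUP_CLASSES and names & RESERVED_GROUPS:
            hits.append(e["dn"][0])
    return hits

# Constructed sample export; all DNs are made up for illustration.
SAMPLE_LDIF = """\
dn: cn=everyone,ou=groups,
 dc=example,dc=com
objectClass: groupOfNames
cn: everyone

dn: cn=Anonymous Users,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn:: QW5vbnltb3VzIFVzZXJz
"""
```

Calling find_reserved_groups(SAMPLE_LDIF) returns both DNs, including the one whose cn is base64-encoded and would be missed by a plain text search of the export.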
Communication User
User Management Engine (UME) requires communication users to access data in the user data sources:
· SAP Web AS ABAP: When using an SAP Web AS ABAP as the user data source, you specify the communication user during the installation. The standard user suggested is SAPJSF. However, if you have several J2EE Engines using the SAP Web AS ABAP as the data source, then we recommend you create system-specific communication users using the naming convention SAPJSF_
· LDAP directory: The administrator of the LDAP directory must create a user that UME can use to connect to the LDAP server. This user should have read and search permissions for all branches of the LDAP directory. If UME also needs to write to the LDAP directory, the user must additionally have create and change authorizations.
· Database: UME uses the DB pool user of the J2EE Engine and no communication user is necessary.
Additional Information
For more information about maintaining users and groups, see User Administration in the Administration Manual.