User Concept for WEB AS / JAVA
SAP Web Application Server provides the following user stores:
- User Management Engine (UME)
- Universal Description Discovery and Integration (UDDI)
- Database
By default, the UME user store is set during installation.
The User Management Engine (UME) provides central user administration for all
Java applications. The UME is completely integrated into SAP Web Application
Server Java and is used as the default user store as of SAP Web Application Server
6.40. The UME is integrated into SAP Web Application Server Java as a service.
The UME itself administers users and uses databases, directory services, or the SAP
ABAP user administration to store the data. In the UME, the term data sources is
used to refer to repositories for user data.
To display the active user store, select a server in the Visual Administrator. In the
Security Provider service, select Runtime → User Management, and choose Manage
Security Stores. If it is grayed out, you have to switch to change mode. If Activate User Store is inactive for a user store, the user store that you have just chosen is already active. To use UDDI instead of the default user store UME, use the same method and choose Activate User Store for the UDDI user store.
UME Installation Options
During the installation of an SAP Web Application Server (SAP Web AS), you can
select the following options for setting up the User Management Engine (UME):
SAP Web AS Java (without ABAP)
- The UME can be configured so that the ABAP user management of another SAP Web Application Server ABAP is used.
- The UME can be configured so that the database of this SAP Web Application Server Java is used to store user data.
SAP Web AS ABAP + Java
The UME is configured in such a way that the ABAP user management of this SAP Web Application Server is used. By default, you have read-only access to the user data in ABAP user management from the UME.
The communication between the UME and the ABAP user management is performed with the SAPJSF user. After an installation, this user has the ABAP role SAP_BC_JSF_COMMUNICATION_RO, which provides read access from the UME to the ABAP user management. You can obtain write access by adding the role SAP_BC_JSF_COMMUNICATION. SAP recommends the role SAP_BC_JSF_COMMUNICATION_RO for this user. You can only configure the use of a directory service as the data source later. In this case, it is recommended that you use the database as the data source for user data during the installation.
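An added example, not part of the original page and not SAP's own tooling: a least-privilege check for the SAPJSF role assignment described above, which ignores expired assignments and flags the write role. It assumes a CSV export of role assignments with the columns UNAME, AGR_NAME, FROM_DAT and TO_DAT (modelled on the ABAP table AGR_USERS); the sample rows, the finding codes and the function name audit_jsf_roles are constructed for illustration.

```python
import csv
import io
from datetime import date, datetime

READ_ROLE = "SAP_BC_JSF_COMMUNICATION_RO"   # role the page recommends for SAPJSF
WRITE_ROLE = "SAP_BC_JSF_COMMUNICATION"     # adds write access from the UME

# Constructed sample export; the column layout is an assumption (see lead-in).
SAMPLE_EXPORT = """UNAME,AGR_NAME,FROM_DAT,TO_DAT
SAPJSF,SAP_BC_JSF_COMMUNICATION_RO,20240101,99991231
SAPJSF,SAP_BC_JSF_COMMUNICATION,20240301,99991231
SAPJSF_OLD,SAP_BC_JSF_COMMUNICATION,20200101,20211231
JDOE,Z_SALES_CLERK,20230101,99991231
"""


def _sap_date(value, default):
    """Parse a YYYYMMDD date; an empty or all-zero value means 'unbounded'."""
    value = value.strip()
    if value in ("", "00000000"):
        return default
    return datetime.strptime(value, "%Y%m%d").date()


def audit_jsf_roles(export_text, today, comm_users=("SAPJSF",)):
    """Return sorted (user, finding) pairs for currently valid assignments."""
    active = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        role = row["AGR_NAME"].strip().upper()
        if role not in (READ_ROLE, WRITE_ROLE):
            continue
        start = _sap_date(row["FROM_DAT"], date.min)
        end = _sap_date(row["TO_DAT"], date.max)
        if start <= today <= end:  # ignore expired or not-yet-valid assignments
            active.setdefault(row["UNAME"].strip().upper(), set()).add(role)

    findings = []
    for user, roles in active.items():
        if WRITE_ROLE in roles:
            findings.append((user, "WRITE_ACCESS"))       # UME can change ABAP user data
        if user not in comm_users:
            findings.append((user, "UNEXPECTED_HOLDER"))  # not a known communication user
    for user in comm_users:
        if user not in active:
            findings.append((user, "NO_ACTIVE_ROLE"))     # no valid communication role
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit_jsf_roles(SAMPLE_EXPORT, date(2025, 1, 1)):
        print(f"{user}: {finding}")
```

A WRITE_ACCESS finding is expected where write access from the UME was enabled on purpose; the check makes that decision visible rather than judging it.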
Administration of Users (UME with ABAP User Management as data source)
- ABAP users: transaction SU01
- ABAP authorizations and roles: transaction PFCG
- Java authorizations and roles (UME roles, security roles): Visual Administrator and UME administration console
If you are using an SAP Enterprise Portal in this environment, the user administration is controlled using the portal.