LDAP Directory with ABAP System(s)

Description

Data synchronization is set up between the directory service and the ABAP Central User Administration (CUA) central system. The synchronization direction depends on whether the directory service or the CUA central system is the leading system. The ABAP CUA central system distributes the data to the ABAP CUA child systems. In this example, a J2EE Engine is connected to a CUA child system (either as a standalone or as an Add-In) and a non-SAP system is connected to the directory service.

If you have only one ABAP system in your system landscape, you do not need CUA: the ABAP system can be connected directly to the directory service. With several ABAP systems this approach means setting up and running a separate synchronization of the user data for each system, and the system-specific ABAP authorization role assignments are also usually not administered through the directory service. We therefore recommend administering multiple ABAP systems with a CUA and connecting only the CUA central system directly to the LDAP directory. The synchronized data is then distributed from the central system to the child systems, and the central system is used to administer the system-specific ABAP authorization role assignments. See Synchronization of SAP User Administration with an LDAP-Compatible Directory Service.

The user password is not transferred from the SAP NetWeaver AS to the directory service during the synchronization of the user data. You must therefore maintain user passwords separately on both sides, in the CUA and in the directory service.

As an alternative, you can manage passwords centrally in the directory service if you configure the UME to use the directory service as its data source, as described in LDAP Directory with J2EE Engine(s). Users then log on through the UME, which authenticates them against the directory service and issues a logon ticket; with this ticket they access all other systems with Single Sign-On. In this case, all systems must be configured to accept logon tickets.
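The synchronization rules described above (the leading system wins for the synchronized attributes, passwords never cross the boundary, and ABAP role assignments stay in the CUA central system) are easiest to see on a small model. The following Python is an added illustration and not SAP's synchronization program or any SAP API: the attribute names, the mapping and the two sample user populations are assumptions constructed for the example.

```python
"""Model of user synchronization between an LDAP directory and a CUA
central system. Added illustration only: attribute names, the mapping
and the sample users are assumptions, not SAP's synchronization program."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Attributes the assumed mapping carries from the leading to the following system.
SYNCED_ATTRIBUTES = ("first_name", "last_name", "email")
# Attributes that stay local: passwords are maintained on each side separately,
# ABAP role assignments only in the CUA central system.
LOCAL_ONLY = ("password", "roles")


@dataclass
class UserRecord:
    uid: str
    attrs: Dict[str, object] = field(default_factory=dict)


def synchronize(leading: Dict[str, UserRecord],
                following: Dict[str, UserRecord]) -> List[str]:
    """Copy SYNCED_ATTRIBUTES from the leading to the following system.

    Users unknown on the following side are created there. LOCAL_ONLY
    attributes are never read from the leading record, so a created user
    has no password and no roles until they are set locally.
    """
    log: List[str] = []
    for uid, src in leading.items():
        if uid not in following:
            following[uid] = UserRecord(uid)
            log.append(f"{uid}: created on following side, password unset")
        dst = following[uid]
        for attr in SYNCED_ATTRIBUTES:
            if attr in src.attrs and dst.attrs.get(attr) != src.attrs[attr]:
                dst.attrs[attr] = src.attrs[attr]
                log.append(f"{uid}: {attr} set to {src.attrs[attr]!r}")
    return log


def audit(directory: Dict[str, UserRecord],
          cua: Dict[str, UserRecord]) -> List[str]:
    """List synchronized attributes that differ between the two sides.

    After a run, only users present solely on the non-leading side remain
    here; those are orphans an administrator has to deal with by hand.
    """
    findings: List[str] = []
    for uid in sorted(directory.keys() | cua.keys()):
        d = directory.get(uid, UserRecord(uid)).attrs
        c = cua.get(uid, UserRecord(uid)).attrs
        for attr in SYNCED_ATTRIBUTES:
            if d.get(attr) != c.get(attr):
                findings.append(
                    f"{uid}: {attr} differs (directory {d.get(attr)!r}, cua {c.get(attr)!r})")
    return findings


def sample_landscape() -> Tuple[Dict[str, UserRecord], Dict[str, UserRecord]]:
    """Constructed sample data: two directory users, two CUA users, one overlap."""
    directory = {
        "alice": UserRecord("alice", {"first_name": "Alice", "last_name": "Adams",
                                      "email": "alice@example.test",
                                      "password": "{SSHA}dir-hash-1"}),
        "bob": UserRecord("bob", {"first_name": "Bob", "last_name": "Brown",
                                  "email": "bob@example.test",
                                  "password": "{SSHA}dir-hash-2"}),
    }
    cua = {
        "alice": UserRecord("alice", {"first_name": "Alice", "last_name": "Adams",
                                      "email": "alice.old@example.test",
                                      "password": "abap-hash-1",
                                      "roles": ["Z_FI_DISPLAY"]}),
        "carol": UserRecord("carol", {"first_name": "Carol", "last_name": "Cole",
                                      "email": "carol@example.test",
                                      "password": "abap-hash-3",
                                      "roles": ["Z_HR_ADMIN"]}),
    }
    return directory, cua


def run(leading_system: str):
    """Synchronize the sample landscape in the direction set by the leading system."""
    directory, cua = sample_landscape()
    if leading_system == "directory":
        log = synchronize(directory, cua)
    elif leading_system == "cua":
        log = synchronize(cua, directory)
    else:
        raise ValueError("leading_system must be 'directory' or 'cua'")
    return directory, cua, log, audit(directory, cua)


if __name__ == "__main__":
    for leading in ("directory", "cua"):
        _, _, log, findings = run(leading)
        print(f"--- {leading} leading ---")
        print("\n".join(log + [f"AUDIT {f}" for f in findings]))
```

Run it once with the directory leading and once with the CUA leading: in both directions the newly created user has no password on the following side, the user that exists on both sides keeps its local password and its ABAP roles while its e-mail address follows the leading system, and the audit reports the user that exists only on the non-leading side, which is the case an administrator has to resolve manually.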

Prerequisites

The configuration of the ABAP data source must be supported (see J2EE Engine with ABAP Data Source).

Administration of the User Data Without an Enterprise Portal

Object: User
Recommended tool:
· If you already administer the users in an LDAP directory with an LDAP administration tool, you can continue to use this tool.
· Use the user maintenance (transaction SU01) of the CUA central system (see User Maintenance with Active Central User Administration). Note that no passwords are synchronized when user data is synchronized from the CUA central system to an LDAP directory.

Object: ABAP roles
Recommended tool: Role administration (transaction PFCG) of the CUA child systems.

Object: UME roles and J2EE security roles
Recommended tool: Administer the UME roles with the UME administration console and the J2EE security roles with the Visual Administrator. Both tools are part of SAP Web AS Java. You can integrate the Java-based authorizations of the J2EE security roles and the UME roles with the ABAP roles (see Integration of UME Roles with SAP Roles).

Object: Role assignment
Recommended tool: Assign ABAP roles to the users in the CUA central system (see Assigning Roles).

Administration of the User Data with an Enterprise Portal

Object: User
Recommended tool:
· If you already administer the users in an LDAP directory with an LDAP administration tool, you can continue to use this tool.
· Alternatively, you can use the Portal Tools.

Object: ABAP roles
Recommended tool: Role administration (transaction PFCG) of the CUA child systems.

Object: UME roles and J2EE security roles
Recommended tool: Administer the UME roles with the UME administration console and the J2EE security roles with the Visual Administrator. Both tools are part of SAP Web AS Java.

Object: Portal roles and user-role assignments
Recommended tool: Use the Portal Tools.

If J2EE Engines are also connected to the ABAP systems, these are administered using the tools described under J2EE Engine with ABAP Data Source.

Installation

· If necessary, set up the Central User Administration.

· Set up an LDAP directory in accordance with the product documentation.

· Set up the synchronization of the user data between the directory and the CUA central system.

· Set up the J2EE Engines.