User Administration and Authentication

User Management

User management is administered by the application using TREX (for example, SAP Enterprise Portal or SAP Business Information Warehouse). TREX does not have its own user management. For more information on user management in SAP NetWeaver™ see User Authentication and Single Sign-On.

Integration in Single Sign-On Environments

TREX is integrated into the SAP Enterprise Portal single sign-on environment. This means that TREX identifies itself to the portal using an SAP Logon ticket. For more information on client authentication, see Configuration of the TREX Security Settings.


The clients that access the TREX servers identify and authorize themselves with the servers in question using client certification (TREX Java client - TREX Web server/Portal Web server – TREX preprocessor). The TREX preprocessor identifies itself to the Portal Web server using the SAP logon ticket that is stored in the configuration file topology.ini and is managed by the TREX name server. Since the TREX servers only allow access to authenticated clients, you can configure secure access to the TREX servers at a granular level for the individual clients.

There are no explicit administrator roles for TREX; there is only the user on which TREX runs, which is created during the installation of TREX. This user has the permissions necessary to carry out operations such as creating and indexing documents and triggering indexing.

Because it is a service without specific role or user concepts, TREX cannot tell whom data belongs to. All applications that connect to TREX using the TREX clients (Java client and ABAP client) have full access to all data stores within TREX. In other words, all applications with permission to access TREX also have access to all data. This means that the applications themselves have to control access to the TREX data using the TREX clients.
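The following added example (not SAP code and not part of the original documentation) sketches what application-side access control in front of a shared index can look like. FullAccessIndex, TrimmedSearch, the group names and the sample documents are hypothetical stand-ins, not TREX client APIs.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Hit:
    doc_id: str
    title: str

class FullAccessIndex:
    """Hypothetical stand-in for a shared index service: it has no user
    concept, so every caller sees every data store."""
    def __init__(self, docs):
        self._docs = docs  # doc_id -> (title, body)

    def search(self, term):
        term = term.lower()
        return [Hit(doc_id, title)
                for doc_id, (title, body) in sorted(self._docs.items())
                if term in body.lower()]

class TrimmedSearch:
    """Access control enforced by the application in front of the index."""
    def __init__(self, index, acl):
        self._index = index
        self._acl = acl  # doc_id -> set of groups allowed to read

    def search(self, term, user_groups, offset=0, limit=10):
        groups = set(user_groups)
        # Deny by default: a document with no ACL entry is never returned.
        visible = [h for h in self._index.search(term)
                   if self._acl.get(h.doc_id, set()) & groups]
        # Trim before counting and paging so totals do not reveal hidden hits.
        return {"total": len(visible), "hits": visible[offset:offset + limit]}

# Constructed sample data.
DOCS = {
    "hr/1": ("Salary bands", "salary review 2024"),
    "kb/7": ("Expense policy", "travel and salary advance rules"),
    "tmp/3": ("Unclassified draft", "salary draft"),
}
ACL = {"hr/1": {"hr"}, "kb/7": {"hr", "staff"}}  # tmp/3 has no entry

def demo():
    app = TrimmedSearch(FullAccessIndex(DOCS), ACL)
    staff = app.search("salary", ["staff"])
    hr = app.search("salary", ["hr"])
    return staff["total"], [h.doc_id for h in hr["hits"]]

if __name__ == "__main__":
    print(demo())
```

The index itself returns all three documents for the search term; only the wrapper decides what each caller may see.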

Secure use of the TREX admin tool in the SAP system

You can now grant permissions for the TREX admin tool in the SAP system, which you call up using the transaction TREXADMIN. You can control these permissions by assigning certain roles and profiles to the authorization object S_TREX_ADM.

Secure use of the TREX admin tool (stand-alone)

You can protect the TREX admin tool (stand-alone) against unauthorized use by a TREX admin tool on another machine by using two root certificates when configuring secure communication:

· A root certificate for the application that uses TREX, for example, SAP NetWeaver™ Enterprise Portal

· An additional TREX-specific root certificate

For a description of how to proceed, see SAP Note 819143 TREX 6.1/7.0: Using TREX specific root certificate.

Password for Proxy Server for Communication Between TREX Preprocessor and Web Server

The TREX preprocessor is responsible for preparing documents to be indexed by the TREX engines. The application using TREX (for example, Content Management in SAP Enterprise Portal) transfers documents to be indexed to the preprocessor in the form of URIs that reference the storage location of the documents. The preprocessor resolves these URIs and then collects the actual documents using a Web server and HTTP.

If you want to index documents that can only be accessed using a proxy server, you have to register the proxy server with the TREX preprocessor. You specified settings for the proxy server when you installed TREX. If the proxy server is protected by a password for the proxy user, you can register the password with the TREX preprocessor. The password is then automatically transmitted with the user name with every request that the preprocessor sends to the proxy server. This authenticates the preprocessor with the proxy server.

You can specify the password for the proxy user during the TREX installation. You can use a Python script to change the password later on or to define a password if you did not do so during the installation (see Specifying a Password for the Proxy Server). Passwords and user names are stored and transmitted in encrypted form.