SCUR351: User Management and Authorizations: The Details

Integration of SAP CUA With Active Directory


Page 1: Integration of SAP CUA With Active Directory

SCUR351:

User Management and Authorizations: The Details

Page 2: Integration of SAP CUA With Ative Directory

© SAP AG 2004, SAP TechEd / SCUR351 / 2

Contributing Speakers

TechEd San Diego:

Larry Justice, Platinum Security Consultant, SAP America

Jens Koster, Security Product Manager, SAP AG

Gerlinde Zibulski, Security Product Manager, SAP Labs LLC

TechEd Munich:

Frank Buchholz, Security Product Manager, SAP AG

Jens Koster, Security Product Manager, SAP AG

Oliver Nocon, RIG Specialist, SAP AG

Page 3

Learning Objectives

As a result of this workshop, you will be able to:

Explain and use Central User Administration (CUA)

Understand and use LDAP directory synchronization

Configure and use the User Management Engine (UME)

Page 4

User Management Overview

Central User Administration (CUA)

SAP LDAP Connector

Portal User Management

Role Integration Scenario

Summary

Page 5

User Management Overview

Central User Administration (CUA)

SAP LDAP Connector

Portal User Management

Role Integration Scenario

Summary

Page 6

Decentralized User Maintenance

Each SAP System has its own user data store

Decentralized user maintenance

Inconsistencies can occur between address data

Figure: SAP R/3 Enterprise, SAP EBP, SAP BW, SAP APO, SAP …, each with its own user data store.

Page 7

Central User Administration

Figure: a CUA central system (SAP release 4.6C or higher) connected via ALE to CUA client systems on SAP 6.x, SAP 4.6 and SAP 4.5.

Users can be administrated in central SAP system

Automatic distribution to client SAP systems

Local administration still possible (back distribution)

No inconsistencies

Central locks possible

Page 8

Central User Administration & LDAP Synchronization

Figure: the same ALE landscape, with the CUA central system (now SAP release 6.10 or higher) additionally synchronizing user data with an LDAP directory.

Page 9

CUA & LDAP Synchronization & Enterprise Portal

Figure: the previous landscape plus an Enterprise Portal with User Management Engine (UME); the directory that the CUA central system (SAP release 6.10 or higher) synchronizes with is also the UME persistence store.

Page 10

Overview User Management

Central User Administration (CUA)

SAP LDAP Connector

Portal User Management

Role Integration Scenario

Summary

Page 11

Set Up of System Infrastructure

Note that ‘system’ always means: a client in a system.

Steps to go through:

USER: Set up the ALE communication users

ALE: Define logical systems (later on, systems are always referred to by their logical system ID)

ALE: Define RFC destinations between the central system and the child systems

CUA: Switch on Central User Administration

CUA: Define field attributes

CUA: Migrate users

Page 12

TechEd: CUA System Landscape

CUA master
  Logical system name: TT1CLNT200
  RFC destinations used (central system to client system, used for user distribution):
    TT1CLNT100 with RFC user CUA_TT1_100
    TT1CLNT200 with RFC user CUA_TT1
    TT1CLNT300 with RFC user CUA_TT1_300
    TT1CLNT400 with RFC user CUA_TT1_400
  RFC user: CUA_TT1
  Roles of RFC user: SAP_BC_USR_CUA_CENTRAL, SAP_BC_USR_CUA_CLIENT, SAP_BC_USR_CUA_SETUP_CENTRAL, SAP_BC_USR_CUA_SETUP_CLIENT

CUA client
  Logical system name: TT1CLNT100
  RFC destination used (client system to central system, used for user migration and status response): TT1CLNT200 with RFC user CUA_TT1
  RFC user: CUA_TT1_100
  Roles of RFC user: SAP_BC_USR_CUA_CLIENT, SAP_BC_USR_CUA_SETUP_CLIENT

CUA client
  Logical system name: TT1CLNT300
  RFC destination used: TT1CLNT200 with RFC user CUA_TT1
  RFC user: CUA_TT1_300
  Roles of RFC user: SAP_BC_USR_CUA_CLIENT, SAP_BC_USR_CUA_SETUP_CLIENT

CUA client
  Logical system name: TT1CLNT400
  RFC destination used: TT1CLNT200 with RFC user CUA_TT1
  RFC user: CUA_TT1_400
  Roles of RFC user: SAP_BC_USR_CUA_CLIENT, SAP_BC_USR_CUA_SETUP_CLIENT

RFC users have user type ‘communication’ and belong to the user group ‘SUPER’.
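The landscape above follows a small set of rules: one destination from the central system to every client (and to itself) that logs on with that system's own RFC user, one destination from each client back to the central system, and RFC users that are communication users in group SUPER with nothing beyond the CUA roles. The following Python is an added example, not SAP code and not part of the workshop, that models the slide's landscape as plain data and checks those rules; the data classes, the finding texts and the tampered variant are this example's own assumptions.

```python
"""CUA landscape consistency check (added example, not SAP code)."""
from dataclasses import dataclass

CENTRAL_ROLES = {"SAP_BC_USR_CUA_CENTRAL", "SAP_BC_USR_CUA_SETUP_CENTRAL"}
CLIENT_ROLES = {"SAP_BC_USR_CUA_CLIENT", "SAP_BC_USR_CUA_SETUP_CLIENT"}


@dataclass
class RfcUser:
    name: str
    user_type: str       # SU01 user type, e.g. "communication" or "dialog"
    group: str           # SU01 user group
    roles: frozenset


@dataclass
class System:
    logical_name: str
    destinations: dict   # target logical system -> RFC user the destination logs on with
    rfc_user: RfcUser    # local account that remote systems log on with


def check_landscape(central, clients):
    """Return a list of findings; an empty list means the landscape is consistent."""
    findings = []
    by_name = {s.logical_name: s for s in [central, *clients]}

    # Central -> every system (itself included), logging on with that system's own RFC user.
    for target in by_name.values():
        user = central.destinations.get(target.logical_name)
        if user is None:
            findings.append(f"central has no destination to {target.logical_name}")
        elif user != target.rfc_user.name:
            findings.append(f"destination {target.logical_name} logs on as {user}, "
                            f"expected {target.rfc_user.name}")
    for stray in sorted(set(central.destinations) - set(by_name)):
        findings.append(f"central has a destination to unknown system {stray}")

    # Client -> central only, logging on with the central system's RFC user.
    for client in clients:
        if set(client.destinations) != {central.logical_name}:
            findings.append(f"{client.logical_name} must have exactly one destination, "
                            f"to {central.logical_name}")
        elif client.destinations[central.logical_name] != central.rfc_user.name:
            findings.append(f"{client.logical_name} logs on to central as "
                            f"{client.destinations[central.logical_name]}, "
                            f"expected {central.rfc_user.name}")

    # RFC user hygiene: user type, user group and least privilege.
    wanted = [(central, CENTRAL_ROLES | CLIENT_ROLES)] + [(c, CLIENT_ROLES) for c in clients]
    for system, roles in wanted:
        u = system.rfc_user
        if u.user_type != "communication":
            findings.append(f"{u.name} is a {u.user_type} user, expected communication")
        if u.group != "SUPER":
            findings.append(f"{u.name} is in group {u.group}, expected SUPER")
        for role in sorted(u.roles - roles):
            findings.append(f"{u.name} carries role {role} that CUA does not need")
        for role in sorted(roles - u.roles):
            findings.append(f"{u.name} lacks role {role}")

    # A shared RFC user means one leaked credential opens several systems.
    names = [c.rfc_user.name for c in clients]
    for name in sorted({n for n in names if names.count(n) > 1}):
        findings.append(f"RFC user {name} is reused by more than one client system")
    return findings


def teched_landscape():
    """The landscape from the slide: TT1 client 200 is central, 100/300/400 are clients."""
    def user(name, roles, user_type="communication", group="SUPER"):
        return RfcUser(name, user_type, group, frozenset(roles))
    central = System("TT1CLNT200",
                     {"TT1CLNT100": "CUA_TT1_100", "TT1CLNT200": "CUA_TT1",
                      "TT1CLNT300": "CUA_TT1_300", "TT1CLNT400": "CUA_TT1_400"},
                     user("CUA_TT1", CENTRAL_ROLES | CLIENT_ROLES))
    clients = [System(f"TT1CLNT{c}", {"TT1CLNT200": "CUA_TT1"},
                      user(f"CUA_TT1_{c}", CLIENT_ROLES)) for c in ("100", "300", "400")]
    return central, clients


def tampered_landscape():
    """Constructed bad variant: a dialog user outside SUPER with SAP_ALL on client 300."""
    central, clients = teched_landscape()
    clients[1].rfc_user = RfcUser("CUA_TT1_300", "dialog", "ADMIN",
                                  frozenset(CLIENT_ROLES | {"SAP_ALL"}))
    return central, clients


if __name__ == "__main__":
    for finding in check_landscape(*tampered_landscape()):
        print("finding:", finding)
```

Against the slide's landscape the check returns no findings; against the tampered copy it reports the dialog user type, the wrong user group and the surplus SAP_ALL role on CUA_TT1_300, which is the kind of drift worth re-checking after the SAP_BC_USR_CUA_SETUP_* roles have done their job during setup.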

Page 13

Demo and Exercise

Page 14

CUA Hands-On

In the following exercise you will review the setup of the Central User Administration:

1. Log on to the SAP System TT1 client 200 (see next slide for detailed connection data)

2. Review the definition of logical systems and the assignment of logical systems to clients in Transaction SALE.

3. Perform a connection test of RFC destination TT1CLNT300.

4. Review the CUA system landscape (Transaction SCUA). What system is the central system? What are the client systems?

5. Review the configuration for field distribution (Transaction SCUM).

6. Display Log Files for Central User Administration (Transaction SCUL).

Page 15

System Information for this Exercise

SAP System Information

SAP System ID: TT1

IP Address: 10.16.140.70

System Number: 00

Client 200

User: SCUR351-<Group Number> (Group Number provided by speaker)

Password: demo

Page 16

Review the Logical Systems I

Go into transaction SALE.

Expand the node Sending and Receiving Systems.

Expand the node Logical Systems.

Click on Define Logical Systems

Page 17

Review the Logical Systems II

You should find these entries.

Go back with the green arrow.

Page 18

Review the Logical Systems III

Click on Assign Client to Logical System.

Page 19

Review the Logical Systems IV

Display the entries for Client 100.

Page 20

Review the Logical Systems V

You should find these entries.

Page 21

Review the RFC Connections I

Go into transaction SM59.

Expand the R/3 connections node.

Double click on TT1CLNT200.

Page 22

Review the RFC Connections II

Test this connection!

Page 23

Review the RFC Connections III

Test was successful !!!

Page 24

CUA Review I: What is the CUA Landscape?

Go into transaction SCUA and click on Display.

Page 25

The CUA central system is client 200.

This CUA has three client systems: 100, 300 and 400.

CUA Review II: What is the CUA Landscape?

Page 26

Look up the Configuration for Field Distribution in CUA

Go into transaction SCUM. (Nice name, isn’t it?)

Page 27

Look up Log Files for CUA I

Go into transaction SCUL.

Select ALL.

Execute the report.

Page 28

Look up Log Files for CUA II

Messages relating to distributed objects appear according to the selection you made.

Page 29

Overview User Management

Central User Administration (CUA)

SAP LDAP Connector

Portal User Management

Role Integration Scenario

Summary

Page 30

User Management – Directory Integration

Figure: a meta-directory in the centre, connected to HR, e-mail, telephony, the operating system, other applications and Central User Administration.

Page 31

Directory Benefits

Directories serve as central repository for master data, which is used by several different applications.

Every authorized application can modify this data.

Access to this data is provided using the standardized Lightweight Directory Access Protocol (LDAP).

Hundreds of other application and hardware suppliers support this protocol.

SAP systems can be connected to such a directory to share parts of their user data or database content (e.g. HR data) with other applications.

Page 32

Information Model – Hierarchical Structure

Figure: a tree with the root ‘/’ at the top, the country entries c=GB and c=DE below it, and the organization entries o=CompuNet and o=SAP below those.

DIT: Directory Information Tree

Page 33

Information Model – Names in the Tree

c=DE
  o=SAP AG
    ou=Security Consulting
      cn=Anton Schmidt
      cn=Xaver Huber
      cn=Norbert Hofer
    ou=Sales
      cn=Kurt Wagner

cn=Anton Schmidt, ou=Security Consulting, o=SAP AG, c=DE

The way through the DIT defines the identification of an object

Absolute and relative names

Distinguished names have to be unique

Relative distinguished names are unique in their naming context
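The two naming rules above are easy to state and easy to get wrong when a directory is populated by scripts: a DN must be unique in the whole tree, while an RDN only has to be unique among its siblings, and comparison is case-insensitive for the usual naming attributes. The following Python is an added example (not from the slides, not SAP code) that parses a DN into its RDNs, including backslash and \HH escapes, builds a directory information tree from the slide's names and enforces both rules; the tree class and the extra names added to it are this example's own assumptions.

```python
"""Distinguished names and the DIT (added example, not from the slides)."""
HEX = set("0123456789abcdefABCDEF")


def split_rdns(dn):
    """Split on unescaped commas and decode escapes inside each piece (RFC 4514 subset)."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            if i + 2 < len(dn) and dn[i + 1] in HEX and dn[i + 2] in HEX:
                buf.append(chr(int(dn[i + 1:i + 3], 16)))   # \2C -> ','
                i += 3
            elif i + 1 < len(dn):
                buf.append(dn[i + 1])                        # \, -> ','
                i += 2
            else:
                raise ValueError("dangling backslash in DN")
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    parts.append("".join(buf))
    return parts


def parse_dn(dn):
    """Return [(type, value), ...] leaf first, e.g. [('cn', 'Anton Schmidt'), ('ou', ...)]."""
    rdns = []
    for piece in split_rdns(dn):
        attr, sep, value = piece.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {piece!r} in {dn!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def dn_key(dn):
    """Normalized, root-first tuple; case-insensitive as for cn, ou, o and c."""
    return tuple((t, " ".join(v.lower().split())) for t, v in reversed(parse_dn(dn)))


class DIT:
    def __init__(self):
        self.entries = set()        # keys of explicitly added entries (DN uniqueness)
        self.children = {}          # parent key -> set of child RDN keys (RDN uniqueness)

    def add(self, dn):
        key = dn_key(dn)
        if key in self.entries:
            raise ValueError(f"DN not unique: {dn}")
        self.entries.add(key)
        for depth in range(len(key)):           # register each RDN under its naming context
            self.children.setdefault(key[:depth], set()).add(key[depth])
        return key

    def rdn_is_free(self, parent_dn, rdn):
        """True if 'rdn' (e.g. 'cn=Anton Schmidt') is unused directly below parent_dn."""
        parent = dn_key(parent_dn) if parent_dn else ()
        return dn_key(rdn)[0] not in self.children.get(parent, set())


def build_slide_tree():
    """The entries drawn on the slide."""
    tree = DIT()
    for dn in ("cn=Anton Schmidt,ou=Security Consulting,o=SAP AG,c=DE",
               "cn=Xaver Huber,ou=Security Consulting,o=SAP AG,c=DE",
               "cn=Norbert Hofer,ou=Security Consulting,o=SAP AG,c=DE",
               "cn=Kurt Wagner,ou=Sales,o=SAP AG,c=DE"):
        tree.add(dn)
    return tree
```

A second cn=Anton Schmidt is accepted under ou=Sales but rejected under ou=Security Consulting, and it is still rejected when spelled CN=anton schmidt with different spacing, which is the behaviour a directory with caseIgnore matching rules shows.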

Page 34

Information Model – Object Class Hierarchy

Object class hierarchy:

top
  person: cn, givenName, sn, telephone, mail
    orgPerson: adds employeeID, title, department, function
      inetOrgPerson
        SAPaddonUM (SAP schema extension)
  orgUnit

Page 35

Information Model – Entries in the DIT

Example entry, with the kind of attribute in parentheses:

DN: CN=D505050;O=SAP-AG;C=DE
uid: naming attribute (DN)
objectClass: inetOrgPerson, sapAddOnUM (special attribute)
givenName: Max (single-value attribute)
sn: Smith (mandatory attribute)
mail: [email protected] (optional attribute)
telephoneNumber: +49-6227 7-47474 (optional attribute)
sapUserName: SMITH (SAP attribute)
sapRoles: ABC:000:sapDeveloper; XYZ:100:sapAdministrator (multi-value attribute, SAP)
modifyTimestamp: 20010730175352Z (operational attribute)

Page 36

LDAP Connector

Figure: a work process on the application server calls a function module LDAP_XXX; the call reaches the LDAP Connector over RFC, and the connector acts as LDAP client towards the LDAP server that holds the directory.

Executable LDAP_RFC, shipped since Release 4.6A

Loads the LDAP library of the operating system at runtime

Page 37

Configure LDAP Connection

1. Configure LDAP Connector

2. Enter LDAP System User Data

3. Enter LDAP Server Connection Data

4. Configure Field Mapping

Later steps in TechEd Demo Scenario:

1. Create users using Portal UME

2. Synchronize Data between Directory and SAP

Page 38

Demo and Exercise

Page 39

LDAP Hands-On

In this exercise you will prepare the LDAP connector and server, which you will use later in the course to run a user synchronization.

1. Create the RFC connection LDAP_NOVELL_GR<Group Number> for the LDAP connector (connection type: T, gateway host: iwdf5350, gateway service: sapgw00). Enter the same name as the Program ID for the registered server program.

2. Configure the LDAP connector with your newly created RFC destination and activate the connector. (Transaction LDAP, Function: Connector)

3. Make sure that the LDAP admin user TECHED-ADMIN is already configured in the system. (Transaction LDAP, Function: System Users)

4a. Create the LDAP server LDAP_NOVELL_GR<Group Number> with the data provided on the next slide. (Transaction LDAP, Function: Server Names).

4b. Import the Mapping Proposal for your server. Change the mapping for the attribute sapUsername into the attribute uid. Remove Object Class sapAddOnUM.

4c. Set the synchronization options to IMPORT for the following attributes: uid, givenName, sn. Save your server settings.

4d. Log on to your group’s LDAP server using your LDAP Connector (Transaction LDAP) and look up LDAP server entries for attributes uid and sn.
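Steps 4b and 4c decide what a later synchronization run may touch: the mapping says which directory attribute feeds which SAP user field (sapUsername remapped to uid), and the synchronization option per field says in which direction a value may flow. The following Python is an added example, not SAP code and not the RSLDAPSYNC_USER report, that reproduces that logic offline: it reads a constructed LDIF snippet built from the attributes on the ‘Entries in the DIT’ slide, applies the mapping with IMPORT/EXPORT/BOTH/NONE options, and plans which SAP users to create, update or skip. The SAP field names, the assumed sapRoles layout SID:client:role, and the use of modifyTimestamp for incremental runs are this example's own assumptions.

```python
"""Field mapping and synchronization direction for a directory import
(added example, not SAP code)."""
import base64
from datetime import datetime, timezone

MAPPING = {                                    # SAP field -> (directory attribute, option)
    "BNAME":     ("uid",             "IMPORT"),  # remapped from sapUsername in step 4b
    "FIRSTNAME": ("givenName",       "IMPORT"),
    "LASTNAME":  ("sn",              "IMPORT"),
    "TEL":       ("telephoneNumber", "NONE"),    # mapped, but not synchronized
    "ROLES":     ("sapRoles",        "EXPORT"),  # SAP stays the master; never imported
}

SAMPLE_LDIF = """\
# constructed sample entries for this example; not real directory data
dn: uid=smith,ou=users,ou=teched_test,o=corp_ldap
objectClass: inetOrgPerson
objectClass: sapAddOnUM
uid: smith
givenName: Max
sn: Smith
telephoneNumber: +49-6227 7-47474
mail: max.smith@example.com
sapRoles: ABC:000:sapDeveloper
sapRoles: XYZ:100:sapAdministrator
modifyTimestamp: 20010730175352Z

dn: uid=teched-1,ou=users,ou=teched_test,o=corp_ldap
objectClass: inetOrgPerson
uid: teched-1
givenName: teched
sn:: dGVzdA==
modifyTimestamp: 20040915120000Z
"""


def parse_ldif(text):
    """Minimal LDIF reader: folded lines, '::' base64 values, '#' comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                 # continuation of the previous line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                    # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line {line!r}")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def import_user(entry, mapping=MAPPING):
    """Build the SAP user record from the fields whose option allows import."""
    record = {}
    for field, (attr, option) in mapping.items():
        values = entry.get(attr.lower(), [])
        if option in ("IMPORT", "BOTH") and values:
            record[field] = values[0]
    if "BNAME" not in record:
        raise ValueError(f"no user name for {entry.get('dn')}")
    record["BNAME"] = record["BNAME"].upper()    # SAP user names are stored upper-case
    return record


def parse_sap_roles(values):
    """'ABC:000:sapDeveloper' -> ('ABCCLNT000', 'sapDeveloper'); assumed value layout."""
    out = []
    for v in values:
        sid, client, role = v.split(":", 2)
        out.append((f"{sid}CLNT{client}", role))
    return out


def gen_time(value):
    """GeneralizedTime as on the slide (20010730175352Z) -> aware datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def plan_sync(entries, existing, since=None, mapping=MAPPING):
    """Decide per directory entry whether to create, update or skip the SAP user."""
    plan = {"create": [], "update": {}, "skip": []}
    for entry in entries:
        if since is not None and gen_time(entry["modifytimestamp"][0]) <= gen_time(since):
            plan["skip"].append(entry["dn"][0])  # unchanged since the last run
            continue
        new = import_user(entry, mapping)
        old = existing.get(new["BNAME"])
        if old is None:
            plan["create"].append(new)
            continue
        changes = {f: (old.get(f), v) for f, v in new.items()
                   if f != "BNAME" and old.get(f) != v}
        if changes:
            plan["update"][new["BNAME"]] = changes
        else:
            plan["skip"].append(entry["dn"][0])
    return plan
```

The plan never writes sapRoles or telephoneNumber into the SAP record, however tempting the directory values look, because their options are EXPORT and NONE. In the real connector the bind is made with the system user configured under System Users (TECHED-ADMIN in this exercise), so that account only needs read access below the base entry for an import-only setup.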

Page 40

System Information for This Exercise

SAP System Information: See Slide No. 14

LDAP Server:

LDAP Connector: LDAP_NOVELL_GR<Group Number>

LDAP Server: LDAP_NOVELL_GR<Group Number>

IP-Address: 10.16.140.70

Port Number: 389

Product Name: Novell eDirectory 8.5

LDAP Version: LDAP Version 3

LDAP Application: User

Base Entry of LDAP server: ou=users, ou=teched_test, o=corp_ldap

System Logon: TECHED-ADMIN

Page 41

Create a New RFC Destination for Your LDAP Connector I

Go into transaction SM59 and click on Create.

Page 42

Create a New RFC Destination for Your LDAP Connector II

Input Values and Click Enter.

Choose the group number provided by the instructors:

LDAP_NOVELL_GR<group number>

Page 43

Create a New RFC Destination for Your LDAP Connector III

After having clicked on Enter the screen will change to this.

Enter the Program ID and save your entries.


Page 44

Configure the LDAP Connector I

Start transaction LDAP. Click on Connector.

Page 45

Configure the LDAP Connector II

Click on the Change Button.

Confirm this pop-up.

Page 46

Configure the LDAP Connector III

Click on New Entries.

Page 47

Configure the LDAP Connector IV

Choose your group’s RFC destination and choose the values above. Save your entries.

The lights should now turn green! (Otherwise click on the activate button)

Page 48

Review the Data of the LDAP Admin User I

Click on System Users.

Page 49

Review the Data of the LDAP Admin User II

You should find this data.

Go back with the green arrow twice.

Page 50

Create the LDAP Server I

Click on Server Names.

Page 51

Create the LDAP Server II

Click on the Change Button.

Page 52

Create the LDAP Server III

Click on the New Entries Button.

Page 53

Create the LDAP Server IV

1. Enter the data shown above. As the group number, choose the number provided by the instructor.

2. Save your entries.

3. Then double click on mapping.

Page 54

Create the LDAP Server V

1. Go via the menu Utilities and Import Proposals. This will import the appropriate LDAP server proposals.

2. Accept the pop-up.

Page 55

Create the LDAP Server VI


1. Remove the Object Class sapAddOnUM

2. Double click on sapUsername to change the attribute name

Page 56

Create the LDAP Server VII

Change the attribute name to the value ‘uid’ and go back twice using the green arrow

Page 57

Create the LDAP Server VIII

Double click on Synchronization

Page 58

Create the LDAP Server IX

Choose these fields to be imported from the directory.

Go back using the green arrow and save the data.

Page 59

Test the LDAP Connection I


Select your group’s LDAP server and LDAP connector.

Choose Log On to log on to your LDAP server.

Page 60

Test the LDAP Connection II

Choose “Use System User” and continue with “Execute”

Page 61

Test the LDAP Connection III

The push buttons should all be active now.

Press “Find” to search for objects in your LDAP server

Page 62

Test the LDAP Connection IV

Enter the attributes uid and sn and continue your search with Execute.

Page 63

Test the LDAP connection V

Congratulations!

The SAP system is successfully connected to the LDAP server!

Page 64

Overview User Management

Central User Administration (CUA)

SAP LDAP Connector

Portal User Management

Role Integration Scenario

Summary

Page 65

Architecture Overview – User Management Engine

Figure: applications in the SAP Enterprise Portal access user management through the User API, User Account API, Group API and Role API. Underneath is the User Management Core Layer with the Persistence Manager and the Replication Manager; Persistence Adapters connect the Persistence Manager to the User Persistence Store, which can be a database, an LDAP directory, an SAP system or an external system.

Page 66

Persistence Manager

Central place for reading and writing user-specific data

Users

Groups

Role assignments

Uses Persistence Adapters to read/write data

Supports database, LDAP directory and SAP system as repository

Figure: User Management Core Layer, Persistence Manager, Persistence Adapters, and the User Persistence Store (database, LDAP directory, SAP system).

Page 67

Type-Based Data Partitioning

Principals of different types stored in different data sources

Example: users in LDAP, groups in DB

Principal-Based Data Partitioning

Principals of the same type stored in different data sources

Example: regular users in LDAP, service users in DB

Attribute-Based Data Partitioning

Attributes of one principal stored over different data sources

Example: userId in LDAP, role assignment in DB

Figure: users and groups in different stores; Users1 and Users2 in different stores; one user's attributes split across two stores.

Data Source Configuration
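The three partitioning styles above are routing rules: given a principal type, a principal and an attribute, the persistence manager picks one data source. The following Python is an added example, not SAP's UME implementation, that builds such a manager with in-memory stand-ins for the database and LDAP adapters: users live in LDAP and groups in the database (type-based), service users live in the database although they are users (principal-based), and a user's role assignments live in the database while the rest of the user stays in LDAP (attribute-based). Marking the LDAP store read-only shows why the attribute-based split matters when the portal may not write to the corporate directory. Store names, rules and sample principals are this example's own assumptions.

```python
"""Data source partitioning in a UME-style persistence manager
(added example; not SAP's UME code)."""


class Store:
    """Stand-in for a persistence adapter (database, LDAP directory, SAP system)."""

    def __init__(self, name, read_only=False):
        self.name, self.read_only, self.data = name, read_only, {}

    def read(self, principal):
        return self.data.get(principal, {})

    def write(self, principal, attrs):
        if self.read_only:
            raise PermissionError(f"{self.name} is read-only; cannot write {sorted(attrs)}")
        self.data.setdefault(principal, {}).update(attrs)


class PersistenceManager:
    def __init__(self, stores, by_type, by_principal=None, by_attribute=None):
        self.stores = {s.name: s for s in stores}
        self.by_type = by_type                              # principal type -> store name
        self.by_principal = by_principal or (lambda ptype, pid: None)
        self.by_attribute = by_attribute or {}              # (type, attribute) -> store name

    def store_for(self, ptype, pid, attr):
        """Most specific rule wins: attribute, then principal, then type."""
        name = (self.by_attribute.get((ptype, attr))
                or self.by_principal(ptype, pid)
                or self.by_type[ptype])
        return self.stores[name]

    def locate(self, ptype, pid, attrs):
        """Which store each attribute of the principal is routed to."""
        return {a: self.store_for(ptype, pid, a).name for a in attrs}

    def write(self, ptype, pid, attrs):
        per_store = {}                                      # one write per adapter
        for attr, value in attrs.items():
            per_store.setdefault(self.store_for(ptype, pid, attr), {})[attr] = value
        for store, part in per_store.items():
            store.write((ptype, pid), part)

    def read(self, ptype, pid, attrs):
        """Reassemble one principal from the stores its attributes are spread over."""
        return {a: self.store_for(ptype, pid, a).read((ptype, pid)).get(a) for a in attrs}


def demo_manager():
    ldap = Store("ldap", read_only=True)      # corporate directory owned by another team
    db = Store("db")
    ldap.data[("user", "jdoe")] = {"uid": "jdoe", "sn": "Doe"}   # pre-existing directory user
    return PersistenceManager(
        [ldap, db],
        by_type={"user": "ldap", "group": "db"},
        by_principal=lambda ptype, pid: "db" if ptype == "user" and pid.startswith("svc_") else None,
        by_attribute={("user", "roles"): "db"},
    )
```

With this configuration a portal role assignment for jdoe is written to the database and read back together with uid and sn from the directory, while an attempt to change jdoe's surname fails, because that attribute is routed to the read-only LDAP store.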

Page 68

Special Features Enterprise Portal 6.0

Web-based user administration

End-user self-registration

User can create account in the portal

Workflow for approval of registration request by administrator

Password management & policies

Configurable expiration dates

Initial passwords and change at first login

Limit of failed logon attempts

Flexible user persistence layer

LDAP directory, database or SAP system as user store

Delegated administration

Page 69

User Administration

Administration GUI completely based on iViews

User Administration Functions:

Create users

Copy users

Modify users

Search for users

Assign users and groups to role(s)

Page 70

User Administration

User Administration Functions (cont.):

Set or auto-create password

Set date & time for user account activation

Lock/unlock users

View user account history

Approve/deny self-registered users

Adapt attributes contained in self-registration

E-Mail notifications for specified events

Page 71

Overview User Management

Central User Administration (CUA)

SAP LDAP Connector

Portal User Management

Role Integration Scenario

Summary

Page 72

Main Role Concepts in SAP NetWeaver

Single and composite roles in ABAP-based systems (roles in transaction PFCG)

Portal roles in SAP Enterprise Portal

Page 73

ABAP Roles and Portal Roles: A Comparison

Portal roles: mainly content objects for the user interface definition, not authorization objects. Portal roles can be used to create authorizations for the backend systems, but the authorizations must still be maintained in the backend system.

ABAP roles: roles (single roles) carry the authorization information. The Profile Generator is part of role administration in transaction PFCG.

Page 74

Role Maintenance

Figure: the UME (Web AS Java) of the SAP Enterprise Portal, an ABAP development system for customizing, and the productive CUA central system with its ABAP systems.

1. Portal role maintenance (in the portal)

2. Transfer role information (to the ABAP development system)

3. Authorization role maintenance (using WP3R)

4. Transport to productive systems

5. Text comparison

Page 75

User Management Example

When using different SAP components, different scenarios for managing identities are possible.

The following slides describe an example with the following components:

SAP Enterprise Portal

ABAP based SAP Systems

Directory Server

Page 76

User Management Using Persistence Store Directory

Figure: the SAP Enterprise Portal with UME (Web AS Java) uses an LDAP directory as persistence store; the productive systems are the CUA central system and its ABAP systems.

1. User maintenance (in the portal)

2. Portal role assignment

3. Synchronize user data (directory to CUA)

4. Publish role assignment

5. Authorization role assignment using transaction WP3R

Page 77

Demo and Exercise

Page 78

Exercises

1. Portal: Create user “teched-<Group Number>” in the portal using the Portal User Management tool. First name: teched, last name: test, E-mail: [email protected]. (URL: http://iwdf9598.wdf.sap.corp:50000/irj)

2. CUA: Replicate this user into the CUA central system (TT1, client 200) via LDAP synchronization (use report “RSLDAPSYNC_USER” with variant “TECHED” (SA38)).

3. Portal: Assign the Portal role “sapuseradmin” to the newly created user using the Portal User Management tool.

4. Portal: Transfer the role assignment for Portal role “sapuseradmin” to the central system of the CUA.

5. CUA: Generate role assignment in CUA for your created user (teched-<Group Number>) using WP3R.

6. Verify the ABAP role assignment to the user using Transaction SU01.

7. Log on to the portal with user teched-<Group Number> and verify that you have access to the transactions.

Page 79

System Information for this Exercise

SAP System Information: See Slide No. 14

SAP Enterprise Portal

URL: http://iwdf9598.wdf.sap.corp:50000/irj

User for Logon: SCUR351-<Group Number> (Group Number provided by the speaker)

Password: demo

User to be created: teched-<Group Number>

Page 80

Log on to the Portal

Page 81

Step 1: Create Portal User


Enter the new user ID here: teched-<group number>

Enter a new password (2x) and memorize it for later use!

Enter first name and last name

Enter any e-mail address

Page 82

Step 2: Create ABAP User with LDAP Sync I


Call transaction SA38

1. Enter report “rsldapsync_user”

2. Click execute “with variant”

3. Enter variant name “TECHED”

Page 83

Step 2: Create ABAP User with LDAP Sync II


Enter “teched-<group number>”

Page 84

Step 2: Create ABAP User with LDAP Sync III

You should find this entry.

Page 85

Step 2: Verify User Creation I


Enter username teched-<group number>

Page 86

Step 2: Verify User Creation II

The user’s master data should appear.

Page 87

Step 3: Assign Role to User I


3. Enter “sapuseradmin”

Select “Roles” and click “Start”

Page 88

Step 3: Assign Role to User II


1. Enter “teched-<group number>”

Choose “Users” and click “Start”

2. Select your user and click “add”

3. Click “Save”

Page 89

Step 3: Assign Role to User III

You should find this message.

Page 90

Step 4: Transfer User Assignment I

5. Select “TT1CLNT200”

Page 91

Step 4: Transfer User Assignment II


1. Enter “sapuseradmin”

2. Click “Search”

3. Select Role

4. Click “Next”

Page 92

Step 4: Transfer User Assignment III

Page 93

Step 4: Transfer User Assignment IV

You should get these messages.

(Refresh, if you don’t get all the messages at the first time)

Page 94

Step 5: Assign ABAP Roles to User I

Call transaction SA38

1. Enter report “wp3rolelist”

2. Click execute “with variant”

3. Enter variant name “TECHED”

Page 95

Step 5: Assign ABAP Roles to User I


2. Enter “teched-<group number>”

Page 96

Step 5: Assign ABAP Roles to User II

Page 97

Step 5: Assign ABAP Roles to User III

Page 98

Step 5: Assign ABAP Roles to User IV

Page 99

Step 5: Assign ABAP Roles to User V

Page 100

Step 5: Verify ABAP Role Assignment I

Page 101

Step 5: Verify ABAP Role Assignment II

Page 102

Step 6: Logon to Portal with Newly Created User I

Page 103

Step 6: Logon to Portal with Newly Created User II

Page 104

Step 6: Logon to Portal with Newly Created User III

Congratulations!!!

You have successfully created a user in your system landscape with a portal role and appropriate backend authorizations.

Page 105

Overview User Management

Central User Administration (CUA)

SAP LDAP Connector

Portal User Management

Role Integration Scenario

Summary

Page 106

SAP offers a stable and widely used Central User Administration for SAP systems

SAP offers LDAP directory integration

SAP offers a User Management Engine for the Enterprise Portal

Summary

Page 107

Further Information (San Diego)

Public Web:

SAP Developer Network: www.sdn.sap.com (SAP NetWeaver Platform Security)

SAP Customer Services Network: www.sap.com/services/

Related Workshops/Lectures at SAP TechEd 2004:

SCUR102, User Management and Authorizations: Overview (Wed, 2:00 PM - 6:00 PM, 31A; Fri, 8:00 AM - 12:00 PM, 30D)

SCUR101, Security Basics (Tue, 1:30 PM - 2:30 PM, 2; Wed, 4:00 PM - 5:00 PM, 4)

SCUR251, Single Sign-On in Heterogeneous Landscapes (Wed, 10:30 AM - 12:30 PM, 30C; Thu, 1:45 PM - 3:45 PM, 30A)

SCUR202, Security Optimization Service (Wed, 9:15 AM - 10:15 AM, 6C; Thu, 9:15 AM - 10:15 AM, 9)

PRTL152, Portal Roles – Roles vs. Authorizations (Wed, 1:45 PM - 3:45 PM, 30A; Thu, 8:00 AM - 10:00 AM, 30B)

Related SAP Education Training Opportunities: http://www.sap.com/education/ (ADM940-960)

Page 108

Further Information (Munich)

Public Web: www.sap.com

SAP Developer Network: www.sdn.sap.com (SAP NetWeaver Platform Security)

SAP Customer Services Network: www.sap.com/services/

Related SAP Education Training Opportunities: http://www.sap.com/education/ (ADM940-960)

Page 109

SAP Developer Network

Look for SAP TechEd ’04 presentations and videos on the SAP Developer Network.

Coming in December.

http://www.sdn.sap.com/

Page 110

Q&A

Questions?

[email protected]

URL: http://service.sap.com/security

Page 111

Please complete your session evaluation.

Be courteous — deposit your trash, and do not take the handouts for the following session.

Feedback

Thank You !

Page 112

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Copyright 2004 SAP AG. All Rights Reserved