
Importing ABAP AS Users along with their current passwords to IDM JAVA UME

yavuzaydin
Explorer

Dear Experts,

On SAP IDM 8 SP08, NW 7.5 SP22, I've followed the Configuration Guide to configure the Password Reset feature, which works fine for the users in IDM JAVA UME. Then I followed the steps to connect an ABAP AS with CUA to IDM. The connection is OK, and I can see all the ABAP AS users under the Manage tab of the IdM UI.

To import ABAP AS users to IDM JAVA UME, IDM NW was added to IDM as an ASJavaDB repository, and the initial load was executed successfully. Manually assigning *idm.authenticated and *JAVA:ONLY privileges to some users under the Manage tab of the IdM UI pushed them to IDM JAVA UME, but without their passwords in ABAP AS.

Is it possible to import ABAP AS users with their current passwords enabled in IDM JAVA UME, so that users could log in to the IdM UI with their active passwords in ABAP AS, define password reset questions, and be able to reset their password, if needed?

Appreciate any hints, or links to some notes.

Kind Regards,

Yavuz

Accepted Solutions (1)

alexanderbrietz
Active Contributor

Hi Yavuz,

AFAIK this is not possible and from a security point of view it would be critical. Passwords must not be stored in reversible encrypted form. That's why you cannot import them from AS ABAP.
Also, you should keep that in mind when thinking about distributing productive passwords using SAP IdM. Please find details in SAP IdM Security Guide - Data Storage Security - Password Provisioning:

Regards,

Alex

Answers (6)

alexanderbrietz
Active Contributor

Hi Yavuz,

if that is your goal - which I did not get in the first place... - you just have to change the UME Backend to ABAP DB. Details can be found here: Configuring the UME to Use an AS ABAP as Data Source

This is an issue of SAP NW AS Java and is called "Identity Management" as well, but it's not directly related to SAP IdM.

Regards,

Alex

todor_petrov
Contributor

Hi Yavuz,

actually there is a way to use your active ABAP passwords to authenticate to SAP IDM (e.g. SAP NW Java). The only thing you need to do is connect the local SAP NW Java UME to use ABAP as its identity store.

Then you would need some small adjustments to the initial load for the java repository and you are all set.

No need for initial passwords or anything leading to the fact that your users will have two different passwords in Java and ABAP.

BR,

Todor

yavuzaydin
Explorer
0 Kudos

Hi Alex and Todor,

It seems that the solution is to generate random passwords for each user (not sure if this is possible with the built-in functionality of IDM, or if custom development is needed) before importing them to JAVA UME, and then send the password for IDM UI login via a notification.

Kind Regards,

Yavuz

alexanderbrietz
Active Contributor

Hi Yavuz,

You could use a JavaScript with the internal function uGeneratePassword.

Regards,

Alex
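
The random initial password approach discussed above, as an added example that is not part of the thread and not SAP's code: it generates one initial password per imported user from the OS CSPRNG and flags it for change at first logon. It assumes Node.js rather than the SAP IdM script runtime, does not call uGeneratePassword (its signature is not shown in the thread), and the policy values, function names and sample user IDs are constructed for illustration.

```javascript
// Added example: runs under Node.js, not inside the SAP IdM script runtime.
const crypto = require('crypto');

// Assumed policy (not from the thread): 14 characters, at least one per class.
// Look-alike characters (I/O/l/o/0/1) are left out because the password is
// read from a notification and typed once.
const CLASSES = [
  'ABCDEFGHJKLMNPQRSTUVWXYZ',
  'abcdefghijkmnpqrstuvwxyz',
  '23456789',
  '!#$%&*+-=?@',
];
const ALPHABET = CLASSES.join('');

// crypto.randomInt draws from the CSPRNG and avoids modulo bias.
function pick(chars) {
  return chars[crypto.randomInt(chars.length)];
}

function generateInitialPassword(length = 14) {
  if (length < CLASSES.length) {
    throw new RangeError('length too short for the class policy');
  }
  // One guaranteed character per class, the rest from the full alphabet.
  const out = CLASSES.map(pick);
  while (out.length < length) out.push(pick(ALPHABET));
  // Fisher-Yates shuffle so the guaranteed characters have no fixed position.
  for (let i = out.length - 1; i > 0; i--) {
    const j = crypto.randomInt(i + 1);
    [out[i], out[j]] = [out[j], out[i]];
  }
  return out.join('');
}

// One provisioning record per imported user (hypothetical record shape).
// The plaintext exists only to be handed to the notification step.
function buildInitialCredentials(userIds) {
  return userIds.map((userId) => ({
    userId,
    initialPassword: generateInitialPassword(),
    mustChangeAtFirstLogon: true,
  }));
}

// Constructed sample user IDs; print metadata only, never the password.
for (const rec of buildInitialCredentials(['JDOE', 'ASMITH', 'MKAYA'])) {
  console.log(rec.userId, rec.initialPassword.length, rec.mustChangeAtFirstLogon);
}
```
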

yavuzaydin
Explorer
0 Kudos

Hi Alex,

Thank you for your guidance. I'll check it out.

Kind Regards,

Yavuz

yavuzaydin
Explorer
0 Kudos

Hi Alex,

I thought of switching the dataSource in UME as ABAP AS, which could work, as you've suggested, since CUA is active on the connected ABAP AS. For any ABAP AS not connected/authenticated through ABAP CUA, I guess I would still need the initial password set for users from other connected ABAP systems, as you suggested in your previous reply.

Kind Regards,

Yavuz

yavuzaydin
Explorer
0 Kudos

Hi Todor,

Thanks for your response.

Any links I can follow to configure the JAVA UME to act as the ABAP IDStore, as you've suggested?

Kind Regards,

Yavuz

yavuzaydin
Explorer
0 Kudos

Hi Alex,

I understand that, contrary to my expectation, importing users from ABAP AS to IDM JAVA UME while keeping the same password for the users is not technically possible for the password reset scenario of IDM. So, defining an initial password for users before importing them from ABAP AS to JAVA UME is a must.

Thank you for your kind response.

Kind Regards,

Yavuz