
use the roles from bw system in the portal

Former Member
0 Kudos

Hi

Now we maintain the users in the portal from the Active Dictionary.

I want to assign the roles of the BW system in the portal to the users.

When I asked a Basis person, he said that we can't do it because we need to change our work to ABAP generator and stop using the Active Dictionary.

Does somebody know another way?

tnx

oren

15 REPLIES 15

tim_alsop
Active Contributor
0 Kudos

Hi,

Can I assume you mean "Active Directory" and not "Active Dictionary"? The Active Directory product is a Microsoft product and often used for authentication of users accessing the Portal. When this is done, the roles and profiles are not involved and they are maintained in the same way as if Active Directory was not used for authentication. With this in mind, I cannot see why you would have to stop using Active Directory to change/assign roles to a user.

Thanks,

Tim

Former Member
0 Kudos

Hi

Have you implemented the CUA and SSO to log in to BW and Portal?

Regards

0 Kudos

First of all, thank you!

Second, I see that I wasn't clear enough.

I meant that I want to see the roles of the BW system in the portal as a group.

oren

0 Kudos

Oren,

I think I understand better now. Thanks for explaining.

If you are using the SAP SPNEGO Login Module to allow you to use Active Directory (Kerberos protocol) for authentication to the portal, this Login Module requires you to configure Active Directory as a UME data source, but you want to use the data source of your BW system in order for you to manage your roles from the user roles from the portal?

Is the above correct? If so, I think I have a solution for you which will allow you to have UME configured to use BW user data source, but still use Active Directory for authentication. Please let me know if I understand correctly, then I will give more details and explain how this can be done. If I have misunderstood, then please can you explain which part of my above explanation is wrong.

Cheers,

Tim

Former Member
0 Kudos

I think that you understood me, but I am sorry, I want to be clearer than before.

I will tell you what my problem is.

Today we give users authorization on each system:

a) ECC, BW and CRM - with the org. management.

b) portal - by assigning the group to users (that are created in the Active Directory)

Because of this situation, in order to give a user the appropriate authorization, I need to assign him to a position in the BW org. management and to add him to a group in the portal.

I thought that I can assign the user in the org. management in the BW, and assign the role (of the portal) to a group that the role of BW created.

tnx again

oren

0 Kudos

Oren,

I think there are two options:

1. You could continue with the current approach and manage roles using Active Directory group membership, and roles for other systems using org. management.

2. You could implement a login module for the portal so that users can authenticate via Active Directory, but not use group membership for roles. This would be done by using UME with ABAP datasource instead of using Active Directory as a UME datasource.

It seems to me that the issue is that you are using a different method of authentication with portal and so you have moved the management of roles to AD using group membership - this is not a problem for some companies, and has some advantages, but for you it seems it is not an ideal setup. Maybe it is worth considering alternatives.

Thanks,

Tim

Former Member
0 Kudos

Hi Tim

I didn't understand your answer...

You said that I can't manage the users in AD? If I want to see the BW roles in the portal (as a group).

I heard today that there is a new tool that can support it, it's called Identity Management... are you familiar with that?

cheers

oren

0 Kudos

Oren,

If I understand the options correctly, then you can authenticate using AD and roles can either be managed in AD (as they are now) or you can manage roles in SAP instead if you prefer.

Is it clearer now?

Yes, I know about the SAP IdM product. It was acquired by SAP when they bought a company called MaxWare. From what you have said so far though, I don't think this is what you are looking for.

Thanks,

Tim

tim_alsop
Active Contributor
0 Kudos

> I want to assign the roles of the BW system in the portal to the users.

Effectively what you are asking to do is move your management of roles/authorisations to ABAP using UME, since you do not want to manage roles using Active Directory group membership for access to BW.

> When I asked a Basis person, he said that we can't do it because we need to change our work to ABAP generator and stop using the Active Dictionary.

Yes, I think your basis person was correct. However, you can still use Active Directory for authentication of users to the portal.

> Does somebody know another way?

No, sorry. I think you only have one solution.

> tnx

> oren

Former Member
0 Kudos

I got the point and I will check the IDM option more.

tnx you all

0 Kudos

Oren,

I think you will find that the IdM solution will only help you with central user management, and not role/authorisation management.

Thanks,

Tim

0 Kudos

I really appreciate that, I will check it anyway.

tnx

0 Kudos

Hi Tim and Oren,

If I may invite myself to join your (already answered) discussion; I have also started to look into the IdM topics.

My understanding is that IdM is independent of CUA (though Tim might not have intended any similarity when mentioning "central user management").

On the contrary... "local only user data", "pass the buck selectively user data" and to some extent other "trusted chains of user data" defeat the concept of an enterprise wide IdM which makes the front end identities, the back end resources and the authorization mechanisms (minimum via role names) all transparent to the IdM.

Cheers,

Julius

0 Kudos

After-thought: A pre-requisite is that your backend roles are conceptually consistent and do only that which they are described to do.

0 Kudos

> My understanding is that IdM is independent of CUA (though Tim might not have intended any similarity when mentioning "central user management").

Yes, you are correct... I was not relating IdM to SAP CUA, but trying to refer to IdM as a tool typically used for user enrollment, adding users centrally and then expecting the user to be added to each system/application required based on their role (e.g. job function). The scope of IdM often extends across many applications, and the products now available from SAP also have functionality outside of SAP products for registering and managing user identities in various applications and systems. Often IdM products are referred to as roles based user management tools.

I think we are in agreement that the management of roles/authorisations is often not part of the scope for an enterprise wide IdM solution, and certainly from what I have seen of the product which SAP acquired from MaxWare this is not included, but I may have been mistaken.

In conclusion - IdM is not the solution to the problem described in this thread.

Thanks,

Tim