
How to store different users in different datastores (UME/AD)

Hello everyone!

There is a challenge for SAP Netweaver AS Java UME:

According to note 2051697 - Security Policy Enhancements, there are two attributes: SERVICEUSER_ATTRIBUTE, which has the value IS_SERVICEUSER, and SecurityPolicy, which can have different values: technical (for the Technical User security policy), default, internal or custom (for example, Admins, if I created a custom security policy with the same name "Admins").

So, I want to store Technical users, Internal users and users with the Security policy Admins in the UME database, but business users with, for example, the Users security policy, in an Active Directory data source.

For service users there is the attribute SERVICEUSER_ATTRIBUTE, which is defined in the datasource file as:

<homeFor>
  <principals>
    <principal type="account">
      <nameSpace name="$serviceUser$">
        <attribute name="SERVICEUSER_ATTRIBUTE">
          <values>
            <value>IS_SERVICEUSER</value>
          </values>
        </attribute>
      </nameSpace>
    </principal>
    <principal type="user">
      <nameSpace name="$serviceUser$">
        <attribute name="SERVICEUSER_ATTRIBUTE">
          <values>
            <value>IS_SERVICEUSER</value>
          </values>
        </attribute>
      </nameSpace>
    </principal>
    <principal type="team"/>
    <principal type="ROOT"/>
    <principal type="OOOO"/>
  </principals>
</homeFor>

for PRIVATE_DATASOURCE (UME database) and the same in a <notHomeFor> tag for the CORP_LDAP datasource.

I tried to implement the same description with a SecurityPolicy attribute with a value "technical" (see note 2051697), but after restarting the application server I can't create users with security policy "Technical user" anymore. I get an error: "No data source feels responsible for principal. Please check the data source configuration!".

How should I split storage for different user types (in my situation these are: business users and all other users (Technical, Internal, Administrators, ...))?


2 Answers

  • Posted on Jul 15, 2018 at 08:43 PM

    Dear Evgeny,


    Please see the datasource configurations in the online help:


    https://help.sap.com/doc/saphelp_dm40/4.0/en-US/7e/a2d475e5384335a2b1b2d80e1a3a20/frameset.htm

    The following help describes that it is allowed to use multiple datasources:

    https://help.sap.com/doc/saphelp_nw73ehp1/7.31.19/en-US/5b/5d2706ebc04e4d98036f2e1dcfd47d/frameset.htm

    See:

    The UME can be configured to read and write user-related data from and to multiple data sources, such as Lightweight Directory Access Protocol (LDAP) directories, the system database of SAP NetWeaver AS for Java, and user management of SAP NetWeaver Application Server for ABAP.


    Additionally, please check whether you conform to the prerequisites according to SAP Note: 673824 - LDAP Recommendations for UME


    In case you think you fit all of the prerequisites, check for possible issues with the UME consistency check tool as per SAP Note: 1016283 - UME Consistency Check Tool


    Best practice can be to search in the consistency check tool traces for this "Technical user" which is problematic.


    Regards,
    Barnabás Paksi


  • Posted on Jul 18, 2018 at 09:40 AM

    The consistency check tool did not reveal any problems, and the recommendations of note 673824 - LDAP Recommendations for UME are also fulfilled. It seems to me that there is some technical problem or an undocumented feature of the UME. I asked SAP support a question. I'm waiting for an answer, but this is now the third day of silence.


    • Hi,

      Did you get a response from SAP support on your issue?
      I have the same requirement.

      I notice that the SecurityPolicy attribute is only applicable to the "account" principal and not the "user" principal.
      So I suspect that splitting the user storage target by the SecurityPolicy attribute is not going to be possible.

      Thanks.
      Darryl
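
The last comment's observation can be checked against a datasource configuration file before restarting the server. The script below is an added example, not code from the thread or from SAP: it lists the attribute rules in each <homeFor>/<notHomeFor> section and reports rules declared for the "account" principal with no counterpart for "user". The <dataSources>/<dataSource id="..."> wrapper and the SecurityPolicy rule in the sample are assumptions, constructed by analogy with the SERVICEUSER_ATTRIBUTE block in the question.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The SecurityPolicy rule and its namespace are assumed,
# modelled on the SERVICEUSER_ATTRIBUTE rule quoted in the question.
RULES = """<principals>
  <principal type="account"><nameSpace name="$serviceUser$">
    <attribute name="SERVICEUSER_ATTRIBUTE"><values><value>IS_SERVICEUSER</value></values></attribute>
    <attribute name="SecurityPolicy"><values><value>technical</value></values></attribute>
  </nameSpace></principal>
  <principal type="user"><nameSpace name="$serviceUser$">
    <attribute name="SERVICEUSER_ATTRIBUTE"><values><value>IS_SERVICEUSER</value></values></attribute>
  </nameSpace></principal>
</principals>"""
SAMPLE = ('<dataSources><dataSource id="PRIVATE_DATASOURCE"><homeFor>' + RULES +
          '</homeFor></dataSource><dataSource id="CORP_LDAP"><notHomeFor>' + RULES +
          '</notHomeFor></dataSource></dataSources>')


def routing_rules(xml_text):
    """Map (datasource id, section, principal type) -> {(namespace, attribute, value)}."""
    rules = {}
    for ds in ET.fromstring(xml_text).iter("dataSource"):
        for section in ("homeFor", "notHomeFor"):
            for p in ds.findall(f"{section}/principals/principal"):
                key = (ds.get("id"), section, p.get("type"))
                rules[key] = {(ns.get("name"), a.get("name"), v.text)
                              for ns in p.findall("nameSpace")
                              for a in ns.findall("attribute")
                              for v in a.findall("values/value")}
    return rules


def account_only_rules(rules):
    """Rules set for the "account" principal but absent for "user" in the same section."""
    found = []
    for (ds, section, ptype), attrs in rules.items():
        if ptype == "account":
            missing = attrs - rules.get((ds, section, "user"), set())
            found += [(ds, section) + rule for rule in sorted(missing)]
    return found


if __name__ == "__main__":
    for finding in account_only_rules(routing_rules(SAMPLE)):
        print("account-only rule:", finding)
```

An empty result means every account rule has a matching user rule in the same section; it does not by itself show that the UME will accept the split.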
