03-17-2009 7:37 PM
Hello
We have a requirement.
Employees use Java portal to access ESS portal functions.
But there is issue of authorizations because employees are not required to have SAP IDs. Employees just need to access portal, but not SAP system.
But SAP Authorizations can only be done on SAP USER ID.
So, we thought of creating 1 service user for 1 employee (and not mention the password to the employee) , and assign roles and profils to the service user; and perform authorization check on these user ids that are assigned to each employee.
In this situation, we are required to create 10,000 service users for 10,000 employees. Is this OK ? or the right approach ? Your suggestions are greatly appreciated.
Will there be license issues for creating service users ?
What types of users does not fall under license ?
Best regards
Vijay
Edited by: jakk on Mar 18, 2009 12:37 AM
03-17-2009 8:33 PM
It depends on your license and therefore how it's measurement is done...
Note that from a security perspective (this is the security forum...) there are other implications for service type users as well. For example, they are not required to change their passwords as per password policies (if used...) and if not used (SSO scenarios) then there are limitations to the (secure) technologies you can use for implementing this.
I think your thoughts have led you in the wrong direction (looking for a technical work-around to a license problem...).
What will limit you severly for ESS is that you cannot use P_PERNR in most (but not all) scenarios using a generic Service (if you have considered that option). There are special cases where you can use it at own risk, but you need to secure your client side for that). You seem to have noticed this already...
Cheers,
Julius
03-18-2009 10:33 AM
Hi,
But there is issue of authorizations because employees are not required to have SAP IDs. Employees just need to access portal, but not SAP system.
Still you need to create the id in SAP and assign authorizations for that user id. if the maintaining passwords is an issue then consider for the single sign on.
We had the same issue last year when upgrading, however we have created users in portal and sap (same user id is used).
ESS users have to pay license to SAP. The catergory is called as mySAP Business Suite ESS User or mySAP Employee (Cat. IV). When you perform license measurement then SAP checks for the installed applications like ESS and needs to know how many users uses ESS and their lincesing fees. SAP offers less licensing fees if the user is using SAP just for ESS(depends on your contract).
Regards,
Gowrinadh
03-18-2009 10:42 AM
Thanks for your comments.
Are you considering web dynpro for ESS in your case ?
Because we are using Java Portal (third party) to connect with backend RFCs. Is it possible to also implement Single Sign on in such cases ?
Best regards
Vijay.
03-18-2009 1:05 PM
Hi,
We use Enterprise portal from SAP as pack of ECC 6.0. If there is any third party application then you can use the service user but I doubt whether SAP allows 10000. I am not sure about the single sign on with other thrid party applications. Please refer the third party application document .
Regards,
Gowrinadh