on 05-05-2010 9:22 AM
Hi Experts,
As I'm all new to LDAP, I would like a clarification. According to the config manual p. 121, "The approver is always authenticated and authorized using SAP NetWeaver User Management Engine (UME)."
Q: Does that mean that an approver will be authenticated against UME even if LDAP is chosen as authentication source?
Q2: Is there any solution for using Active Directory as authentication source for approvers?
Q3: If an approver uses the PSS, is he authenticated against UME or LDAP?
Thank you
Kind Regards,
Vit Vesely
Hi Vit,
Approvers are always authenticated with the SAP NetWeaver UME. The purpose of defining the authentication system in Configuration -> Authentication system is for end user form users who create requests from the end user form. Suppose you define the authentication system as LDAP in Configuration -> Authentication system. Then those users that exist in LDAP will be able to submit the request from the end user form screen. It is not linked to approver login. For an approver to log in, the approver should exist in UME with the AE Approver UME role.
One solution is to use LDAP as the data source for UME.
Then UME will have all the approvers that exist in LDAP. Then you can assign the AE Approver UME role to the corresponding approvers.
For PSS, users will have to log in from the end user form. So they will be authenticated as per the authentication system configured in Configuration -> Authentication system. Here you can use the LDAP system as the authentication system.
Kind Regards,
Srinivasan
Hi Srinivasan,
Then UME will have all the approvers that exist in LDAP. Then you can assign the AE Approver UME role to the corresponding approvers.
By that you mean all LDAP users will be available in UME, and for selected users I can give AEApprover role.
I have also the possibility to create new UME accounts. Because it will read both from the database and UME.
Do I understand you correctly?
Kindest Regards,
Vit Vesely
Hi Vit,
I mean to say that when you integrate your UME with the Active Directory LDAP system, then UME will have user information coming from the LDAP. The data source for UME will be LDAP. Now you assign these users the AE Approver role. Hence they will become the approvers for the CUP application.
Kind Regards,
Srinivasan
Hi Srinivasan,
Thanks for your kind answer.
What happens if I first create a user account in UME, and subsequently register the user in AD with the same account name, hence UME will fetch the new account to UME. Will there be data inconsistency?
I've tested a similar scenario on a dual stack with an ABAP source and any changes made in UME are reflected in the ABAP backend.
Will UME be able to write back to AD or is it read only?
Kind Regards,
Vit Vesely
Edited by: Vit Vesely on May 17, 2010 8:42 AM
Yes, Vit. There will be data inconsistency. If you are making AD the data source of UME, then you should refrain from creating direct accounts in UME. User accounts should flow from AD to UME, not from UME to AD.
UME can write back to AD if you have chosen the data source as writable.
Regards,
Alpesh
I think I found what I've been looking for:
Process documentation Configuring UME to Use an LDAP Server as Data Source
http://help.sap.com/saphelp_nw04/helpdata/en/cc/cdd93f130f9115e10000000a155106/content.htm
Dear experts,
Here is a follow-up question regarding user data source.
All employees are registered in AD. However, external consultants are not. I need to find a way to provision them as well (with CUP).
Is it correct to use UME as data source for CUP and point AD as a data source for UME (Read only)? Will it still be possible to create UME accounts (for consultants)?
And add UME roles to approvers and administrators?
Kind Regards,
Vit Vesely
Edited by: Vit Vesely on May 13, 2010 3:09 PM