Mass Change for security policy for a large subset of UME users?

Former Member
0 Kudos

Hi all,

Looking for some advice around "mass updates" of UME security policy for users. First though, some background:

I'm currently running an SAP NW 7.0 SP21 portal, using an LDAP directory + UME as datasources. All of my "normal employee users" (about 130,000) come from the LDAP, while any "test users" that we may have created in various non-production systems are sourced locally from each system UME. (For example, in some systems, we have created upwards of 3000 unique test users for load testing). Essentially, I would like users from each data source to have a separate "default" security policy.

For my LDAP users, I want a more relaxed password policy, allowing the LDAP directory to fully administer the policy for user lockouts & password resets (e.g. in UME, set max failed passwords to 0 and auto-unlock time to 0). Said another way, I want it to be impossible for one of my employee users to lock themselves in my UME --- I want LDAP to manage that. On the other hand, for my test users, I'd like a separate policy with a little more rigor.

So, creating the two separate policies is no big deal. This can be done in the Portal under System Administration > System Configuration > UME Configuration > Security Policy, where we can modify the existing Default and Technical User security policies. Additionally, we can add custom policies, which are then visible in the portal UME application when maintaining a single user.

So, now for a few questions:

1) Is it possible to configure different default security policies depending on the Data Source? eg. apply one set of rules for my LDAP users and another for my local UME users? Can this be done by customizing the dataSourceConfiguration.xml?

2) Can security policies be linked to other UME principal objects (like groups)?

3) In the UME, it seems only possible to change the security policy one user at a time. Has SAP delivered any "mass policy maintenance" utility for UME, where this could be changed for a large number of users simultaneously?

4) Let's say that I use the "default" policy for my LDAP users and create a new custom policy for my UME test users. Normally, when I create test users, I use the UME import functionality. However, it does not appear to be possible to set the security policy as part of the import/create process. This means that, if I created 1000 users and needed to change their policy, I would have to do it one at a time (right after I finished slamming my fingers in the door repeatedly). In reading this thread, it mentions that it should be possible to programmatically update a user's policy via the UME API. However, when searching through [com.sap.security.api|http://help.sap.com/javadocs/NW04S/SPS09/se/com/sap/security/api/package-summary.html], I cannot find any interfaces which expose that attribute of a user.

Has anyone had any luck updating a user's security policy programmatically?

Kind Regards and thanks in advance for any help!

Pete

Edited by: Peter Rauchenstein on Jan 21, 2011 12:32 PM

Accepted Solutions (1)

former_member71614
Active Participant
0 Kudos

Good day,

You can create different security policies for your UME datasources without having to do so by code (depending on your EP version):

Go to System Administration --> System Configuration --> UME Configuration --> Security Policy. This will allow you to create different policies for your datasources, user groups etc.

http://help.sap.com/saphelp_nw72/helpdata/en/49/bf6e8101755d5de10000000a421937/frameset.htm

Once complete, you then map users to these policies. You can leverage mass updates to users by using the useradmin tool to import; see the following documentation on import notation formats:

http://help.sap.com/saphelp_nw72/helpdata/en/48/a96f43db653206e10000000a42189c/frameset.htm

https://cw.sdn.sap.com/cw/docs/DOC-107900

You can also edit the UME config file to achieve the same if you need to manage different attributes across datasources for a specific policy or to establish global ones:

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/b5/16c43bdd3da244a1d3372a77b5f83f/frameset.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/7f/c52442ad9f5133e10000000a155106/frameset.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/43/3d77734ae830f3e10000000a11466f/frameset.htm

MY APOLOGIES:

....> I have tried to adjust the policies using mass upload myself. No luck. I am diving down to the innards now to see if there is an attribute one can reference, but it does not look like this is the case. I can see good value in having this feature. Will update you if I find anything.

Looks like it has been omitted by design:

https://service.sap.com/sap/support/notes/1339611

https://service.sap.com/sap/support/notes/1376435

I would thus suggest you open an OSS for confirmation of this attribute from the SAP market place.

Edited by: Basis Team on Jan 25, 2011 6:33 AM

Former Member
0 Kudos

Basis Team,

Thanks for the thorough reply -- and it looks like you have similar findings to my issue. Creating the different custom policies is not all that difficult -- it's just the enforcement or assignment that causes the issue. It does not seem possible to set the security policy as part of the mass UME Import tool found under user administration.

The portal UME application under User Administration can be used to change a user's policy, so it MUST be possible to change programmatically. However, I can't find any such methods in the published UME API documentation -- which is puzzling.

I will open up an OSS message on this (though I fear I will be told that this is a "consulting issue") :-). If I find a solution to the issue, I'll post it here, as I can't be the only one who has stumbled across this.

Thanks for the help!

Pete Rauchenstein

Edited by: Peter Rauchenstein on Jan 27, 2011 6:40 PM

DK007
Active Participant
0 Kudos

Hello Pete Rauchenstein,

We had a similar requirement to mass update the security policy for users. Through standard mass upload you cannot change/update the security policy for the user. So I developed a custom WebDynpro application. This application will update the security policy for the user. An Excel file is uploaded which contains User IDs; the program reads each row (user ID) and updates the security policy for the user using a mutable user account.

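E.g.:

// accountFactory is an IUserAccountFactory, e.g. from UMFactory.getUserAccountFactory()
IUserAccount userAccount = accountFactory.getMutableUserAccount(<UNIQUE ID OF USER>);
userAccount.setSecurityPolicy("<SECURITY POLICY>"); // In my case I'm changing it to technical
userAccount.save();   // write the change to the mutable account
userAccount.commit(); // persist it to the user store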

Let me know if you need any help in this regard.

Regards,

Dheeram
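The per-row update described in the post above, written out as a batch routine (an added example, not code from the thread or from SAP). It assumes it runs inside the AS Java where UMFactory is initialized and that `setSecurityPolicy(String)` is available as used in the post; the class name and result format are hypothetical.

```java
import com.sap.security.api.IUserAccount;
import com.sap.security.api.IUserAccountFactory;
import com.sap.security.api.UMException;
import com.sap.security.api.UMFactory;
import java.util.ArrayList;
import java.util.List;

// Added example (hypothetical class). Written without generics so it
// compiles on the JDK 1.4 level used by NW 7.0.
public class SecurityPolicyMassUpdate {

    /**
     * Sets the given security policy on every listed logon ID.
     * Returns one "logonId;OK" or "logonId;FAILED;reason" line per user,
     * so the run can be archived as a change record.
     */
    public static List apply(String[] logonIds, String policyName) {
        IUserAccountFactory factory = UMFactory.getUserAccountFactory();
        List results = new ArrayList();
        for (int i = 0; i < logonIds.length; i++) {
            String logonId = logonIds[i].trim();
            if (logonId.length() == 0) {
                continue; // skip blank rows from the uploaded sheet
            }
            IUserAccount account = null;
            try {
                // Resolve logon ID to unique ID, then open the account for writing.
                String uniqueId = factory.getUserAccountByLogonId(logonId).getUniqueID();
                account = factory.getMutableUserAccount(uniqueId);
                // Assumption: setSecurityPolicy(String) as used in the post above.
                account.setSecurityPolicy(policyName);
                account.save();
                account.commit();
                results.add(logonId + ";OK");
            } catch (UMException e) {
                // Discard the pending change for this user and carry on with the rest.
                if (account != null) {
                    account.rollback();
                }
                results.add(logonId + ";FAILED;" + e.getMessage());
            }
        }
        return results;
    }
}
```

Committing per user keeps one bad row from blocking the batch, and the returned lines give a record of exactly which accounts had their policy changed.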

Former Member
0 Kudos

Dheeram,

Many thanks - believe that's exactly what I'm looking for! Will give it a try and let you know how it goes.

Thanks!

Pete

Former Member
0 Kudos

Hi Dheeram,

I am from the Security team and we have the same requirement; change Security policy of multiple users.

Could you please help me on how to proceed with creation of Webdynpro application?

P.S. if it's too complicated, I shall seek help from ABAP team

Regards,

Santosh

Answers (0)