
User mapping without Passwords.

Former Member
0 Kudos

hello all,

I got a large number of users.

We won't use logon tickets because of some limitation.

Now we are only going to allow the administrator to map portal users to r3 users.

But he will have to know the passwords all the time. If a user logs in from the backend and changes the password, the user mapping will fail because of a wrong password. Is there a way that the administrator can map only usernames?

thanks.

1 ACCEPTED SOLUTION

tim_alsop
Active Contributor
0 Kudos

Prem,

You need to use an external (e.g. non-SAP) authentication method so that the SAP password can be deactivated. When you set up SAP this way, you can map the externally authenticated identity onto an SAP user, and the admin who looks after the mapping does not need to care about users' passwords.

Thanks,

Tim

8 REPLIES 8

Former Member
0 Kudos

Tim,

I read here http://help.sap.com/saphelp_nw04/helpdata/en/f8/3b514ca29011d5bdeb006094191908/frameset.htm

that we can set a property called ume.usermapping.admin.pwdprotection

Does this mean the administrator (when he logs in from his login) can do a user mapping for all users without entering the users' backend password?

Thanks

tim_alsop
Active Contributor
0 Kudos

Prem,

The SAP doc you referred to is related to functionality in the portal where a user can log on to the portal via any supported authentication method and then set their own userid and passwords, which will be used to log on to other web-enabled apps on the network, e.g. to log on to a web-based business app which is not based on SAP technology, using a userid and password which only the user knows. It is not clear to me that this is what you are using. Can you confirm how you are using 'user mapping' so I can make sure I answer your questions correctly?

Thanks,

Tim

Former Member
0 Kudos

Hi Tim,

2 or more portal users will share a common r3 user.

For security reasons, the administrator would like to map people's portal IDs to the necessary r3 user.

Moreover, since we are not allowing users to map a portal user to an r3 user, the admin has the job of mapping all the portal users to backend users.

Now the admin will have to call the user to enter the new password whenever the latter changes the r3 password. So if only usernames suffice for user mapping, that would be great.

I heard that if the admin does the mapping and the property I mentioned is set, the system will not prompt for a password when he does the mapping.

tim_alsop
Active Contributor
0 Kudos

Prem,

The documentation that you referred to earlier does not make this clear and I have no experience of this parameter. From what I read and understand it sounds like it is not what you are looking for, but maybe somebody else will answer this post and give you more positive news. I hope I have been of some help?

It also seems to me that you have a potential security issue to consider, because portal users logging onto the back-end r/3 system as the same SAP user is not very good from an auditing perspective. Have you considered assigning an r/3 user account for each portal user, so you have a 1:1 relationship instead of many:1?

Thanks again,

Tim

0 Kudos

Tim is correct that 1:1 is preferable. If you have to do many to 1, be sure to map to a user with limited access. Do not map to a super user.

As far as the property goes, it only applies to the SAP logon tickets method. But I already answered this in another forum.

-Michael

Former Member
0 Kudos

Hello Michael,

Thanks for your reply.

Yes, the backend user to which 2 or more users are mapped is a limited-rights one, not a super user.

Now, I need your advice.

If only the administrator can do the mapping for these users, how does he go about mapping without using the password? The end user might change the backend password and will have to go again to the admin to change the mapping. Is there a way out of this? They will not allow me to give end users the right to do this.

0 Kudos

Hi Prem,

I'm sorry to say it, but I believe you have run into a limitation of the system. SAP recommends that you use logon tickets and avoid user mapping by having the same user IDs in the front end as in the back end. Anything else requires compromises.

Wait a minute. You are mapping to a technical user in the ABAP system. Do you maintain this user or do your coworkers maintain this user? I am not an ABAP expert, but you could set this password not to expire. Users would have no need to change the ABAP password. I assume they are not logging in directly through an ABAP system, so they should not be changing the password anyway.

For user mapping you are not entering the AS Java password of the user.

-Michael