Expand +



Central User Administration with LDAP Directories

by Dr. Jürgen Schneider | SAPinsider

January 1, 2002

by Dr. Jürgen Schneider, SAP AG SAPinsider - 2002 (Volume 3), January (Issue 1)

Many enterprises are in the process of deploying central administration of user data for their distributed application and system landscape, including SAP systems.

While the advantages of central administration are wide ranging, the main benefits of this approach, from a security perspective, are these:

  • It establishes a single point of administration of user accounts, and one primary source of information for security attributes of users, such as authentication and authorization (role) data.

  • It provides central functionality for locking and unlocking user accounts, and for granting and removing access rights to various applications and resources.

  • It supports central workflows for the creation and maintenance of user accounts and their security attributes, from the HR system to the central administration instance - and from there to the appropriate systems and applications.

How Does SAP Facilitate Central User Management?

The technology you use to integrate your SAP systems and applications under central user management depends, of course, on what release you are currently using. To establish distributed business processes across several SAP systems, SAP introduced the concept of Application Link Enabling (ALE) a while back. More recently, Directory Services and the Lightweight Directory Access Protocol (LDAP) has become the focal point for access to central organizational and configuration data across your entire system landscape.

Today, a complete solution for central user management comprises several technical components. Depending on the release status of your SAP applications and solutions, you may be able to use some or all of these components.

Let's take a detailed look at the three major components of SAP central user management:

1. Central User Administration Using Application Link Enabling

Central User Administration functionality exists within SAP systems as of SAP Basis Release 4.5. It uses ALE and the SAP Remote Function Call (RFC) mechanism for the communication of user data between a central SAP system running Central User Administration and client SAP systems (see Figure 1).

Figure 1 User Administration Within SAP from R/3 4.5 and Up

There are flexible options for a customized setup, which include central administration of user attributes (such as role assignments) without giving up local maintenance of selected attributes in the client SAP systems (such as address data or logon language). Optionally, locally maintained attributes can also be sent back to the central SAP system and distributed to other client SAP systems from there.

In this approach, productive Central User Administration functionality is typically set up in a well-administered, productive SAP system, such as the SAP HR system or, more recently, the mySAP Workplace - or any other SAP system used for central administration and monitoring. For your SAP system administrators, the SAP Basis system provides simple extensions of the common SAP dialog transactions for user maintenance (SU01, SU10) when central user management is configured.

2. LDAP Connector

With SAP Basis Release 4.6, access to corporate directories is facilitated from the SAP system with the LDAP Connector, an RFC server program that is included in the SAP Application Server installation. SAP applications are provided with ABAP programming interfaces to place queries against directories and to create and modify directory entries via the LDAP Connector. No standard data synchronization functions are included with SAP Basis Release 4.6, but the LDAP Connector can be used in project solutions. (See Figure 2.)

Figure 2 Access to Corporate Directories with R/3 4.6

The LDAP Connector runs as a separate process on the SAP Application Server. To support the LDAP protocol, it loads an LDAP client library that is dependent on the hardware and operating system platform. It receives directory requests via RFC from SAP applications and initiates the corresponding LDAP requests.

The LDAP Connector can be started and monitored from within the Computing Center Management System (CCMS) in your SAP system. To configure physical access to different directory servers and to define the directory users and authentication information required, system administrators can use the dialog transaction LDAP.

3. LDAP Synchronization

With SAP Web Application Server 6.10 comes support for periodic synchronization of user data with your corporate directory using the LDAP Connector. This is achieved via the standard report SLDAPSYNC_USER, which is usually run every 12 or 24 hours in batch mode. Synchronization behavior can be customized to compare time stamps when attribute values in the directory and the SAP user tables differ, and to determine what should be done when new entries appear in either the directory or the SAP user tables. (See Figure 3.)

Figure 3 Synchronizing User Data with SAP Web Application Server 6.10

To support this kind of synchronization functionality, there was one particular challenge that had to be met: how to correctly map SAP user tables to the customer's own directory schema. In other words, which customer directory attributes hold the relevant information for SAP user data fields, such as Firstname, Surname, TelephoneNr, Mail Address, Roles, and so on? The answers can differ depending on the directory product being used and may also vary for each customer who uses individual directory schema extensions.

To solve this problem, the LDAP Connector includes the dialog transaction LDAPMAP, which customizes the mapping between the various fields of the SAP user tables and the given directory attributes. This functionality provides flexible adaptation to the directory schema used in your corporate directory. If required, each attribute can be defined so that its attribute value is exported to or imported from the directory, thus providing the control information for the synchronization report.

Is It Possible to Combine These Approaches?

To place your complete SAP system landscape under central user and security administration, it is possible to use a combined setup. Central User Administration using ALE is set up on a central SAP system, and from there on your client SAP systems (from SAP Basis Release 4.5 on). And of course, LDAP Synchronization is configured and scheduled to run on the central SAP system, which needs to be an SAP Web Application Server 6.10 system.

The Outlook for Central Administration of User Accounts

In the future, the most prevalent approach may be direct synchronization of centrally administered user accounts and security attributes, such as account status and role data, from every SAP system with LDAP directories. Current standardization initiatives, e.g., DSML (Directory Service Markup Language), are also proposing the use of XML schemas to exchange directory information over any protocol, thus replacing LDAP with, for example, HTTP(S).

The central administration of user accounts, roles and role assignments, and other user data provides important benefits - security being just one of them. Look for additional information at

Dr. Jürgen Schneider has been involved in the design and implementation of SAP security functions since 1996. Since 1998, he has been the Development Manager for Security in SAP's Technology Development. He can be reached at

An email has been sent to:

More from SAPinsider


Please log in to post a comment.

No comments have been submitted on this article. Be the first to comment!