Many enterprises are in the process of deploying central administration
of user data for their distributed application and system landscape, including
While the advantages of central administration
are wide-ranging, the main benefits of this approach, from a security
perspective, are these:
- It establishes a single point of administration of user accounts,
and one primary source of information for security attributes of users,
such as authentication and authorization (role) data.
- It provides central functionality for locking and unlocking user
accounts, and for granting and removing access rights to various applications.
- It supports central workflows for the creation and maintenance of
user accounts and their security attributes, from the HR system to the
central administration instance - and from there to the appropriate
systems and applications.
How Does SAP Facilitate Central User Management?
The technology you use to integrate your SAP systems and applications
under central user management depends, of course, on what release you
are currently using. To establish distributed business processes across
several SAP systems, SAP introduced the concept of Application Link Enabling
(ALE) a while back. More recently, Directory Services and the Lightweight
Directory Access Protocol (LDAP) have become the focal point for access
to central organizational and configuration data across your entire system
Today, a complete solution for central
user management comprises several technical components. Depending on the
release status of your SAP applications and solutions, you may be able
to use some or all of these components.
Let's take a detailed look at the three
major components of SAP central user management:
1. Central User Administration Using Application Link Enabling
Central User Administration functionality exists within SAP systems as
of SAP Basis Release 4.5. It uses ALE and the SAP Remote Function Call
(RFC) mechanism for the communication of user data between a central SAP
system running Central User Administration and client SAP systems (see Figure 1).
Figure 1: User Administration Within SAP from R/3 4.5 and
There are flexible options for a customized
setup, which include central administration of user attributes (such as
role assignments) without giving up local maintenance of selected attributes
in the client SAP systems (such as address data or logon language). Optionally,
locally maintained attributes can also be sent back to the central SAP
system and distributed to other client SAP systems from there.
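To make these distribution rules concrete, here is an added example (not SAP code and not part of the original article) that models a central CUA system and its client systems in plain Python. Each attribute is either maintained centrally and pushed to every client, maintained locally only, or maintained locally and returned to the central system for redistribution. The mode names, attribute names and system IDs are assumptions chosen for illustration.

```python
"""Model of Central User Administration (CUA) distribution over ALE.

Added example, not SAP code. It reproduces the per-attribute distribution
rules described in the text: an attribute is maintained centrally and pushed
to every client system, maintained locally only, or maintained locally and
returned to the central system, which redistributes it. Mode names, attribute
names and system IDs are assumptions chosen for illustration.
"""
from enum import Enum


class Mode(Enum):
    CENTRAL = "central"  # maintained only centrally, distributed to every client
    LOCAL = "local"      # maintained only in the system where it was changed
    RETURN = "return"    # maintained in a client, returned to central, redistributed


# Hypothetical distribution settings per attribute (assumption).
DISTRIBUTION = {
    "locked": Mode.CENTRAL,
    "roles": Mode.CENTRAL,
    "logon_language": Mode.LOCAL,
    "address": Mode.RETURN,
}


class Landscape:
    """One central CUA system plus its client systems, each with its own user masters."""

    def __init__(self, central, clients):
        self.central = central
        self.clients = list(clients)
        # system ID -> user ID -> attribute dict
        self.users = {sid: {} for sid in [central] + self.clients}

    def create_user(self, user):
        """Accounts are created centrally and distributed to every client."""
        for sid in self.users:
            self.users[sid][user] = {"locked": False, "roles": [],
                                     "logon_language": "EN", "address": ""}

    def change(self, origin, user, attr, value, distribution=DISTRIBUTION):
        """Apply a change made in `origin` and return the systems it reaches, in order."""
        if origin not in self.users:
            raise ValueError(f"unknown system {origin}")
        mode = distribution[attr]
        if mode is Mode.CENTRAL and origin != self.central:
            # Centrally maintained attributes cannot be changed in a client;
            # this is what makes central locking and role assignment trustworthy.
            raise PermissionError(f"{attr} is maintained only in {self.central}")
        if mode is Mode.LOCAL:
            targets = [origin]
        elif origin == self.central:
            targets = [self.central] + self.clients
        else:
            # RETURN: the client value goes back to central, then out to the other clients.
            others = [c for c in self.clients if c != origin]
            targets = [origin, self.central] + others
        for sid in targets:
            self.users[sid][user][attr] = value
        return targets

    def lock(self, user, origin=None):
        """Lock an account; `locked` is centrally maintained, so it reaches every system."""
        return self.change(origin or self.central, user, "locked", True)

    def is_locked_everywhere(self, user):
        return all(self.users[sid][user]["locked"] for sid in self.users)


if __name__ == "__main__":
    land = Landscape("CUA", ["PRD", "HRP", "BWP"])
    land.create_user("JSMITH")
    print("lock reaches:", land.lock("JSMITH"))
    print("local change reaches:", land.change("PRD", "JSMITH", "logon_language", "DE"))
    print("returned change reaches:", land.change("HRP", "JSMITH", "address", "Main St 1"))
```

The point worth checking in a real setup is the first branch: an attribute that is security relevant (lock status, role assignments) must be maintainable only in the central system, otherwise a local administrator can quietly undo a central lock. The model ignores transport; distribution over ALE is asynchronous, so a client reflects a change only after it has processed the incoming message.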
In this approach, productive Central User
Administration functionality is typically set up in a well-administered,
productive SAP system, such as the SAP HR system or, more recently, the
mySAP Workplace - or any other SAP system used for central administration
and monitoring. For your SAP system administrators, the SAP Basis system
provides simple extensions of the common SAP dialog transactions for user
maintenance (SU01, SU10) when central user management is configured.
2. LDAP Connector
With SAP Basis Release 4.6, access to corporate directories is facilitated
from the SAP system with the LDAP Connector, an RFC server program that
is included in the SAP Application Server installation. SAP applications
are provided with ABAP programming interfaces to place queries against
directories and to create and modify directory entries via the LDAP Connector.
No standard data synchronization functions are included with SAP Basis
Release 4.6, but the LDAP Connector can be used in project solutions.
(See Figure 2.)
Figure 2: Access to Corporate Directories with R/3 4.6
The LDAP Connector runs as a separate process
on the SAP Application Server. To support the LDAP protocol, it loads
an LDAP client library that is dependent on the hardware and operating
system platform. It receives directory requests via RFC from SAP applications
and initiates the corresponding LDAP requests.
The LDAP Connector can be started and monitored
from within the Computing Center Management System (CCMS) in your SAP
system. To configure physical access to different directory servers and
to define the directory users and authentication information required,
system administrators can use the dialog transaction LDAP.
3. LDAP Synchronization
With SAP Web Application Server 6.10 comes support for periodic synchronization
of user data with your corporate directory using the LDAP Connector. This
is achieved via the standard report SLDAPSYNC_USER, which is usually
run every 12 or 24 hours in batch mode. Synchronization behavior can be
customized to compare time stamps when attribute values in the directory
and the SAP user tables differ, and to determine what should be done when
new entries appear in either the directory or the SAP user tables. (See Figure 3.)
Figure 3: Synchronizing User Data with SAP Web Application Server
To support this kind of synchronization
functionality, there was one particular challenge that had to be met:
how to correctly map SAP user tables to the customer's own directory schema.
In other words, which customer directory attributes hold the relevant
information for SAP user data fields, such as Firstname, Surname, TelephoneNr,
Mail Address, Roles, and so on? The answers can differ depending on the
directory product being used and may also vary for each customer who uses
individual directory schema extensions.
To solve this problem, the LDAP Connector
includes the dialog transaction LDAPMAP, which customizes the mapping
between the various fields of the SAP user tables and the given directory
attributes. This functionality provides flexible adaptation to the directory
schema used in your corporate directory. If required, each attribute can
be defined so that its attribute value is exported to or imported from
the directory, thus providing the control information for the synchronization.
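The synchronization behavior described under "LDAP Synchronization" and the per-attribute mapping described here fit together in one piece of logic, so here is an added example (not SAP code, and not the SLDAPSYNC_USER report itself) that models it in Python: a mapping table between SAP user fields and directory attributes with an export/import direction per attribute, time-stamp comparison when both sides hold different values, and a policy for entries that exist on only one side. The SAP field names, the directory attribute names, the `sapRoles` schema extension and the sample records are all assumptions constructed for the example.

```python
"""Model of LDAP synchronization driven by an attribute mapping table.

Added example, not SAP code. It models the behaviour the text attributes to
SLDAPSYNC_USER and LDAPMAP: a per-attribute mapping between SAP user fields
and directory attributes, an export/import direction per attribute, a
time-stamp comparison when both sides differ, and a policy for entries that
exist on only one side. Field names, attribute names, the `sapRoles`
schema extension and all sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Direction(Enum):
    EXPORT = "export"  # SAP -> directory; the SAP value always wins
    IMPORT = "import"  # directory -> SAP; the directory value always wins
    BOTH = "both"      # the side with the newer time stamp wins


@dataclass(frozen=True)
class Mapping:
    sap_field: str
    ldap_attr: str
    direction: Direction


# Hypothetical mapping (assumption); in SAP this is maintained in LDAPMAP.
MAPPING = [
    Mapping("FIRSTNAME", "givenName", Direction.BOTH),
    Mapping("LASTNAME", "sn", Direction.BOTH),
    Mapping("TELEPHONE", "telephoneNumber", Direction.IMPORT),
    Mapping("EMAIL", "mail", Direction.IMPORT),
    Mapping("ROLES", "sapRoles", Direction.EXPORT),  # assumed schema extension
]


def ldap_time(value):
    """Parse LDAP GeneralizedTime (e.g. 20240116090000Z) into an aware datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def sap_time(value):
    """Parse the ISO-8601 stamp this model keeps in the SAP record."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def synchronize(sap_users, ldap_entries, mapping=MAPPING,
                create_in_sap=True, create_in_ldap=True):
    """Return (sap_updates, ldap_updates): the field values each side must change."""
    sap_updates, ldap_updates = {}, {}
    for uid in sorted(set(sap_users) | set(ldap_entries)):
        sap, ldap = sap_users.get(uid), ldap_entries.get(uid)
        if sap is None:
            # New directory entry: create the SAP user from the importable attributes.
            if create_in_sap:
                sap_updates[uid] = {m.sap_field: ldap[m.ldap_attr] for m in mapping
                                    if m.direction is not Direction.EXPORT
                                    and m.ldap_attr in ldap}
            continue
        if ldap is None:
            # New SAP user: create the directory entry from the exportable attributes.
            if create_in_ldap:
                ldap_updates[uid] = {m.ldap_attr: sap[m.sap_field] for m in mapping
                                     if m.direction is not Direction.IMPORT
                                     and m.sap_field in sap}
            continue
        ldap_newer = ldap_time(ldap["modifyTimestamp"]) > sap_time(sap["_modified"])
        for m in mapping:
            sap_val, ldap_val = sap.get(m.sap_field), ldap.get(m.ldap_attr)
            if sap_val == ldap_val:
                continue
            to_sap = (m.direction is Direction.IMPORT
                      or (m.direction is Direction.BOTH and ldap_newer))
            if to_sap:
                sap_updates.setdefault(uid, {})[m.sap_field] = ldap_val
            else:
                ldap_updates.setdefault(uid, {})[m.ldap_attr] = sap_val
    return sap_updates, ldap_updates


# Constructed sample data (not real accounts).
SAP_USERS = {
    "JSMITH": {"FIRSTNAME": "John", "LASTNAME": "Smith", "TELEPHONE": "+1 555 0100",
               "EMAIL": "john.smith@example.com", "ROLES": "Z_SALES",
               "_modified": "2024-01-15T10:30:00Z"},
    "ALEE": {"FIRSTNAME": "Anna", "LASTNAME": "Lee", "TELEPHONE": "",
             "EMAIL": "anna.lee@example.com", "ROLES": "Z_FINANCE",
             "_modified": "2024-01-10T08:00:00Z"},
}
LDAP_ENTRIES = {
    "JSMITH": {"givenName": "Jon", "sn": "Smith", "telephoneNumber": "+1 555 0199",
               "mail": "john.smith@example.com", "sapRoles": "",
               "modifyTimestamp": "20240116090000Z"},
    "MBROWN": {"givenName": "Mia", "sn": "Brown", "telephoneNumber": "+1 555 0300",
               "mail": "mia.brown@example.com", "modifyTimestamp": "20240114120000Z"},
}

if __name__ == "__main__":
    for side, changes in zip(("SAP", "LDAP"), synchronize(SAP_USERS, LDAP_ENTRIES)):
        print(side, changes)
```

Two things to verify in a real mapping. First, the direction of each security attribute: if role data is importable from the directory, anyone who can write that directory attribute can grant SAP authorizations, so keep it export-only unless the directory is the authoritative source and its write access is as tightly controlled as SU01. Second, the run interval: with the report scheduled every 12 or 24 hours, a lock or role removal made in the directory reaches the SAP user tables only on the next run, which is why the text recommends making such changes in the central SAP system.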
Is It Possible to Combine These Approaches?
To place your complete SAP system landscape under central user and security
administration, it is possible to use a combined setup. Central User Administration
using ALE is set up on a central SAP system, and user data is distributed from there
to your client SAP systems (from SAP Basis Release 4.5 on). And of course, LDAP Synchronization
is configured and scheduled to run on the central SAP system, which needs
to be an SAP Web Application Server 6.10 system.
The Outlook for Central Administration of User Accounts
In the future, the most prevalent approach may be direct synchronization
of centrally administered user accounts and security attributes, such
as account status and role data, between every SAP system and LDAP directories.
Current standardization initiatives, e.g., DSML (Directory Service Markup
Language), are also proposing the use of XML schemas to exchange directory
information over any protocol, thus replacing LDAP with, for example,
The central administration of user accounts,
roles and role assignments, and other user data provides important benefits
- security being just one of them. Look for additional information at
Dr. Jürgen Schneider has been involved in the design and implementation
of SAP security functions since 1996. Since 1998, he has been the Development
Manager for Security in SAP's Technology Development. He can be reached