Service users in SAP XI?

Similar Messages

• How to disable web service authentication by sap-user string in url

  Hi Experts,
  I am publish some RFC function as webservice for my SAP AS ABAP, i set the authentication as basic. I can using http basic authentication to call the service and get the result. But it also accept passing user/password through the url string: http://localhost:8001/sap/bc/soap/wsdl11?services=BAPI_PO_CHANGE&sap-client=100&sap-user=myId&sap-password=myPassword
  I want to disable this, make it no user/password through url string. Can anyone tell me how to do it, thanks.
  Best regards,
  Peter

  Well, it's not a backdoor - but (extremely) bad style: an URL should never contain any authentication data (like UID & PWD) nor should it ever contain any (security) session ID (which, if valid, would allow to skip authentication).
  So, I agree with you / your customer: it should be (made) possible to configure the system to discard / ignore any authentication data which is contained in the URL.
  I recommend to submit a customer message to SAP (using message component BC-MID-ICF). You might refer to this SDN posting (by providing the URL) in the support ticket.
  PS: Basic Authentication is not much better but at least the information (UID & PWD) is not sent in the clear (although simply Base64-encoded) and not in the URL (but in the http header). Sending cleartext data in the URL is really the worst. The best is: use stronger authentication mechanisms (e.g. X.509 client certificates, Kerberos, Biometric authentication mechanisms, etc.).

• Data Services user rights  on SAP BW

  Hi guys,
  I am currently in a project and BASIS team is asking me what authorization rights should they apply on BOBJ Data Services user to pull data from BW. And I have no idea what authorizations should be applied.
  Help please.
  Thanks,
  R.A.

  Hi,
  check the Guide:
  http://help.sap.com/businessobject/product_guides/boexir32/en/xi32_ds_sap_en.pdf
  Chapter "SAP applications security levels" starting on Page 53
  Regards
  -Seb.

• SAP user licensing - service users and system users

  Hello,
  In SAP licensing process, will it count service users and system users for the license.
  (or licensing occurs only to the dialog users)
  In the license agreement , it is not mentioned.
  (Mentioned as 500 user license only)
  regards,
  zerandib.

  Hi Zerandib,
  This forum is for SAP Business One users only. I think your question is related to R/3. Please close your thread and post on a proper forum.
  Thanks,
  Gordon

• KM Scheduler Task - Service user

  Dear all,
  I created a scheduled task in the NWDS and deployed the par and configured the time table for it. The task is running every minute, so it's all working. Now i'm wondering, is it possible to set the user that executes the task somewhere? like in a service user or so.
  I played around a bit in the portalapp.xml and it now looks like:
  <?xml version="1.0" encoding="utf-8"?>
  <application>
    <application-config>
      <property name="SharingReference" value="usermanagement, knowledgemanagement, landscape, htmlb, exportalJCOclient, exportal,SAPJ2EE::sap.com/ear~test"/>
      <property name="SecurityArea" value="Netweaver.portal"/>
      <property name="Vendor" value="sap.com"/>
    </application-config>
    <components/>
    <services>
      <service name="RFServiceWrapper">
        <service-config>
          <property name="className" value="com.sap.netweaver.rf.wrapper.RFServiceWrapper"/>
          <property name="startup" value="true"/>
          <property name="SafetyLevel" value="low_safety"/>
        </service-config>
      </service>
    </services>
  </application>
  In the run(..) method, i call an ejb, and in the ejb i print the username that's executing it. Sometimes it says it's executed by Guest (most of the times), and sometimes it says it's executed by Administrator...
  What user is used for running the scheduled task? can it be a fixed user, as in "serviceUserX" for example? How do i configure that?
  Kind regards.
  J.
  Message was edited by:
          Joren Crauwels
  Message was edited by:
          Joren Crauwels

  Hi
  Did you find a solution fo this problem?
  Florin

• BOE XI R2 - Configuring RAS with Service user, RAS Fails to start...

  Colleagues:
  Where would kbase article c2018785 be found?
  I am configuring my BOE XI R2 to use End-to-End SSO via IIS using this document from Business Objects:
  Link: [https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/403cdf46-c63e-2b10-2997-978cb8ba59f0]
  In this document, you create a service user under which certain applications run, including the Report Application Server.
  There is a specific note on page 6 in the doc which states:
  The RAS server may fail to start under this new service account. If you experience this issue, follow the steps outlined in the following kbase:
  Link: [http://support.businessobjects.com/library/kbase/articles/c2018785.asp]
  Unfortunately, the link is out of date, and I have not found the article using the existing search tools.
  I did use the -trace argument to the command line to start up the RAS service, and the output is follows:
  Timestamp     ProcessID     ThreadID     Message
  [Thu May 07 13:21:39 2009]     4448     4228     (.ashwin32service.cpp:165): trace message: RAS starting
  [Thu May 07 13:21:39 2009]     4448     4228     (.dtsdts.cpp:1794): trace message:
  TraceLog 2009  5  7  8:21:39.936 4448 4228 (.dtsdts.cpp:2039): CDTSApp::InitInstance(): In CDTSParameters::RUN
  [Thu May 07 13:21:39 2009]     4448     4228     (.dtsdts.cpp:1794): trace message:
  TraceLog 2009  5  7  8:21:39.936 4448 4228 (.dtsdts.cpp:2055): CDTSApp::InitInstance(): Starting server. Process Id=4448
  [Thu May 07 13:21:39 2009]     4448     4228     (.dtsdts.cpp:1794): trace message:
  TraceLog 2009  5  7  8:21:39.936 4448 4228 (.dtsdts.cpp:2062): CDTSApp::InitInstance(): setServerParameters() done
  [Thu May 07 13:21:39 2009]     4448     4228     (.dtsdts.cpp:1794): trace message:
  TraceLog 2009  5  7  8:21:39.936 4448 4228 (.dtsdts.cpp:2130): CDTSApp::InitInstance(): initLicenseLimit() returns 1
  [Thu May 07 13:21:39 2009]     4448     4228     (.dtsdts.cpp:1794): trace message:
  TraceLog 2009  5  7  8:21:39.936 4448 4228 (.dtsdts.cpp:3895): CDTSApp::loadServerOptions(): about to SaveToRegistryAsDefault
  [Thu May 07 13:21:39 2009]     4448     4228     (.dtsdts.cpp:1794): trace message:
  TraceLog 2009  5  7  8:21:39.936 4448 4228 (.dtsdts.cpp:3897): CDTSApp::loadServerOptions(): done SaveToRegistryAsDefault hr=-2147024891
  [Thu May 07 13:21:39 2009]     4448     4228     (.dtsdts.cpp:1794): trace message:
  TraceLog 2009  5  7  8:21:39.936 4448 4228 (.dtsdts.cpp:3916): CDTSApp::loadServerOptions(): error Access is denied.
  [Thu May 07 13:21:39 2009]     4448     4228     (.dtsdts.cpp:1794): trace message:
  TraceLog 2009  5  7  8:21:39.936 4448 4228 (.dtsdts.cpp:2134): CDTSApp::InitInstance(): loadServerOptions() returns 0
  [Thu May 07 13:21:39 2009]     4448     4228     (.dtsdts.cpp:1794): trace message:
  TraceLog 2009  5  7  8:21:39.936 4448 4228 (.dtsdts.cpp:2194): CDTSApp::InitInstance(): getDataEngineName() returns C:TrouxBusiness Objectscommon3.5 incrpe32.dll
  [Thu May 07 13:21:39 2009]     4448     4228     (.dtsdts.cpp:1794): trace message:
  TraceLog 2009  5  7  8:21:39.936 4448 4228 (.dtsdts.cpp:2197): CDTSApp::InitInstance(): openEngine() returns 0
  [Thu May 07 13:21:39 2009]     4448     4228     (.dtsdts.cpp:1794): trace message:
  TraceLog 2009  5  7  8:21:39.936 4448 4228 (.dtsdts.cpp:2292): CDTSApp::InitInstance(): preloadMSXML() done
  [Thu May 07 13:21:39 2009]     4448     4228     trace message: EnCOMSessionMgr::EnCOMSessionMgr begins...
  [Thu May 07 13:21:39 2009]     4448     4228     trace message: EnCOMSessionMgr::EnCOMSessionMgr trying to get Singleton SessionManager.
  [Thu May 07 13:21:39 2009]     4448     4228     trace message: CInfoSessionManager::Initialize start
  [Thu May 07 13:21:39 2009]     4448     4228     trace message: CInfoSessionManager::Initialize, start the cluster refresh thread
  [Thu May 07 13:21:40 2009]     4448     4228     (.dtsdts.cpp:1794): trace message:
  TraceLog 2009  5  7  8:21:40.217 4448 4228 (.dtsdts.cpp:2445): CDTSApp::InitInstance(): caught UNKNOWN EXCEPTION!!!
  [Thu May 07 13:21:40 2009]     4448     4228     (.dtsdts.cpp:1794): trace message:
  TraceLog 2009  5  7  8:21:40.217 4448 4228 (.dtsdts.cpp:2461): CDTSApp::InitInstance() returns 0
  [Thu May 07 13:21:40 2009]     4448     4228     (.dtsdts.cpp:1794): trace message:
  TraceLog 2009  5  7  8:21:40.217 4448 4228 (.dtsdts.cpp:1039): CAgentMapMT::ShutDown - outstanding agents:
  [Thu May 07 13:21:40 2009]     4448     4228     (.ashwin32service.cpp:329): trace message: RAS Exiting: return code = 0
  In the Windows event viewer, this error is echoed:
  Failed to load Report Application Server settings from the system registry.
  Detailed Message: Access is denied.
  It seems my service account needs a certain permission to be able to load and read the registry for this application, and I'm sure this permission is discussed in the missing kbase article. 
  Could you please let me know what permission is required for this user on the OS? This is Win2003 x64 SP2.
  Thanks, and have a good day

  Hi,
  if this a permissions problem then just start +regedit*, go to
  My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects
  select it, press the right mouse button and choose Permissions. Press the advanced button and assign your service account with full control at this point of the registry. Do not forget to select the +Replace Permissions Entries on all child objects ... + option.
  You can also take a look at Notes 1199630 and 1201489 (this one is for CR 10 but it may be worth it to follow the instructions there) ( [https://service.sap.com/notes])
  Regards,
  Stratos

• Creating a Service User

  I'm trying to create a Service User in the portal.  I've come across this link:
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/cfdc9e90-0201-0010-6780-cc30206dd319
  On page 7, it says that "Service Users reside only in the database. This can be achieved by settings in the configuration file."
  It then goes on to say that several service users such as cmadmin_service are added by KM.  My question is, how do I add my own service users?  My portal is not using LDAP as a user repository, just the portal DB.
  Thanks,
  Matt

  First, thanks for the reponse -
  Yes - I believe the namespace is $serviceUser$.  Since our portal is not integrated with a user repository like AD, how would I create a service user with appropriate namespace?  Creating users via the User Administration role, I cannot assign the new users to the $serviceUser$ namespace.  Do I have to write some SQL to insert into the user database table?
  Thanks again.

• What are the roles need to add for webservice user in SAP ECC 6.0

  Dear SDNS,
  Can you please help me to understand , what are the roles needed to add while creating a webservice user in ABAP STACK.
  Really appreciate your immediate help and response.
  Thanks and Regards.
  Suraj

  Hi Suraj,
  Please refer to this link & apply the role/s as per the requirements for the web service user:
  [http://help.sap.com/saphelp_nwpi71/helpdata/en/2b/07074155bcf26fe10000000a1550b0/content.htm]
  Best Regards, Trevor

• ABAP Service Users  not working - important

  Hi,
  I installed finally BPC 75 NW, and I cannto get ito the application for the 1° time because I have several issues.... I get the error "The user ID, password  cannot be authenticated. Make sure you entered valid credentials".
  On Server Mgr. i get 2 errors " Sap server connection : database connection"  and "ms message queue:  queue name:  .private$BPCstatusmessagequeue".
  I have done eveything in order to solve this... but... after a lot of research I found a note where it is suggested to uninstall, however I still want to change some parameters as described in the installation guide, I hope you can please help me to clear this:
  Manual, page 43, installation for NW.
  - ABAP service users can be locked as a result of the install.
  - Check and unlock users, use SU01, press Ctrl + F5  (done, not a problem)
  - Check that COM + Components exist (done)
  - Check interfaces (this means changes in Pooling & Recycling?)
  - Check that librfc32.dll is set up appropiately (I had the problem during install where i needed to reassign this dll, now is not an issue  unless there is something else to check that i am not aware of)
  - IIS Port (80 by default right?)
  - ServerConfiguration.config for the correct username and system info (cant find this file)
  - Registry Entries on 32 and 64 bits (how can I do this)
  - Check C:windowssytem32driversetchosts file to ensure that a fully qualified domain and IP resolution exists (what exactly do i need to check)
  On server mgr also I have for  COM+ components " domain system administrator with which i installed  & password"   is this right?
  Thanx in advance, it is really important.
  Velázquez

  Hi,
  Thanx for the feedback !! really appreciate it. Here is the response:
  The COM components are ok, as well as the MSMQ and every other component you mentioned (also reinstalled it). I reactivated all "dictionary" to the 3 users created in ABAP, changed role to communication, and give SAP_ALL permission.
  In the machine, changed the Default web site to port 81 (to let BPC website take port 80)
  Reinstalled  NET 2.0, set all components for BPC website to Net 2.0
  Created the 3 abap users in domain and gave in both systems  the same password.
  Entered in the machine as the administrator user (also administrator in Netweaver) and started the installation without trouble.
  After that, tried to run the server diagnostic but this user was lacking permits, so I added the 3 users (abap) in the local machine as administrators, in a  new group called BPC (only giving the administrator role). Entered now in the machine as BPC_SYSADMIN and ran the Server Diagnostic without trouble.
  After doing this, I now am facing an issue trying to add users to the 1° appset... choosing the domain users... however someone mentioned that this is related to the NET tier, is it better to reinstall this tier completely or at least try with NET 1.1, but im just about to find out.
  Thanx again for the response.
  Velázquez

• Copy distribution list  to all content services user folders

  We have an Outlook distribution list PST file that current resides in a Windows file server. This gets pushed out the the personal folder of each user overnight.
  Going forward, we need to push this PST file to all the Content Services user personal folders (Users-A, Users-B ... Users-Z).
  I created a single superuser that has all administrative rights to all the users personal folders. And I can upload a file through the webdav http interface.
  with the "Upload" button while I'm "Switched to Administrative Mode" only.
  And I can't see the users personal folders while using the Oracle Drive nor
  thru a Network drive.
  Is there a way of pushing this to all the users' personal folders???

  Hi Juan,
  I tried that but it is not showing the shared distribution list for moving.
  I found 1 sap BC office document which stats that moving the distribution list form Private to public is not possible due to security reason.
  So, no options for me and to create manual shared distribution list.
  Thanks
  Anil

• No service user name found for Integration Server

  Hi All,
  Our XI is in production..once in a while (once in every 3 weeks) messages get fail saying: No service user name found for Integration Server. When we re-start J2EE engine, messages get processed fine. Does anyone know the reason for the above error?
  <SAP:AdditionalText>3:No service user name found for Integration Server is.00.******<S/AP:AdditionalText>
  <SAP:Stack>Error when reading the access data(URL, user, password)
  Thanks
  Indrasena

  Hi,
  did you configure your adapters like IDoc, RFC based on the SAP service user created in the SAP system ? i,e RFC destination etc..
  did you check pipeline url is correct in the SLD>Business System><Integration Server> and check the url. It should have http port.
  Also check this thread-
  sRFC-adapter  and file adapter with error: no adapter found
  Regards,
  moorthy

• Could any one tell me that How can i create the service User ie j2ee SID

  hi all,
  In the implementation of SPNego Authentication schem in my portal system.
  i want to create the service user ie .j2ee-<SID>.
  <b>could any one tell me that How can i create the service User ie j2ee-<SID> in my visual administrator??</b>.
  any help will be highly Appretiated .
  thanks and regards.
  vinit soni.

  Vineet,
  the user management tab opens in Read Only mode - thats why the button is coming as disabled. There is a button for switching into Edit mode - it looks like a pen / pencil on the top bar. Click on that - your "Create User" button would be enabled.
  Also regarding creation of Service User via code level you can see <a href="https://www.sdn.sap.com/irj/sdn/thread?messageID=1057074">THIS</a> thread. And <a href="http://HERE">http://help.sap.com/saphelp_nw04/helpdata/en/f9/e3162ec55f4df6922d161f3785012a/frameset.htm</a>HERE[/url] is the SAP Help documentation on required permission settings.
  Regards,
  Shubhadip
  Message was edited by:
          Shubhadip Ghosh
  Message was edited by:
          Shubhadip Ghosh

• Unable to create service user Installation

  Hi am unable to create PIAPPLUSER service user.Am installing NW2004s on AIX.
  Its using the BAPI_USER_CREATE1 to create the user, everything is successful but at last it gets a message RFC connection closed.Is this some thing to do with SLD? I created the user PIAPPLUSER manually, but then also its giving RFC connection closed...Please help me...Answers will be greatly rewarded...
  INFO       2007-04-19 12:31:08 [iaxxrfcimp.cpp:478]
             CAbRfcImpl::checkSysInfoSAP
  Version 700  of remote SAP System QPI accepted.
  INFO       2007-04-19 12:31:08 [iaxxrfcimp.cpp:594]
             CAbRfcImpl::setFunction
  Setting new application function BAPI_USER_CREATE1.
  INFO       2007-04-19 12:31:08 [iaxxrfcimp.cpp:1017]
             CAbRfcImpl::callLibraryFunction
  Generating interface for remote function.
  INFO       2007-04-19 12:31:09 [iaxxrfcimp.cpp:1065]
             CAbRfcImpl::performFunctionCall
  Function call was successful.
  INFO       2007-04-19 12:31:09 [iaxxrfcimp.cpp:924]
             CAbRfcImpl::getRfcInterfaceSAP
  Function interface generated successfully.
  INFO       2007-04-19 12:31:10 [iaxxrfcimp.cpp:926]
             CAbRfcImpl::getRfcInterfaceSAP
  Technical properties of function set successfully.
  INFO       2007-04-19 12:31:10 [iaxxrfcfls.cpp:107]
             CRfcFuncRep::insFuncIf
  Information for application function BAPI_USER_CREATE1 copied to local Repository.
  INFO       2007-04-19 12:31:10 [iaxxrfcimp.cpp:622]
             CAbRfcImpl::setFunction
  Function module BAPI_USER_CREATE1 set successfully.
  INFO       2007-04-19 12:31:10 [iaxxrfcimp.cpp:1032]
             CAbRfcImpl::callFunction
  Executing function call BAPI_USER_CREATE1.
  INFO       2007-04-19 12:31:10 [iaxxrfcimp.cpp:1065]
             CAbRfcImpl::performFunctionCall
  Function call was successful.
  INFO       2007-04-19 12:31:10 [iaxxbjsco.cpp:561]
             CIaJSCo::disconnect_impl(001:DDIC:EN:tsqa1d03:40:::)
  RFC connection closed.
  ERROR      2007-04-19 12:31:11 [iaxxejsbas.cpp:178]
             EJS_ErrorReporter
  FJS-00003  TypeError: this.getSystemInfo() has no properties (in script NW_Onehost|ind|ind|ind|ind, line 12941: ???)
  ERROR      2007-04-19 12:31:11 [iaxxgenimp.cpp:736]
             showDialog()
  FCO-00011  The step CreateUser with step key |NW_Onehost|ind|ind|ind|ind|0|0|SAP_Software_Features_Configuration|ind|ind|ind|ind|5|0|NW_Usage_Types_Configuration_PI|ind|ind|ind|ind|1|0|GenericNewCreateAbapUser|ind|ind|ind|ind|1|3|CreateUser was executed with status ERROR .

  Hi
  I did that....I created the user manually and assigned the role...Then also its not crossing the step "Creating PIAPPL USER step".If it passes thru this step...am all set to go with my installation...Any help??

• Create Substitute Users in SAP ECC 6.0

  Dear Gurus,
  Can someone guide on how to create a temporary user Substitute User) in SAP ECC 6.0. This is a user who will only use the SAP system for a short period while the substantive user is away on leave such that the system should lock the substitute user automatically when the leave preiod expires.
  regards,
  Chansa

  > Very valid points on the PID's etc - hadn't thought of those!.
  A lot of things are easily overlooked when designing substitution or emergency user procedures.
  > Seems that, if the covering user doesn't have the authorisations in their UMR and has to fall back on the reference user's roles, it shows the reference user ID instead.
  This would be very application specific and is not "mainstream". Where you can use it is with WAPIs (Workflow Application Program Interfaces) and BatchInput has been much the same for decades already.
  > I'm not really sure if there''s a way around this as it may cause some questions internally but may benefit the business as the supplier/vendor etc think they are still dealing with their original contact.
  On the backend you still have the created by and posted by fields for many application documents (all else being the same - which I would not rely on...).
  > For small user groups, when one person is covering for another absent user in their user group then there shouldn't be any increased SoD figures (as long as reporting on org levels hasn't been activated in RAR) but we have found many instances where the covering user is either a team leader or similar which tends to increase SoD.
  This is often because the user ID is changed (to a service user) when entering the "special mode". So access other user's (namely back to your own)  spools, jobs, variants, layouts, work items, queries, office messages, etc etc is needed, and these are generally protected by strong administrator authority-checks. These will in combination provide many SoD conflicts or usually over-riding system admin access which makes the application restriction pretty weak in comparison.
  > Pity it (SM20N) doesn't seem to work by user group but not bad at all...
  It does via naming conventions, but is backward compatible for those already logging SAP* user and expecting no entries, which would then become all users starting with the name SAP... See Rz11 param rsau/user_selection (default is "off").
  > Can't make the Berlin conference unfortunately but thank you for the welcome to SDN.
  You can keep an eye out for "SDN Hacker Lunch" in the news streams. After the event, I normally put the infos and discussions together into a blog on SDN.
  Cheers,
  Julius

• How To Create a Service User

  Hello,
  How do I create a service user in EP (or the WAS) similar to the built in service users that come with EP like cadmin_service, index_service, etc.?
  Of course, I've tried creating a normal user, but it does not show up as a service user.  Do I have to create service users programmatically or is there a GUI to do it?
  Thanks!

  Hi Chris,
  > the code used still didn't work
  Please read the post carefully, the creation of the user worked, but the questionner had problems concerning permissions using this user as PCD access user.
  Even if I'm not from SAP: The way shown <i>is</i> the "official" way. To be concrete: IServiceUserFactory is not release, but this is the way SAP itself works with this issue. Also see http://media.sdn.sap.com/html/submitted_docs/60_sp2_javadocs/ume/com/sap/security/api/UMFactory.html#getServiceUserFactory()
  Hope it helps
  Detlev