XI J2ee roles

On the UME side, do user groups like sap_xi_adminstartor_j2ee, sap_xi_configurator_j2ee...etc have any roles or actions assigned to them?
I'm confused because when i look at sap_j2ee_admin & sap_sld_ administrator user groups on the UME, I see tht there are roles & actions assigned to them by default.
Thanks.

Hi The role sap_j2ee_admin is created by default and it is a single role unlike the others that you have mentioned. The ones that you have mentioned are composite roles which are created seperately. You can assign actions and individuale roles to it. you can also assign profiles to it. You can do these in the transaction PFCG.
Reward if helpful.

Similar Messages

Client certificate authentication with custom authorization for J2EE roles?

We have a Java application deployed on Sun Java Web Server 7.0u2 where we would like to secure it with client certificates, and a custom mapping of subject DNs onto J2EE roles (e.g., "visitor", "registered-user", "admin"). If we our web.xml includes:
<login-config>
 <auth-method>CLIENT-CERT</auth-method>
 <realm-name>certificate</realm-name>
<login-config>that will enforce that only users with valid client certs can access our app, but I don't see any hook for mapping different roles. Is there one? Can anyone point to documentation, or an example?
On the other hand, if we wanted to create a custom realm, the only documentation I have found is the sample JDBCRealm, which includes extending IASPasswordLoginModule. In our case, we wouldn't want to prompt for a password, we would want to examine the client certificate, so we would want to extend some base class higher up the hierarchy. I'm not sure whether I can provide any class that implements javax.security.auth.spi.LoginModule, or whether the WebServer requires it to implement or extend something more specific. It would be ideal if there were an IASCertificateLoginModule that handled the certificate authentication, and allowed me to access the subject DN info from the certificate (e.g., thru a javax.security.auth.Subject) and cache group info to support a specialized IASRealm::getGroupNames(string user) method for authorization. In a case like that, I'm not sure whether the web.xml should be:
<login-config>
 <auth-method>CLIENT-CERT</auth-method>
 <realm-name>MyRealm</realm-name>
<login-config>or:
<login-config>
 <auth-method>MyRealm</auth-method>
<login-config>Anybody done anything like this before?
--Thanks

We have JDBCRealm.java and JDBCLoginModule.java in <ws-install-dir>/samples/java/webapps/security/jdbcrealm/src/samples/security/jdbcrealm. I think we need to tweak it to suite our needs :
$cat JDBCRealm.java
* JDBCRealm for supporting RDBMS authentication.
* This login module provides a sample implementation of a custom realm.
* You may use this sample as a template for creating alternate custom
* authentication realm implementations to suit your applications needs.
* In order to plug in a realm into the server you need to
* implement both a login module (see JDBCLoginModule for an example)
* which performs the authentication and a realm (as shown by this
* class) which is used to manage other realm operations.
* A custom realm should implement the following methods:
* <ul>
* <li>init(props)
* <li>getAuthType()
* <li>getGroupNames(username)
* </ul>
* IASRealm and other classes and fields referenced in the sample
* code should be treated as opaque undocumented interfaces.
final public class JDBCRealm extends IASRealm
 protected void init(Properties props)
 throws BadRealmException, NoSuchRealmException
 public java.util.Enumeration getGroupNames (String username)
 throws InvalidOperationException, NoSuchUserException
 public void setGroupNames(String username, String[] groups)
}and
$cat JDBCLoginModule.java
* JDBCRealm login module.
* This login module provides a sample implementation of a custom realm.
* You may use this sample as a template for creating alternate custom
* authentication realm implementations to suit your applications needs.
* In order to plug in a realm into the server you need to implement
* both a login module (as shown by this class) which performs the
* authentication and a realm (see JDBCRealm for an example) which is used
* to manage other realm operations.
* The PasswordLoginModule class is a JAAS LoginModule and must be
* extended by this class. PasswordLoginModule provides internal
* implementations for all the LoginModule methods (such as login(),
* commit()). This class should not override these methods.
* This class is only required to implement the authenticate() method as
* shown below. The following rules need to be followed in the implementation
* of this method:
* <ul>
* <li>Your code should obtain the user and password to authenticate from
* _username and _password fields, respectively.
* <li>The authenticate method must finish with this call:
* return commitAuthentication(_username, _password, _currentRealm,
* grpList);
* <li>The grpList parameter is a String[] which can optionally be
* populated to contain the list of groups this user belongs to
* </ul>
* The PasswordLoginModule, AuthenticationStatus and other classes and
* fields referenced in the sample code should be treated as opaque
* undocumented interfaces.
* Sample setting in server.xml for JDBCLoginModule
* <pre>
* <auth-realm name="jdbc" classname="samples.security.jdbcrealm.JDBCRealm">
* <property name="dbdrivername" value="com.pointbase.jdbc.jdbcUniversalDriver"/>
* <property name="jaas-context" value="jdbcRealm"/>
* </auth-realm>
* </pre>
public class JDBCLoginModule extends PasswordLoginModule
 protected AuthenticationStatus authenticate()
 throws LoginException
 private String[] authenticate(String username,String passwd)
 private Connection getConnection() throws SQLException
}One more article [http://developers.sun.com/appserver/reference/techart/as8_authentication/]
You can try to extend "com/iplanet/ias/security/auth/realm/certificate/CertificateRealm.java"
[http://fisheye5.cenqua.com/browse/glassfish/appserv-core/src/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java?r=SJSAS_9_0]
$cat CertificateRealm.java
package com.iplanet.ias.security.auth.realm.certificate;
* Realm wrapper for supporting certificate authentication.
* The certificate realm provides the security-service functionality
* needed to process a client-cert authentication. Since the SSL processing,
* and client certificate verification is done by NSS, no authentication
* is actually done by this realm. It only serves the purpose of being
* registered as the certificate handler realm and to service group
* membership requests during web container role checks.
* There is no JAAS LoginModule corresponding to the certificate
* realm. The purpose of a JAAS LoginModule is to implement the actual
* authentication processing, which for the case of this certificate
* realm is already done by the time execution gets to Java.
* The certificate realm needs the following properties in its
* configuration: None.
* The following optional attributes can also be specified:
* <ul>
* <li>assign-groups - A comma-separated list of group names which
* will be assigned to all users who present a cryptographically
* valid certificate. Since groups are otherwise not supported
* by the cert realm, this allows grouping cert users
* for convenience.
* </ul>
public class CertificateRealm extends IASRealm
 protected void init(Properties props)
 * Returns the name of all the groups that this user belongs to.
 * @param username Name of the user in this realm whose group listing
 * is needed.
 * @return Enumeration of group names (strings).
 * @exception InvalidOperationException thrown if the realm does not
 * support this operation - e.g. Certificate realm does not support
 * this operation.
 public Enumeration getGroupNames(String username)
 throws NoSuchUserException, InvalidOperationException
 * Complete authentication of certificate user.
 * As noted, the certificate realm does not do the actual
 * authentication (signature and cert chain validation) for
 * the user certificate, this is done earlier in NSS. This default
 * implementation does nothing. The call has been preserved from S1AS
 * as a placeholder for potential subclasses which may take some
 * action.
 * @param certs The array of certificates provided in the request.
 public void authenticate(X509Certificate certs[])
 throws LoginException
 // Set up SecurityContext, but that is not applicable to S1WS..
}Edited by: mv on Apr 24, 2009 7:04 AM

J2EE roles vs Portal roles vs ABAP roles

(I also posted this on portal implementation, but i hope i receive more reactions here )
Dear all,
I have a question about the information on the following link:
http://help.sap.com/saphelp_nw2004s/helpdata/en/4c/6c0f40763f1e07e10000000a1550b0/content.htm
It says the following:
"These functions are intended to assign users and their assigned portal roles a corresponding role in the SAP System. This corresponding role (authorization role) contains the authorizations needed to execute certain functions from the portal."
1. These "...certain functions..." they talk about, can someome give an example of these functions?
2. Is it possible for example to create a role in the portal that gives a user authorisation for starting transaction SE80 in the backend system? Without making the role in the backend first and uploading it to the portal.
3. It's also possible to upload ABAP roles to the portal. Is the main reason for this that users can see their SAP menu (or part of it) in the portal? Or does this have other advantages too?
4. I'm very confused about the relation between J2EE roles, portal roles and ABAP roles. Is it possible to manage the roles for a user in one place, without having to do certain actions in the portal AND the backend system?
From what I've read on help.sap.com, you always need to do certain actions in both places.
A possible approach is the following (from what i know): Creation of roles in the R/3 system, without assigning to users. From a webdynpro application, a user can then be created and roles can be assigned: portal roles (via some API) and R/3 roles (via BAPIs).
I hope someone can give a bit information on this issue. I've done alot of reading on help.sap.com, but it's still an abstract issue for me.
Kind regards,
Joren

Hi Jorem
Re: point 3. I don't build portal roles through this mechanism as I don't believe in replicating the SAP easy access menu inside the portal. If there are some specific functions (transactions) that I want to run inside the portal, then I might use this mechanism to build the iViews once. I would rather start an iView that runs transaction SMEN and let the user see their regular easy access menu.
Please note that the speed of executing transactions in the portal isn't a function of the portal, but the fact that you are using ITS, for example, to web enable the transaction...
Re: point 4. Groups are a UME concept. They have nothign to do with ABAP groups. They can be created directly in UME through user administration functions, or they can be created in the LDAP and then they are visible in the portal. If the UME points to an ABAP system, then the ABAP roles are autoamtcially visible as UME groups. Groups created in the UME need to have the members assigned through user admin functions of the Java engine. Groups stored in LDAP are maintained using LDAP admin tools. There are upload utilities that allow you to maintain LDAP users and groups through text files. Google LDIF for more details.
Roles on the portal need to be built in the portal contetn directory. As Michael mentioned, this can be automated by the use of the role upload function built into the portal.

J2EE role level??

What is this meaning of j2EE role level? The link is in http://getahead.ltd.uk/dwr/server/dwrxml/creators
You can also specify J2EE role level access control as follows:
<create creator="new" javascript="Fred">
<param name="class" value="com.example.Fred"/>
<auth method="setWibble" role="admin"/>
</create>

What's DWR?Simply following the OP's first link is too difficult, huh?
Btw, Google is your friend, too:
http://en.wikipedia.org/wiki/DWR

J2EE role with SSO tickets

We are implementing EP and R/3 on MySAP ERP 2004. There are separate J2EE engines for portal and R/3. The R/3 j2ee accepts tickets from the portal and passes to ABAP instance. We are looking to deploy WebDynpro applications outside of the portal. Can the R/3 J2EE both issue tickets with authentication and accept tickets from the portal? Or should only the portal j2EE issue the login tickets?

Hi Stephen,
although I don't have practical experience with that, by reading through the docs I don't see a reason not to have a J2EE Engine as both ticket issuing and accepting system. Perhaps you could take a look at the configuration procedures in the docs and try them out. Here's the link: http://help.sap.com/saphelp_nw04/helpdata/en/53/695b3ebd564644e10000000a114084/frameset.htm
Hope that helps at least a bit!

Dignostic Error-Failed to assign UME support Roles : Server returned: 503

Hi All,
We are trying to implement diagnostics on one of our EPortal Server. We have already completed all the pre-requisites of diagnostics on EP .
When we try for diagnostics System >Managed System> it gives us following error
User existence check failed : Server returned: 503 Service Unavailable
The following J2EE roles were granted to user SAPSUPPORT : SAP-J2EE-Engine/SAP_JAVA_SUPPORT
Failed to get User ID for user with logonname SAPSUPPORT
!! Exception : Server returned: 503 Service Unavailable
Failed to assign UME support Roles : Server returned: 503 Service Unavailable
Failed to assign UME support Roles for XI : Server returned: 503 Service Unavailable
We have checked UME Page on Eportal , where the error is
Application cannot be started.
Details: com.sap.engine.services.deploy.container.ExceptionInfo: JMS error.
Please suggest.
Regards,
Swati

Hi,
Please try to re-start the JAVA instance and then try again.
Regards,
Thulasi

Getting portal roles in web dynpro

Hello
I'm sure this is a common problem but I've checked all the older posts and I just can't get it working.
We have a web dynpro app that runs within an EP iView (EP6SP14), and we need to retrieve the portal roles for the user.
With the APIs (using IRole and IUser and the getRoles() method) we only get the J2EE roles. These are not the same.
Can anyone help?
Thanks
Chris

Hi
Thanks for the response. Unfortunately, we have already tried a similar approach. See our code below. It sees to pull the WAS J2EE roles, but not the PCD roles.
public void getPortalUserDetails( )
 IWDMessageManager messageManager =
 this.wdThis.wdGetAPI().getComponent().getMessageManager();
 PortalIntegrator portalIntegrator = null;
 new PortalIntegrator(this.wdThis.wdGetAPI());
 WDClientUser.forceLoggedInClientUser();
 if (WDPortalUtils.isRunningInPortal()) {
 try {
 IWDClientUser currentUser = WDClientUser.getCurrentUser();
 IUser sapCurrentUser = currentUser.getSAPUser();
 sapUser = sapCurrentUser;
 String userId = currentUser.getClientUserID();
 // Get the SAP Current User
 if (sapCurrentUser != null) {
 portalUserId = sapCurrentUser.getUniqueName();
public boolean isManager( )
 String roleName = null;
 boolean correct = false;
 try {
 if (sapUser != null) {
 Iterator rit = null;
 rit = sapUser.getRoles(true);
 IRoleFactory rfact = UMFactory.getRoleFactory();
 while (rit.hasNext()) {
 roleName = (String) rit.next();
 IRole role = rfact.getRole(roleName);
 wdComponentAPI.getMessageManager().reportSuccess(
 "rolename: " + roleName);
 correct = sapUser.isMemberOfRole(roleName, true);
 } catch (Exception e) {
 correct = false;
 Logger.error(e.toString());
 return correct;
// return true;

Whts the role of exchangeProfile in XI?

I'm bit confused about role exchange profile in XI. Could some one help me understanding it?
Sheetal

sheetal,
Exchange profile contains the set of parameter that are used for the complete functioning of SAP XI components. IT's more of a storage area.
From SAPp Help:
The exchange profile is an XML document that is stored in the main database of the SAP Exchange Infrastructure (XI). The parameters contained in this document define certain basic technical settings. Most of them are initialized automatically during the installation phase, but in some cases the administrator may need to maintain them. You can access the maintenance screen at:
http://<host:port>/exchangeProfile
In this HTTP address host and port are the host name and connection port of your Integration Server.
You are prompted for a user name and a password. A user with the J2EE security role administer is required. By default this J2EE role is mapped to role SAP_XI_ADMINISTRATOR_J2EE on SAP Web AS 6.40.
The HTTP address provides you with a browser-based interface for editing the exchange profile.
For more information about editing the exchange profile and for a list of available parameters, see the SAP Exchange Infrastructure Configuration Guide under Exchange Profile Parameters.
After any modification of the exchange profile, you must restart the Integration Server for the changes to take effect.
--Archana

How to create role(s) in Web As Java?

Hi there,
Can you please tell me how to create roles and assign to a user in Web AS Java Standalone system? I know How to do it if it is Dual Stack...but not with Standalone java System?
Thanks In Advance
Kumar

Hello Kumar,
I guess by by dual stack you mean an ABAP+JAVA environment right?
Anyways, in a JAVA only schema, if you are using your user store as UME, you can create the roles in UME through the browser by logging in as J2EE_ADMIIN or a suer with equivalent authorizations.
on the other hand you can create J2ee roles in Visual administrator(VA). For that you need to login to VA and go to the service Security provider. There you will find the option to create roles. But please be advised that the actions (equivalent of authorizations in ABAP stack) should already have been defined by your programmers before you can go ahead with the task of creating roles.
One morething, each J2EE role can contain only one action.
Where as in UME roles you can group them together.
Regards,
Prashant

Role in UME whereas user can be created only in ABAP

Hi experts,
I want to create a user with a MDM EC Administrator role in my WAS Java UME. But i get the following exception while doing so:
1.5#001CC46BDFC200660000153C0000108000044D2CF9474AB3#1210755462890#com.sap.security.core.persistence.datasource.imp.R3PersistenceBase#sap.com/tc~wd~dispwda#com.sap.security.core.persistence.datasource.imp.R3PersistenceBase.createPrincipalDatabag()#J2EE_ADMIN#305344#SAP J2EE Engine JTA Transaction : [631ffffffd660226ffffffb5]#IWDFVM2160.wdf_ERP_103929350#J2EE_ADMIN#72cab7e0219311dd998a001cc46bdfc2#SAPEngine_Application_Thread[impl:3]_4##0#0#Error#1#/System/Security/Usermanagement#Java#An exception was thrown in the UME/ABAP user management connector. Message: {0}.##An exception was thrown in the UME/ABAP user management connector. Message: {0}.
[EXCEPTION]
{1}#2#BAPI_USER_CREATE1@ERPCLNT001: ID=01, NUMBER=491, MESSAGE=You are not authorized to create users in group#com.sap.security.core.persistence.datasource.PersistenceException: BAPI_USER_CREATE1@ERPCLNT001: ID=01, NUMBER=491, MESSAGE=You are not authorized to create users in group
at com.sap.security.core.persistence.datasource.imp.R3PersistenceBase.handleBapiRet2Table(R3PersistenceBase.java:1186)
I problem is - role is existing in UME whereas i could create users only in ABAP. This role is not even visible in the ABAP side!
Is there any way to assign this role to that user?
Thanks in advance
Swarna

you can access the users at http://<host name>:5<sys.no>00/useradmin
You will get to see all the users you created in WAS ABAP... and here you can attach the j2ee roles to him..
Please come back if this reply doesnot answer you..
Award points if this found helpful

Retrieving EP roles from web dynpro

Hello
I'm sure this is a common problem but I've checked all the older posts and I just can't get it working.
We have a web dynpro app that runs within an EP iView (EP6SP14), and we need to retrieve the portal roles for the user.
With the APIs (using IRole and IUser and the getRoles() method) we only get the J2EE roles. These are not the same.
Can anyone help?
Thanks
Chris

Hi Chris,
have you tried to read the groups of your user? As far as i know, the roles from EP are mapped to the groups in J2EE.
Try something like this:
IWDClientUser user = WDClientUser.getCurrentUser();
Iterator groups = user.getSAPUser().getParentGroups(false);
while (groups.hasNext()) {
String bez = UMFactory.getGroupFactory().getGroup((String) groups.next()).getDisplayName();
// bez contains your roles (groups)
i hope that helps
regards
ingo

Authorization or roles assign?

Hi All,
I have installed Xi 3.0 on windows server 2003.but my users are getting this error not able to create a product. Its says "You
are not authorized to view the requested resource 403 forbidden".
What all the authorizations and roles i need to set for every user.
Regards,
Rohit

Error: HTTP 403 Forbidden
Description: The server understood the request, but is refusing to fulfill it
Possible Tips:
Path sap/xi/engine not active
HTTP 403 during cache refresh of the adapter framework - Refer SAP Note -751856
Because of Inactive Services in ICF Go to SICF transaction and activate the services. Refer SAP Note -517484
Error in RWB/Message Monitoring- because of J2EE roles Refer SAP Note -796726
Error in SOAP Adapter - "403 Forbidden" from the adapter's servlet. Because of the URL is incorrect or the adapter is not correctly deployed.
From
/people/krishna.moorthyp/blog/2006/07/23/http-errors-in-xi
Regards,
Prateek

SLD security roles

Hi all -
Could someone shed a light on the SLD security roles for me ?
SLD is running fine (on a EP JAVA WAS) but I seem to miss the roles that come with it (LcrUser, LcrAdministrator, etc...)
Can I import/deploy/create them ? When do I use the 'Assign User Groups to Roles' from the VA - SLD Data Supplier ?
thx guys,
Paul

Hi everyone,
the assignment of SLD roles can be done from the Policy Configurations in the Security Provider Service in the Visual Administrator. Once you are there you'll have to choose the sap.com/com.sap.lcr*sld component and then click the Security Roles tab. From there you should have access to the SLD roles. Since the SLD roles are J2EE roles (they won't show up in the User Management console) and you can assign them to users/user groups from VA.
You can use the "Assign roles to groups" button in the SDL Data Supplier service in case the UME is used with an ABAP backend user sotre. In this case the ABAP user roles will appear as user groups in the J2EE Engine. If the J2EE user groups are created after the SLD server has been deployed, you can perform the mappings by using the SLD configuration service in the Visual Administrator.
For documentation of the above, take a look at the Post Installation guide from service.sap.com/sld -> Media Library.
Hope this helps.
Regards,
Yonko

J2EE user authorization

Hell all,
This is related to XI3.1, which is J2EE+ABAP system.
I knwo that Roles in ABAP are called Groups in UME (J2EE) because J2EE has their own roles. ABAP roles are assigned in PFCG or SU01 and can only be viewed in UME console. Same users can be assigned to J2EE roles using UME colsole and these roles are maintained using UME console. They are called Roles in UME.
My question is regarding createting a user and resetting a password. Do I have to create a user in ABAP only using SU01 and reset the password in ABAP system only.
OR
I can do it in UME as well.
Because I see a create, modify button in UME where I can change the user password and create a new user.
AND if possible in both then whic one is advisable?
Your advice will be greately appreciated.
Thank you very much for the help.
SC

No problem, "hell all" was funny!
Anyway, my experience is that usually User Maintenance is done on the ABAP stack via SU01, which is considered the master, and then an automated mechanism (I couldn't go deeper by now) replicates on J2EE stack.
Obviously if you have to deal with J2EE specific auth, you have two approaches:
- strict: create dummy roles on ABAP, assign them and wait for replication
- easy: modify auth direcly on J2EE via UME (supposing J2EE is not locked on this function 'cause it's aware of being a slave in this process)
Hope this helps you.
Regards,
Alex

You do not have permission to view the System Landscape Directory.

Hello there,
When I accessed my SLD from portal, it took me to the page but kept saying:
- You do not have permission to view the System Landscape Directory. Minimum required: UME role with permission com.sap.lcr.LcrUser and J2EE role LcrUser. See the SLD Post-Installation Guide for details
- SLD not configured; configure the SLD in Administration first.
I searched on these forums for the above error. Got some results, but nothing really substantial that has helped/fixed my problem.
I also read a bit on SLD from the pdf file named: System Landscape
Directory of SAP NetWeaver 2004s
I also worked on the security roles and actions to individual
users or user groups like for ex: the above pdf file advised I map the security roles from Visual Administrator, to the created roles in the portal. I've done that too. Like create a user group: 'SAP_SLD_ADMINISTRATOR' and create a user role corresponding to it, which would be: 'LcrAdministrator'
Then, I went to visual administrator, and clicked on 'Assign User Groups to Roles'
Even after this, I tried to access the SLD from portal: It is still giving me the same error I mentioned above in bold italics.
Can somebody please help me how to fix this issue?
Thanks
Dino.

Graham:
Thank you very much for making the effort to reply to my query.
But, it still hasnt solved my problem yet.. for some reason even though I followed your instructions and did what you advised.
I have attached a screenshot of my Visual Administrator screen that you advised me to modify/change.
Here it is: http://img166.imageshack.us/img166/2259/screenshot002co1.jpg
After I made the changes, I restarted the J2EE server and went to my portal SLD page: [http://org-x:50000/sld]
Tried authenticating usernames: LcrAdministrator and Administrator.
Both attempts resulted in the same error show below:
- You do not have permission to view the System Landscape Directory. Minimum required: UME role with permission com.sap.lcr.LcrUser and J2EE role LcrUser. See the SLD Post-Installation Guide for details
- SLD not configured; configure the SLD in Administration first.
I am wondering, if you would have another workaround regarding this issue, can you please let me know?
Thanks
Dino.

XI J2ee roles

Similar Messages

Maybe you are looking for