By default, the AS Java provides standard users for administrative and guest access, as well as communication users for connecting to the installed user data store. The standard users on the AS Java vary according to the user store and installation options and are as shown in the table below.
AS Java Standard Users

| Description | UME with AS ABAP | UME with LDAP | Database (DB) store |
|---|---|---|---|
| Administrator user | Specified during the installation. Example: J2EE_ADM_<SID>. For an add-in installation the standard user is J2EE_ADMIN. | Administrator. This user has unlimited administrative permissions over the AS Java. We recommend that you use strong password and auditing policies for this user. | Administrator. This user has unlimited administrative permissions over the AS Java. We recommend that you use strong password and auditing policies for this user. |
| Guest user | Specified during the installation. Example: J2EE_GST_<SID>. For an add-in installation, this user is J2EE_GUEST. | Guest. This user is also used for anonymous access to the AS Java. By default, this user is locked. | Guest. This user is also used for anonymous access to the AS Java. By default, this user is locked. |
| Technical user | Specified during installation. Example: SAPJSF_<SID>. In case you have several AS Java systems with AS ABAP data sources, we recommend that you create system-specific communication users using the above naming convention. | Configuration of the communication users for LDAP data sources is performed as an additional post-installation step. | DB user is specified during installation. Example: SAP<SID>DB. The AS Java also uses this user for DB connectivity when you configure the UME with a DB user store. |
You can use the Parameter Summary screen at the end of the input phase of the installation to revise or change the standard user IDs. In addition, if the user management engine (UME) is configured to use an AS ABAP system for user management, you can enter the name of the ABAP user that is defined as administrator for this system.
When using the UME with AS ABAP in an add-in installation, the AS Java users must exist in the AS ABAP data source. In addition, you have to complete the initial password setup for the AS ABAP users, prior to creating the respective users on the AS Java.
For more information, see UME Data Sources in the UME documentation.
In addition to the above standard users, a default AS Java installation can also contain the following technical users:
| User | Description |
|---|---|
| ADSuser | Used for communication between the AS Java and the Adobe Document Services (ADS). This user is created in the AS Java or in the AS ABAP depending on the user store installation settings. For more information, see the Adobe Config Guide in the ADS Documentation and SAP Interactive Forms by Adobe Security Guide in the SAP NetWeaver Security Guide. |
| caf_mp_scvuser | Used internally in the Composite Application Framework (CAF) core transport system whenever the execution of a certain function requires administrator permissions, and the caller principal does not have this permission. The CAF also uses this service user to communicate with other AS Java services. For more information, see Composite Application Framework Core Security Guide in the SAP NetWeaver Security Guide. |
Security Considerations for Standard Users
You assign initial passwords for the AS Java standard users during installation. In your productive operations or after the installation is complete, you can use the UME and the AS Java administration tools to change the initial passwords, manage the default properties for these users, lock users and create users with equivalent permissions on the AS Java.
For more information, see Administration of Users and Roles in the Administration Manual.
By default, the administrator user is used by certain applications on the AS Java to perform administrative and installation tasks, for example software deployment and undeployment. For additional security, you can assign the use of another administrator user on the AS Java and lock the use of the administrator user.
For more information about creating AS Java users, see Managing Users, Groups, and Roles in the Administration Manual.
We recommend that you do not delete the default administrator user. If you decide to lock the default administrator user, you have to create another AS Java user with equivalent administrative privileges, for example by assigning it to the Administrators user group. In addition, you have to update the security credentials of the new administrator user in the AS Java file system secure store and in the configuration properties of the JMS service of the AS Java.
For more information, see Modifying the Default Administrator User in the Administration Manual.
Emergency User
In case of emergency, you can enable the Emergency User store on the AS Java. By default, this user store contains only one user, SAP*. For security purposes, when the Emergency User store is enabled, users defined in other user stores are unable to access the AS Java.
The SAP* user is the emergency user that has full administrative authorizations and can be used to reconfigure UME if the configuration is faulty and administrators and users can no longer access applications. To use this user, you must explicitly activate it and specify its password. For more information, see Activating the Emergency User in the Administration Manual.
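The following added example, which is not SAP code and not part of the original documentation, shows how the naming conventions and recommendations above can be turned into a periodic account review. The CSV columns (user_id, locked, groups), the sample rows, and the three-character <SID> pattern are assumptions made for illustration; the input is not an SAP export format.

```python
import csv
import io
import re

SID = r"[A-Z][A-Z0-9]{2}"  # assumption: three-character system ID
# Standard user names as listed on this page, matched ignoring case.
ROLES = [
    ("administrator", rf"J2EE_ADM_{SID}|J2EE_ADMIN|Administrator"),
    ("guest", rf"J2EE_GST_{SID}|J2EE_GUEST|Guest"),
    ("communication", rf"SAPJSF_{SID}|SAP{SID}DB"),
    ("service", r"ADSuser|caf_mp_scvuser"),
    ("emergency", r"SAP\*"),
]

def classify(user_id):
    """Return the standard-user role for an ID, or None for ordinary users."""
    for role, pattern in ROLES:
        if re.fullmatch(pattern, user_id, re.IGNORECASE):
            return role
    return None

def audit(csv_text):
    """Return (user_id, finding) pairs for a hypothetical user inventory."""
    rows = list(csv.DictReader(io.StringIO(csv_text.strip())))
    for row in rows:
        row["role"] = classify(row["user_id"])
        row["locked"] = row["locked"].strip().lower() == "yes"
        row["groups"] = set(filter(None, row["groups"].split(";")))
    # Unlocked members of the Administrators group can stand in for the default admin.
    active_admins = [r for r in rows if "Administrators" in r["groups"] and not r["locked"]]
    findings = []
    for row in rows:
        if row["role"] == "guest" and not row["locked"]:
            findings.append((row["user_id"], "guest user unlocked; default is locked"))
        elif row["role"] == "emergency" and not row["locked"]:
            findings.append((row["user_id"], "emergency user active; confirm this is intended"))
        elif row["role"] == "administrator" and row["locked"] and not active_admins:
            findings.append((row["user_id"], "default admin locked with no equivalent administrator"))
    return findings

# Constructed sample inventory (columns are hypothetical, not an SAP export format).
SAMPLE = """
user_id,locked,groups
J2EE_ADM_NWJ,yes,Administrators
J2EE_GST_NWJ,no,
SAPJSF_NWJ,no,
ADSuser,no,
jdoe,no,Everyone
"""

if __name__ == "__main__":
    for user_id, finding in audit(SAMPLE):
        print(f"{user_id}: {finding}")
```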