Managing SAP User Store

Managing the SAP User Store

Note: An Adapter for SAP application typically executes different RFC client calls under different SAP user accounts. If the RFC client call needs to be executed with a different SAP user than the default user, it is recommended to create one RFC connection for each connected SAP system, and to override the SAP username and password during runtime.

IBM webMethods Adapter 7.1 for SAP provides the $user and $pass input parameters for all RFC Adapter Services and for the public client services "pub.sap.client:*" to implement overriding the default user at runtime.

With the previous Adapter for SAP versions, you have to store the SAP user names and SAP passwords as cleartext in $user and $pass input parameters in the application services.

IBM webMethods Adapter 10.1 for SAP extends the user overriding functionality by providing an indirect SAP User Alias mechanism for the RFC client call execution. It provides an SAP User Store user interface to maintain the SAP user aliases together with their associated SAP user names and passwords.

The indirect SAP User Alias mechanism allows you to:

  • Remove the SAP passwords from the application services.
  • Change the SAP username and password centrally without modifying the application services.

Note: An SAP User Alias is a unique key name for an SAP user. The SAP User Store holds a list of SAP User Alias entries. Each User Alias entry is associated to an SAP username and password.

The User Alias name is used during runtime to retrieve the SAP username and password from the SAP User Store.

The SAP User Store user interface allows you to add, modify and delete the required SAP User Alias entries.

Runtime Behavior

Note: The extended overriding functionality in IBM webMethods Adapter 10.1 for SAP uses the existing (optional) $user and $pass input parameters so that there are no changes in the service signatures required.

If both the $user and $pass values exist in the input pipeline, the runtime behavior remains unchanged. IBM webMethods Adapter 10.1 for SAP will interpret the values as cleartext username and password in the same way as previous versions of Adapter for SAP. Existing Adapter for SAP applications will show the same runtime behavior in this case.

However, if only the $user value exists in the pipeline and $pass is undefined, IBM webMethods Adapter 10.1 for SAP will take the $user value as the User Alias name to retrieve the SAP username and password from the SAP User Store.

Note: To use the extended overriding functionality for RFC client calls, the $pass value must be removed from the input pipeline, and the $user value must be changed to a valid SAP User Alias name.

Differences in the runtime behavior when executing RFC client services

Pipeline: Empty. No values for $user and $pass.

  • IBM webMethods Adapter 7.1 for SAP: Service will be executed with the default user of the RFC connection.
  • IBM webMethods Adapter 10.1 for SAP: Service will be executed with the default user of the RFC connection.

Pipeline: $user and $pass exist in the pipeline.

  • IBM webMethods Adapter 7.1 for SAP: Service will be executed with the provided user if the SAP user name exists and the password is valid.
  • IBM webMethods Adapter 10.1 for SAP: Service will be executed with the provided user if the SAP user name exists and the password is valid.

Pipeline: $user and $pass exist in the pipeline, but the logon information is incorrect.

  • IBM webMethods Adapter 7.1 for SAP: Service execution will cause an error with the error message JCO_ERROR_LOGON_FAILURE "Name or password is incorrect" or "Incomplete logon data" if the password is missing.
  • IBM webMethods Adapter 10.1 for SAP: Service execution will cause an error with the error message JCO_ERROR_LOGON_FAILURE, "Name or password is incorrect".

Pipeline: $user exists in the pipeline, but $pass does not exist.

  • IBM webMethods Adapter 7.1 for SAP: Service execution will cause an error with the error message JCO_ERROR_LOGON_FAILURE "Incomplete logon data".
  • IBM webMethods Adapter 10.1 for SAP: Adapter for SAP will use $user as User Alias name to look up the SAP user name and password in the User Store:
    • If the alias does not exist, there will be an error message in the IS log "SAP user alias "XXX" does not exist!" and the service execution will fail with a JCO_ERROR_LOGON_FAILURE error.
    • If the alias exists in the User Store and the associated SAP user name and password are valid, then the service will be executed with this SAP user.
    • If the alias exists but the associated user information is not valid, then the service will fail with a JCO_ERROR_LOGON_FAILURE error.
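
The runtime rules above, modelled as an added Python example (not IBM code and not part of the original documentation) that audits service inputs when moving from cleartext $user/$pass to aliases. The `classify` and `audit` helpers, the service names and the sample pipelines are constructed for illustration; `user1` and `TESTUSER1` are the example values used on this page.

```python
# Added illustration (not IBM code): models the $user/$pass rules described
# above for Adapter 10.1. It never calls the adapter; all data is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    service: str
    mode: str    # default | cleartext | alias | alias-missing | unspecified
    action: str  # what the reviewer should do; never contains the password

def classify(service, pipeline, alias_names):
    """Apply the documented rules to one service's input pipeline."""
    user, pw = pipeline.get("$user"), pipeline.get("$pass")
    if user is None and pw is None:
        return Finding(service, "default", "none: default user of the RFC connection")
    if user is not None and pw is not None:
        # Both present: interpreted as cleartext credentials, as in older versions.
        return Finding(service, "cleartext",
                       "create an alias, set $user to it, remove $pass")
    if user is not None:
        # Only $user: the value is treated as a User Alias name.
        if user in alias_names:
            return Finding(service, "alias", "none: resolved from the SAP User Store")
        return Finding(service, "alias-missing",
                       f'alias "{user}" not in User Store: JCO_ERROR_LOGON_FAILURE')
    # $pass without $user is not described on the page; flag it for review.
    return Finding(service, "unspecified", "review: $pass supplied without $user")

def audit(services, alias_names):
    """Return only the services that need attention before or after migration."""
    findings = (classify(name, pipe, alias_names) for name, pipe in services.items())
    return [f for f in findings if f.mode not in ("default", "alias")]

# Constructed sample data: alias names only, plus four hypothetical services.
ALIASES = {"user1"}
SERVICES = {
    "orders:getStatus": {},
    "orders:create": {"$user": "TESTUSER1", "$pass": "constructed-secret"},
    "billing:post": {"$user": "user1"},
    # $pass was removed but $user still holds the SAP user name, not an alias.
    "billing:reverse": {"$user": "TESTUSER1"},
}

if __name__ == "__main__":
    for f in audit(SERVICES, ALIASES):
        print(f"{f.service}: {f.mode} -> {f.action}")
```

The last sample service shows the half-finished migration case: $pass is gone but $user was not switched to an alias name, so the call fails at runtime instead of falling back to the default user.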

Adding Entries to SAP User Store

Before you begin

After the installation of Adapter for SAP, the SAP User Store is initially empty and the administration user has to add the required SAP user names and passwords and provide each entry with a unique SAP User Alias name.

Procedure

  1. In the Integration Server Administrator Adapters menu, click Adapter for SAP.
  2. Click SAP Users, then click Add New User Link.
    The example screen above shows the creation of a new SAP User Store entry with the new SAP User Alias name being 'user1', the SAP User Name being 'TESTUSER1' and the SAP User Password which is not displayed in clear text.

    Clicking on Cancel discards the new entry and returns to the main SAP User Store UI screen.

    Clicking on Save lets Adapter for SAP check if the entries are valid and that the User Alias name has not been defined before.

    If the SAP User Name and User Password entries are valid (not empty) and the User Alias name is new and unique then the new entry will be added to the SAP User Store and will be displayed in the SAP User Store main UI screen.

    If the new User Alias name already exists in the User Store or if the SAP User Name or SAP User Password values are empty then the new entry is not added to the User Store and an error message is displayed. Failures with error messages occur in case of unequal password entries, in case of missing password entries and if the new SAP User Alias already exists in the User Store.

    Note: Only the User Alias name must be unique, but the SAP User Names may occur multiple times in the User Store. It is possible to create several different User Alias names which are associated to the same SAP user name and password.

Changing Entries in SAP User Store

Procedure

  1. In the Integration Server Administrator Adapters menu, click Adapter for SAP.
  2. Click SAP Users, then click SAP User Alias.
    In the User Store entry table, select the user to be modified. For example, user1.

    This leads to a screen displaying the user attributes of the entry.

  3. Click Edit to change the User Name and User Password values.
  4. Either cancel or save the changes:
    • Click Cancel to cancel all changes.
    • Click Save to let Adapter for SAP verify the changed values and persist them in the User Store, if they are valid.

      Note: When changing the existing password, the new password must be entered twice.

      It is not possible to change the User Alias in the Edit screen. In order to change the User Alias the existing Alias has to be deleted and then a new User Alias entry has to be created with a new User Alias name.

      Note: Adapter for SAP does not check if new or updated SAP user names and passwords are valid and if they exist in any SAP system. The User Store does not depend on specific SAP Systems and it therefore cannot check the validity of the user entries. Whether an SAP user name or password is valid can only be determined during runtime.

Removing Entries from SAP User Store

Procedure

  1. In the Integration Server Administrator Adapters menu, click Adapter for SAP.
  2. Click SAP Users, then click for the User Alias entry to be removed.
  3. Confirm the deletion by clicking OK. Click Cancel to cancel the deletion.
    Clicking on OK deletes the selected entry and displays the updated content of the User Store.