The ever-growing exposure of SAP to the Internet, coupled with the frequency and violence of hacker attacks, means that more and more BASIS administrators are taking an active role in extranet security. One of the greatest challenges in any mixed IT environment is the ability to maintain a single source of record for a company's user registry.
So why do you care about a single user registry? As more companies expose internal systems to the Internet, managing individual user identities across a disparate environment becomes paramount. For many companies, the advantage to productivity far outweighs the risk, but these risks must be adequately assessed and dealt with before moving heavily onto the Internet.
One of the greatest risks of maintaining multiple identities for the same user is simply being able to track down and turn off every one of them should that user leave the company. Suppose an employee quits: the email account is shut down and file-system access is revoked, but someone forgets to shut the employee down in SAP. Once this company exposes any aspect of SAP to the Internet, the former employee just might be able to get into the system, because he is still a functioning named user.
The easiest way to mitigate this risk is to provide a single user registry that every back office system must synchronize with. That way, the user need only be turned off in this one registry, which causes all of their system logons to be shut down. Unfortunately, SAP has not always made this task a simple one. It is only with the release of the Web Application Server 6.10 that an SAP application server can synchronize transparently with an external user registry.
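As an added example (not part of the original tip), the following Python script shows the reconciliation check this argument implies: compare an SAP user list against the directory that is the source of record, and flag SAP logons that are still unlocked although the person is missing from or disabled in the directory. Both inputs are constructed inline, and accountStatus is a placeholder attribute name rather than a real schema field.

```python
import csv

# Constructed LDIF export of the directory (source of record); 'accountStatus' is a
# placeholder attribute name, substitute your schema's account state field.
LDIF_EXPORT = """\
dn: uid=jdoe,ou=people,dc=example,dc=com
uid: jdoe
accountStatus: active

dn: uid=asmith,ou=people,dc=example,dc=com
uid: asmith
accountStatus: disabled
"""

# Constructed SAP user export: user name and whether the SAP logon is locked.
SAP_USERS_CSV = """\
user,locked
JDOE,no
ASMITH,no
TLEFT,no
"""

def parse_ldif(text):
    """Return {uid: accountStatus} from a minimal LDIF dump (entries split by blank lines)."""
    users = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
        if "uid" in attrs:
            users[attrs["uid"].lower()] = attrs.get("accountStatus", "unknown")
    return users

def find_orphans(ldif_text, sap_csv):
    """SAP logons still unlocked although the directory lacks or has disabled the user."""
    directory = parse_ldif(ldif_text)
    orphans = []
    for row in csv.DictReader(sap_csv.splitlines()):
        if row["locked"] == "yes":
            continue  # already shut down in SAP, nothing to do
        status = directory.get(row["user"].lower())
        if status is None:
            orphans.append((row["user"], "not in directory"))
        elif status != "active":
            orphans.append((row["user"], "directory status " + status))
    return orphans

if __name__ == "__main__":
    for user, reason in find_orphans(LDIF_EXPORT, SAP_USERS_CSV):
        print("lock SAP user %s: %s" % (user, reason))
```

In practice the LDIF would come from an ldapsearch export and the user list from an SAP user export; the script then lists exactly the accounts a BASIS administrator still has to lock by hand.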
One of the most common user registries is a directory service accessed through LDAP. LDAP stands for Lightweight Directory Access Protocol, and provides a straightforward implementation of services targeted specifically at maintaining users. You can even download a free, commercial LDAP server from IBM, called IBM Directory Server.
Many other back office applications can synchronize with an LDAP directory server. You can even build front-end authentication schemes based on user data within LDAP. Web servers, such as Apache, provide native authentication support using LDAP and OS level authentication.
To synchronize SAP with an LDAP server, start by creating a new RFC destination for the LDAP connector. This allows SAP to reach the LDAP server via its standard ABAP applications. Once configured, go to the SAP transaction "LDAP".
Here you configure the actual LDAP connector, including the physical server address of the LDAP host, and test the LDAP connector. Once that is complete, you must extend the LDAP schema in the directory server to include the additional fields required for an authorized SAP user.
The next step is to map the user fields to those appropriate within the LDAP directory. Again, this function takes place in transaction LDAP. The final step is to configure how SAP pulls data from or pushes data to the server, then execute the synchronization process.
Of course, this tip is not meant to be a comprehensive review of the SAP/LDAP configuration. Rather, I hope that it has given you some good ideas regarding single user registries and gotten you thinking about how your company could use directory services. Do a search over at http://help.sap.com on "LDAP" for a step-by-step walkthrough of LDAP synchronization. With LDAP part of standard WAS 6.10 and IBM's free LDAP Directory Server, you can get started today with a single user registry for your entire company.
Author Austin Sincock is a freelance Java/SAP consultant who contributes regularly to Web and print journals. He can be reached at firstname.lastname@example.org. Check out his book Enterprise Java for SAP.