
Thursday, March 10, 2011

SAP Note 1085845 - SAP NetWeaver Enterprise Search 7.0: Security Guide

Symptom

You are using SAP NetWeaver Enterprise Search 7.0.


Other terms
security, SSO, authentication, Search_Conn, user management


Reason and Prerequisites
You are using SAP NetWeaver Enterprise Search 7.0.


Solution
Additional Information for Enterprise Search Security Issues

You will find the current version of the SAP NetWeaver Enterprise Search Security Guide on the SAP Help Portal: http://help.sap.com/nwes70

This note contains delta information that is to be added to the Enterprise Search Security Guide.
Additional Roles for users created during installation
a) Search_Conn (requires modifications)
The following roles must be assigned to the Search_Conn user on the ABAP part of the application server:

  • SAP_ESH_RFC_ENDUSER
  • SAP_ESH_ADMIN
  • S_BI-WX_RFC

See also description for user Search_Conn in the next paragraph.

b) Search_Admin (requires modifications)
The Search_Admin user is modelled on the SAP* super user and by default has the same privileges. For it to operate properly, the following composite roles must additionally be assigned in the ABAP user store:

  • SAP_ESH_RFC_ENDUSER
  • SAP_ESH_ADMIN

c) Extraction user (no modifications required)
An extraction user is created automatically in the Enterprise Search ABAP system when a back-end system is first connected for data extraction. The user is required for the RFC connections between the back-end systems and the Enterprise Search ABAP system that are used for data extraction. The extraction user is assigned the profile S_BI_WHM_RFC (needed for extracting business data from the back-end system) and the role SAP_ESH_ADMIN (needed for transferring permission data from the back-end system).

Maintaining Service User "Search_Conn"
To check the status of a search object connector from the administration cockpit, the system uses the service user Search_Conn to call the back-end system. A user named Search_Conn must therefore also exist on each back-end system. If it does not exist, create the user Search_Conn in the user management of the respective back-end system.

This is also described in the documentation, for example
for R/3 back-end systems:
http://help.sap.com/saphelp_nwes70/helpdata/EN/b1/7e3601074c483dbb72849e5feb9dca/frameset.htm
or for ERP 6.0 (ERP 2005) back-end systems:
http://help.sap.com/saphelp_nwes70/helpdata/EN/c2/ca580ac3284abe8470e2b09eca9b16/frameset.htm

The service user Search_Conn is also used for the connection between the ABAP and Java stack of Enterprise Search and for the connection between ABAP and TREX.

If you change the password of the service user Search_Conn that was set during installation, you must change the password manually at each of the following locations:

  • In the Java and ABAP user management. Use the same password in
    • user management of Java stack -> URL shortcut /useradmin
    • user management of ABAP stack -> transaction SU01
  • Update all locations where the password for Search_Conn is used. Use the same password in
    • SICF -> Service "esh_adm_smoketest_files"
    • SM59 -> "ESH_APPL_CCMS"
    • SM59 -> "ESH_APPL_WS_CONNECTORS"
    • SM59 -> "ESH_APPL_WS_QSDISPATCHERN"
    • TREX Admin tool: "TREX Admin RFC"

Always use the same password for the service user Search_Conn at every location. If the new password is not set at all locations, the locations still holding the old password keep logging on in the background with it, and the user is locked after several failed logon attempts.
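The rotation procedure above has a failure mode worth checking for rather than discovering: one RFC destination left with the old password keeps failing in the background until the user is locked. The following is an added example, not code from SAP Note 1085845 or from SAP: an audit script that takes an inventory of the locations the note lists (recorded as keyed fingerprints rather than plaintext, an assumed scheme), reports which entries are stale or missing, and estimates how quickly the stale background callers would reach the lock threshold. The inventory values, logon intervals and the threshold of 5 (assumed to mirror the ABAP profile parameter login/fails_to_user_lock; check your own system's value) are constructed for illustration.

```python
"""Audit a Search_Conn password rotation across the locations SAP Note 1085845
lists, and estimate how quickly any location still holding the old password
would lock the user through failed background logons.

Added example, not code from the note or from SAP. The location names come
from the note; the inventory format, the HMAC fingerprinting, the logon
intervals and the lock threshold are assumptions made for illustration.
"""
import hashlib
import heapq
import hmac

# Where the password is *stored* (set during rotation).
CREDENTIAL_STORES = {
    "UME /useradmin",   # Java stack user management
    "ABAP SU01",        # ABAP stack user management
}

# Where the password is *used* for background logons; a stale entry here
# produces repeated failed logons against the user stores.
CREDENTIAL_CONSUMERS = {
    "SICF esh_adm_smoketest_files",
    "SM59 ESH_APPL_CCMS",
    "SM59 ESH_APPL_WS_CONNECTORS",
    "SM59 ESH_APPL_WS_QSDISPATCHERN",
    "TREX Admin RFC",
}

EXPECTED_LOCATIONS = CREDENTIAL_STORES | CREDENTIAL_CONSUMERS


def fingerprint(password: str, audit_key: bytes) -> str:
    """Keyed fingerprint of a password so the audit inventory never holds
    plaintext (assumed scheme: HMAC-SHA256 under a key only the auditor has)."""
    return hmac.new(audit_key, password.encode("utf-8"), hashlib.sha256).hexdigest()


def audit(inventory: dict[str, str], new_password: str, audit_key: bytes):
    """Compare each location's recorded fingerprint with the new password.

    inventory maps location name -> fingerprint recorded after the admin
    updated that location. Returns (stale, missing): entries that do not match
    the new password, and expected locations with no entry at all.
    """
    expected = fingerprint(new_password, audit_key)
    stale = {
        loc for loc, fp in inventory.items()
        if not hmac.compare_digest(fp, expected)
    }
    missing = EXPECTED_LOCATIONS - set(inventory)
    return stale, missing


def minutes_until_lock(stale_callers: dict[str, float], fails_to_lock: int = 5):
    """Elapsed minutes until the cumulative failed logons from stale background
    callers reach the lock threshold, or None if no caller is stale.

    stale_callers maps caller -> logon interval in minutes (constructed values;
    the real cadence depends on CCMS and connector scheduling). fails_to_lock
    is assumed to mirror login/fails_to_user_lock; verify it on your system.
    """
    if not stale_callers:
        return None
    # Merge each caller's periodic failures in time order.
    heap = [(interval, name) for name, interval in stale_callers.items()]
    heapq.heapify(heap)
    failures = 0
    while True:
        t, name = heapq.heappop(heap)
        failures += 1
        if failures >= fails_to_lock:
            return t
        heapq.heappush(heap, (t + stale_callers[name], name))


if __name__ == "__main__":
    key = b"auditor-only-key"                            # constructed
    new_pw, old_pw = "N3w-R0tated!", "Initial-Install"   # constructed
    inv = {loc: fingerprint(new_pw, key) for loc in EXPECTED_LOCATIONS}
    inv["SM59 ESH_APPL_CCMS"] = fingerprint(old_pw, key)  # admin missed this one
    del inv["TREX Admin RFC"]                              # never recorded
    stale, missing = audit(inv, new_pw, key)
    print("stale:", sorted(stale), "missing:", sorted(missing))
    callers = {loc: 10.0 for loc in stale & CREDENTIAL_CONSUMERS}
    print("minutes until lock:", minutes_until_lock(callers))
```

Run the audit before re-enabling background jobs after a rotation: a non-empty `stale` or `missing` set means the change is incomplete, and `minutes_until_lock` shows that with a single stale RFC destination polling every 10 minutes the default threshold is reached within the hour.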




Affected Releases : Release-Independent
