How to Set up Access to the SPML Service on AS Java

This is step six of configuring the managed system.

Note 1647157 - How to Set up Access to the SPML Service on AS Java

Symptom

The administration user that is created during the installation of the SAP NetWeaver Application Server Java (AS Java) is no longer able to access the SPML service, which is used for system to system communication (for example, by SAP NetWeaver Identity Management, SAP GRC and the SAP Solution Manager).

Other terms

SPML, no permission, Administrator, J2EE_ADMIN, /spml/, provisioning, solman_setup, ToSPML, pass, FromSPML

Reason and Prerequisites

You are using AS Java 2004 or higher and you want to grant SPML access to the system for another system (for example SAP NetWeaver Identity Management, SAP GRC, SAP Solution Manager, third party identity management solutions).

For security reasons, the implicit permissions of the administration user that is created during the installation of an AS Java were removed. No end users, especially no powerful end users, should be able to read or change user data through the SPML service.

Solution

Follow these steps to create a technical user that can be used to access the SPML service:


1. Navigate to the user administration UI of the AS Java at http(s)://<host>:<port>/useradmin
2. Create a role (for example MY_SPML_FULL_ACCESS_ROLE) and assign the following actions (depending on your use case):
Read-Only access to the SPML service: Spml_Read_Action
Read/Write access to the SPML service: Spml_Read_Action and Spml_Write_Action
a) Select search criteria "Role" in the upper part of the UI.
b) Choose "Create Role".
c) Enter the name of the new role in the "Unique Name" field on the tab "General Information".
d) Navigate to the tab "Assigned Actions".
e) Enter the search criteria "*spml*" in the "Get" field in the area "Available Actions" and choose the "Go" button.
f) Add the UME action with the name "Spml_Read_Action" to the role. If write access is required, additionally add the UME action "Spml_Write_Action".
g) Save the new role by choosing the "Save" button.

3. Create a communication user and assign it to the role created in step 2.
a) Select search criteria "User" in the upper part of the UI.
b) Choose "Create User".
c) Enter the name of the user in the field "Logon ID". Enter a password, the last name, and choose the security policy "Technical User".
d) Navigate to the "Assigned Roles" tab. Search for the role created in step 2. Add it to the list of assigned roles.
e) Choose the "Save" button.

4. Test whether the user can log on to the SPML service and has the desired permissions.
a) Navigate to the SPML service at http(s)://<host>:<port>/spml/provisioning
b) Enter the user name and password of the user created in step 3.
2012-07-17 15:37
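
The note's rules (SPML access only for technical communication users, write access only where the use case needs it) can be checked against a role and user inventory. The following is an added example, not part of the SAP Note or the original post; the inventory layout, the `needs_write` field, and all user and role names except MY_SPML_FULL_ACCESS_ROLE are constructed assumptions, not an SAP export format.

```python
SPML_ACTIONS = {"Spml_Read_Action", "Spml_Write_Action"}

# Constructed sample inventory; the dict layout is an assumption, not an SAP export format.
ROLES = {
    "MY_SPML_FULL_ACCESS_ROLE": {"Spml_Read_Action", "Spml_Write_Action"},
    "MY_SPML_READ_ROLE": {"Spml_Read_Action"},
    "REPORTING_ROLE": {"Hypothetical_Report_Action"},
}
USERS = [
    {"logon_id": "IDM_COMM", "policy": "Technical User",
     "roles": ["MY_SPML_FULL_ACCESS_ROLE"], "needs_write": True},
    {"logon_id": "GRC_COMM", "policy": "Technical User",
     "roles": ["MY_SPML_FULL_ACCESS_ROLE"], "needs_write": False},
    {"logon_id": "JSMITH", "policy": "Default",
     "roles": ["REPORTING_ROLE", "MY_SPML_READ_ROLE"], "needs_write": False},
    {"logon_id": "SOLMAN_COMM", "policy": "Technical User",
     "roles": ["MY_SPML_READ_ROLE"], "needs_write": False},
]


def spml_actions(user, roles):
    """Return the SPML actions a user holds through all assigned roles."""
    held = set()
    for role in user["roles"]:
        held |= roles.get(role, set()) & SPML_ACTIONS
    return held


def audit(users, roles):
    """Return sorted (logon_id, finding) pairs for SPML assignments that break the note's rules."""
    findings = []
    for user in users:
        held = spml_actions(user, roles)
        if not held:
            continue  # user has no SPML access at all
        if user["policy"] != "Technical User":
            findings.append((user["logon_id"], "SPML access on a non-technical user"))
        if "Spml_Write_Action" in held and not user["needs_write"]:
            findings.append((user["logon_id"], "write access not required by use case"))
    return sorted(findings)


if __name__ == "__main__":
    for logon_id, finding in audit(USERS, ROLES):
        print(f"{logon_id}: {finding}")
```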