SAP Sourcing/CLM 7, on the recommended application server SAP Netweaver, has always supported Netweaver UME as an authentication option. With the release of SAP Sourcing/CLM 7 SP3 and above on SAP Netweaver 7.3, that integration has been further strengthened, with additional consideration given to the way our customers would like to use the authentication options provided.

At the risk of sounding repetitive: with the expanding use of Netweaver UME for authentication, it is strongly recommended that our customers consider using Netweaver UME to provide authentication, even if the user data repository is an Active Directory. This method allows greater extensibility and flexibility, and makes support for a wider range of Active Directories available. This native support for Netweaver UME is a much better option than the native support for a smaller range of Active Directories currently provided in Sourcing/CLM.

The recommended landscape is visualized below. As can be seen, the user repository options afforded by this setup are the Netweaver UME internal database and a Netweaver UME supported Active Directory. The latter is ideally recommended. This also means a combination of user repositories could be configured, providing a physical separation between the purchaser and vendor users, which forms the crux of this article, so read on.

Figure 1: Recommended Landscape Setup

Before diving into the improved facilities provided with the Netweaver UME authentication option in SAP Sourcing/CLM 7 SP3+, a word of caution to the customers who have been using the Netweaver UME driver, and have recently upgraded to the SP3 release – there is an additional field, “External Role”, that has been introduced, which is mandatory, and has to be populated in the Directory Configuration for both Purchaser and Vendor.

Figure 2: Directory Configuration Sample

Caution: The roles assigned in Netweaver UME are not to be confused with the Profiles in Sourcing/CLM. There is no mapping between the roles in Netweaver UME being defined and referenced below, and Profiles. This blog is a pointer for the Authentication aspect only, and the authorization schemes in Sourcing/CLM which support the complex requirements and rigors of the application have not been changed at all. All the profiles will function as usual and will still need to be configured regardless of the authentication option or user data repository being used.

Let’s look at some really straightforward scenarios:

Scenario 1 – No logical partition between Purchaser and Vendor

If Netweaver UME is the authentication mechanism for both purchaser AND vendor, and a separation between the purchaser and vendor users is not important to your specific scenario, then the solution is simple. The value for the External Role field should be set to “everyone” in both Purchaser and Vendor Directory Configurations (as shown in Figure 2 above).

This might be the solution for customers upgrading to the version 7 SP3 release.

Scenario 2 – Only Purchaser or Vendor on UME

If Netweaver UME is the authentication mechanism and will be used for only the purchaser OR the vendor directory configuration, then again the value for the External Role field will be “everyone”, but only for the directory using the Netweaver UME driver (as shown in Figure 2 above). The directory not using Netweaver UME as the authentication driver does not need an entry for this field.

Onto the slightly more involved and advanced scenarios, which support the situation that is probably the most desirable, and probably mandated for compliance purposes for many of you: partitioning of the purchaser and vendor users when only one user data repository is used.

Scenario 3 – Logical partition between Purchaser and Vendor

If Netweaver UME is the authentication mechanism for both purchaser AND vendor, and a separation between the purchaser and vendor users is required, then this section is for you. This scenario is the inverse of what is described in Scenario 1 above. The straightforward steps described below will guide you to achieve this objective.

This is also the setup that is the recommended mode for setting up users, and provides the most secure mechanism for managing users in Sourcing. This might also be the implied approach for most of the compliance regulations.

Step 1: Create a purchaser role in Netweaver UME. The value could be anything that is meaningful and relevant in your situation. In the example below, the Unique Name is defined as “biogenyx_buyside_role”

Figure 3: Unique Purchaser Role creation in Netweaver UME

Step 2: Create a vendor role in Netweaver UME. The value could be anything that is meaningful and relevant in your situation. In the example below, the Unique Name is defined as “biogenyx_sellside_role”

Figure 4: Unique Vendor Role creation in Netweaver UME

Step 3: Now, while configuring the purchaser Directory Configuration, ensure that the exact Unique Name defined for the role in Netweaver UME for purchaser users is entered in the External Role field as shown below:

Figure 5: Directory Configuration sample for purchaser

Step 4: Now, while configuring the vendor Directory Configuration, ensure that the exact Unique Name defined for the role in Netweaver UME for vendor users is entered in the External Role field as shown below:

Figure 6: Directory Configuration sample for vendor

That’s it!
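
An added example, not part of the original post and not SAP tooling: a small Python check that audits a Scenario 3 setup for the conditions the steps above rely on (External Role populated, not “everyone”, matching an existing UME role by exact Unique Name, and no user holding both roles). The dictionary layout, the driver label `NetweaverUME` and the sample user IDs are constructed assumptions; the role names are the ones used in Steps 1 and 2.

```python
# Added example: audit of the Scenario 3 partition. Layout and sample data are
# constructed for illustration; this is not an SAP API or export format.
UME_DRIVER = "NetweaverUME"  # hypothetical label for the UME driver
OPEN_ROLE = "everyone"       # External Role value used when no partition is wanted

# Constructed role membership, e.g. taken from a UME role export.
SAMPLE_MEMBERS = {
    "biogenyx_buyside_role": {"jdoe", "asmith"},
    "biogenyx_sellside_role": {"vendor01", "vendor02"},
}
SAMPLE_CONFIGS = {
    "purchaser": {"driver": UME_DRIVER, "external_role": "biogenyx_buyside_role"},
    "vendor": {"driver": UME_DRIVER, "external_role": "biogenyx_sellside_role"},
}

def audit_partition(configs, role_members):
    """Return findings; an empty list means the purchaser/vendor split holds."""
    findings, roles = [], {}
    for side in ("purchaser", "vendor"):
        cfg = configs[side]
        if cfg["driver"] != UME_DRIVER:
            continue  # External Role is only required for the UME driver
        role = (cfg.get("external_role") or "").strip()
        if not role:
            findings.append(f"{side}: External Role is mandatory but empty")
        elif role.lower() == OPEN_ROLE:
            findings.append(f"{side}: External Role is '{OPEN_ROLE}', no partition")
        elif role not in role_members:
            findings.append(f"{side}: no UME role with Unique Name '{role}'")
        else:
            roles[side] = role
    if len(roles) == 2:
        if roles["purchaser"] == roles["vendor"]:
            findings.append("purchaser and vendor use the same role")
        else:
            shared = role_members[roles["purchaser"]] & role_members[roles["vendor"]]
            findings += [f"user '{u}' holds both roles" for u in sorted(shared)]
    return findings

if __name__ == "__main__":
    for line in audit_partition(SAMPLE_CONFIGS, SAMPLE_MEMBERS) or ["partition OK"]:
        print(line)
```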

The important point, as mentioned above, is that user authorization is still the domain of the Sourcing/CLM application, which means that the users need to exist in the Sourcing/CLM database. The synchronization of the user attributes between Netweaver UME and the Sourcing/CLM database is crucial for the smooth functioning of the solution.

Of course we make the user synchronization process as seamless as possible, but there are multiple options available to ensure the synchronization suits your needs. One of the important tools that has now been made available in Sourcing is the ability to export user information in the SAP Netweaver UME format, which allows for increased efficiency.

The options for synchronizing users, along with detailed instructions for setup and configuration, including the attribute mapping described in brief above, are given in the Wave 7 SP3 Security Guide in the SAP Service Marketplace.

Please feel free to get in touch with me or send me comments – amish.shah@sap.com

2 Comments

  1. Shehryar Humayun

    Hi Amish,

    Thanks for the guidance on how to configure User Authentication in SAP Sourcing. Can you please suggest how the configuration would work in a Portal landscape?

    We are looking to isolate vendor and purchaser user data stores. So Scenario 3 is most relevant. However, we are looking to integrate Sourcing into SAP Portal. This Portal will use ABAP system as UME due to product limitations (SLC Sell Side with Portal requires SLC-S to be used as the UME). All the vendors will be registered in SLC first before distribution to Sourcing and SRM applications. So the ABAP UME will have all external users anyway which can then log on to Portal. Question is: can we configure Netweaver UME in Sourcing to use the same ABAP data store as source? Has this configuration been tested?

    Thanks and regards,

    Shehryar

    1. Shehryar Humayun

      A bit more information on the landscape. There is already an internal Portal which uses LDAP as the primary user data source for internal employees. Integrated Windows Authentication has been configured (SPNego with Kerberos).

      Going forward, we’ll be installing a separate Portal for external suppliers in DMZ. This DMZ will also host SLC Sell Side Sourcing applications. The Portal, as mentioned above, will use SLC-S (ABAP) as the UME for external suppliers. Users will then be replicated from SLC to Sourcing and SRM systems.

      Internal employees also need access to Sourcing application. So we’ll need to configure Sourcing such that it can use corporate LDAP to log on employees and also use SLC-S or Portal (which then uses SLC-S) as user data store for suppliers.

      Any guidance will be appreciated.

      Thanks.
