User Self Service in SAP NetWeaver Gateway
This blog introduces a new SAP NetWeaver Gateway feature, User Self Service. It mainly targets business-to-customer (B2C) scenarios, in which SAP Business Suite B2C customers:
- can register themselves in the SAP Business Suite systems.
- have an option to reset their password in case they forget it.
- can manage their profile:
  - change profile data
  - change password
For example, if a company is using SAP’s Business Suite solution, it can enable its business consumers to register themselves in the SAP Business Suite system by providing them with an application based on User Self Service.
So are you wondering how to start? How do I use the OData services provided to start using this feature? What are the steps? Can I customize or extend the features to my requirements?
Everything you need to know is below! I will be talking about customizations more while explaining the process.
Prerequisites
Self Registration Process
- /IWBEP/USERREQUESTMANAGEMENT – to register a user, activate a user and reset credentials. You can also extend the UserRequest entity in this service to suit your requirements.
- /IWBEP/USERMANAGEMENT – to access the user’s profile, change profile data and change the password.
Note: Please activate the above two services in your Gateway hub system.
Before we get started, let’s have a quick look at the complete picture of the functionality. An anonymous user can create a user in the SAP system by following the two-step process below:
Figure 1:
User Interface
Step 1: Register your username
UI: The first UI may look like the one shown below, which gives users the option to register themselves. It also shows another view where users can log in and view their profile.
Figure 2:
- Customization 1*: You need to provide the UserCategory that you maintained earlier in the IMG activity Maintain User Category. The user category is mapped to a reference user, which is used to create your user. The reference user has to be created with proper authorizations and profiles based on your requirements. Multiple user categories can be maintained and used while creating users, as per the customers’ requirements. Please check the IMG documentation for more information.
The HTTP POST to create a User Request can be done as shown below:
- Customization 2*: To receive the notification email, you need to maintain the application URL in the IMG activity Maintain URL for User Account Activation, as mentioned in the IMG Activities. This URL should take the user to the application page (Figure 3) where they can provide a password and proceed with the next step, Activate your user.
- Customization 3: The email notification is the default implementation provided by SAP. You can define your own notification process in the IMG activity Define Notification Process for User Request Management, as mentioned in the IMG Activities.
- Customization 4: If you want to use the standard notification agent to send email notifications but customize the content of the email, this can be done in the IMG activity Define Notification Process for User Request Management, as mentioned in the IMG Activities. Please check the IMG documentation for more information.
Step 2: Activate your user
UI: The image below shows the activation UI, which appears when you click the activation URL received in the email. Here end users only need to enter the password and click Activate. The UI also provides navigation back to the login page, where end users can view their profile after successfully activating their user:
Figure 3:
<applicationURL>?RequestID=005056A509D41ED2BA8EBB9F89EEEBE1&ActivationKey=47CBAC803E9B6F1FA3508F0A76F8095EB647A9F3&type=0
- Customization 5 [Optional but IMPORTANT] : Users have an option to implement their own User Management flow – create users, manage users, reset password and check user existence in a totally different user management system. By default SAP provides an implementation to manage users using the user and role administration functions of SAP NetWeaver AS ABAP. The relevant IMG is Implement User Management – IMG Activities.
- Customization 6*: You need to maintain an RFC destination for a non co-deployed scenario. This enables the user replication on the SAP NetWeaver Gateway hub system. This is not required if the IW_BEP and IW_FND components are in the same system, i.e. a co-deployed scenario. The relevant IMG node is Maintain RFC Destination for User Replication in the IMG Activities. Please check the IMG documentation for more information.
- Customization 7: You can also define a handler for User Management notification, which is executed after the user is created in the system. For example, you may want to notify the person (who has implemented the BAdI) about the user creation, or applications can use this information to perform application-specific logic such as replicating the user along with Business Partner data into the SAP Business Suite system. The relevant IMG node is Define Handler for User Management Notification in the IMG Activities. Please check the IMG documentation for more information.
The HTTP PUT request can be done as shown below:
——- ( updated )———-
- If the user only remembers his/her user name: A function import (service operation) named ResetUserCredential with method POST needs to be executed with the UserName as an input parameter.
- If the user only remembers his/her email ID: A function import (service operation) named ResetUserCredentialUsingEmail with method POST needs to be executed with the UserEmailID as an input parameter.
The function import can be executed as shown below:
A new auto generated password and an activation link will be sent to the user in both the above mentioned cases, to the same e-mail id which was used to create the user. The activation link this time should have a parameter type=1 which signifies it’s a link to reset the credential. The auto generated password can be enabled by the user only upon clicking the activation link.
<applicationURL>?RequestID=005056A509D41ED2BA8EBB9F89EEEBE1&ActivationKey=47CBAC803E9B6F1FA3508F0A76F8095EB647A9F3&type=1
You need to execute a PUT request on the entity UserRequestActivationRequestCollection, with RequestID as the key. The request body for the PUT in this case has only one property, ActivationKey. RequestID and ActivationKey are both present in the email link that you received earlier.
Now the user can use the same password for the next login.
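The reset-flow PUT described above, as an added example (not SAP's code or the author's): it parses the e-mailed link, rejects parameters that are not plain hex before they reach the OData key, and builds the request with ActivationKey as its only body property. The application host, the service root path, the quoted string key syntax and the 32/40-character lengths (read off the sample links above) are assumptions; check the service's $metadata for the real key type.

```javascript
// Added example, not SAP code. APP_ORIGIN and SERVICE_ROOT are assumed values;
// the RequestID/ActivationKey in SAMPLE_LINK are the ones printed in the post.
const APP_ORIGIN = "https://selfservice.example.com";
const SERVICE_ROOT = "/sap/opu/odata/IWBEP/USERREQUESTMANAGEMENT";
const SAMPLE_LINK = APP_ORIGIN + "/activate" +
  "?RequestID=005056A509D41ED2BA8EBB9F89EEEBE1" +
  "&ActivationKey=47CBAC803E9B6F1FA3508F0A76F8095EB647A9F3&type=1";

// Fixed-length hex check; the lengths are inferred from the sample links.
function isHex(value, length) {
  return typeof value === "string" && value.length === length &&
    /^[0-9A-Fa-f]+$/.test(value);
}

// Parse the e-mailed link: RequestID, ActivationKey, type=0 (activate) or 1 (reset).
function parseActivationLink(link, expectedOrigin) {
  const url = new URL(link);
  if (url.origin !== expectedOrigin) {
    throw new Error("link is not for the configured application URL");
  }
  const requestId = url.searchParams.get("RequestID");
  const activationKey = url.searchParams.get("ActivationKey");
  const type = url.searchParams.get("type");
  if (!isHex(requestId, 32)) throw new Error("malformed RequestID");
  if (!isHex(activationKey, 40)) throw new Error("malformed ActivationKey");
  if (type !== "0" && type !== "1") throw new Error("unknown link type");
  return { requestId, activationKey, flow: type === "1" ? "reset" : "activate" };
}

// Reset flow only: key = RequestID, body = the single property ActivationKey.
// The key is interpolated only after the hex check, so it cannot break out
// of the quoted OData key literal (string key syntax is an assumption).
function buildResetPut(serviceRoot, parsed) {
  if (parsed.flow !== "reset") {
    throw new Error("not a reset link (type=1 expected)");
  }
  return {
    method: "PUT",
    url: `${serviceRoot}/UserRequestActivationRequestCollection('${parsed.requestId}')`,
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ ActivationKey: parsed.activationKey }),
  };
}

const request = buildResetPut(SERVICE_ROOT, parseActivationLink(SAMPLE_LINK, APP_ORIGIN));
console.log(request.method, request.url);
```

Because the ActivationKey travels in the query string of the e-mailed link, the application page should read it once and send it only in the PUT body, not copy it into logs or further URLs.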
————-
Hi Akash,
Nice work. 🙂
As I understand SAP has given two NW Gateway services which can create users, activate, reset/unlock passwords. The UI screens shown by you need to be created by the applications themselves. Is that right?
Thanks
Krishna
Hi Krishna,
Thanks!
And yes, the UI shown can be designed by application developers in their own way using the OData services provided!
Thanks,
Aakash
Excellent Blog Akash.
When we are creating/updating the user, do we need to pass the CSRF tokens or not?
Thanks,
Syam
Hi Syam,
Thanks!
CSRF token is not required. End user is anonymous and the service executes in Service User context. Service User is a part of configuration and can be found in pre-requisite section.
Best regards,
Aakash
Hi Akash,
/IWBEP/USERREQUESTMANAGEMENT
/IWBEP/USERMANAGEMENT
To activate the above mentioned services, I am passing the system alias as local, as I am using the same system as the gateway hub system. I am not able to see any of the above mentioned services in the /iwfnd/maint_service transaction.
Please give me your inputs.
Thanks,
Vijay
Hi Vijay,
This is a feature with SAP NetWeaver Gateway 2.0 SP7 onwards. Please check the pre requisite.
Best regards,
Aakash
Ok thanks akash..
regards,
Vijay
Informative...Thanks.
Best Regards,
Naresh K.
very useful Aakash..
Thanks,
Vijay Vegesana
Hi Aakash,
Very useful information. A few questions:
- Will this also work through GWaaS?
- Does ResetUserCredential also help if the user is locked out because of repeated wrong password entered?
- Are you willing to share your sample UI5 pages which are used in the screenshot?
Regards,
Wolfgang
Hi Wolfgang,
- This is not supported with GWaaS.
- Yes user will be unlocked if locked due to unsuccessful logon attempts.
- UI was only developed as sample. I would suggest you to create simple UI of your own. Should not take much time!
Best regards,
Aakash
Hi Aakash,
This seems only to be true after applying SapNote 1901821 - User Self Service: Unlock User While Resetting the Password
Regards,
Wolfgang
Hi Wolfgang,
That is true if you are using SP07 level of component IW_BEP. This feature is shipped with SP08 of IW_BEP.
Thanks,
Aakash
Hi Akash,
Can NW Gateway be used to manage the User Self Registration Process for SAP CRM as backend?
Hello Hermant,
yes, this SAP NW Gateway feature is available on all supported ABAP stacks, so also on SAP CRM as well.
Best regards,
Martin
Hello Akash:
My gateway system is installed in an ABAP system, and GW is 2.0 SP08.
Can we use the USS following your blog?
I don't see the two OData services in the system.
/IWBEP/USERREQUESTMANAGEMENT and /IWBEP/USERMANAGEMENT
thank you very much,
lexian
Hi,
did you already try to activate the services? More here: Activate and Maintain Services - SAP NetWeaver Gateway - SAP Library
Martin
Hello Martin:
Thank you for giving me a good suggestion. Now I have found the two OData services /IWBEP/USERREQUESTMANAGEMENT and /IWBEP/USERMANAGEMENT.
Our gateway is not a single system; we installed it on SAP NetWeaver AS ABAP (a Business Suite system). Is it allowed? Is it suitable for this blog?
Could someone give me some reply?
Thank you very much,
lexian.
Hello Lexian,
In general, here you can find the so-called 'System Landscape Recommendations', which talk about the pros and cons of every deployment option:
System Landscape Recommendations for SAP NetWeaver Gateway - Landscape Governance - SCN Wiki
But having GW on top of an ECC system makes sense and is done often.
Only remark I have: when using the B2C User Management option often it is for an external facing scenario. Often the GW system then is deployed stand-alone in the DMZ.
Hope this helps,
Martin
Hello everyone:
Do we need to create OData services in SEGW?
We have activated the two OData services with
Thank you very much,
lexian.
Hi Lexian,
No, you do not have to create any new service. The two services which you activated are only required to cover all the functionality.
Best regards,
Aakash
Hello Aakash:
Thank you for your reply.
Could you please tell me your email? I have some other problems to ask you about.
Best wishes for you.
lexian
Hi Lexian,
If you have any question you can ask them in our Gateway SCN community page: SAP Gateway where many experts will be able to answer them! Alternatively, if you have any business scenario for your company then you can raise an OSS ticket as well.
Thanks,
Aakash
Nice work Aakash...!!
Hi Aakash,
Both the services are very useful for many of app..
Thanks for giving so useful information...
Regards
Vivek
Excellent post!
Thanks.
--Pavan G
I have posted in SCN discussion.. Kindly update..
User Self Service forgot password
Thanks
Hi, Question about SAP MCF and Security Policy
Parameter LOGIN/PASSWORD_CHANGE_WAITTIME = 0
Thanks
Hi Akash,
I am implementing SAP MCF and I have a question.
For the very first step, of just receiving an email for user online registration, is maintaining user category in spro mandatory?
As a part of MCF, as per documentation it seems only business agreement and email is mandatory ( userrequestmanagement is replaced with service crm_utilities_umc_urm ). but when I try to create an online account, it gives me an error in /iwbep/error_log saying " configuration of user category is missing " even though I have maintained it in SPRO.
Any ideas? I am a bit confused because in the template application there is no option to maintain user category while creating an online account for existing customer.
Good day!
It is not only the setting in SPRO.
You must pass the application value.
In your case you need to edit ExistingSignUp.controller.js.
Add to the parameters passed in var oNewAccount = {:
UsrCategory: "your category from SPRO",
This parameter is passed to the OData.
I have a question for the MCF.
After registration, the user is created in SAP ERP and the SAP Gateway system.
In the SAP ERP system the password had been deactivated, as it should be.
When I try to log in with a user created by the application,
I get a message that the password is deactivated and further data is not tightened. How do I solve this problem?
Hi,
I have questions about Security Question customization:
- In user registration we need to provide a list of security questions. Then the questions and answers should be encrypted and stored in the OData service of MCF.
- In the reset password function, end users should provide an answer to the question before submitting a request to reset the password.
So is it possible to enhance the /IWBEP/USERMANAGEMENT and /IWBEP/USERREQUESTMANAGEMENT services to meet this requirement?
Best Regards,
Phuong
Hi  Aakash,
Very well explained!!
I am trying to achieve User Self Registration via Fiori Launchpad (Logon page). Is there any way out to achieve this functionality by extending our Logon page, putting up a "Register Now" button on Fiori Launchpad Logon page and then calling up our Custom UI5 app (where user can input the details).
Regards
Parth
Hi Akash,
Very nice document.
But for reset password the OData links are not working.
Can you please let me know if we need to do any config to set the activation link values?
Hi Akash,
Very Informative blog.
Can you please provide details related to MCF SAP Standard App for sign-up and login.
Regards
Arun
Hi Akash
From where to get test application which you are using.
Can any one confirm project name against odata USERREQUESTMANAGEMENT within SEGW
It is not visible via SEGW, it is code based implementation pre-SEGW.
Hello Aakash,
Thank you, your article is very useful. I have a few questions here:
Thank you for your help
I'm using the ResetUserCredential service but I don't receive any emails; even SOST is empty. Do I need any prerequisite? The link is broken.