Skip to Content

User Self Service in SAP NetWeaver Gateway

This blog introduces a new feature – User Self Service, from SAP NetWeaver Gateway. This mainly focuses on business to customers(B2C) scenarios using which SAP Business Suite B2C customers:

  • can register themselves in the SAP Business suite systems.
  • have an option to reset their password in case they forget it.
  • can manage their profile
    • Change profile data
    • Change password

For example, if a company is using SAP’s Business Suite solution, they can enable their business consumers to register themselves in the SAP Business suite system by providing them with an application based on User Self Service.

So are you wondering how to start? How do I use the OData services provided to start using this feature? What are the steps? Can I customize or extend the features to my requirements?

Everything you need to know is below! I will be talking about customizations more while explaining the process.


You need to make sure all the pre-requisites are fulfilled.

Self Registration Process

Assuming that all the required configurations have been done, we would be working with two OData services provided by SAP NetWeaver Gateway:

  1. /IWBEP/USERREQUESTMANAGEMENT – to register a user, activate a user and reset credential. You also have an option to extend the UserRequest entity in this service to suit their requirements.
  2. /IWBEP/USERMANAGEMENT – to access user’s profile, change profile data and change the password.

Note: Please activate the above two services in your Gateway hub system.

Before we get started, let’s have a quick look at the complete picture of the functionality in brief. An anonymous user can create his user in the SAP system by following the below mentioned two step process:

Figure 1:

Block diagram_SCN.JPG
Legends : * = mandatory

User Interface

For better understanding, lets take a simple example, where an organization wants to provide User Self Service facility through a browser based SAP UI5 application and make it available to it’s users. I will try to show how the UI may look in this case with some screenshots. UI is just indicative and not a part of standard delivery.

Step 1: Register your username

UI: The first UI may look like as shown below where in it provides option for users to register themselves. It also shows another view where users can login and view their profile.

Figure 2:


The first step is to register yourself with a user name. The OData service used for this purpose is /IWBEP/USERREQUESTMANAGEMENT. You need to execute a POST request on the entity UserRequestCollection. This service is executed in service user context. You need to provide other details like FirstName, LastName, EmailAddress, UserCategory, etc.

  • Customization 1*: You need to provide the UserCategory as you must have earlier maintained, in the IMG activity  – Maintain User Category. User category is mapped to a reference user  which will be used to create your user. The reference user has to be created with proper authorizations and profiles based on your requirements. Multiple user categories can be maintained and used while creating users as per the customers’ requirements.  Please check IMG documentation for more information.

The HTTP POST to create a User Request can be done as shown below:


Upon successful creation of User request, you will receive a notification email to your email Id which you had provided while creating the User Request. The activation link in that email will contain the Activation Key required to perform the next step.

  • Customization 2* : To receive the notification email, you need to maintain the application URL in the IMG Maintain URL for User Account Activation as mentioned in the IMG Activities. This URL should take the user to the application page(Figure 3) where he can provide password and can proceed with next step – Activate your User.
  • Customization 3 : The email notification is the default implementation provided by SAP. You can define your own notification process. in the IMG Define Notification Process for User Request Management as mentioned in the IMG Activities.
  • Customization 4 : In case you want to use the standard notification agent to send email notifications but customize the content of the email, the same can be in the IMG Define Notification Process for User Request Management  as mentioned in the IMG Activities. Please check the IMG documentation for more information.

Step 2: Activate your user

UI:  The below image is the activation UI which appears when you click on the activation URL received in the email. Here the end users need to just enter the password and click activate. The UI also shows a navigation back to the login page where end users can view their profile after successfully activating their user:

Figure 3:


Now, the next step would be to activate your user. You need to execute a PUT request on the entity i.e. UserRequestActivationRequestCollection with key as RequestID. The request body while executing PUT in this case has two properties ActivationKey and Password. RequestID and ActivationKey is present in the email link that you received earlier and the Password should come from the UI. The email link also has a parameter type, value ‘0′ means its user activation link and value ‘1′ means its a link for reset credential(discussed later in the section – Reset Credential).

Activation URL example:


  • Customization 5 [Optional but IMPORTANT] : Users have an option to implement their own User Management flow – create users, manage users, reset password and check user existence in a totally different user management system. By default SAP provides an implementation to manage users using the user and role administration functions of SAP NetWeaver AS ABAP. The relevant IMG is Implement User Management IMG Activities.

  • Customization 6* : You need to maintain an RFC destination for a non co-deployed scenario. This enables the user replication on the SAP NetWeaver Gateway hub system. This is not required if IW_BEP and IW_FND component are in the same system i.e. a co-deployed scenario. The relevant IMG node is – Maintain RFC Destination for User Replication – IMG Activities. Please check the IMG documentation for more information.
  • Customization 7 : You can also define a handler for User Management notification which is executed after the user is created in the system. For example if you would like to notify the person (who has implemented the BAdI) about the user creation or applications can use this information to perform application specific logic like replication of user along with Business partner data into SAP Business Suite system. The relevant IMG node is – Define Handler for User Management Notification – IMG Activities. Please check the IMG documentation for more information.

The HTTP PUT request can be done as shown below:

So, that’s it! The user is activated and created in the SAP system.

Forgot password? Reset Credential 🙂

——- ( updated )———-

UI: The first part of the UI for reset credential can be same as seen on the right side of the Figure 2.

In case the user has forgotten his/her password, there is an easy way to reset the password. There are two options available here:
  1. If the user only remembers his/her user name: A function import(service operation) named ResetUserCredential with method POST needs to be executed with the UserName as an input parameter.
  2. If the user only remembers his/her email ID: A function import(service operation) named ResetUserCredentialUsingEmail with method POST needs to be executed with the UserEmailID as an input parameter.

The function import can be executed as show below:


A new auto generated password and an activation link will be sent to the user in both the above mentioned cases, to the same e-mail id which was used to create the user. The activation link this time should have a parameter type=1 which signifies it’s a link to reset the credential. The auto generated password  can be enabled by the user only upon clicking the activation link.

Activation URL example in case of Reset credential:


When the above URL is clicked, it should internally execute the OData service similar to Step 2: Activate your user (with a minor change in the request body), which would enable the password that was sent in the email. The exact process to be followed is mentioned below:

You need to execute a PUT request on the entity i.e. UserRequestActivationRequestCollection with key as RequestID. The request body while executing PUT in this case has only one property ActivationKey. RequestID and ActivationKey is present in the email link that you received earlier.

Now the user can use the same password for the next login.


Manage your Profile
Now that user is created, he/she can now access the information, update profile data, or change password easily using the OData service provided – /IWBEP/USERMANAGEMENT. This service uses the same user name(internet user) as logon credential which you had created.

UI : The sample UI can look like this:

Figure 5:

Sample URL to access profile data:
To update the profile data, use PUT operation on the above URL with a proper request body. To change the password, you can use another entity UserCredential and execute a PUT request providing UserName, Password and CurrentPassword in the request body.

And we are done! 🙂

For more info on User Self Service, check out the below video tutorial.

Feedback appreciated.
You must be Logged on to comment or reply to a post.
  • Hi Akash,

    Nice work. 🙂

    As I understand SAP has given two NW Gateway services which can create users, activate, reset/unlock passwords. The UI screens shown by you need to be created by the applications themselves. Is that right?



    • Hi Krishna,


      And yes, the UI shown can be designed by application developers in their own way using the OData services provided!



    • Hi Syam,


      CSRF token is not required. End user is anonymous and the service executes in Service User context. Service User is a part of configuration and can be found in pre-requisite section.

      Best regards,


      • Hi Akash,



        to activate the above mentioned services,  i am passing system alias as local, as i am using same system as gateway hub system, i am not able to see any of the above mentioned services in  /iwfnd/maint_service transaction.

        pleas give me u r inputs..



  • Hi Aakash,

    verey useful information. A few questions:

    - Will this also work through GWaaS?

    - Does ResetUserCredential also help if the user is locked out because of repeated wrong password entered?

    - Are you willing to share your sample UI5 pages which are used in the screenshot?



  • Hello Akash:

      my gateway system is install in a abap system,and gw is 2.0 sp08.

      can we use the uss following your blog?

      I don't see two odata services in the system.


    thank you very much,


  • Hello everyone:

    do we need to create odata services in SEGW.

    we have active the two odata services with

     SAP NetWeaver  Gateway  OData Channel  Administration  General Settings  Activate and Maintain Services  .

    Thank you very much,


    • Hi Lexian,

      No, you do not have to create any new service. The two services which you activated are only required to cover all the functionality.

      Best regards,


      • Hello Aakash:

           Thank you for your reply.

           Could you please tell me your email,I have some other problems to ask you.

           Best wishes for you.


        • Hi Lexian,

          If you have any question you can ask them in our Gateway SCN community page: SAP Gateway where many experts will be able to answer them! Alternatively, if you have any business scenario for your company then you can raise an OSS ticket as well.



  • Hi Aakash,

              Both the services are very useful for many of app..

              Thanks for giving so useful information...



  • Hi Akash,

    I am implementing SAP MCF and I have a question.

    For the very first step,  of just receiving an email for user online registration, is maintaining user category in spro mandatory?

    As a part of MCF, as per documentation it seems only business agreement and email is mandatory ( userrequestmanagement is replaced with service crm_utilities_umc_urm ). but when I try to create an online account, it gives me an error in /iwbep/error_log saying " configuration of user category is missing " even though I have maintained it in SPRO.

    Any ideas? I am a bit confused because in the template application there is no option to maintain user category while creating an online account for existing customer.

    • Good day!

      Not only do the setting SPRO.

      You must pass the application value.

      In your case you need to edit ExistingSignUp.controller.js.

      Add to the parameters passed var oNewAccount = {:

      UsrCategory: "your category from SPRO",

      This parameter passed to the OData.

  • I have a question for the MCF.

    User after registration created in SAP ERP and the SAP Gateway system.

    In the SAP ERP system had been deactivated password - as it should be.

    When I try to log in under a user-created application

    I get a message that the password is deactivated and further data is not tightened. How do I solve this problem?

  • Hi,
    I have a questions for Security Question customization:
    - In user registration we need to provide a list of security questions. Then the questions and answer should be encrypted and store in oData service of MCF
    - In reset password function end-users should provide answer to question before submitting request to reset password.

    So is it possible to enhance  /IWBEP/USERMANAGEMENT, /IWBEP/USERREQUESTMANAGEMENT services to do this requirement?

    Best Regards,

  • Hi  Aakash,

    Very well explained!!

    I am trying to achieve User Self Registration via Fiori Launchpad (Logon page). Is there any way out to achieve this functionality by extending our Logon page, putting up a "Register Now" button on Fiori Launchpad Logon page and then calling up our Custom UI5 app (where user can input the details).




  • Hi Akash,


    Very nice document.

    But for reset password the odata links are not working.

    Can you pls let me knw if we need to do any config to set teh activation link values