Aakash Raj

User Self Service in SAP NetWeaver Gateway

This blog introduces a new feature of SAP NetWeaver Gateway: User Self Service. It mainly targets business-to-consumer (B2C) scenarios, in which SAP Business Suite B2C customers:

  • can register themselves in the SAP Business Suite systems.
  • have an option to reset their password in case they forget it.
  • can manage their profile
    • Change profile data
    • Change password

For example, a company using SAP's Business Suite solution can enable its business consumers to register themselves in the SAP Business Suite system by providing them with an application based on User Self Service.

So are you wondering how to start? How do I use the OData services provided to start using this feature? What are the steps? Can I customize or extend the features to my requirements?

Everything you need to know is below! I will be talking about customizations more while explaining the process.

Prerequisites

You need to make sure all the pre-requisites are fulfilled.

Self Registration Process

Assuming that all the required configurations have been done, we will work with two OData services provided by SAP NetWeaver Gateway:

  1. /IWBEP/USERREQUESTMANAGEMENT – to register a user, activate a user and reset a credential. You also have the option to extend the UserRequest entity in this service to suit your requirements.
  2. /IWBEP/USERMANAGEMENT – to access user’s profile, change profile data and change the password.

Note: Please activate the above two services in your Gateway hub system.

Before we get started, let's have a quick look at the complete picture of the functionality. An anonymous user can create their user in the SAP system by following the two-step process shown below:

Figure 1: Block diagram of the two-step process (legend: * = mandatory)

User Interface

For better understanding, let's take a simple example where an organization wants to provide the User Self Service facility through a browser-based SAP UI5 application and make it available to its users. I will show how the UI may look in this case with some screenshots. The UI is just indicative and not a part of the standard delivery.

Step 1: Register your username

UI: The first UI may look as shown below. It provides an option for users to register themselves, and it also shows another view where users can log in and view their profile.

Figure 2: Sample UI with user registration and login views

The first step is to register yourself with a user name. The OData service used for this purpose is /IWBEP/USERREQUESTMANAGEMENT. You need to execute a POST request on the entity UserRequestCollection. This service is executed in service user context. You need to provide other details like FirstName, LastName, EmailAddress, UserCategory, etc.

  • Customization 1*: You need to provide the UserCategory that you maintained earlier in the IMG activity Maintain User Category. The user category is mapped to a reference user, which will be used to create your user. The reference user has to be created with proper authorizations and profiles based on your requirements. Multiple user categories can be maintained and used while creating users, as per the customers' requirements. Please check the IMG documentation for more information.

The HTTP POST to create a User Request can be done as shown below:

[Screenshot: UserRequestCreate.jpg]

Upon successful creation of the User Request, you will receive a notification email at the email address you provided while creating the User Request. The activation link in that email will contain the Activation Key required to perform the next step.

  • Customization 2*: To receive the notification email, you need to maintain the application URL in the IMG activity Maintain URL for User Account Activation, as mentioned in the IMG Activities. This URL should take the user to the application page (Figure 3) where they can provide a password and proceed with the next step, Activate your user.
  • Customization 3: The email notification is the default implementation provided by SAP. You can define your own notification process in the IMG activity Define Notification Process for User Request Management, as mentioned in the IMG Activities.
  • Customization 4: In case you want to use the standard notification agent to send email notifications but customize the content of the email, this can be done in the IMG activity Define Notification Process for User Request Management, as mentioned in the IMG Activities. Please check the IMG documentation for more information.

Step 2: Activate your user

UI:  The below image is the activation UI which appears when you click on the activation URL received in the email. Here the end users need to just enter the password and click activate. The UI also shows a navigation back to the login page where end users can view their profile after successfully activating their user:

Figure 3: Sample activation UI

Now, the next step is to activate your user. You need to execute a PUT request on the entity UserRequestActivationRequestCollection with RequestID as the key. The request body in this case has two properties: ActivationKey and Password. RequestID and ActivationKey are present in the email link that you received earlier, and the Password should come from the UI. The email link also has a parameter type: the value '0' means it is a user activation link and the value '1' means it is a link for resetting the credential (discussed later in the section Reset Credential).

Activation URL example:

<applicationURL>?RequestID=005056A509D41ED2BA8EBB9F89EEEBE1&ActivationKey=47CBAC803E9B6F1FA3508F0A76F8095EB647A9F3&type=0

  • Customization 5 [Optional but IMPORTANT] : Users have an option to implement their own User Management flow – create users, manage users, reset password and check user existence in a totally different user management system. By default SAP provides an implementation to manage users using the user and role administration functions of SAP NetWeaver AS ABAP. The relevant IMG is Implement User Management IMG Activities.

  • Customization 6* : You need to maintain an RFC destination for a non co-deployed scenario. This enables the user replication on the SAP NetWeaver Gateway hub system. This is not required if IW_BEP and IW_FND component are in the same system i.e. a co-deployed scenario. The relevant IMG node is – Maintain RFC Destination for User Replication – IMG Activities. Please check the IMG documentation for more information.
  • Customization 7: You can also define a handler for User Management notification, which is executed after the user is created in the system. For example, you may want to notify the person (who has implemented the BAdI) about the user creation, or applications can use this information to perform application-specific logic such as replicating the user along with Business Partner data into the SAP Business Suite system. The relevant IMG node is Define Handler for User Management Notification (IMG Activities). Please check the IMG documentation for more information.

The HTTP PUT request can be done as shown below:

[Screenshot: UserActivateRequest.jpg]

So, that’s it! The user is activated and created in the SAP system.

Forgot password? Reset Credential 🙂

——- ( updated )———-

UI: The first part of the UI for reset credential can be the same as shown on the right side of Figure 2.

In case the user has forgotten his/her password, there is an easy way to reset the password. There are two options available here:
  1. If the user only remembers his/her user name: A function import (service operation) named ResetUserCredential with method POST needs to be executed with the UserName as an input parameter.
  2. If the user only remembers his/her email ID: A function import (service operation) named ResetUserCredentialUsingEmail with method POST needs to be executed with the UserEmailID as an input parameter.

The function import can be executed as shown below:

[Screenshot: UserResetCredential.jpg]

In both of the above cases, a new auto-generated password and an activation link will be sent to the user, to the same email address that was used to create the user. The activation link this time should have a parameter type=1, which signifies that it is a link to reset the credential. The auto-generated password can be enabled by the user only by clicking the activation link.

Activation URL example in case of Reset credential:

<applicationURL>?RequestID=005056A509D41ED2BA8EBB9F89EEEBE1&ActivationKey=47CBAC803E9B6F1FA3508F0A76F8095EB647A9F3&type=1

When the above URL is clicked, it should internally execute the OData service similarly to Step 2: Activate your user (with a minor change in the request body), which enables the password that was sent in the email. The exact process to be followed is described below:

You need to execute a PUT request on the entity UserRequestActivationRequestCollection with RequestID as the key. The request body in this case has only one property, ActivationKey. RequestID and ActivationKey are present in the email link that you received earlier.

Now the user can use the same password for the next login.
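
The two PUT variants described above (Step 2 and Reset Credential), as an added JavaScript example for a browser client; it is not SAP's or the author's code. The service root path, the key-predicate syntax, the JSON body, the hex length checks (taken from the sample links on this page) and the host in the sample link are assumptions.

```javascript
// Added example, not SAP's or the author's code.
// ASSUMPTION: standard Gateway OData root for a service in the /IWBEP/ namespace.
const SERVICE_ROOT = "/sap/opu/odata/IWBEP/USERREQUESTMANAGEMENT";
const ENTITY_SET = "UserRequestActivationRequestCollection";

// ASSUMPTION: both values are upper-case hex with the lengths seen in the
// sample links on this page (32 and 40 characters).
const FORMAT = { RequestID: /^[0-9A-F]{32}$/, ActivationKey: /^[0-9A-F]{40}$/ };
const LINK_TYPE = { ACTIVATE: "0", RESET: "1" };

// Constructed sample: hypothetical host, query string from the page's example.
const SAMPLE_LINK = "https://app.example.invalid/uss" +
  "?RequestID=005056A509D41ED2BA8EBB9F89EEEBE1" +
  "&ActivationKey=47CBAC803E9B6F1FA3508F0A76F8095EB647A9F3&type=0";

// Read a parameter that must occur exactly once and match its format, so a
// duplicated or crafted value never reaches the OData key predicate.
function strictParam(params, name) {
  const values = params.getAll(name);
  if (values.length !== 1 || !FORMAT[name].test(values[0])) {
    throw new Error(`invalid ${name}`);
  }
  return values[0];
}

// Map an e-mailed link (plus the password typed in the UI for type=0) to the
// PUT request the page describes. Returns a plain object; sending is left out.
function buildActivationRequest(link, password) {
  const params = new URL(link).searchParams;
  const requestId = strictParam(params, "RequestID");
  const activationKey = strictParam(params, "ActivationKey");
  const type = params.get("type");

  let body;
  if (type === LINK_TYPE.ACTIVATE) {
    // Activation: ActivationKey and Password.
    if (typeof password !== "string" || password.length === 0) {
      throw new Error("password required for activation");
    }
    body = { ActivationKey: activationKey, Password: password };
  } else if (type === LINK_TYPE.RESET) {
    // Reset: ActivationKey only; the new password arrived in the e-mail.
    if (password !== undefined) {
      throw new Error("reset request must not carry a password");
    }
    body = { ActivationKey: activationKey };
  } else {
    throw new Error("unknown link type");
  }

  return {
    method: "PUT",
    // ASSUMPTION: single-key predicate syntax and a JSON request body.
    url: `${SERVICE_ROOT}/${ENTITY_SET}('${requestId}')`,
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(body),
  };
}

// Copy of the link that is safe to log or keep in browser history: the
// one-time ActivationKey is replaced, RequestID and type are preserved.
function redactLink(link) {
  const url = new URL(link);
  if (url.searchParams.has("ActivationKey")) {
    url.searchParams.set("ActivationKey", "REDACTED");
  }
  return url.toString();
}
```

In a browser, `redactLink(location.href)` can be passed to `history.replaceState` once the request object has been built, so the key does not stay in the address bar or in a Referer header.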

————-

Manage your Profile

Now that the user is created, he/she can access the information, update profile data, or change the password using the OData service provided: /IWBEP/USERMANAGEMENT. This service uses the user name (internet user) you created as the logon credential.

UI: The sample UI can look like this:

Figure 5: Sample user profile UI

Sample URL to access profile data:
To update the profile data, use PUT operation on the above URL with a proper request body. To change the password, you can use another entity UserCredential and execute a PUT request providing UserName, Password and CurrentPassword in the request body.

And we are done! 🙂

For more info on User Self Service, check out the below video tutorial.


Feedback appreciated.

      40 Comments
      Krishna Kishor Kammaje

      Hi Akash,

      Nice work. 🙂

      As I understand SAP has given two NW Gateway services which can create users, activate, reset/unlock passwords. The UI screens shown by you need to be created by the applications themselves. Is that right?

      Thanks

      Krishna

      Aakash Raj
      Blog Post Author

      Hi Krishna,

      Thanks!

      And yes, the UI shown can be designed by application developers in their own way using the OData services provided!

      Thanks,

      Aakash

      Syambabu Allu

      Excellent Blog Akash.

      When we are creating/updating the user, do we need to pass the CSRF tokens or not?

      Thanks,

      Syam

      Aakash Raj
      Blog Post Author

      Hi Syam,

      Thanks!

      CSRF token is not required. End user is anonymous and the service executes in Service User context. Service User is a part of configuration and can be found in pre-requisite section.

      Best regards,

      Aakash

      Vijay Vegesana

      Hi Akash,

      /IWBEP/USERREQUESTMANAGEMENT

      /IWBEP/USERMANAGEMENT

      To activate the above-mentioned services, I am passing the system alias as local, as I am using the same system as the gateway hub system. I am not able to see any of the above-mentioned services in the /iwfnd/maint_service transaction.

      Please give me your inputs.

      Thanks,

      Vijay

      Aakash Raj
      Blog Post Author

      Hi Vijay,

      This is a feature with SAP NetWeaver Gateway 2.0 SP7 onwards. Please check the pre requisite.

      Best regards,

      Aakash

      Vijay Vegesana

      OK, thanks Aakash.

      regards,

      Vijay

      Former Member

      Informative...Thanks.

      Best Regards,

      Naresh K.

      Vijay Vegesana

      very useful Aakash..

      Thanks,

      Vijay Vegesana

      Former Member

      Hi Aakash,

      Very useful information. A few questions:

      - Will this also work through GWaaS?

      - Does ResetUserCredential also help if the user is locked out because of repeated wrong password entered?

      - Are you willing to share your sample UI5 pages which are used in the screenshot?

      Regards,

        Wolfgang

      Aakash Raj
      Blog Post Author

      Hi Wolfgang,

      - This is not supported with GWaaS.

      - Yes user will be unlocked if locked due to unsuccessful logon attempts.

      - The UI was only developed as a sample. I would suggest you create a simple UI of your own. Should not take much time!

      Best regards,

      Aakash

      Former Member

      Hi Aakash,

      Aakash Raj wrote:

      - Yes user will be unlocked if locked due to unsuccessful logon attempts.

      This seems only to be true after applying SAP Note 1901821 - User Self Service: Unlock User While Resetting the Password


      Regards,

        Wolfgang

      Aakash Raj
      Blog Post Author

      Hi Wolfgang,

      That is true if you are using  SP07 level of component IW_BEP. This feature is shipped with SP08 of IW_BEP.

      Thanks,

      Aakash

      Former Member

      Hi Akash,

      Can NW Gateway be used to manage the User Self Registration Process with SAP CRM as the backend?

      Martin Bachmann

      Hello Hermant,

      yes, this SAP NW Gateway feature is available on all supported ABAP stacks, so also on SAP CRM as well.

      Best regards,

      Martin

      le xian

      Hello Akash:

        My gateway system is installed in an ABAP system, and GW is 2.0 SP08.

        Can we use the USS following your blog?

        I don't see the two OData services in the system.

      /IWBEP/USERREQUESTMANAGEMENT and /IWBEP/USERMANAGEMENT

      thank you very much,

      lexian

      Martin Bachmann

      Hi,

      did you already try to activate the services? More here: Activate and Maintain Services - SAP NetWeaver Gateway - SAP Library

      Martin

      le xian

      Hello Martin:

         Thank you for giving me a good suggestion. Now I have found the two OData services /IWBEP/USERREQUESTMANAGEMENT and /IWBEP/USERMANAGEMENT.

         Our gateway is not a single system; we installed it on SAP NetWeaver AS ABAP (a Business Suite system). Is it allowed? Is it suitable for this blog?

         Could someone give me a reply?

         Thank you very much,

         lexian.

      Martin Bachmann

      Hello Lexian,

      In general, here you can find the so-called 'System Landscape Recommendations', which talk about the pros and cons of every deployment option:

      System Landscape Recommendations for SAP NetWeaver Gateway - Landscape Governance - SCN Wiki

      But having GW on top of an ECC system makes sense and is done often.

      Only remark I have: when using the B2C User Management option often it is for an external facing scenario. Often the GW system then is deployed stand-alone in the DMZ.

      Hope this helps,

      Martin

      le xian

      Hello everyone:

      Do we need to create OData services in SEGW?

      We have activated the two OData services with

       SAP NetWeaver > Gateway > OData Channel > Administration > General Settings > Activate and Maintain Services.

      Thank you very much,

      lexian.

      Aakash Raj
      Blog Post Author

      Hi Lexian,

      No, you do not have to create any new service. The two services which you activated are only required to cover all the functionality.

      Best regards,

      Aakash

      le xian

      Hello Aakash:

         Thank you for your reply.

         Could you please tell me your email? I have some other problems to ask you about.

         Best wishes for you.

         lexian

      Aakash Raj
      Blog Post Author

      Hi Lexian,

      If you have any question you can ask them in our Gateway SCN community page: SAP Gateway where many experts will be able to answer them! Alternatively, if you have any business scenario for your company then you can raise an OSS ticket as well.

      Thanks,

      Aakash

      Siva rama Krishna Pabbraju

      Nice work Aakash...!!

      vivek gaurav

      Hi Aakash,

      Both the services are very useful for many apps.

      Thanks for giving such useful information.

      Regards

      Vivek

      Pavan Golesar

      Excellent post!

      Thanks.

      --Pavan G

      Pavan Golesar

      I have posted in SCN discussion.. Kindly update..

      User Self Service forgot password

      Thanks

      Former Member

      Hi, Question about SAP MCF and Security Policy

      Parameter LOGIN/PASSWORD_CHANGE_WAITTIME = 0

      Thanks

      Suman Biswas

      Hi Akash,

      I am implementing SAP MCF and I have a question.

      For the very first step, of just receiving an email for user online registration, is maintaining the user category in SPRO mandatory?

      As a part of MCF, as per documentation it seems only business agreement and email is mandatory ( userrequestmanagement is replaced with service crm_utilities_umc_urm ). but when I try to create an online account, it gives me an error in /iwbep/error_log saying " configuration of user category is missing " even though I have maintained it in SPRO.

      Any ideas? I am a bit confused because in the template application there is no option to maintain user category while creating an online account for existing customer.

      Maksim Kuzmin

      Good day!

      Do not only do the setting in SPRO.

      You must pass the application value.

      In your case you need to edit ExistingSignUp.controller.js.

      Add to the parameters passed in var oNewAccount = {:

      UsrCategory: "your category from SPRO",

      This parameter is passed to the OData service.

      Maksim Kuzmin

      I have a question for the MCF.

      After registration, the user is created in SAP ERP and the SAP Gateway system.

      In the SAP ERP system the password had been deactivated, as it should be.

      When I try to log in under a user-created application

      I get a message that the password is deactivated and further data is not tightened. How do I solve this problem?

      Former Member

      Hi,
      I have a question about Security Question customization:
      - In user registration we need to provide a list of security questions. Then the questions and answers should be encrypted and stored in the OData service of MCF.
      - In the reset password function, end users should provide the answer to a question before submitting the request to reset the password.

      So is it possible to enhance  /IWBEP/USERMANAGEMENT, /IWBEP/USERREQUESTMANAGEMENT services to do this requirement?

      Best Regards,
      Phuong

      Parth Budhiraja

      Hi  Aakash,

      Very well explained!!

      I am trying to achieve User Self Registration via Fiori Launchpad (Logon page). Is there any way out to achieve this functionality by extending our Logon page, putting up a "Register Now" button on Fiori Launchpad Logon page and then calling up our Custom UI5 app (where user can input the details).

       

      Regards

      Parth

      Sapna Agarwal

      Hi Akash,

       

      Very nice document.

      But for reset password the OData links are not working.

      Can you please let me know if we need to do any config to set the activation link values?

       

      Arun Singh

      Hi Akash,

      Very Informative blog.

      Can you please provide details related to the MCF SAP Standard App for sign-up and login?

      Regards

      Arun

      Farzana Mushtaq

      Hi Akash

       

      From where can I get the test application which you are using?

      Farzana Mushtaq

      Can anyone confirm the project name for OData USERREQUESTMANAGEMENT within SEGW?

      Yevgen Trukhin

      It is not visible via SEGW, it is code based implementation pre-SEGW.

      Marie DUMONT

      Hello Aakash,

      Thank you, your article is very useful. I have a few questions here:

      • According to the comments, the OData services /IWBEP/USERMANAGEMENT and /IWBEP/USERREQUESTMANAGEMENT are not visible in the SEGW transaction, so how can I debug the methods?
      • I've found that in the SICF transaction, it's possible to insert a "forgotten password" link on the launchpad logon page (see SAP notes 2565111 and 2780826). This link points to a custom Fiori app which can resemble your UI, and it calls class /UI2/CL_FIORI3_LOGIN. What is the difference/link/relation between the OData services of User Self Service and the /UI2/CL_FIORI3_LOGIN class?

      Thank you for your help

       


      Davide Poletti

      I'm using the ResetUserCredential service but I don't receive any emails; even SOST is empty. Do I need any prerequisite? The link is broken.