CCDB SPML Java Extractor - Getting User and Group Information
How to set up SPML based extractors for CCDB
As of SAP Solution Manager 7.1 SP14 and 7.2 SP03 it is possible to retrieve user and role configuration via the SPML interface of a Java Application Server into the CCDB of SAP Solution Manager. However, since there is no standard role on the J2EE side that could be assigned to the collection user of the Solution Manager, and since the SPML service may have been disabled by the customer, this data is not collected automatically.
This document describes how to set up SPML based extractors for CCDB.
UME role with SPML read action
All SMD agent users (naming pattern: SM_COLL_<SID of Solman>) that log on to JEE systems connected to an SAP Solution Manager need an SPML read authorization as described in SAP note 1647157 - How to Set up Access to the SPML Service on AS Java (the manual steps to create the role follow below):
- Select search criteria "Role" in the upper part of the UI.
- Choose "Create Role".
- Enter the name of the new role in the "Unique Name" field on the tab "General Information".
- Navigate to the tab "Assigned Actions".
- Enter the search criteria "*spml*" in the "Get" field in the area "Available Actions" and choose the "Go" button.
- Add the UME action with the name "Spml_Read_Action" to the role.
- Save the new role by choosing the "Save" button.
CCDB template for config store based on SPML interface
You may add the following CCDB template definitions to the existing J2EE Engine Servercore 7.10 definitions (add them directly after the </Host> tag of the downloaded XML file).
<StoreGroup source="WS" name="SPML">
  <Parameter value="SPML" name="Type"/>
  <StoresDefinition>
    <ConfigStore type="TABLE" subalias="JE045" name="sapGroupAllAssignedUsers:Administrators" alias="SPML"/>
    <ConfigStore type="TABLE" subalias="JE045" name="sapGroupAllAssignedUsers:SAP_J2EE_ADMIN" alias="SPML"/>
    <ConfigStore type="TABLE" subalias="JE046" name="sapGroupAllAssignedUsers:Guests" alias="SPML"/>
    <ConfigStore type="TABLE" subalias="JE046" name="sapGroupAllAssignedUsers:SAP_J2EE_GUEST" alias="SPML"/>
    <ConfigStore type="PROPERTY" subalias="JE148" name="sapUserProperties:Guest" alias="SPML"/>
    <ConfigStore type="PROPERTY" subalias="JE148" name="sapUserProperties:J2EE_GUEST" alias="SPML"/>
    <ConfigStore type="TABLE" subalias="JE085" name="sapRoleAllAssignedUsers:LcrAdministrator" alias="SPML"/>
    <ConfigStore type="TABLE" subalias="JE085" name="sapRoleAllAssignedUsers:LcrInstanceWriterAll" alias="SPML"/>
    <ConfigStore type="TABLE" subalias="JE085" name="sapGroupAllAssignedUsers:SAP_SLD_ADMINISTRATOR" alias="SPML"/>
    <ConfigStore type="TABLE" subalias="JE085" name="sapGroupAllAssignedUsers:SAP_SLD_ORGANIZER" alias="SPML"/>
    <ConfigStore type="TABLE" subalias="EP115" name="sapRoleAllAssignedUsers:pcd:portal_content/com.sap.pct/administrator/system_admin/com.sap.portal.system_admin_role" alias="SPML"/>
    <ConfigStore type="TABLE" subalias="EP116" name="sapRoleAllAssignedUsers:pcd:portal_content/com.sap.pct/administrator/content_admin/com.sap.portal.content_admin_role" alias="SPML"/>
    <ConfigStore type="TABLE" subalias="EP117" name="sapRoleAllAssignedUsers:pcd:portal_content/com.sap.pct/administrator/user_admin/com.sap.portal.user_admin_role" alias="SPML"/>
    <ConfigStore type="TABLE" subalias="EP153" name="sapRoleAllAssignedUsers:pcd:portal_content/administrator/super_admin/super_admin_role" alias="SPML"/>
    <ConfigStore type="TABLE" subalias="JE149" name="sapRoleAssignedActions:Everyone" alias="SPML"/>
    <ConfigStore type="TABLE" subalias="JE149" name="sapRoleAssignedActions:Administrator" alias="SPML"/>
  </StoresDefinition>
</StoreGroup>
You may delete config store definitions if you do not want to collect that information and you are not planning to run the Security Optimization Service (SOS) for those systems.
First, download the existing J2EE ENGINE SERVERCORE 7.10 definitions:
- Go to Solution Manager Administration work center,
- Select the Infrastructure scenario on the left,
- Click on the Content button and select the Root Cause analysis option.
On the tab "Stores", you can use the "browse" and "custom upload" buttons to upload the XMLs.
a) In tab "Tree View" it's possible to enter a filter, please enter: J2EE ENGINE SERVERCORE 7.10 (and press return).
b) Select the line that is now displayed below the filter, showing: J2EE ENGINE SERVERCORE 7.10
c) In the "Export" tray, export the XML using the link "Export component.xml" (do not export the complete XML!).
d) Load the xml file in an XML editor of your choice.
Edit the XML file and save it:
1. In the file, search for the tag </Host> and enter your definitions directly after it and before the next <StoreGroup> tag.
2. Save the file
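The edit in step 1 is easy to get wrong by hand (a StoreGroup pasted inside <Host>, or a broken tag that the upload then rejects). The following added example, which is not part of this wiki page or of SAP's tooling, performs the insertion after </Host> and parses the result to confirm it is still well-formed XML with exactly one SPML StoreGroup in front of the existing groups. The sample component.xml is a constructed placeholder (only the <Host> and <StoreGroup> element names are taken from this page), and the StoreGroup holds just two of the ConfigStore lines from the template above.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the exported component.xml: only the <Host>
# and <StoreGroup> element names come from the page; root element and
# attribute values are placeholders, not the real CCDB template schema.
SAMPLE_COMPONENT_XML = """<Component name="J2EE ENGINE SERVERCORE 7.10">
  <Host name="PLACEHOLDER_HOST">
    <Parameter value="PLACEHOLDER" name="Type"/>
  </Host>
  <StoreGroup source="FS" name="EXISTING_GROUP">
    <StoresDefinition/>
  </StoreGroup>
</Component>
"""

# Two ConfigStore lines from the template above; paste the full group
# from the page for real use.
SPML_STORE_GROUP = """<StoreGroup source="WS" name="SPML">
  <Parameter value="SPML" name="Type"/>
  <StoresDefinition>
    <ConfigStore type="TABLE" subalias="JE045" name="sapGroupAllAssignedUsers:Administrators" alias="SPML"/>
    <ConfigStore type="PROPERTY" subalias="JE148" name="sapUserProperties:Guest" alias="SPML"/>
  </StoresDefinition>
</StoreGroup>"""

def insert_spml_group(component_xml, store_group):
    """Insert store_group directly after the first </Host> tag, which puts
    it in front of the next <StoreGroup> as the wiki instructs."""
    marker = "</Host>"
    idx = component_xml.find(marker)
    if idx < 0:
        raise ValueError("no </Host> tag found: is this the component.xml export?")
    cut = idx + len(marker)
    return component_xml[:cut] + "\n" + store_group + component_xml[cut:]

def check_template(xml_text):
    """Parse the edited file (ET.ParseError if the paste broke the XML) and
    summarise the SPML group so it can be reviewed before upload."""
    root = ET.fromstring(xml_text)
    groups = root.findall("StoreGroup")
    spml = [g for g in groups if g.get("name") == "SPML"]
    if len(spml) != 1:
        raise ValueError("expected exactly one SPML StoreGroup, found %d" % len(spml))
    stores = spml[0].findall("StoresDefinition/ConfigStore")
    return {
        "position": groups.index(spml[0]),  # 0 = directly after </Host>
        "store_count": len(stores),
        "subaliases": sorted({s.get("subalias") for s in stores}),
    }
```

Run check_template on the real edited file before the custom upload; a ParseError or a store_count that does not match the number of ConfigStore lines you pasted means the file needs another look.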
Upload the XML file to your Solution Manager system as follows:
- Go to Solution Manager administration work center,
- Select the Infrastructure scenario on the left,
- Click on the Content button and select the Root Cause analysis option.
- On the tab "Stores", you can use the "browse" and "custom upload" buttons to upload the XMLs.
a) In Upload: Click on button "Choose File" and select the XML file you've just saved.
b) Click on the button "Custom Upload" to import it.
Before the new stores are displayed in Change Reporting or CCDB admin, two steps need to be performed:
a) The nightly store check job identifies the new store definitions and schedules a new extractor per technical system of type Java.
b) The next extractor run after that collects the config stores.
c) To test your definitions, you can first run a "Store Check" in CCDB admin / Technical Systems / Expert functions for a technical system of type Java (this adds the new extractor) and trigger the extraction manually using the "Execute Extractors" button in CCDB admin / Technical Systems.
1. Using the SAP Solution Manager 7.2 Launchpad, navigate to the group SAP Solution Manager Administration.
- Make sure you see the tile: Templates – Root Cause Analysis.
Note: You can add tiles, by using the Launchpad function “Personalize Home Page” (available underneath your user profile in the top right hand corner).
2. Open the tile: Templates – Root Cause Analysis.
Remarks:
In case of a Support Package upgrade that contains an updated version of the J2EE ENGINE SERVERCORE 7.10 definition, the steps above need to be repeated.
Other J2EE ENGINE SERVERCORE definitions for higher versions are just references to 7.10 and do not need to be updated.
SPML Config Stores
Based on the config store definitions in the CCDB template above, you get the following SPML based config stores:
sapGroupAllAssignedUsers:Administrators
Example content
ID(K) | USER_LOGON(D) | DISPLAY_NAME(D) | DATASOURCE(D) | VALID_UNTIL(D) | IS_LOCKED(D) | IS_SYSTEM_USER(D) | IS_PASSWORD_CHANGE_REQUIRED(D) |
USER.PRIVATE_DATASOURCE.un:Administrator | Administrator | Administrator, | PRIVATE_DATASOURCE | 25001231000000 | false | false | false |
USER.PRIVATE_DATASOURCE.un:j2ee_admin | j2ee_admin | Administrator, | PRIVATE_DATASOURCE | 25001231000000 | false | false | false |
sapGroupAllAssignedUsers:Guests
Example content
ID(K) | USER_LOGON(D) | DISPLAY_NAME(D) | DATASOURCE(D) | VALID_UNTIL(D) | IS_LOCKED(D) | IS_SYSTEM_USER(D) | IS_PASSWORD_CHANGE_REQUIRED(D) |
USER.PRIVATE_DATASOURCE.un:Guest | Guest | Guest, | PRIVATE_DATASOURCE | 25001231000000 | true | false | true |
sapGroupAllAssignedUsers:SAP_J2EE_ADMIN
Example content
sapGroupAllAssignedUsers:SAP_J2EE_GUEST
Example content
sapGroupAllAssignedUsers:SAP_SLD_ADMINISTRATOR
Example content
Content of sapGroupAllAssignedUsers:SAP_SLD_ADMINISTRATOR
ID(K) | USER_LOGON(D) | DISPLAY_NAME(D) | DATASOURCE(D) | VALID_UNTIL(D) | IS_LOCKED(D) | IS_SYSTEM_USER(D) | IS_PASSWORD_CHANGE_REQUIRED(D) |
USER.PRIVATE_DATASOURCE.un:BBBBB | BBBBB | BBBBB, | PRIVATE_DATASOURCE | 25001231000000 | false | false | false |
sapGroupAllAssignedUsers:SAP_SLD_ORGANIZER
Example content
ID(K) | USER_LOGON(D) | DISPLAY_NAME(D) | DATASOURCE(D) | VALID_UNTIL(D) | IS_LOCKED(D) | IS_SYSTEM_USER(D) | IS_PASSWORD_CHANGE_REQUIRED(D) |
USER.PRIVATE_DATASOURCE.un:BBBBB | BBBBB | BBBBB, XXXX | PRIVATE_DATASOURCE | 25001230230000 | false | false | false |
sapRoleAllAssignedUsers:LcrAdministrator
Example content
sapRoleAllAssignedUsers:LcrInstanceWriterAll
Example content
sapRoleAllAssignedUsers:pcd:portal_content/administrator/super_admin/super_admin_role
Example content
ID(K) | USER_LOGON(D) | DISPLAY_NAME(D) | DATASOURCE(D) | VALID_UNTIL(D) | IS_LOCKED(D) | IS_SYSTEM_USER(D) | IS_PASSWORD_CHANGE_REQUIRED(D) |
USER.PRIVATE_DATASOURCE.un:Administrator | Administrator | Administrator, | PRIVATE_DATASOURCE | 25001231000000 | false | false | false |
sapRoleAllAssignedUsers:pcd:portal_content/com.sap.pct/administrator/content_admin/com.sap.portal.content_admin_role
Example content
sapRoleAllAssignedUsers:pcd:portal_content/com.sap.pct/administrator/system_admin/com.sap.portal.system_admin_role
Example content
sapRoleAllAssignedUsers:pcd:portal_content/com.sap.pct/administrator/user_admin/com.sap.portal.user_admin_role
Example content
sapRoleAssignedActions:Administrator
Example content
ID(K) | ACTION(D) |
ACTN.AUTH_DS.un:L$JPL_1 | ACTN.AUTH_DS.un:L$JPL_1 |
ACTN.AUTH_DS.un:L$JPL_10 | ACTN.AUTH_DS.un:L$JPL_10 |
ACTN.AUTH_DS.un:L$JPL_100 | ACTN.AUTH_DS.un:L$JPL_100 |
ACTN.AUTH_DS.un:L$JPL_100000 | ACTN.AUTH_DS.un:L$JPL_100000 |
ACTN.AUTH_DS.un:L$JPL_100001 | ACTN.AUTH_DS.un:L$JPL_100001 |
ACTN.AUTH_DS.un:L$JPL_100002 | ACTN.AUTH_DS.un:L$JPL_100002 |
sapRoleAssignedActions:Everyone
Example content
sapUserProperties:Guest
Example content
PARAMETER(K) | VALUE(D) |
datasource | PRIVATE_DATASOURCE |
displayName | Guest, |
id | USER.PRIVATE_DATASOURCE.un:Guest |
isLocked | true |
isPasswordChangeRequired | true |
isSystemUser | false |
sapUserProperties:J2EE_GUEST
Example content
Target Systems to validate config stores based on SPML interface
Validate that user Guest is locked
Example target system definition: Guest account isLocked = true is validated as compliant; if Guest account isLocked = false, it is validated as non-compliant.
Validate the users of group Administrators
Example target system definition:
One generic rule that validates all users as non-compliant (shown in detail).
Two additional specific rules as exceptions that validate the users Administrator and DEVSUPPORT as compliant.
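To make the two target-system definitions above concrete, here is an added example (not part of this wiki page or of SAP's target-system engine) that parses store content in the pipe-separated layout shown in the "SPML Config Stores" section and evaluates both rules: the Guest isLocked check (JE148) and the "everyone non-compliant except the listed exceptions" check on the Administrators group (JE045). The store contents are constructed from the examples on this page; the DEVSUPPORT row is invented to exercise the second exception.

```python
# Constructed store contents in the pipe-separated layout shown on this page.
# The DEVSUPPORT row is invented to exercise the second exception rule.
GUEST_PROPERTIES = """PARAMETER(K) | VALUE(D) |
datasource | PRIVATE_DATASOURCE |
displayName | Guest, |
id | USER.PRIVATE_DATASOURCE.un:Guest |
isLocked | true |
isPasswordChangeRequired | true |
isSystemUser | false |"""

ADMIN_GROUP_USERS = """ID(K) | USER_LOGON(D) | DISPLAY_NAME(D) | DATASOURCE(D) | VALID_UNTIL(D) | IS_LOCKED(D) | IS_SYSTEM_USER(D) | IS_PASSWORD_CHANGE_REQUIRED(D) |
USER.PRIVATE_DATASOURCE.un:Administrator | Administrator | Administrator, | PRIVATE_DATASOURCE | 25001231000000 | false | false | false |
USER.PRIVATE_DATASOURCE.un:DEVSUPPORT | DEVSUPPORT | Support, Dev | PRIVATE_DATASOURCE | 25001231000000 | false | false | false |
USER.PRIVATE_DATASOURCE.un:j2ee_admin | j2ee_admin | Administrator, | PRIVATE_DATASOURCE | 25001231000000 | false | false | false |"""

def parse_store(text):
    """Turn the 'COL(K) | COL(D) |' layout into a list of row dicts; the
    (K) key / (D) data markers are stripped from the column names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    cols = [c.strip().split("(")[0] for c in lines[0].split("|") if c.strip()]
    rows = []
    for ln in lines[1:]:
        cells = [c.strip() for c in ln.split("|")][:len(cols)]
        rows.append(dict(zip(cols, cells)))
    return rows

def guest_locked_rule(property_rows):
    """JE148 rule: the Guest account is compliant only if isLocked = true."""
    props = {r["PARAMETER"]: r["VALUE"] for r in property_rows}
    return props.get("isLocked", "").lower() == "true"

# Exceptions named on this page; extend the set with your own approved
# emergency or support users.
ADMIN_EXCEPTIONS = frozenset({"Administrator", "DEVSUPPORT"})

def administrators_rule(table_rows, exceptions=ADMIN_EXCEPTIONS):
    """JE045 rule: the generic rule marks every member of Administrators as
    non-compliant; the specific exception rules mark the listed logons as
    compliant. Returns {USER_LOGON: compliant}."""
    return {r["USER_LOGON"]: r["USER_LOGON"] in exceptions for r in table_rows}
```

Any logon that shows up as False in the result is a member of Administrators that no exception rule covers, which is exactly what the target system would flag.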
Usage in the Security Optimization Service
The data in the above stores is used in the following checks of the Security Optimization Service:
- Users of Standard User Group "Administrators" (JE045)
- Users of Standard User Group "Guests" (JE046)
- Guest User "GUEST" should be Locked (JE148)
- Critical UME Actions of Role "Everyone" (JE149)
- Users Authorized to Administer the SLD (JE085)
- Portal Super Administrators Found (EP153)
- Additional Portal Administrators Found (EP115)
- Additional Portal User Administrators Found (EP117)
- Additional Portal Content Administrators Found (EP116)
This page is part of the Application Operations Wiki. Notice that Application Operations itself is a use-case of SAP Solution Manager