SAP Sourcing/CLM 7 on the recommended application server SAP Netweaver, has always had support for Netweaver UME as an option for authentication. With the release of SAP Sourcing/CLM 7 SP3 and above on SAP Netweaver 7.3, that collusion has been further strengthened, with additional considerations to the way our customers would like to use the authentication options provided.
Again, at the expense of sounding repetitive, with the advent and furthering of using Netweaver UME for authentication, it is strongly recommended that our customers consider using Netweaver UME to provide authentication, even if the user data repository is an Active Directory. Using this method would allow greater extensibility, and flexibility as well as support for a wider range of Active Directories becomes available. This native support for Netweaver UME is a much better option than using the native support for a smaller range of Active Directories, currently provided in Sourcing/CLM.
The recommended landscape is visualized below, and as can be seen, the user repository options afforded by this setup are - Netweaver UME internal database and, Netweaver UME supported Active Directory. The latter is ideally recommended. This also means a combination of user repositories could be configured providing a physical separation between the purchaser and vendor users, which forms the crux of this article, so read on.
Figure 1: Recommended Landscape Setup
Before diving into the improved facilities provided with the Netweaver UME authentication option in SAP Sourcing/CLM 7 SP3+, a word of caution to the customers who have been using the Netweaver UME driver, and have recently upgraded to the SP3 release - there is an additional field, “External Role”, that has been introduced, which is mandatory, and has to be populated in the Directory Configuration for both Purchaser and Vendor.
Figure 2: Directory Configuration Sample
Caution: The roles assigned in Netweaver UME are not to be confused with the Profiles in Sourcing/CLM. There is no mapping between the roles in Netweaver UME being defined and referenced below, and Profiles. This blog is a pointer for the Authentication aspect only, and the authorization schemes in Sourcing/CLM which support the complex requirements and rigors of the application have not been changed at all. All the profiles will function as usual and will still need to be configured regardless of the authentication option or user data repository being used.
Let’s look at some really straightforward scenarios:
Scenario 1 – No logical partition between Purchaser and Vendor
If Netweaver UME is the authentication mechanism for both purchaser AND vendor and a separation between the purchaser and vendor users is not pertinent and important to your specific scenario, then the solution is simple. The value for the External Field should be set to “everyone” in both Purchaser and Vendor Directory Configurations (as shown in Figure 2 above).
This might be the solution for customers upgrading to the version 7 SP3 release.
Scenario 2 – Only Purchaser or Vendor on UME
If Netweaver UME is the authentication mechanism and will be used only for the purchaser OR vendor directory configurations only, then again the value for the External Role field will be “everyone” for the directory using Netweaver UME driver only (as shown in Figure 2 above). The directory not using Netweaver UME as the authentication driver does not need an entry for this field.
Onto the slightly more involved and advanced scenarios, which will support the situations that will is probably the most desirable, and probably mandated for compliance purposes for many of you; partitioning of the purchaser and vendor users, when only one user data repositories would be used.
Scenario 3 – Logical partition between Purchaser and Vendor
If Netweaver UME is the authentication mechanism for both purchaser AND vendor and a separation between the purchaser and vendor users is required then this section is for you. This scenario is the inverse of what is described in Scenario 1 above. The straightforward steps described below will guide you to achieve this objective.
This is also the setup that is the recommended mode for setting up users, and provides the most secure mechanism for managing users in Sourcing. This might also be the implied approach for most of the compliance regulations.
Step 1: Create a purchaser role in Netweaver UME. The value could be anything that is meaningful and relevant in your situation. In the example below, the Unique Name is defined as “biogenyx_buyside_role”
Figure 3: Unique Purchaser Role creation in Netweaver UME
Step 2: Create a vendor role in Netweaver UME. The value could be anything that is meaningful and relevant in your situation. In the example below, the Unique Name is defined as “biogenyx_sellside_role”
Figure 4: Unique Vendor Role creation in Netweaver UME
Step 3: Now, while configuring the purchaser Directory Configuration, ensure that the exact Unique Name defined for the role in Netweaver UME for purchaser users is entered in the External Role field as shown below:
Figure 5: Directory Configuration sample for purchaser
Step 4: Now, while configuring the vendor Directory Configuration, ensure that the exact Unique Name defined for the role in Netweaver UME for vendor users is entered in the External Role field as shown below:
Figure 6: Directory Configuration sample for vendor
The important thing that was mentioned above, is that the user authorization is still the domain of the Sourcing/CLM application, which means that the users need to exist in the Sourcing/CLM database. The synchronization of the user attributes between Netweaver UME and Sourcing/CLM database is crucial for the smooth functioning of the solution.
Of course we make the user synchronization process as seamless as possible, but there are multiple options which are available to ensure the synchronization suits your needs. One of the important tools that has now been made available in Sourcing, is the ability to export user information in the SAP Netweaver UME format, which allows for increased efficiency.
The options for synchronizing of users and detailed instructions for setting up and configuration, including attribute mapping as described in brief above are described in the Wave 7 SP3 Security Guide in the SAP Service Marketplace.