
Additional Information for Enterprise Search Security Issues

You will find the current version of the SAP NetWeaver Enterprise Search Security Guide on
the SAP Help Portal: http://help.sap.com/nwes70

This note describes new delta information to be added to the Enterprise Security Guide.

Additional Roles for users created during installation

a) Search_Conn (requires modifications)
The following roles must be assigned to the Search_Conn user on the ABAP part of the
application server:

• SAP_ESH_RFC_ENDUSER

• SAP_ESH_ADMIN

• S_BI-WX_RFC

See also the description of the user Search_Conn in the section on maintaining the service
user below.

b) Search_Admin (requires modifications)


The Search_Admin user is based on the SAP* super user and by default has the same
privileges. To operate properly, the following composite roles should also be assigned in the
ABAP user store:

• SAP_ESH_RFC_ENDUSER

• SAP_ESH_ADMIN

c) Extraction user (no modifications required)


An extraction user is created automatically in the Enterprise Search ABAP system when a
back-end system is initially connected for data extraction. The user is required for the RFC
connections between the back-end systems and the Enterprise Search ABAP system that are
used for data extraction. The extraction user is assigned to the profile S_BI_WHM_RFC
(needed for extraction of business data from the back-end system) and to the role
SAP_ESH_ADMIN (needed for transfer of permission data from the back-end system).
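
As an added example (not part of the SAP note and not SAP tooling), the following Python check compares an exported list of user assignments against the lists in a) and b) and separates assignments that are missing from those that exist but are outside their validity period. The CSV layout, its column names, the YYYYMMDD dates with 99991231 meaning unlimited, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date, datetime

# Required assignments, as listed in sections a) and b) of the note.
REQUIRED = {
    "SEARCH_CONN": {"SAP_ESH_RFC_ENDUSER", "SAP_ESH_ADMIN", "S_BI-WX_RFC"},
    "SEARCH_ADMIN": {"SAP_ESH_RFC_ENDUSER", "SAP_ESH_ADMIN"},
}

# Constructed sample export; layout and column names are assumptions.
SAMPLE_EXPORT = """\
user,assignment,valid_from,valid_to
SEARCH_CONN,SAP_ESH_RFC_ENDUSER,20240101,99991231
SEARCH_CONN,SAP_ESH_ADMIN,20240101,20240630
Search_Admin,SAP_ESH_RFC_ENDUSER,20240101,99991231
Search_Admin,sap_esh_admin,20250101,99991231
"""


def _day(value):
    """Parse a YYYYMMDD string into a date (99991231 becomes date.max)."""
    return datetime.strptime(value.strip(), "%Y%m%d").date()


def audit(export_text, today):
    """Return {user: {"missing": [...], "inactive": [...]}} for REQUIRED users."""
    seen = {user: set() for user in REQUIRED}
    active = {user: set() for user in REQUIRED}
    for row in csv.DictReader(io.StringIO(export_text)):
        # Compare case-insensitively: the note writes Search_Conn in mixed case.
        user = row["user"].strip().upper()
        name = row["assignment"].strip().upper()
        if user not in REQUIRED:
            continue
        seen[user].add(name)
        if _day(row["valid_from"]) <= today <= _day(row["valid_to"]):
            active[user].add(name)
    return {
        user: {
            "missing": sorted(needed - seen[user]),
            "inactive": sorted((needed & seen[user]) - active[user]),
        }
        for user, needed in REQUIRED.items()
    }


if __name__ == "__main__":
    for user, result in audit(SAMPLE_EXPORT, date(2024, 9, 1)).items():
        print(user, result)
```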

Maintaining Service User "Search_Conn"


To check the status of a search object connector within the administration cockpit, the system
uses the service user Search_Conn to call the back-end system. For this reason, a user named
Search_Conn must also exist on the back-end systems. If it does not exist, create the user
Search_Conn in the respective user management of the back-end system.

This is also described in the documentation, e.g.

for R/3 back-end systems:
http://help.sap.com/saphelp_nwes70/helpdata/EN/b1/7e3601074c483dbb72849e5feb9dca/frameset.htm
or for ERP 6.0 (ERP 2005) back-end systems:
http://help.sap.com/saphelp_nwes70/helpdata/EN/c2/ca580ac3284abe8470e2b09eca9b16/frameset.htm

The service user Search_Conn is also used for the connection between the ABAP and Java
stack of Enterprise Search and for the connection between ABAP and TREX.
If you change the password for the service user Search_Conn, which was set initially during
installation, you must change the password manually at the following locations:

• Inside Java and ABAP user management. Use the same password for

o user management of Java stack -> URL shortcut /useradmin

o user management of ABAP stack -> transaction SU01

• Update all locations where the password for Search_Conn is used. Use the same
password within

o SICF -> Service "esh_adm_smoketest_files"

o SM59 -> "ESH_APPL_CCMS"

o SM59 -> "ESH_APPL_WS_CONNECTORS"

o SM59 -> "ESH_APPL_WS_QSDISPATCHERN"

o TREX Admin tool: "TREX Admin RFC"

Always use the same password for the service user Search_Conn. If the new password is not
set at all locations, the user will be locked after several background logon attempts
with the old password.