Authorization errors in Java components after upgrade



Symptom
After the upgrade of your system, you get an authorization error when you start a JEE application on the AS Java. Check for the root cause of the error. Depending on the application, it is displayed either in the browser window or it is logged only in the default trace file of the AS Java.
You find an exception message similar to the following:
“JmxSecurityException: Caller <username> not authorized, required permission missing (javax.management.MBeanPermission …)”, where <username> is not one of your business users.
Other terms
Run-as, RunAs, permission error, missing authorization, update, Netweaver PI, Business By Design, BYD, double stack
Reason and Prerequisites
This problem only occurs in dual-stack systems (AS Java and AS ABAP), such as SAP Netweaver PI or SAP Business ByDesign.
This problem is caused by the “runAs” concept of JEE applications. This concept enables an application (or part of an application) that requires a certain JEE role for execution to run under this role, even if the logged-in user does not have this role.
For this process, the system searches for and selects a user with this role. If no user exists with this role, the system generates a user.
However, some applications have additional authorizations checks under the runAs user, which fail for generated users.
Normally the system does not require the user generation fallback, because the applications ensure that there is always a user with the required roles.
However, the problem is the update procedure in dual-stack systems (to 7.10 and 7.1 EHP1). There the persistency is switched to database-only mode. During this process the normal users are not available, and therefore new users are generated.
Solution
Before the upgrade
Execute the following steps before you upgrade your double stack system to SAP NetWeaver 7.1 or SAP Enhancement Pack 1 for SAP NetWeaver 7.1:
1. Log on to identity management and create a user with the ‘Security Policy’: ‘Internal Service User’. Any username will do.
2. Assign the user to the UME role “Administrator”.
You only need this user during the upgrade process. You can delete it afterwards.
Note:
If you upgrade to SAP Enhancement Pack 1 for SAP Netweaver 7.1 and the SAP emergency user “SAP*” exists as a normal database user in the ABAP back end, you must assign the user to the UME role “Administrator”, too.
After the upgrade
If you did not apply the solution before the upgrade process, execute the following steps, depending on the <username> in the exception text.
The <username> is 12 characters long and has a random series of characters:
As the problem probably occurs for more than one application, delete all the generated run-as users at once.
To identify these users, search for all UME database users in the NetWeaver identity management application. The users you are looking for have the following characteristics:
They are not one of your business users.
The username is a random series of characters, 12 characters long.
They have no other attributes maintained (like first name, last name, and e-mail address).
It is safe to delete these users. Afterwards please restart the AS Java.
Note:
If the application that has the authorization problem is the identity management application, activate the emergency user to execute the steps above.
The instructions how to do this can be found on the SAP Help Portal, in the troubleshooting section for the User Management of the AS Java.
After deleting the users, deactivate the emergency user again before you restart the AS Java.
The <username> is ‘SAP*’:
SAP* was selected as a run-as user when the AS Java was in emergency user mode. In this mode this user has all JEE authorizations. After disabling the mode, the run-as entry stayed.
Normally this is not a problem, because SAP* does not exist and therefore a new run-as user is selected. But if SAP* exists as a normal ABAP user, it does not have any permissions on the Java side by default.
To solve this problem, assign SAP* the Administrator UME role with the identity management application.
This is not a problem from the security side, because the emergency user is supposed to have all authorizations anyway.
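The two "After the upgrade" cases above hinge on reading the <username> out of the JmxSecurityException and then recognising generated run-as users by the three characteristics the note lists. The following Python script is an added example, not part of this SAP Note and not an SAP tool: it extracts the caller from the exception text, decides which of the two cases applies, and filters a user listing for generated run-as users. The record layout (logon, first_name, last_name, email) and the sample users are constructed assumptions; a real identity management export would need its own field mapping.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed sample records in the shape of a UME database user listing.
# The field names are assumptions for this example, not a real UME export format.
SAMPLE_USERS: List[Dict[str, str]] = [
    {"logon": "jsmith", "first_name": "John", "last_name": "Smith", "email": "john.smith@example.com"},
    {"logon": "A7QK2ZP9XM3T", "first_name": "", "last_name": "", "email": ""},   # generated run-as user
    {"logon": "Q1W2E3R4T5Y6", "first_name": "", "last_name": "", "email": ""},   # generated run-as user
    {"logon": "svcpirunas01", "first_name": "", "last_name": "", "email": ""},   # 12 chars, but a known service user
    {"logon": "SAP*", "first_name": "", "last_name": "", "email": ""},           # emergency user, handled separately
    {"logon": "ABCDEFGHIJKL", "first_name": "Ann", "last_name": "Lee", "email": ""},  # 12 chars, but attributes maintained
]

# Constructed list of logon names the administrator knows to be legitimate.
KNOWN_BUSINESS_USERS: Set[str] = {"jsmith", "svcpirunas01"}

# Generated run-as users have a 12-character alphanumeric logon name.
RANDOM_LOGON = re.compile(r"^[A-Za-z0-9]{12}$")

# Matches the exception text quoted in the note: "Caller <username> not authorized".
CALLER_PATTERN = re.compile(r"JmxSecurityException: Caller (\S+) not authorized")


def is_generated_runas_user(user: Dict[str, str], known_business_users: Set[str]) -> bool:
    """Apply the note's three criteria: not a business user, 12 random
    characters, and no first name / last name / e-mail maintained."""
    logon = user["logon"]
    if logon in known_business_users:
        return False
    if not RANDOM_LOGON.match(logon):
        return False
    attributes = (user.get("first_name", ""), user.get("last_name", ""), user.get("email", ""))
    return not any(a.strip() for a in attributes)


def find_generated_runas_users(users: Iterable[Dict[str, str]],
                               known_business_users: Set[str]) -> List[str]:
    """Return the logon names that are safe to delete according to the note."""
    return sorted(u["logon"] for u in users if is_generated_runas_user(u, known_business_users))


def classify_caller(message: str, known_business_users: Set[str]) -> str:
    """Decide which branch of the solution applies to an exception message."""
    match = CALLER_PATTERN.search(message)
    if not match:
        return "no-jmx-caller"          # not the exception this note covers
    caller = match.group(1)
    if caller == "SAP*":
        return "sap-star"               # assign SAP* the Administrator UME role
    if caller in known_business_users:
        return "business-user"          # a real user lacks the permission; out of scope here
    if RANDOM_LOGON.match(caller):
        return "generated-runas"        # delete generated run-as users, restart AS Java
    return "unknown"


if __name__ == "__main__":
    # Constructed trace excerpt modelled on the message quoted in the note.
    trace = ("JmxSecurityException: Caller A7QK2ZP9XM3T not authorized, required "
             "permission missing (javax.management.MBeanPermission ...)")
    print("case:", classify_caller(trace, KNOWN_BUSINESS_USERS))
    print("candidates for deletion:", find_generated_runas_users(SAMPLE_USERS, KNOWN_BUSINESS_USERS))
```

The known-business-user set is the important safety net: a 12-character service account with no attributes maintained looks exactly like a generated user, so the filter should only ever be run against a reviewed list of legitimate logons, and SAP* is deliberately excluded because the note gives it a different remedy.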
