SAP EP – Netweaver Portal

Symptom

This note covers all information not included in the official “Implementing a Federated Portal Network” scenario documentation provided on SAP Help Portal at http://help.sap.com/saphelp_nw04s/helpdata/en/5b/9f2d4293825333e10000000a155106/frameset.htm. The information in this note includes known integration issues, workarounds, updated information and restrictions in SAP NetWeaver 7.0 (2004s).
This note is dedicated to cover all Remote Role Assignment issues in FPN. Please refer to note 880482 as the entry point for all other categories

Other terms

SAP NetWeaver Portal, federated portal network, federation, remote role assignment, portal federation, content federation, producer, consumer, FPN

Solution

Current considerations, workarounds & restrictions:
Remote roles cannot be displayed when using the “light framework page” (which is described more in detail in the IT scenario variant “Implementing an External-Facing Portal”).Anonymous users on the consumer must not be assigned to remote roles. This is due to the fact that anonymous guest users cannot use the FPN services that are included in low security zone (anonymous users reside in security zone: none).You should use one central user repository for all portals in your federation in order to take full advantage of RRA.
If you use multiple user repositories in your federated portal network (for example, consumer portal uses LDAP directory server and the producer portal ABAP CUA) then remote roles can be assigned to users only, not to groups. This is because the groups themselves and the users included might not be consistent in the federation, and thus a security risk might occur when remote roles are assigned to groups. In case you foresee these issues, you could consider using Remote Delta Links for roles instead and assign those RDL-roles then to groups on the consumer portal.Moving and renaming producer roles: If a consumer has assigned a remote role to users and this role is moved or renamed on the producer, then the remote role assignment on the consumer will be lost. In such an event, the consumer administrator needs to reassign the remote role to the users.When using a central Identity Management tool, some conflicts might occur when using RRA. When assigning a remote role to a user on the consumer portal, the same assignment automatically takes place on the producer portal for this user. This might conflict with the assignments done with the Identity Management tool. In case you encounter or foresee this issue in your landscape, you could consider using remote delta links (RDL) instead: Thus copy the remote role as an RDL to the PCD (Portal Content Directory) of the consumer portal and then assign this role to the consumers’ users with the help of the Identity Management tooThe remote role assignment feature may not work properly if a custom PCD filter is deployed, and the filter returns different nodes for different users. In such cases, an administrator can integrate remote content by using the remote delta link feature.

Solved restrictions
It is not possible to transport proxy-to-remote roles.
FIXED with SAP NetWeaver 7.0 SPS 09 : new UME based user interface for Remote Role Assignment is available and proxy-to-remote roles don’t have to be created anymore.Proxy-to-remote roles cannot be deleted using the portal UI, but only using the Identity Management dedicated interface.
FIXED with SAP NetWeaver 7.0 SPS 09.RRA supported only in cases where the producer and consumer are both running the same SPS version.
FIXED with SAP NetWeaver 7.0 SPS 09 by removing the need to create a proxy-to-remote role, and instead being able to directly assign users/groups to remote roles using the standard role assignment UI.The remote roles of a producer are not displayed in the User Administration of the consumer after restart of the server. There are two workaround for SAP NetWeaver 7.0 SPS 10 and SPS 09 available for this issue: 1. Give read permissions to group “Everyone” for the producer object on the consumer – then after server restart the producer will successfully be registered with UME. 2. Restart the com.sap.portal.ivs.global.gpnavigationconnector service once after each server restart to register the producers with UME.
FIXED with SAP NetWeaver 7.0 SPS 11.If one producer is down, the consumer cannot display any content (you might receive a blank screen with an error message).
FIXED: patches available for SAP NetWeaver 7.0 SPS 09, SPS 10 and SPS 11 – see note 1025374.If one producer portal is down, no remote content can be displayed at all (even if only one portal is down, all connected producer portals are affected).
FIXED: patch available for SAP NetWeaver 7.0 SPS 10 and SPS 11 – see note 1033804.In SAP NetWeaver 7.0 SPS16 and earlier, when a user administrator unassigns a remote role from a user in the consumer portal, there may be cases where the remote role is successfully unassigned in the consumer portal, but the local unassignment in the producer portal is incomplete. Workaround: Manually unassign the local role from the specific user at the producer portal. FIXED: This issue has been fixed as of SAP NetWeaver 7.0 SPS17