Users and Authorizations on the J2EE Engine
Use the user administration tools to assign the required authorizations to administrators and end users using user accounts. You can use the Visual Administrator of the SAP J2EE Engine to allow a user general access to a J2EE application or to log on to the SAP J2EE Engine, or you can use the user and role concept of the User Management Engine (UME) to implement refined access to SAP applications that use programmatic authorization checks. The UME also has a user management administration console for managing user accounts.
To set up your authorization concept on the SAP J2EE Engine, first create user accounts. You then assign authorizations using J2EE standard methods or SAP’s extended methods. There are two types of authorizations: you can assign activities to individual users based on roles, and you can control the use of objects using access control lists.
Possible authorization checks:
· Activity-related access control with J2EE security roles for applications (J2EE standard)
The developer defines these roles in the deployment descriptors for his or her application. The administrator maps the users to the corresponding roles.
· Instance-related access control with roles (UME roles)
Using these roles, you specify which activities a user can execute on the SAP J2EE Engine. You can also specify which instances a user can access.
· Instance-related access control with access control lists
Access control lists are suitable for protecting a very large number of objects (that is, instances). In this case, you define an access control matrix that contains a subject (role), a predicate (type of access), and the object (instance to be protected). Only users that are mapped to at least one of these roles can access this resource. There are two ways to use the access control lists:
◦ J2EE server roles (SAP J2EE Engine)
The developer or administrator defines the role using the corresponding API; the administrator then uses the Security Roles tab page in the Visual Administrator to map users to the role. The administrator also manages the authorizations for accessing resources by assigning roles in the corresponding access control lists (in Resource Management).
◦ UME access control lists
These access control lists contain users and user groups instead of roles. They can only be administered in the application context.
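The access control matrix described above, as an added sketch in Java (not SAP or UME code): subjects are roles, as with J2EE server roles, or users and groups, as with UME access control lists, and access is denied unless a row matches. All class, user, group, role and resource names are hypothetical sample data, and the code assumes Java 9 or later.

```java
import java.util.*;

// Added illustration, not SAP code: every class, user, group, role and
// resource name below is hypothetical sample data.
public class AclMatrixDemo {
    // Matrix rows: (subject, predicate = type of access, object = instance).
    private final Set<List<String>> rows = new HashSet<>();
    // Principals held by each user, e.g. "role:ReportReader" or "group:Finance".
    private final Map<String, Set<String>> principals = new HashMap<>();

    void grant(String subject, String access, String instance) {
        rows.add(List.of(subject, access, instance));
    }

    void assign(String user, String principal) {
        principals.computeIfAbsent(user, u -> new HashSet<>()).add(principal);
    }

    // Deny by default: allowed only if the user, or at least one principal
    // mapped to the user, has a row for this exact access type and instance.
    boolean isAllowed(String user, String access, String instance) {
        Set<String> subjects = new HashSet<>();
        subjects.add("user:" + user);
        subjects.addAll(principals.getOrDefault(user, Set.of()));
        for (String s : subjects) {
            if (rows.contains(List.of(s, access, instance))) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        AclMatrixDemo acl = new AclMatrixDemo();
        // Role-based rows, as with J2EE server roles.
        acl.grant("role:ReportReader", "read", "report/4711");
        acl.grant("role:ReportEditor", "write", "report/4711");
        // User and group rows, as with UME access control lists.
        acl.grant("group:Finance", "read", "report/4712");
        acl.grant("user:dave", "write", "report/4712");
        acl.assign("alice", "role:ReportReader");
        acl.assign("bob", "role:ReportEditor");
        acl.assign("carol", "group:Finance");
        String[][] checks = {
            {"alice", "read", "report/4711"}, {"alice", "write", "report/4711"},
            {"bob", "read", "report/4711"}, {"carol", "read", "report/4712"},
            {"dave", "write", "report/4712"}, {"erin", "read", "report/4711"},
        };
        for (String[] c : checks) {
            System.out.printf("%-5s %-5s %-11s -> %s%n", c[0], c[1], c[2],
                    acl.isAllowed(c[0], c[1], c[2]) ? "allow" : "deny");
        }
    }
}
```

Each access type is matched exactly, so a role with a write row gets no implicit read access, and a user with no matching row is denied.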
The primary method for managing users on the SAP J2EE Engine is by using the Security Service in the Visual Administrator. In addition to the user administration functions, this service also provides the following related functions:
· Managing Authentication Modules
· Managing Cryptography Providers
