
Authorizations

Applications and components deployed on the J2EE Engine can use the following approaches to authorization checking:

·        Assign activities to individual users based on roles.

·        Control the use of objects using Access Control Lists (ACLs).

In addition, applications deployed on the J2EE Engine can implement authorization checking using one of the following methods:

·        Declarative - An application running on the J2EE Engine declares its protected resources and the roles authorized for access. When a protected resource of this component is accessed, the container where the component runs performs the authorization based on this declaration.

·        Programmatic - An application running on the J2EE Engine checks whether a caller of an Enterprise Java Bean or a Web resource has a specific role. In this case, the authorization check is specified in the component’s application code and is carried out by the application and not the container where it is running.

Role Based Authorization Approaches

On the J2EE Engine, a security role represents an abstract logical group of users that is defined for specific application components by the J2EE Engine administrator. The AS-Java can use two distinct types of role-based authorization approaches to control access to protected resources.

·        J2EE roles

J2EE roles are security roles that are constructed according to the J2EE specification. They support both declarative and programmatic authorization checks. When using the declarative approach, the information is stored in deployment descriptors for the application. Alternatively, with the programmatic approach, the information is stored in the application code. To manage these roles, you use the Visual Administrator tool of the J2EE Engine.

J2EE roles are suitable for purely static, activity-related access control. This concept is based on the assignment of authorizations by activity (for example, the activity Financial Accountant), but not by instances (for example, by Cost Centers). In this example, this means that all users assigned to the Financial Accountant role can post to all cost centers.

·        UME roles

The User Management Engine (UME) authorization concept extends the possibilities provided by the J2EE roles. UME roles are used by default on the J2EE Engine and support only a programmatic approach to authorization checking. To manage these roles, you use the UME Administration Console of the Web Admin tool of the AS-Java.

The advantage of using UME roles is that administration is more flexible because you can consolidate permissions into actions, which are then grouped into roles and assigned to users. This concept therefore allows you to assign authorizations both by activity and by instances. For example, this means that users assigned to the Financial Accountant role can post only to specific cost centers that you determine. In addition, when using UME roles, you can perform more complex checks than those supported when using J2EE security roles, such as using wildcards in the authorization check.

J2EE roles on the J2EE Engine are used purely declaratively. UME roles and the corresponding UME APIs are used for programmatic access control. For more information, see Architecture of Security Roles in the Administration Manual.
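The difference between activity-based J2EE roles and instance-aware UME roles, as an added example that is not SAP code and does not use the UME API. It is a stand-alone Java model (Java 9 or later): the class CostCenterPermission, the action name PostEurope and the cost center names are hypothetical, and the standard java.security.BasicPermission supplies the wildcard matching.

```java
import java.security.BasicPermission;
import java.security.Permission;
import java.util.*;

// Added illustration: a stand-alone model of the two concepts, not the UME API.
public class CostCenterAuthz {
    // Hypothetical permission type. BasicPermission.implies() accepts a trailing ".*" wildcard.
    static final class CostCenterPermission extends BasicPermission {
        CostCenterPermission(String name) { super(name); }
    }

    // Activity-only model (J2EE role style): role membership is the whole decision,
    // so the object being accessed never enters the check.
    static boolean roleCheck(Set<String> userRoles, String requiredRole) {
        return userRoles.contains(requiredRole);
    }

    // Instance-aware model (UME style): role -> actions -> permissions,
    // evaluated against the permission needed for one concrete object.
    static boolean permissionCheck(Set<String> userRoles,
                                   Map<String, List<String>> roleActions,
                                   Map<String, List<Permission>> actionPermissions,
                                   Permission required) {
        for (String role : userRoles)
            for (String action : roleActions.getOrDefault(role, List.of()))
                for (Permission granted : actionPermissions.getOrDefault(action, List.of()))
                    if (granted.implies(required)) return true;
        return false; // default deny when no granted permission matches
    }

    public static void main(String[] args) {
        // Constructed sample data: one role, one action, one wildcard permission.
        Set<String> roles = Set.of("FinancialAccountant");
        Map<String, List<String>> roleActions =
            Map.of("FinancialAccountant", List.of("PostEurope"));
        Map<String, List<Permission>> actionPermissions =
            Map.of("PostEurope", List.of(new CostCenterPermission("post.costcenter.eu.*")));

        for (String cc : List.of("eu.1000", "eu.2000", "us.3000")) {
            Permission needed = new CostCenterPermission("post.costcenter." + cc);
            System.out.printf("%-8s role-only=%b permission=%b%n", cc,
                roleCheck(roles, "FinancialAccountant"),
                permissionCheck(roles, roleActions, actionPermissions, needed));
        }
    }
}
```

The role-only check grants posting to every cost center, while the permission check grants only those covered by the wildcard assigned through the action.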

Standard Roles and Actions

For more information about the standard UME actions and the roles for the AS-Java, see:

·        Standard Roles

·        Permissions, Actions and UME Roles

·        Standard UME Actions

Access Control Lists

ACLs are suitable for protecting a large number of objects (that is, instances). In this case, you define an access control matrix that contains a subject (a role), a predicate (type of access), and the resource to be protected. Only users that are mapped to at least one of these roles can access this resource.

On the J2EE Engine, you use the Protection Domains and Policy Configuration in the Security Provider service to define ACLs. For more information, see Managing Protection Domains and Managing Resources in the Administration Manual.

 

See also:

Administration Manual

·        User Management of the Application Server Java

·        Resource Management

·        Security Roles Management

Development Manual

·        Using Security Roles and Security Role References

·        Specifying the Security Methods to Use for an Application

SAP NetWeaver Security Guide

·        Deployment Authorizations When Using Deploy Service

 

 
