Show TOC

Procedure documentationConfiguring SLD Security Roles Locate this document in the navigation structure

 

Functions in the SLD are protected from unauthorized access. For this purpose, you can find several AS Java security roles and User Management Engine (UME) actions that are assigned to different SLD functions. Before you can use SLD, you have to map these roles and actions to individual users or user groups.

We recommend that you use user groups and map them to the appropriate UME roles instead of assigning them to individual users. Users that belong to a particular group receive all permissions that are granted to the group.

We recommend that you use the following user groups that correspond to the identically- named UME roles:

UME Role/User Group

Permissions

SAP_SLD_GUEST

Read access to SLD data

SAP_SLD_SUPPORT

Read-only access to all SLD data and UIs, including the Administration area (used for SAP support)

SAP_SLD_CONFIGURATOR

Create, modify, and delete CIM instances of the Landscape Description and Name Reservation subsets (includes all read permissions).

SAP_SLD_CONTENT_SYNC

Synchronize SLD content changes with other SLD CIM namespaces. Includes complete read access to the SLD UI.

SAP_SLD_DATA_SUPPLIER

Create, modify, and delete CIM instances of the Landscape Description subset as a data supplier without access to the SLD UI.

SAP_SLD_DEVELOPER

Create, modify, and delete CIM instances of the Name Reservation subset (includes all read permissions).

SAP_SLD_ORGANIZER

Create, modify, and delete all types of CIM instances (includes all read permissions).

SAP_SLD_ADMINISTRATOR

Administrative tasks (includes all other roles)

The following table lists the SLD security roles along with their recommended SLD user group and UME role:

UME Role/User Group

J2EE Security Role/UME action

SAP_SLD_GUEST

LcrUser

SAP_SLD_SUPPORT

LcrUser

LcrSupport

SAP_SLD_CONFIGURATOR

LcrUser

LcrInstanceWriterLD

LcrInstanceWriterNR

SAP_SLD_CONTENT_SYNC

LcrUser

LcrContentSync

SAP_SLD_DATA_SUPPLIER

DataSupplierLD (this is not a UME action)

SAP_SLD_DEVELOPER

LcrUser

LcrInstanceWriterNR

SAP_SLD_ORGANIZER

LcrUser

LcrInstanceWriterCR

LcrInstanceWriterLD

LcrInstanceWriterNR

LcrInstanceWriterAll

SAP_SLD_ADMINISTRATOR

LcrUser

LcrInstanceWriterCR

LcrInstanceWriterLD

LcrInstanceWriterNR

LcrInstanceWriterAll

LcrClassWriter

LcrSupport

LcrAdministrator

DataSupplierLD

LcrContentSync

If the UME is used with an ABAP-based system as the back-end user storage, then these groups already exist. ABAP user roles appear as user groups on the AS Java side. SAP NetWeaver Application Server ABAP (AS ABAP) contains these default user roles.

If you have the authorization to create user groups as a local AS Java administrator, the SLD user groups are created by the standard SLD configuration described below.

If your LDAP user store is configured in a way that no user groups can be created by the local UME, you must first create the user groups listed above.

Note Note

If you want to set up SLD security for test purposes, you can simply use an AS Java administrative user which also has administrative permissions for SLD by default.

End of the note.

Procedure

Creating Standard SLD Security Roles - Automatically

  1. In your Web browser, enter the URL of the application using the following format: http://<host>:<port>/sld.

  2. Log on as a user with administration rights for both AS Java and SLD.

  3. Choose   Administration   Settings   and choose Perform Role Mapping.

    The system creates or completes the user group list and the mappings described above. If the group creation fails, create the groups manually and remap them to the appropriate roles.

  4. Assign users to the groups as needed.

Creating SLD Security Roles - Manually

  1. In your Web browser, enter the URL of the Identity Management using the following format: http://<host>:<port>/useradmin

  2. Create user groups and UME roles of your choice and assign each UME role to the appropriate user group(s) as well as to the UME action(s). You can use the predefined UME roles as a template to create your own UME roles, as descibed in the table above.

    Caution Caution

    If you want to create a UME role for SLD content synchronization or for SLD administration, you need to assign the Destination_Service_Write_Permission UME action, which belongs to the tc~sec~destinations~service service, to your own UME role.

    End of the caution.

  3. Assign users to the user groups.

More Information

Managing Users, Groups, and Roles.