SAP Mobile Platform Logical Roles

SAP Mobile Platform defines a set of logical roles. To grant role-based access to SAP Mobile Platform, use Management Cockpit to map these logical roles to the physical roles that are defined in your identity management system.

Administrator Role

Administrators interact with SAP Mobile Platform to perform high-level management. The administrator can perform all administrative operations in Management Cockpit. To enable role-based access to Management Cockpit, map the SAP Mobile Platform Administrator logical role to physical roles that exist in the security repository you use for authentication and authorization.

Helpdesk Role

Helpdesk operators interact with SAP Mobile Platform to review system information and determine the root cause of reported problems. Helpdesk operators have read-only access to all administration information in Management Cockpit. They cannot modify anything in Management Cockpit, and cannot save changes made in dialogs or wizards.

Impersonator Role

The Impersonator role has a narrow and specific scope. The Impersonator role establishes the trust relationship between the reverse proxy and SAP Mobile Platform Server, allowing the server to accept and authenticate a user's public certificate presented in the SSL_CLIENT_HEADER over an SSL connection established by the reverse proxy. It also enables SAP Mobile Platform to trust SSL_CLIENT_CERT headers from network edge certificate authentication.

Notification User Role

The Notification User role also has a specific scope. It enables sending push notifications to applications. The Notification User role invokes SAP Mobile Platform capabilities to send notifications to clients. Administrators configure the Notification security profile to specify the authentication credentials required to send push notifications, and include any combination of authentication providers as needed. Administrators can configure the back end with a user X.509 certificate and connect to SAP Mobile Platform on its HTTPS listener configured to use mutual authentication (port 8082 by default). Once the Notification security profile is configured, you can map the Notification User logical role to the appropriate physical roles using Management Cockpit.

Integration Gateway Roles

Integration Gateway works with SAP Mobile Platform to manage OData services enabled using API Toolkit for SAP Mobile Platform (an Eclipse plug-in that is part of the Gateway Productivity Accelerator). API Toolkit for SAP Mobile Platform provides an environment to connect to different data sources (both SAP and non-SAP), and to create and deploy artifacts on SAP Mobile Platform Server. To generate and deploy content, toolkit users must have the appropriate SAP Mobile Platform Server role.

Role                                            Required For
GenerationAndBuild.generationandbuildcontent    Generate and build operations
NodeManager.deploycontent                       Deploy and undeploy content operations Read-only operations

By default, these roles are mapped to the Administrator logical role. The Integration Gateway roles are referred to as Avatar Deployer Role Mappings in the role-mapping.xml file. When performing role mapping, map the Integration Gateway roles (Avatar roles) to the appropriate physical roles required for the Admin security provider.
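
The following is an added example, not SAP code and not part of the original documentation: a small audit that checks a logical-to-physical role mapping for overlaps that would undo the separation between the roles described on this page. The dictionary layout, the physical role names, the severity labels, and the rule that an unmapped Integration Gateway role is still on its default Administrator mapping are assumptions made for illustration; the example does not read or reproduce the role-mapping.xml format.

```python
# Added example: audit a logical-to-physical role mapping for risky overlaps.
# Dict layout and physical role names are constructed; this is not role-mapping.xml.
ADMIN, HELPDESK = "Administrator", "Helpdesk"
NARROW = ("Impersonator", "Notification User")
GATEWAY = ("GenerationAndBuild.generationandbuildcontent", "NodeManager.deploycontent")

def audit(mapping):
    """Return a list of (severity, logical_role, detail) findings."""
    # Assumption: physical role names compare case-insensitively.
    phys = {role: {p.strip().casefold() for p in roles}
            for role, roles in mapping.items()}
    findings = []

    def overlap(role, other, severity, why):
        shared = phys.get(role, set()) & phys.get(other, set())
        if shared:
            findings.append((severity, role,
                             f"shares {sorted(shared)} with {other}: {why}"))

    for role in (ADMIN, HELPDESK) + NARROW:
        if not phys.get(role):
            findings.append(("info", role, "no physical role mapped"))
    # Helpdesk is read-only; a shared physical role gives its members write access.
    overlap(HELPDESK, ADMIN, "high", "read-only operators gain full administration")
    for role in NARROW:
        # Narrow-scope roles are expected to sit on dedicated identities (assumption).
        overlap(role, ADMIN, "high", "administrators also hold a narrow-scope role")
        overlap(role, HELPDESK, "high", "helpdesk operators also hold a narrow-scope role")
    overlap("Impersonator", "Notification User", "medium",
            "one identity can both relay client certificates and send push")
    for role in GATEWAY:
        # Assumption: an absent entry means the default Administrator mapping applies.
        if not phys.get(role):
            findings.append(("info", role, "default: mapped to Administrator"))
    return findings

# Constructed sample mapping.
SAMPLE = {
    "Administrator": ["smp-admins"],
    "Helpdesk": ["smp-helpdesk", "SMP-Admins"],
    "Impersonator": ["reverse-proxy-svc"],
    "Notification User": ["push-backend-svc", "reverse-proxy-svc"],
    "NodeManager.deploycontent": ["gateway-deployers"],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

On the sample mapping the audit reports the Helpdesk and Administrator overlap, the physical role shared by Impersonator and Notification User, and the Integration Gateway role that is still on its default mapping.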