Gathering Provider Group Information

Production environments rely on a production-grade security provider (commonly an LDAP directory) to authenticate administrators. To map the SAP Mobile Platform default logical roles to the corresponding physical roles in the security provider, you must understand how the provider organizes users.


SAP Mobile Platform cannot query all supported enterprise security servers directly; for successful authentication, you must know the physical roles that your back-end systems require.


You can map a logical role to one or more physical roles. You can also map multiple logical roles to the same physical role. If a role does not exist, you can also add or delete names as needed.

Consider which users need to be in the Administrator, Developer, Helpdesk, Impersonator, and Notification User roles, then identify or create groups in your provider that correspond to these roles.


  1. Evaluate existing groups.
    If there are existing groups that seem to already contain the right subjects that correspond to Administrator, Developer, Helpdesk, Impersonator, and Notification User, you can use those groups. The names need not be exact, as you can map them manually to address any differences.
  2. If required, have your LDAP administrator:
    • Create new LDAP groups that will correspond to and be mapped to SAP Mobile Platform logical roles.
    • Use LDAP tools to add users to those LDAP groups so that when the LDAP users authenticate to SAP Mobile Platform (with theDirectory Service (LDAP/AD) provider configured) the corresponding physical roles are attributed to them and the logical role mapping can grant appropriate access.
  3. Add subjects to these groups to assign SAP Mobile Platform corresponding permissions.
  4. Determine what values are needed for the authentication provider properties in SAP Mobile Platform.
    For example, for an LDAP authentication provider you need values for the providerURL, serverType, bind user, bind password, search base and so on.