Administrator

Mapping Logical Roles to Physical Roles in XML Files

Administrators can define SAP Mobile Platform logical roles. Users' physical roles are derived from your identity management back-end systems. You can map logical roles to physical roles either using Management Cockpit or by editing an XML file.

Context

This topic describes how to map logical roles to physical roles by editing the appropriate <profile-name>-role-mapping.xml file.

A common implementation uses the Directory Service (LDAP/AD) authentication provider in an SAP Mobile Platform security profile and maps logical roles to the LDAP groups to which a user belongs: each LDAP group the authenticated user is a member of becomes a physical role attributed to that user in SAP Mobile Platform.

To enforce runtime policy, SAP Mobile Platform calls HttpServletRequest.isUserInRole(logicalRole). The CSI evaluates that call against the role-mapping configuration of the security profile: the user is in the logical role if the user holds any of the physical roles mapped to it. Role mapping is particularly important for the Admin security profile, where authorized users must be mapped to the Administrator logical role. In other security profiles, map the Impersonator and Notification User roles as your scenario requires.

Security profiles are persisted in files that are located in the <SMP_HOME>\Server\configuration\com.sap.mobile.platform.server.security\CSI directory. To map a logical role to the appropriate physical role for a security profile, edit the corresponding <profile-name>-role-mapping.xml file.

Upon installation, the default authentication provider grants the Administrator role to the smpAdmin user. To make your system production ready, add an authentication provider to the Admin security profile that authenticates against your identity management system (such as LDAP or Active Directory). To do this, you must:
  • Determine the physical role names returned by your identity management system; for example, the names of the LDAP groups to which the user belongs, and
  • Select the appropriate logical role in SAP Mobile Platform.

To map a logical role to physical roles on your back-end security system, edit the <profile-name>-role-mapping.xml file. The following steps describe how to map the Administrator logical role:

Procedure

  1. Open the admin-role-mapping.xml file, which by default contains:
      <?xml version="1.0" encoding="UTF-8" ?>
      <rm:Mappings xmlns:rm="http://www.sybase.com/csi/3.1/mapping">
        <DefaultMapping>
          <LogicalName>Administrator</LogicalName>
          <MappedName>Administrator</MappedName>
        </DefaultMapping>
        <!-- Avatar Deployer Role Mappings -->
        <DefaultMapping>
          <LogicalName>NodeManager.deploycontent</LogicalName>
          <MappedName>Administrator</MappedName>
        </DefaultMapping>
        <DefaultMapping>
          <LogicalName>GenerationAndBuild.generationandbuildcontent</LogicalName>
          <MappedName>Administrator</MappedName>
        </DefaultMapping>
        <DefaultMapping>
          <LogicalName>IntegrationOperationServer.read</LogicalName>
          <MappedName>Administrator</MappedName>
        </DefaultMapping>
        <DefaultMapping>
          <LogicalName>Developer</LogicalName>
          <MappedName>Developer</MappedName>
        </DefaultMapping>
        <DefaultMapping>
          <LogicalName>Helpdesk</LogicalName>
          <MappedName>Helpdesk</MappedName>
        </DefaultMapping>
        <DefaultMapping>
          <LogicalName>Notification User</LogicalName>
          <MappedName>Notification User</MappedName>
        </DefaultMapping>
        <DefaultMapping>
          <LogicalName>Impersonator</LogicalName>
          <MappedName>Impersonator</MappedName>
        </DefaultMapping>
      </rm:Mappings>
    
  2. Map the required physical roles to the corresponding logical roles by adding a MappedName element for each physical role. For example, if you have a physical role called SysAdmin in your LDAP environment, map SysAdmin to the Administrator logical role:
      <DefaultMapping>
        <LogicalName>Administrator</LogicalName>
        <MappedName>Administrator</MappedName>
        <MappedName>SysAdmin</MappedName>
      </DefaultMapping>
     Map only groups whose membership you control: every member of a group mapped here becomes an SAP Mobile Platform administrator.
    
  3. Save the file changes.
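The following Python script is an added example and is not part of SAP Mobile Platform or of this documentation. It performs steps 1 to 3 above programmatically (adding a physical role such as SysAdmin to a logical role in a <profile-name>-role-mapping.xml file) and then evaluates the isUserInRole check described in the Context section against the resulting mapping. It assumes the file shape shown in step 1 (an rm:Mappings root in the CSI 3.1 namespace containing unqualified DefaultMapping, LogicalName and MappedName elements), and it assumes that CSI compares role names as exact, case-sensitive strings; the SAMPLE_XML content is a constructed, trimmed copy of the default file, and the SysAdmin group name is the one from step 2.

```python
# Added example (not SAP code): edit a <profile-name>-role-mapping.xml file
# and evaluate the isUserInRole decision it drives. Assumes the file shape
# shown in step 1 and exact, case-sensitive role-name comparison (assumption).
# Requires Python 3.8+ (TreeBuilder(insert_comments=True) keeps XML comments).
import sys
import xml.etree.ElementTree as ET

NS = "http://www.sybase.com/csi/3.1/mapping"
ET.register_namespace("rm", NS)

# Constructed sample: a trimmed copy of the default admin-role-mapping.xml.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8" ?>
<rm:Mappings xmlns:rm="http://www.sybase.com/csi/3.1/mapping">
  <DefaultMapping>
    <LogicalName>Administrator</LogicalName>
    <MappedName>Administrator</MappedName>
  </DefaultMapping>
  <!-- Avatar Deployer Role Mappings -->
  <DefaultMapping>
    <LogicalName>NodeManager.deploycontent</LogicalName>
    <MappedName>Administrator</MappedName>
  </DefaultMapping>
  <DefaultMapping>
    <LogicalName>Helpdesk</LogicalName>
    <MappedName>Helpdesk</MappedName>
  </DefaultMapping>
</rm:Mappings>
"""


def _parse(xml_text):
    """Parse the mapping file, keeping comments so a rewrite does not drop them."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    if root.tag != "{%s}Mappings" % NS:
        raise ValueError("not a CSI role-mapping file, root element is %s" % root.tag)
    return root


def _mapped_names(mapping):
    return [e.text.strip() for e in mapping.findall("MappedName") if e.text]


def load_mappings(xml_text):
    """Return {logical_role: [physical_role, ...]} in file order."""
    mappings = {}
    for m in _parse(xml_text).findall("DefaultMapping"):
        logical = (m.findtext("LogicalName") or "").strip()
        if not logical:
            raise ValueError("DefaultMapping without a LogicalName")
        mappings.setdefault(logical, []).extend(_mapped_names(m))
    return mappings


def add_physical_role(xml_text, logical_role, physical_role):
    """Return the file text with physical_role added as a MappedName of logical_role.

    Idempotent (an identical MappedName is not duplicated) and strict: an unknown
    logical role raises instead of silently creating a mapping that grants nothing.
    """
    root = _parse(xml_text)
    for m in root.findall("DefaultMapping"):
        if (m.findtext("LogicalName") or "").strip() != logical_role:
            continue
        if physical_role not in _mapped_names(m):
            prev = m[-1]                       # element that was last so far
            new = ET.SubElement(m, "MappedName")
            new.text = physical_role
            new.tail = prev.tail               # whitespace before </DefaultMapping>
            prev.tail = m.text                 # child indentation after <DefaultMapping>
        return '<?xml version="1.0" encoding="UTF-8" ?>\n' + ET.tostring(root, encoding="unicode") + "\n"
    raise KeyError("logical role %r is not defined in this mapping file" % logical_role)


def is_user_in_role(mappings, logical_role, user_physical_roles):
    """Runtime decision as described above: the user is in the logical role if any
    physical role mapped to it is among the roles the identity back end returned.
    A logical role with no mapping is always denied."""
    return not set(mappings.get(logical_role, [])).isdisjoint(user_physical_roles)


def self_mapped_only(mappings):
    """Logical roles whose only MappedName is their own name, i.e. still on the
    installation default. After switching the profile to LDAP these are granted
    only if the directory returns a group with exactly that name, so review them
    before going live."""
    return sorted(role for role, physical in mappings.items() if physical == [role])


if __name__ == "__main__":
    if len(sys.argv) == 4:                     # usage: script.py <file> <logical> <physical>
        path, logical, physical = sys.argv[1:]
        with open(path, encoding="utf-8") as f:
            text = f.read()
        with open(path, "w", encoding="utf-8") as f:
            f.write(add_physical_role(text, logical, physical))
    else:
        updated = add_physical_role(SAMPLE_XML, "Administrator", "SysAdmin")
        print(updated)
        print("still on default self-mapping:", self_mapped_only(load_mappings(updated)))
```

Run it against the real file in <SMP_HOME>\Server\configuration\com.sap.mobile.platform.server.security\CSI only after taking a backup; the rewrite preserves comments and the file's indentation, but not attribute quoting or the exact spelling of the XML declaration.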