Default Logical Roles in SAP Mobile Platform

SAP Mobile Platform includes default logical roles. These logical roles are manually mapped to physical roles in your identity management system in order to grant role-based access to SAP Mobile Platform.

The available roles and capabilities are:

Administrator Role

Administrators interact with SAP Mobile Platform to perform high-level management. The administrator can perform all administrative operations in the SAP Mobile Platform Management Cockpit. To enable role-based access to the Management Cockpit, map the SAP Mobile Platform Administrator logical role to physical roles that exist in your security repository used for authentication and authorization.

Helpdesk Role

Helpdesk operators interact with SAP Mobile Platform to review system information to determine the root cause of reported problems. Helpdesk operators have read-only access to all administration information in the SAP Mobile Platform administration console. They cannot perform any modification operations on administration console tabs, and cannot save changes made in dialogs or wizards.

Developer Role

Developers interact with SAP Mobile Platform to develop applications. The developer can perform development operations in the SAP Mobile Platform Management Cockpit, including application development.

Notification User Role

The Notification User role is limited in scope. It enables sending push notifications to applications. The Notification User role invokes SAP Mobile Platform capabilities to send out notifications to clients. In SAP Mobile Platform, administrators configure the Notification security profile to determine the authentication credentials required to send push notifications. The administrator can update the Notification security profile to include any combination of authentication providers as needed. Administrators can configure the back end with a user X.509 certificate and connect to SAP Mobile Platform on its HTTPS listener configured to use mutual authentication (port 8082 by default). Once the Notification security profile is configured, you must edit the Notification-role-mapping.xml to map the Notification User logical role to the appropriate physical roles.

Impersonator Role

The Impersonator role has a narrow and specific scope. The Impersonator role establishes the trust relationship between the reverse proxy and SAP Mobile Platform Server, allowing the server to accept and authenticate the user's public certificate presented in the SSL_CLIENT_HEADER over the SSL connection established by the reverse proxy. It also enables SAP Mobile Platform to trust SSL_CLIENT_CERT headers from network edge certificate authentication.

Note: The Impersonator and Notification User roles should be granted to the reverse proxy by mapping the corresponding role to the subjectDN from the certificate used by the reverse proxy to establish a mutual authentication SSL connection to SAP Mobile Platform Server. See Copy SubjectDN for Impersonator and Notification User Roles for information on capturing the SubjectDN in order to manually configure the corresponding role-mapping.xml file.
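
The note above can be checked mechanically. The following is an added example, not SAP code: it flags any Impersonator or Notification User mapping that is not the reverse proxy's certificate subjectDN. The element names (Mapping, LogicalName, MappedName), the "user:" prefix, the role spellings and all sample values are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Element names, role spellings and the "user:" prefix are
# assumptions for illustration; check them against your own role-mapping files.
SAMPLE = """<Mappings><DefaultMapping>
  <Mapping><LogicalName>Administrator</LogicalName>
    <MappedName>smp-admins</MappedName></Mapping>
  <Mapping><LogicalName>Impersonator</LogicalName>
    <MappedName>user:CN=edge-proxy,OU=Infra,O=Example</MappedName>
    <MappedName>everyone</MappedName></Mapping>
  <Mapping><LogicalName>Notification User</LogicalName>
    <MappedName>backend-services</MappedName></Mapping>
</DefaultMapping></Mappings>"""

# Roles the page says should be mapped to the reverse proxy's subjectDN.
DN_PINNED_ROLES = {"Impersonator", "Notification User"}

def local(tag):
    """Drop any XML namespace so the check works with or without one."""
    return tag.rsplit("}", 1)[-1]

def norm_dn(name):
    """Return a normalised subject DN, or None if the name is not DN-shaped."""
    value = name.strip()
    if value.lower().startswith("user:"):
        value = value[5:]
    parts = [p.strip().lower() for p in value.split(",")]
    if all("=" in p for p in parts) and any(p.startswith("cn=") for p in parts):
        return ",".join(parts)
    return None

def audit(xml_text, proxy_dn):
    """List (role, mapped_name, reason) for mappings not pinned to proxy_dn."""
    findings, expected = [], norm_dn(proxy_dn)
    for mapping in ET.fromstring(xml_text).iter():
        if local(mapping.tag) != "Mapping":
            continue
        fields = [(local(c.tag), (c.text or "").strip()) for c in mapping]
        role = next((v for t, v in fields if t == "LogicalName"), "")
        if role not in DN_PINNED_ROLES:
            continue
        for name in (v for t, v in fields if t == "MappedName"):
            dn = norm_dn(name)
            if dn is None:
                findings.append((role, name, "not a certificate subject DN"))
            elif dn != expected:
                findings.append((role, name, "not the reverse proxy's DN"))
    return findings
```

Calling audit(SAMPLE, "CN=edge-proxy, OU=Infra, O=Example") reports the "everyone" and "backend-services" mappings; run the same check over both role-mapping.xml and Notification-role-mapping.xml.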

Integration Gateway Roles

Integration Gateway works with SAP Mobile Platform to manage OData services enabled using API Toolkit for SAP Mobile Platform (an Eclipse plug-in that is part of the Gateway Productivity Accelerator). API Toolkit for SAP Mobile Platform provides an environment to connect to different data sources (both SAP and non-SAP) and to create and deploy artifacts on SAP Mobile Platform Server. In order to generate and deploy content, toolkit users must have the appropriate role on SAP Mobile Platform Server.

Role                                            Required For
GenerationAndBuild.generationandbuildcontent    Generate and build operations.
NodeManager.deploycontent                       Deploy and undeploy content operations.
IntegrationOperationServer.read                 Read-only operations.

By default, these roles are mapped to the Administrator logical role. When performing role mapping, map the Integration Gateway roles (labeled as Avatar roles in the XML file) to the appropriate physical roles required for the Admin security provider.

Note: The Developer role appears in the role-mapping.xml file, but is not implemented in SAP Mobile Platform. A user with a physical role mapped to this logical role is not granted any access to Management Cockpit. The Integration Gateway roles are referred to as Avatar Deployer Role Mappings in the role-mapping.xml file.