
Configuring SLD User Authorizations

 

Functions in the SLD are protected from unauthorized access. For this purpose, several AS Java security roles and User Management Engine (UME) actions are assigned to the different SLD functions. Before you can use SLD, you have to map these roles and actions to individual users or user groups.

We recommend that you use user groups and map the groups to the appropriate UME roles instead of assigning the roles to individual users. Users that belong to a particular group receive all permissions that are granted to the group.

We recommend that you use the following user groups that correspond to the identically named UME roles:

| UME Role/User Group | Permissions |
|---|---|
| SAP_SLD_GUEST | Read access to SLD data |
| SAP_SLD_SUPPORT | Read-only access to all SLD data and UIs, including the Administration area (used for SAP support) |
| SAP_SLD_CONFIGURATOR | Create, modify, and delete CIM instances of the Landscape Description and Name Reservation subsets (includes all read permissions). |
| SAP_SLD_DATA_SUPPLIER | Create, modify, and delete CIM instances of the Landscape Description subset as a data supplier without access to the SLD UI. |
| SAP_SLD_DEVELOPER | Create, modify, and delete CIM instances of the Name Reservation subset (includes all read permissions). |
| SAP_SLD_ORGANIZER | Create, modify, and delete all types of CIM instances (includes all read permissions). |
| SAP_SLD_ADMINISTRATOR | Administrative tasks (includes all other roles) |

The following table lists the SLD user authorizations along with their recommended SLD user group and UME role:

| UME Role/User Group | J2EE Security Role/UME action |
|---|---|
| SAP_SLD_GUEST | LcrUser |
| SAP_SLD_SUPPORT | LcrUser, LcrSupport |
| SAP_SLD_CONFIGURATOR | LcrUser, LcrInstanceWriterLD, LcrInstanceWriterNR |
| SAP_SLD_DATA_SUPPLIER | DataSupplierLD (this is not a UME action) |
| SAP_SLD_DEVELOPER | LcrUser, LcrInstanceWriterNR |
| SAP_SLD_ORGANIZER | LcrUser, LcrInstanceWriterCR, LcrInstanceWriterLD, LcrInstanceWriterNR, LcrInstanceWriterAll |
| SAP_SLD_ADMINISTRATOR | LcrUser, LcrInstanceWriterCR, LcrInstanceWriterLD, LcrInstanceWriterNR, LcrInstanceWriterAll, LcrClassWriter, LcrSupport, LcrAdministrator, DataSupplierLD |

Note

You have to create these user groups with the appropriate tool for your user store (J2EE, ABAP or LDAP). If the UME is used with an ABAP-based system as the back-end data source, all these groups except for SAP_SLD_DATA_SUPPLIER and SAP_SLD_SUPPORT already exist. SAP NetWeaver Application Server ABAP (AS ABAP) contains these default user roles.

If the UME is used with an ABAP-based system as the back-end user storage, then these groups already exist. ABAP user roles appear as user groups on the AS Java side. SAP NetWeaver Application Server ABAP (AS ABAP) contains these default user roles.

If you have the authorization to create user groups as a local AS Java administrator, the SLD user groups are created by the standard SLD configuration described below.

If your LDAP user store is configured in a way that no user groups can be created by the local UME, you must first create the user groups listed above.

Note

If you want to set up SLD security for test purposes, you can simply use an AS Java administrative user, which also has administrative permissions for SLD by default.

Procedure

  1. Log on to the J2EE Engine Visual Administrator as a user with administration rights.

  2. Choose Services > Data Supplier.

  3. Choose Assign User Groups to Roles.

    The SLD configuration service performs the default mappings of user groups to J2EE security roles.
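Once the default mappings exist, they can be checked for privilege creep. The following is an added example, not SAP code: it compares a group-to-action mapping, group memberships and direct user grants against the table above. The input dictionaries, account names and the `audit` function are hypothetical, and exporting this data from your UME is not shown.

```python
# Baseline copied from the table on this page: group -> security roles / UME actions.
WRITERS = {"LcrInstanceWriterCR", "LcrInstanceWriterLD",
           "LcrInstanceWriterNR", "LcrInstanceWriterAll"}
BASELINE = {
    "SAP_SLD_GUEST": {"LcrUser"},
    "SAP_SLD_SUPPORT": {"LcrUser", "LcrSupport"},
    "SAP_SLD_CONFIGURATOR": {"LcrUser", "LcrInstanceWriterLD", "LcrInstanceWriterNR"},
    "SAP_SLD_DATA_SUPPLIER": {"DataSupplierLD"},
    "SAP_SLD_DEVELOPER": {"LcrUser", "LcrInstanceWriterNR"},
    "SAP_SLD_ORGANIZER": {"LcrUser"} | WRITERS,
    "SAP_SLD_ADMINISTRATOR": {"LcrUser", "LcrClassWriter", "LcrSupport",
                              "LcrAdministrator", "DataSupplierLD"} | WRITERS,
}

def audit(group_actions, user_groups, direct_grants):
    """Return sorted (kind, subject, detail) findings measured against BASELINE."""
    findings = []
    # 1. Groups granted more than the documented default. A group that is not
    #    in BASELINE has an empty baseline, so all of its actions are reported.
    for group, actions in group_actions.items():
        extra = set(actions) - BASELINE.get(group, set())
        if extra:
            findings.append(("group-drift", group, ",".join(sorted(extra))))
    # 2. Actions assigned to individual users rather than through a group.
    for user, actions in direct_grants.items():
        if actions:
            findings.append(("direct-grant", user, ",".join(sorted(actions))))
    # 3. Data supplier accounts whose effective actions exceed DataSupplierLD.
    for user, groups in user_groups.items():
        if "SAP_SLD_DATA_SUPPLIER" not in groups:
            continue
        effective = set(direct_grants.get(user, ()))
        for group in groups:
            effective |= set(group_actions.get(group, ()))
        extra = effective - BASELINE["SAP_SLD_DATA_SUPPLIER"]
        if extra:
            findings.append(("supplier-overreach", user, ",".join(sorted(extra))))
    return sorted(findings)

# Constructed sample state, not exported from a real system.
SAMPLE_GROUP_ACTIONS = {**BASELINE, "SAP_SLD_DEVELOPER":
                        {"LcrUser", "LcrInstanceWriterNR", "LcrClassWriter"}}
SAMPLE_USER_GROUPS = {"sld_ds_svc": {"SAP_SLD_DATA_SUPPLIER", "SAP_SLD_GUEST"},
                      "alice": {"SAP_SLD_DEVELOPER"}}
SAMPLE_DIRECT_GRANTS = {"bob": {"LcrAdministrator"}}

if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUP_ACTIONS, SAMPLE_USER_GROUPS, SAMPLE_DIRECT_GRANTS):
        print(*finding, sep="\t")
```

An empty result means the supplied state grants nothing beyond the documented defaults and keeps data supplier accounts limited to DataSupplierLD.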