Functions in the SLD are protected from unauthorized access. For this purpose, you can find several User Management Engine (UME) roles that are assigned to different SLD functions. Before you can use SLD, you have to map these roles and actions to individual users or user groups.
We recommend that you use user groups and map them to the appropriate UME roles instead of assigning them to individual users. Users that belong to a particular group receive all permissions that are granted to the group.
We recommend that you use the following user groups that correspond to the identically- named UME roles:
UME Role/User Group |
Permissions |
---|---|
SAP_SLD_GUEST |
Read access to SLD data |
SAP_SLD_SUPPORT |
Read-only access to all SLD data and UIs, including the administration area (used for SAP support) |
SAP_SLD_CONFIGURATOR |
Create, modify, and delete CIM instances of the Landscape Description and Name Reservation subsets (includes all read permissions). |
SAP_SLD_CONTENT_SYNC |
Synchronize SLD content changes with other SLD CIM namespaces. Includes complete read access to the SLD UI. |
SAP_SLD_DATA_SUPPLIER |
Create, modify, and delete CIM instances of the Landscape Description subset as a data supplier without access to the SLD UI. |
SAP_SLD_DEVELOPER |
Create, modify, and delete CIM instances of the Name Reservation subset (includes all read permissions). |
SAP_SLD_ORGANIZER |
Create, modify, and delete all types of CIM instances (includes all read permissions). |
SAP_SLD_ADMINISTRATOR |
Administrative tasks (includes all other roles) |
If the UME is used with an ABAP-based system as the back-end user storage, then these groups already exist. ABAP user roles appear as user groups on the AS Java side. SAP NetWeaver Application Server for ABAP (AS ABAP) contains these default user roles.
If you have the authorization to create user groups as a local AS Java administrator, the SLD user groups are created by the standard SLD configuration described below.
If your LDAP user store is configured in such a way that no user groups can be created by the local UME, you must first create the user groups listed above.
If you want to set up SLD security for test purposes, you can simply use an AS Java administrative user which also has administrative permissions for SLD by default.
Creating Standard SLD User Authorizations - Automatically
In your Web browser, enter the URL of the application using the following format: http://<host>:<port>/sld .
Log on as a user with administration rights for both AS Java and SLD.
Choose Perform Role Mapping on tab page Server Configuration .
and chooseThe system creates or completes the user group list and the mappings described above. If the group creation fails, create the groups manually and remap them to the appropriate roles.
Assign users to the groups as needed.
Creating SLD User Authorizations - Manually
In your Web browser, enter the URL of the Identity Management using the following format: http://<host>:<port>/useradmin .
Create user groups and UME roles of your choice and assign each UME role to the appropriate user group(s) as well as to the UME action(s). You can use the predefined UME roles as a template zo create your own UME roles (as descibed in the table above).
If you want to create a UME role for SLD content synchronization or for SLD administration, you need to assign the Destination_Service_Write_Permission UME action, which belongs to the tc~sec~destinations~service service, to your own UME role.
Assign users to the user groups.