
Enabling Security in ACC

You use this procedure to set up a secured ACC landscape.

Note

You need to ensure that your landscape is also secured in all other respects, beyond the security provided by ACC.

End of the note.

There are four scenarios in which you can enable or set ACC security:

| Scenario | Action |
|---|---|
| Setting permissions at ACC Application level | Allow users to perform operations across all the pools within the ACC landscape. Authorizations are based on the permissions, actions, and roles defined in the user management engine (UME). For more information, see Permissions, Actions, and UME Roles. |
| Setting permissions at Entity level | Allow users to perform operations on specific pools in the ACC landscape. Authorizations are based on the permissions defined in ACC. |
| Enabling ACC Network security | Support communication needs without allowing unauthorized access to the network. |
| Enabling ACC Database Connection security | Allow only authorized access to the database, using a default data source that is created during the installation of the Java EE Engine. |

Note

You need to specify the credentials only once, when you create the data source; they are then used for initialization and for authenticating all physical connections to the database.

The ACC uses a self-defined data source alias (jdbc/SAP/BC_ITSAM_ACI) on this data source, which is automatically created during the installation of the ACC.

End of the note.

Prerequisites

Note

The following prerequisites are applicable only for setting permissions at the entity level:

End of the note.
  • You have created the groups and assigned appropriate ACC roles and users to the groups.

    More information: Managing Users, Groups, and Roles

  • You have selected the Enable ACC authorization configuration option during the configuration of ACC.

Note

  • The ACC authorizations override the UME authorizations for a given pool and are unaffected by changes in the UME authorization settings.

  • If ACC permissions are configured on a pool, the groups have only the authorizations that were explicitly granted.

  • All the permissions are granted to the SUPER_ADMIN role.

End of the note.

Procedure

Setting Permissions at the ACC Application Level

Verify in the UME that the ACC-specific actions, permissions, roles, and groups listed in the tables below are set according to your requirements.

For more information about creating these roles and groups in the UME, see Managing Users, Groups, and Roles.

| Requirement | Permissions | Action Name |
|---|---|---|
| To view the state, configuration, activity status, and logs of services/resources/virtual resources | Service,Resource,VirtualResource(Observe) | Observation |
| To perform custom operations on services/resources with permissions set as "None" | Service,Resource(SafeCustomOperation) | Operation |
| To perform start/stop operations on services | Service(Start,Stop) | Operation |
| To perform prepare/unprepare/setPreferredResource operations on AC-enabled services | Service(Prepare,UnPrepare,SetPreferredResource) | Operation |
| To perform custom operations on services/resources with permissions set as "Normal" | Service,Resource(NormalCustomOperation) | Operation |
| To perform operations (suspend, resume, retry, cancel, and remove) that control the activity | Activity(Operate) | Operation |
| To execute operations on services and resources using the integrated task planning | Service,Resource(Schedule) | TaskScheduling |
| To perform operations on more than one system at a time | MultipleSystem(Operate) | MultipleSystemOperations |
| To handle erroneous operations (clear alerts, forced start/stop of services) | Service(ForcedPrepare,ForcedUnPrepare,ForcedStart,ForcedStop) | ForcedOperations |
| To perform custom operations on services/resources with permissions set as "Forced" | Service,Resource(ForcedCustomOperation) | ForcedOperations |
| To perform custom operations on services/resources with permissions set as "Critical" | Service,Resource(CriticalCustomOperation) | CriticalOperations |
| To perform operations (activate/deactivate/suspend/migrate) on virtual entities | VirtualResource(Activate,DeactivateSoft,DeactivateHard,Suspend,Migrate) | VirtualResourceOperations |
| To handle erroneous operations (forced activate/deactivate/suspend/migrate) on virtual entities | VirtualResource(ForceActivate,ForceDeactivateSoft,ForceDeactivateHard,ForceSuspend,ForceMigrate) | ForcedVirtualResourceOperations |
| To handle erroneous operations (clear alerts, clear notes, and suppress validation warnings) on services/resources/virtual systems | Service,Resource,VirtualResource(ClearAlerts,ClearNotes,SuppressValidationWarnings) | ExceptionHandling |
| To provide a new application server on a system and provide virtual systems | ApplicationServer,VirtualResource(Provision) | LandscapeProvisioning |
| To add, edit, remove, or import the configuration of services | Service(configure) | LandscapeConfiguration |
| To add, edit, remove, or import the configuration of resources | Resource(configure) | LandscapeConfiguration |
| To add, edit, remove, or import the configuration of pools, networks, characteristics, and virtual resources | VirtualResource,Pool,Network,Characteristic(configure) | LandscapeConfiguration |
| To edit or import ACC configuration settings | ACC(Configure) | ACCConfiguration |
| To configure permissions on the pools managed within ACC. This permission also bypasses all authorization validation. | ACC Authorization (Bypass, configure) | ACCAuthorizationConfiguration |
| To archive log data, retrieve log data from an archive, and delete log data | Log(Archive) | Archiving |

The following table lists the default roles and groups and the associated action names for ACC:

| Group Name | Role Name | Action Name |
|---|---|---|
| ACC_ADMIN | SAP_ACC_ADMIN | Operation, Observing, ForcedOperation, VirtualResourceOperations, ForcedVirtualResourceOperations, MultipleSystemOperations, CriticalOperations, ExceptionHandling, TaskScheduling, Archiving, LandscapeConfiguration, LandscapeProvisioning |
| ACC_READONLY | SAP_ACC_READONLY | Observing |
| ACC_SUPERADMIN | SAP_ACC_SUPERADMIN | Operation, Observing, ForcedOperation, VirtualResourceOperations, ForcedVirtualResourceOperations, MultipleSystemOperations, CriticalOperations, ExceptionHandling, TaskScheduling, Archiving, LandscapeConfiguration, LandscapeProvisioning, ACCConfiguration, ACCAuthorizationConfiguration |
| ACC_OPERATOR | SAP_ACC_OPERATOR | Observing, Operation, ForcedOperation, VirtualResourceOperations, ForcedVirtualResourceOperations, ExceptionHandling, TaskScheduling |
| ACC_CONFIGURATOR | SAP_ACC_CONFIGURATOR | Observation, LandscapeConfiguration |
| NWA_READONLY | | Observing |
| NWA_SUPERADMIN | | Observing, Operation, OperationExceptionHandling, Configuration, Archiving, ServerEnable, ServiceEnable, Schedule, CustomizeLink, VirtOperation, VirtObserving, VirtOperationExceptionHandling, VirtConfiguration |
| ADMINISTRATOR | | Operation, Observing, ForcedOperation, VirtualResourceOperations, ForcedVirtualResourceOperations, MultipleSystemOperations, CriticalOperations, ExceptionHandling, TaskScheduling, Archiving, LandscapeConfiguration, LandscapeProvisioning, ACCConfiguration, ACCAuthorizationConfiguration |

Note

You can create custom roles and groups and assign actions to them.

End of the note.

Setting Permissions at the ACC Entity Level
  1. Log on to the ACC application using the URL http://<host>:<port>/acc.

  2. Choose the Configuration tab page.

  3. Choose Authorizations.

  4. Choose Add.

  5. From the Add ACC Authorization Configuration pop-up, select the required pool that is created in the UME.

  6. Choose Next.

  7. Select one or more UME groups to assign them to the pool.

  8. If you want to create UME groups in the identity management application, choose Create UME groups.

  9. Choose Next.

  10. In the Permissions area, select the permissions to be set for the selected pool-group combinations.

    Note

    Of the UME permissions listed above, only those relevant for performing operations at the pool level are used to set the entity-level authorization.

    To control the behavior of the ACC entity-level authorizations, set the Enable Restrictive behavior of ACC authorization configuration flag accordingly when you configure ACC.

    • If the restrictive behavior flag is selected and no authorizations are configured on the pool, no authorization is granted.

    • If the restrictive behavior flag is deselected and no authorizations are configured on the pool, authorization is granted based on the UME permissions.

    End of the note.

  11. Choose Save.
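The following Python model is an added illustration, not SAP's code or the ACC's implementation. It encodes the two authorization layers this page describes: the UME resolution from groups to roles, actions and permissions (a subset of the tables above), and the entity-level override with the restrictive-behavior flag from the note. The user names, group memberships and pool grants are constructed sample data; the SUPER_ADMIN role and the bypass permission are taken from the page.

```python
from dataclasses import dataclass

# Subset of the page's role -> action table (UME, application level).
ROLE_ACTIONS = {"SAP_ACC_READONLY": {"Observing"},
                "SAP_ACC_OPERATOR": {"Observing", "Operation"}}
# Subset of the page's action -> permission table, one entry per entity/operation.
ACTION_PERMISSIONS = {
    "Observing": {"Service(Observe)", "Resource(Observe)", "VirtualResource(Observe)"},
    "Operation": {"Service(Start)", "Service(Stop)", "Activity(Operate)"},
    "ACCAuthorizationConfiguration": {"ACCAuthorization(Bypass)", "ACCAuthorization(Configure)"},
}

@dataclass
class Landscape:
    restrictive: bool  # "Enable Restrictive behavior of ACC authorization configuration"
    user_groups: dict  # UME: user -> set of groups
    group_roles: dict  # UME: group -> set of roles
    pools: dict        # pool -> {group: set of ACC permissions}; {} = not configured

def ume_permissions(ls: Landscape, user: str) -> set:
    # Application level: user -> groups -> roles -> actions -> permissions.
    perms = set()
    for group in ls.user_groups.get(user, set()):
        for role in ls.group_roles.get(group, set()):
            for action in ROLE_ACTIONS.get(role, set()):
                perms |= ACTION_PERMISSIONS.get(action, set())
    return perms

def is_allowed(ls: Landscape, user: str, pool: str, permission: str) -> bool:
    groups = ls.user_groups.get(user, set())
    roles = {r for g in groups for r in ls.group_roles.get(g, set())}
    if "SUPER_ADMIN" in roles:             # all permissions are granted to SUPER_ADMIN
        return True
    ume = ume_permissions(ls, user)
    if "ACCAuthorization(Bypass)" in ume:  # this permission bypasses all validation
        return True
    grants = ls.pools.get(pool, {})
    if grants:                             # ACC permissions configured on this pool:
        # they override UME; groups have only what was explicitly granted
        return any(permission in grants.get(g, set()) for g in groups)
    if ls.restrictive:                     # nothing configured + restrictive flag: deny
        return False
    return permission in ume               # nothing configured: fall back to UME

def sample_landscape(restrictive: bool) -> Landscape:
    # Constructed sample data: only PROD has entity-level grants, DEV has none.
    return Landscape(restrictive,
                     {"alice": {"ACC_OPERATOR"}, "bob": {"ACC_READONLY"}},
                     {"ACC_OPERATOR": {"SAP_ACC_OPERATOR"}, "ACC_READONLY": {"SAP_ACC_READONLY"}},
                     {"PROD": {"ACC_READONLY": {"Service(Start)"}}, "DEV": {}})
```

Running is_allowed over both sample landscapes shows the practical consequence of the flag: with the restrictive flag deselected, every pool without an ACC configuration silently inherits the broader UME grants, so any pool you forget to configure is only as tight as the UME roles.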

Enabling ACC Network Security

Verify the following to ensure network security for ACC:

  • Availability of a corporate LAN with firewall protection.

  • Use of the following protocols for communication, as required:

    | Requirement | Protocol | Security Mechanism |
    |---|---|---|
    | To provide authentication, integrity, and privacy protection, using the default communication between the ACC and the Agent infrastructure. | HTTP | Without SSL (default) |
    | To provide authentication, integrity, and privacy protection, using the optional communication between the ACC and the Agent infrastructure. | HTTP | SSL (optional). To change the HTTP-based communication, SSL has to be configured in the manager system. |
    | To set a persistency layer for the UME user store. | LDAP | SSL |
    | To set an SAP-proprietary layer with the NI protocol. | RFC | SNC (Secure Network Communications) |
    | To connect to the database. | JDBC | Driver-dependent |