Authorizations
SAP NetWeaver Mobile uses the authorization concept provided by SAP NetWeaver. Therefore, the recommendations and guidelines for authorizations described in the SAP NetWeaver AS Security Guide ABAP and SAP NetWeaver AS Security Guide Java also apply to SAP NetWeaver Mobile.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) when using ABAP technology and the User Management Engine’s user administration console when using Java.
Access to data and applications on the mobile client is controlled by user-specific data filtering based on the SAP authorization concept.
More information:
Changing
Standard Roles
This table shows the standard roles that are used in SAP NetWeaver Mobile.
| Role | Description |
|---|---|
| SAP_DOE_ADMINISTRATOR | Role for administrators of the Data Orchestration Engine (DOE). With this role, administrators can access the SAP NetWeaver Mobile Administrator of the DOE. In addition to this role, you must also have the SAP_BC_BASIS_ADMIN role assigned to the administrator. |
| SAP_DOE_TECH_ADMIN | Role for DOE administrators. With this role, administrators can access the following DOE functions: deleting data stored in the DOE; activating and generating the data objects. In addition to this role, you must also have the SAP_BC_BASIS_ADMIN role assigned to the administrator. |
| SAP_DOE_DEVRE | Role for DOE administrators. With this role, the administrators can perform the functions required for device reassignment. |
| SAP_DOE_DEVELOPER | Role for developers working on the Data Orchestration Workbench and the SAP NetWeaver Developer Studio. With this role, developers can access and create data objects, distribution models, and back-end adapters in the Data Orchestration Workbench. With this role, developers using the SAP NetWeaver Developer Studio can access the data objects in the DOE and import them to the Developer Studio. In addition to this role, you must also have the SAP_BC_DWB_ABAPDEVELOPER role assigned to the developer. |
| SAP_DOE_BASIS_DEVELOPER | Role for developers. With this role, developers can reprocess the queues in the DOE and transport software packages across landscapes. In addition to this role, you must also have the SAP_BC_DWB_ABAPDEVELOPER role assigned to the administrator. |
| SAP_DOE_SYNC_ROLE | Role for users who synchronize their client devices with the DOE. |
A user who has both the SAP_DOE_ADMINISTRATOR and the SAP_BC_BASIS_ADMIN roles can administer all devices in the DOE. To restrict a user to a specific set of devices in the DOE, you must use the MMW_ADM_DS authorization object. This is particularly useful if you want a user to administer only devices that belong to a particular region. For this authorization object, you must specify the device values: Attribute name, Authorization Value, and Custom Group. The user can then administer only devices that match the specified values.
To use the authorization object, follow the steps below:
1. Create a custom role for all administrators that manage a particular set of devices.
2. Copy the SAP_DOE_ADMINISTRATOR role to the custom role.
3. Remove the MMW: Admin Full Authorization field from the custom role.
4. Add the MMW_ADM_DS authorization object to the custom role.
5. Enter the device-specific values for the authorization object.
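The following added example (not SAP code and not part of the original guide) audits the result of steps 3 to 5 against a constructed export of role authorizations. It also flags users who still hold SAP_DOE_ADMINISTRATOR next to the custom role, because authorizations from all assigned roles add up. The role names, user names, field names, and the full-authorization object's technical name are assumptions or placeholders; only MMW_ADM_DS and the standard role names come from this page.

```python
from collections import defaultdict

SCOPED_OBJECT = "MMW_ADM_DS"
FULL_AUTH_OBJECT = "<MMW_FULL_AUTH>"  # placeholder: technical name is not given on the page
REQUIRED_FIELDS = ("ATTR_NAME", "AUTH_VALUE", "CUSTOM_GROUP")  # hypothetical field names
UNSCOPED_ROLE = "SAP_DOE_ADMINISTRATOR"

# Constructed sample export: (role, authorization object, field, value)
ROLE_AUTHS = [
    ("Z_DOE_ADMIN_EMEA", SCOPED_OBJECT, "ATTR_NAME", "REGION"),
    ("Z_DOE_ADMIN_EMEA", SCOPED_OBJECT, "AUTH_VALUE", "EMEA"),
    ("Z_DOE_ADMIN_EMEA", SCOPED_OBJECT, "CUSTOM_GROUP", "FIELD_SERVICE"),
    ("Z_DOE_ADMIN_APAC", FULL_AUTH_OBJECT, "<FIELD>", "*"),   # step 3 skipped
    ("Z_DOE_ADMIN_APAC", SCOPED_OBJECT, "ATTR_NAME", "REGION"),
    ("Z_DOE_ADMIN_APAC", SCOPED_OBJECT, "AUTH_VALUE", "*"),   # step 5 left open
]
# Constructed sample: user -> assigned roles
USER_ROLES = {
    "ADMIN_EMEA": {"Z_DOE_ADMIN_EMEA", "SAP_BC_BASIS_ADMIN"},
    "ADMIN_OLD": {"Z_DOE_ADMIN_EMEA", "SAP_DOE_ADMINISTRATOR"},
}

def audit_role(role, role_auths=ROLE_AUTHS):
    """Return sorted findings for one custom role, covering steps 3 to 5."""
    values = defaultdict(set)
    findings = set()
    for r, obj, field, value in role_auths:
        if r != role:
            continue
        if obj == FULL_AUTH_OBJECT:
            findings.add("full authorization still present")
        elif obj == SCOPED_OBJECT:
            values[field].add(value.strip())
    if not values:
        findings.add("MMW_ADM_DS missing")
        return sorted(findings)
    for field in REQUIRED_FIELDS:
        if not values[field]:
            findings.add(f"{field} not maintained")
        elif values[field] & {"", "*"}:  # "*" grants every value
            findings.add(f"{field} is unrestricted")
    return sorted(findings)

def users_bypassing_scope(scoped_roles, user_roles=USER_ROLES):
    """Users who hold a scoped role together with the unscoped standard role."""
    return sorted(u for u, roles in user_roles.items()
                  if roles & set(scoped_roles) and UNSCOPED_ROLE in roles)
```
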
Assigning Application-Related Authorization to Client Users