SUP Roles to Support EIS Operations: SUP DCN User and SUP Push User

SUP DCN User and SUP Push User roles are the mechanisms by which illicit EIS DCN or push notification operations are prevented. Like other built-in platform roles, SUP DCN User and SUP Push User are logical roles that are available to all new security configurations.

Before any DCN event is submitted, the person or group mapped to the SUP DCN User role must be authenticated and then authorized by a security provider defined as part of a named security configuration. Submitted DCN events that require authorization include:
  • Cache updates
  • Operation performance
The SUP Push User role is mandatory; without this role the EIS cannot deliver push notifications to SAP Mobile Server for a registered application connection. Before any push event is submitted by the EIS, the authenticated user performing the push must be authorized by being in the SUP Push User logical role. Push events that require authorization include:
  • Triggering a Hybrid App package
You can choose different physical role mapping targets to authorize, or authenticate and authorize EIS events using the logical roles. Depending on the authorization method used, the implementation varies:
  • Certificate authorization: SAP recommends that you use CertificateValidationLoginModule for maximum security. CertificateValidationLoginModule validates the user certificate passed during mutual certificate authentication. Unlike other methods, it confers no physical roles; therefore, the platform administrator must create a logical role mapping. Typically, the user has a certificate whose Subject distinguished name contains a common name (cn=TechnicalUser), so the administrator creates a logical role mapping between the logical role and user:TechnicalUser, the value in the CN. To implement certificate authorization, see Setting Up Authorization with Certificate Validation in Security.
    Note: When explicitly mapping a certificate user name for the SUP Push User role in SAP Control Center, ensure there is a space after every comma. Example: “user: CN:PushTest, OU=SSL Server, O=SAP-AG, C=DE”. If you are using push notification with strong mutual authentication, you can only use the Admin security configuration. Ensure you add a CertificateValidationLoginModule to the Admin security configuration and use it as the default security configuration in the push-enabled domain. If any other security configuration is used, a "user not in Required role" error is generated in the client log.
  • Technical user authorization: If the role cannot be mapped to a real user in the security repository of the configured security provider used by the security configuration, you may need to create a new technical user or use an existing technical user for EIS operation role mappings. In this case, no authentication is required as the user is not a real user in the traditional sense. To implement technical user authorization, SAP recommends that you create a security configuration that includes an LDAP provider. To implement technical user authentication, see Setting Up Authorization with a Technical User Role Stored in a Repository in Security.
  • Real user authorization (applies only to DCN): If the role must be mapped to a real user, you can authenticate and authorize the user mapped to the SUP DCN User role. You can also use the PreconfiguredUserLogin module to perform HTTP Basic authentication, where the module extracts the user information from the request parameter in a URL. To implement real user authentication, see Setting Up Authorization with PreConfiguredUserLogin Values in Security.
Once you have multiple providers configured, especially when implementing authorization with single sign-on, you can stack them so they are processed in the correct order.
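
The certificate authorization note above depends on the exact text of the certificate subject used in the role mapping. As an added example (not SAP code; the function names and the sample subject are constructed here), this Python helper extracts the CN for a user:<CN> mapping, re-joins a compact subject so every separating comma is followed by a space, and reports commas in an existing mapping string that lack the space. It assumes a backslash escapes a comma that belongs to a value.

```python
from typing import List, Optional

def split_rdns(dn: str) -> List[str]:
    """Split a subject DN on unescaped commas (a backslash escapes the next char)."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]           # keep the escape pair intact, e.g. "\,"
            i += 2
            continue
        if dn[i] == ",":
            parts.append(cur.lstrip())   # drop padding that followed the previous comma
            cur = ""
        else:
            cur += dn[i]
        i += 1
    parts.append(cur.lstrip())
    return [p for p in parts if p]

def spaced_subject(dn: str) -> str:
    """Re-join the RDNs so every separating comma is followed by one space."""
    return ", ".join(split_rdns(dn))

def common_name(dn: str) -> Optional[str]:
    """Return the CN value; the attribute name is matched case-insensitively."""
    for rdn in split_rdns(dn):
        key, _, value = rdn.partition("=")
        if key.strip().lower() == "cn":
            return value
    return None

def commas_missing_space(mapping: str) -> List[int]:
    """Offsets of unescaped commas that are not followed by a space."""
    bad, i = [], 0
    while i < len(mapping):
        if mapping[i] == "\\":
            i += 2                       # skip the escaped character
            continue
        if mapping[i] == "," and mapping[i + 1:i + 2] != " ":
            bad.append(i)
        i += 1
    return bad

# Constructed sample subject in the compact form (no spaces after commas).
SAMPLE = "cn=TechnicalUser,OU=Example Unit,O=Example\\, Inc,C=DE"

if __name__ == "__main__":
    print("user:" + str(common_name(SAMPLE)))   # CN-only mapping target
    print(spaced_subject(SAMPLE))               # subject with ", " separators
    print(commas_missing_space(SAMPLE))         # offsets to fix in the raw form
```

Running the check against the text actually entered in the role mapping is a quick first step when the client log shows the "user not in Required role" error.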