SUP DCN User and SUP Push User roles are the mechanisms by which illicit
EIS DCN or push notification operations are prevented. Like other built-in platform roles,
SUP DCN User and SUP Push User are logical roles that are available to all new security
configurations.
Before any DCN event is submitted, the person or group mapped to this role must be authorized (after first being authenticated) by a security provider defined as part of a named security configuration. Submitted DCN events that require authorization include:
- Cache updates
- Operation performance
The SUP Push User role is mandatory; without this role the EIS cannot deliver push notifications to SAP Mobile Server for a registered application connection.
Before any push event is submitted by the EIS, the authenticated user performing the push must be authorized by being in the SUP Push User logical role. Push events that require authorization include:
- Triggering a Hybrid App package
You can choose different physical role mapping targets to authorize, or authenticate and authorize, EIS events using the logical roles. Depending on the authorization method used, the implementation varies:
- Certificate authorization: SAP recommends that you use CertificateValidationLoginModule for maximum security. CertificateValidationLoginModule validates the user certificate passed during mutual certificate authentication. Unlike other methods, it confers no physical roles; therefore, the platform administrator must create a logical role mapping. Typically, the user has a certificate whose Subject distinguished name contains a common name (cn=TechnicalUser), so the administrator creates a logical role mapping between the logical role and user:TechnicalUser, the value of the CN. To implement certificate authorization, see Setting Up Authorization with Certificate Validation in Security.
  Note: While explicitly mapping a certificate user name for the SUP Push User role in SAP Control Center, ensure there is a space after every comma. Example: user:CN=PushTest, OU=SSL Server, O=SAP-AG, C=DE. If you are using push notification with strong mutual authentication, you can only use the Admin security configuration. Ensure you add a CertificateValidationLoginModule to the Admin security configuration and use it as the default security configuration in the push-enabled domain. If any other security configuration is used, a "user not in Required role" error is generated in the client log.
- Technical user authorization: If the role cannot be mapped to a real user in the security repository of the configured security provider used by the security configuration, you may need to create a new technical user or use an existing technical user for EIS operation role mappings. In this case, no authentication is required, as the user is not a real user in the traditional sense. To implement technical user authorization, SAP recommends that you create a security configuration that includes an LDAP provider. To implement technical user authentication, see Setting Up Authorization with a Technical User Role Stored in a Repository in Security.
- Real user authorization (applies only to DCN): If the role must be mapped to a real user, you can authenticate and authorize the user mapped to the SUP DCN User role. You can also use PreConfiguredUserLoginModule to perform HTTP Basic authentication, where the module extracts the user information from the request parameter in a URL. To implement real user authentication, see Setting Up Authorization with PreConfiguredUserLogin Values in Security.
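The following is an added illustration, not code from the SAP documentation or from SAP Mobile Platform itself. It models the two logical-role mapping styles described above (a bare CN such as user:TechnicalUser, and a full certificate subject DN as in the SUP Push User note) and shows why the "space after every comma" caveat matters: the mapping target is assumed to be compared as a literal string, so a subject DN presented as "CN=PushTest,OU=SSL Server,..." does not match a mapping written with spaces. The ROLE_MAPPINGS table, the sample DNs, and the exact-match assumption about SAP Control Center are all constructed for the example; only the diagnostic pass normalizes the DNs, to tell an administrator that spacing is the sole difference.

```python
"""Added example: logical-role mapping check for certificate-derived users.

Assumption (not stated on the page): the mapping target after the "user:"
prefix is compared as an exact string against either the full subject DN
or the CN value alone. Everything below is constructed for illustration.
"""

# Constructed sample mappings: logical role -> list of mapping targets.
ROLE_MAPPINGS = {
    "SUP Push User": ["user:CN=PushTest, OU=SSL Server, O=SAP-AG, C=DE"],
    "SUP DCN User": ["user:TechnicalUser"],
}

ERROR_TEXT = "user not in Required role"  # wording taken from the note above


def split_dn(dn):
    """Split an RFC 4514-style DN into (ATTR, value) pairs.

    Handles the comma separator and backslash escapes; multi-valued RDNs
    (joined with '+') are not needed here and are left as plain values.
    """
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    pairs = []
    for part in parts:
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def normalize_dn(dn):
    """Canonical form: upper-case attribute names, one space after each comma."""
    return ", ".join(f"{attr}={value}" for attr, value in split_dn(dn))


def principal_names(subject_dn):
    """Names a certificate user can be matched under: the full subject DN as
    presented, plus the CN value alone (the page's user:TechnicalUser style)."""
    names = [subject_dn]
    names.extend(value for attr, value in split_dn(subject_dn) if attr == "CN")
    return names


def check_role(role, subject_dn, mappings=ROLE_MAPPINGS):
    """Return (authorized, reason) for a certificate user against a logical role.

    Authorization uses exact string comparison (the assumed SCC behaviour).
    When that fails, a second, normalized comparison is run purely to explain
    whether the mismatch is only whitespace or attribute-name case.
    """
    targets = [t[len("user:"):] for t in mappings.get(role, [])
               if t.startswith("user:")]
    names = principal_names(subject_dn)
    if any(name == target for name in names for target in targets):
        return True, "exact match"
    for target in targets:
        # Only full-DN targets (containing '=') can be compared structurally.
        if "=" in target and normalize_dn(target) == normalize_dn(subject_dn):
            return False, (f"{ERROR_TEXT}: '{subject_dn}' differs from mapping "
                           f"'{target}' only in spacing or attribute case")
    return False, f"{ERROR_TEXT}: no mapping for '{subject_dn}' under {role}"


if __name__ == "__main__":
    for role, dn in [
        ("SUP Push User", "CN=PushTest, OU=SSL Server, O=SAP-AG, C=DE"),
        ("SUP Push User", "CN=PushTest,OU=SSL Server,O=SAP-AG,C=DE"),
        ("SUP DCN User", "CN=TechnicalUser, O=SAP-AG"),
    ]:
        print(role, "->", check_role(role, dn))
```

The second sample DN is the one that produces the error described in the note: it names the same certificate subject, but without the spaces the literal comparison fails, and the diagnostic line tells the administrator that only the spacing differs, rather than leaving them with a bare "user not in Required role" entry in the client log.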
Once you have multiple providers configured, especially when implementing authorization with single sign-on, you can stack them so they are processed in the correct order.