Managing user roles when integrating SAP Document Center into SAP Jam Collaboration
Recently I was troubleshooting for a customer who wasn't able to get documents from SAP Document Center displayed for certain users in SAP Jam Collaboration. So I dug a little deeper into the authorization concepts of SAP Document Center, and with that also into those of HCP, on which SAP Document Center is built.
User roles in SAP Document Center
First, you might want to check out this blog from my colleague Jens Koster, because it describes in detail how to integrate SAP Jam and Document Center in general.
Now you have to define who of your users should have access to SAP Document Center.
Document Center comes with 4 pre-defined roles:
– user
– administrator
– analyst
– sharing user
To manage those roles go to your HANA Cloud Platform (HCP) cockpit and navigate into the role configuration for your Document Center application.
In your free HCP trial account you will find Document Center in your list of Services and from there click Assign Roles & Set Destinations.
If you have a productive Document Center application you might find it also under Applications > Subscriptions.
Assign users to roles
For each role you can either assign individual users who are known in HCP. You will probably do that for the administrator role, and maybe for the analyst role.
The user and sharing user roles, however, you usually want to give to all users of Document Center.
Therefore the easiest way is to assign a group to each of those roles. You can also create a brand new group right from the assign screen, which is what I did in this case.
Assign people to groups
Now the last step is to assign people to this group.
In our case the customer wanted to allow all of his employees to access Document Center. (Which content they can access in Document Center doesn't depend on this role; permissions can be defined on each document individually.)
To achieve this we can assign a default group to all users who sign on to Document Center through the primary identity provider trusted by HCP, which in a productive setup is typically the SAP HANA Cloud Platform Identity Authentication service.
You can do this in the Trust configuration under the Security settings in HCP.
Here you find your primary identity provider. In your HCP trial this is the SAP ID Service. In your productive setup it is most likely your HCP Identity Authentication service, with a URL ending in accounts.sap.com.
If you click the link of your primary IdP you can define a default group on the Groups tab (don't pay attention to the details of my screenshot, I'm using multiple systems; only the definition of the default group matters). Select the group that you defined in the earlier step above and which has already been mapped to the correct role.
Now you have configured HCP and Document Center so that every user who signs on to Document Center through your primary IdP (the SAP ID Service or the SAP HANA Cloud Platform Identity Authentication service) will automatically have the authorization to access Document Center itself. Note that a default group is configured per trusted identity provider, not globally for the account; that detail is what causes the problem described next.
Accessing SAP Document Center documents from within SAP Jam
The challenge arises when a user logs in to SAP Jam and wants to see Document Center files embedded right there.
Because the integration between Jam and Document Center is done via SAML assertions, in this case the user no longer logs on to Document Center via your primary IdP, but authenticates against Document Center with a SAML assertion issued by the SAP Jam tenant, which HCP treats as a separate trusted identity provider. Document Center will recognize the user, but the default group you configured on the primary IdP is not applied to logons through the Jam IdP, so the user has no role for the application. Therefore the user won't see any documents from Document Center within the SAP Jam UI.
To solve this we also need to assign users the required group (and through that the role) when they access Document Center through Jam.
If you followed Jens Koster's blog you should see a second identity provider in your list of Trusted Identity Providers in HCP, and it should be your SAP Jam tenant (see screenshot above).
Just repeat the previous step: click on the link of Jam as the IdP and assign the same group as the default group, and voilà: the group will also be assigned to the user when he accesses Document Center from within Jam, and with that he can see documents from Document Center and all connected cloud and on-premise repositories right within Jam.
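To make the chain of trust settings described above concrete, here is an added example that is not code from this blog or from SAP: a small Python model of how HCP's "trusted IdP -> default group -> application role" resolution decides whether a logon may use Document Center. The IdP entity IDs, the group name "DocCenterUsers" and the user IDs are assumed placeholders, the assertion is a constructed minimal SAML document, and the model deliberately skips signature validation, which any real SAML consumer must perform against the IdP's certificate before trusting the Issuer element.

```python
"""Model of the HCP role resolution described in the blog (added example, not SAP code):
a SAML assertion names an Issuer; the matching trusted IdP contributes its default group(s);
groups and directly assigned users map to the Document Center roles.
"""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Assumed entity IDs of the two trusted identity providers (placeholders).
PRIMARY_IDP = "urn:example:primary-idp"   # SAP ID Service / Identity Authentication
JAM_IDP = "urn:example:sap-jam-tenant"    # the SAP Jam tenant, trusted via Jens Koster's setup

# Role assignments as made on the "Assign Roles" screen (assumed group/user names).
ROLE_ASSIGNMENTS = {
    "user":          {"groups": {"DocCenterUsers"}, "users": set()},
    "sharing user":  {"groups": {"DocCenterUsers"}, "users": set()},
    "administrator": {"groups": set(),              "users": {"P000001"}},
    "analyst":       {"groups": set(),              "users": set()},
}

# Trust configuration BEFORE the fix: only the primary IdP carries the default group.
TRUST_BEFORE = {
    PRIMARY_IDP: {"default_groups": ["DocCenterUsers"]},
    JAM_IDP:     {"default_groups": []},
}
# Trust configuration AFTER the fix: the same default group on the Jam IdP entry.
TRUST_AFTER = {
    PRIMARY_IDP: {"default_groups": ["DocCenterUsers"]},
    JAM_IDP:     {"default_groups": ["DocCenterUsers"]},
}


def make_assertion(issuer, name_id):
    """Build a constructed, unsigned, minimal SAML 2.0 assertion for the example."""
    ET.register_namespace("saml", SAML)
    root = ET.Element(f"{{{SAML}}}Assertion", ID="_example", Version="2.0")
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    subject = ET.SubElement(root, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = name_id
    return ET.tostring(root, encoding="unicode")


def extract_subject(assertion_xml, trust_config):
    """Return (issuer, name_id); reject assertions from an IdP that is not trusted.
    A real consumer verifies the XML signature before reading Issuer; omitted here."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if issuer not in trust_config:
        raise PermissionError(f"assertion from untrusted issuer {issuer!r}")
    return issuer, name_id


def effective_roles(assertion_xml, trust_config, role_assignments=ROLE_ASSIGNMENTS):
    """Roles the subject holds for this logon: via the issuing IdP's default groups
    or via a direct user assignment. Groups come only from the IdP that issued
    the assertion, which is why a default group on the primary IdP does not help
    a user who arrives through Jam."""
    issuer, name_id = extract_subject(assertion_xml, trust_config)
    groups = set(trust_config[issuer]["default_groups"])
    roles = set()
    for role, assignment in role_assignments.items():
        if name_id in assignment["users"] or groups & assignment["groups"]:
            roles.add(role)
    return roles


def can_access_document_center(assertion_xml, trust_config):
    """The blog's rule: at least the Document Center 'user' role is required."""
    return "user" in effective_roles(assertion_xml, trust_config)


if __name__ == "__main__":
    direct = make_assertion(PRIMARY_IDP, "P000042")
    via_jam = make_assertion(JAM_IDP, "P000042")
    print("direct logon, before fix :", can_access_document_center(direct, TRUST_BEFORE))
    print("via Jam, before fix      :", can_access_document_center(via_jam, TRUST_BEFORE))
    print("via Jam, after fix       :", can_access_document_center(via_jam, TRUST_AFTER))
```

The three calls at the bottom reproduce the symptom and the fix: the same user is authorized when arriving through the primary IdP, unauthorized when the assertion comes from the Jam tenant with no default group on that trust entry, and authorized again once the Jam entry carries the group. Directly assigned users (the administrator in this model) keep their role regardless of the issuing IdP, but without the user role they still fail the access check, matching the statement in the comments that the user role is the minimum.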
Very helpful - thanks! In Jens' blog you can't test the connection successfully until you assign the group to the Jam entry in the HCP trust settings - so gotta have this blog - thanks, Christian!
Thanks for your post!
I am struggling with understanding the managing members part of Doc Center. Am I understanding your blog post correctly: users and sharing users do not have to exist in HCP and do not need an s-user? I am setting up Jam (through SuccessFactors Foundation) and Doc Center, and integration between these two. But when the integration between the two has been set up, will users be able to access Doc Center separately as well? Is the user management set up for Jam (in SF) also transferred to Doc Center? Or will they have to be set up in Hana Cloud Platform with their s-user also, in order to access Doc Center separately (and not through Jam)?
The integration is based on principal propagation, authentication is done once but authorization is done both in JAM and Document Center. In order to access content from or through Document Center the user must have at least the Document Center User Role and at least a read permission for the content he visualizes. These premises allow users to access content through standard Document Center clients or JAM.
Both JAM and Document Center require an Identity Management. This can be a common one or, if different, a trust needs to be configured, like in the example.
If you use different ones the users must be maintained in both; if it is the same, only the correct role assignment needs to be maintained.
As a vision, the desire will be that in certain scenarios the role assignment can be done automatically through JAM.
Hello Corneliu and thanks for your quick reply.
I have created a default user role (and group) for Document Center accessing and reading, but I have a hard time seeing how I will give people this role in the HCP if they do not have an s-user.
In this case SuccessFactors is working as the identity manager for Jam and I am guessing HCP for Document Center, as this is the only place where you can set it up. I am guessing this means that the users need to be in both HCP and SuccessFactors, if I am reading your comment correctly?
But as of now I have tried to set up the trust and authentication in both to have them integrated, but it is just not working. It keeps saying: "Check Connection. You cannot currently access "SAP Document Center". Please contact your system administrator about you permission"..
Have you come across this issue previously?
Hi Olivia,
in a productive customer environment this is how it works:
Option 1: You can manually assign each user to the respective user role in the "Assign Roles" screen of Document Center (see my first screenshot in this blog).
When you want to do this in your HCP trial then of course you need to use s-users. In a productive environment, if you are using the HCP Identity Authentication service for user authentication, then your users will start with a P, e.g. P000001.
Option 2: You assign a role to a user group in that same screen (see second screenshot in this blog). In this case you still need to assign that group to the users. The easiest way to do that is to follow my section "Assign People to Roles" in this blog.
Now, whenever a user logs on to Document Center, the system checks if he has the authorization (based on his assigned roles) to access the system. When he logs on for the very first time, his user is automatically created in Document Center and from then on can be seen in the admin panel of Document Center.
Hope that answers your question.