Recently I was troubleshooting for a customer who wasn’t able to get documents from SAP Document Center displayed for certain users in SAP Jam Collaboration. So I dug a little bit more into the authorization concepts of SAP Document Center, and with that also into those of HCP, on which SAP Document Center is built.
User roles in SAP Document Center
Now you have to define which of your users should have access to SAP Document Center.
Document Center comes with 4 pre-defined roles:
– administrator
– analyst
– user
– sharing user
To manage those roles go to your HANA Cloud Platform (HCP) cockpit and navigate into the role configuration for your Document Center application.
In your free HCP trial account you will find Document Center in your list of Services and from there click Assign Roles & Set Destinations.
If you have a productive Document Center application you might find it also under Applications > Subscriptions.
Assign users to roles
You can now assign individual users who are known in HCP to each role. You will probably do that for the Administrator role, or maybe for the analyst role.
But the User and the Sharing User roles you usually want to give to all users of Document Center.
Therefore the easiest way is to assign a group to those roles. You can also create a brand-new group right from the assign screen, which is what I did in this case.
Assign people to groups
Now the last step is to assign people to this group.
In our case the customer wanted to allow all of his employees to access Document Center. (Which content they can access in Document Center doesn’t depend on this and can be defined on each document individually.)
To achieve this we can assign a default group to all users who access Document Center through the SAP HANA Cloud Platform Identity Authentication service of HCP.
You can do this in the Trust configuration under the Security settings in HCP.
Here you find our primary identity provider. In your HCP trial this is the SAP ID Service. In your productive setup it’s most likely your HCP Cloud Identity Authentication service with a URL ending in accounts.sap.com.
If you click the link of your primary IdP you can now define a default group on the Groups tab (ignore the details of my screenshot, since I’m using multiple systems; all that matters is the definition of the default group). Select the group that you defined in the earlier step above and which has already been mapped to the correct role.
Now you have configured HCP and Document Center so that every user who signs on to Document Center through your primary IdP (SAP ID Service or SAP HANA Cloud Platform Identity Authentication service) will automatically be authorized to access Document Center itself.
Accessing SAP Document Center documents from within SAP Jam
The challenge arises when a user logs into SAP Jam and wants to see Document Center files embedded right there.
Because the integration between Jam and Document Center is done via SAML assertions, in this case the user no longer logs on to Document Center via Cloud Identity, but uses the SAML assertion issued by Jam to authenticate against Document Center. Document Center will recognize the user, but won’t find any authorization for this user to access the application. Therefore the user won’t see any documents from Document Center within the SAP Jam UI.
To solve this we also need to assign users the required group (and through that the role) when they access Document Center through Jam. Default groups are defined per trusted identity provider, so the default group you set on your primary IdP does not apply to logins that arrive through the Jam IdP.
If you followed Jens Koster’s blog, you should see a second identity provider in your list of Trusted Identity Providers in HCP, and it should be your SAP Jam tenant (see screenshot above).
Just repeat the previous step: click the link of Jam as the IdP and assign the same group as the default group. Et voilà: the group will also be assigned to the user when he accesses Document Center from within Jam, and with that he can see documents from Document Center and all connected cloud and on-premise repositories right within Jam.
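To make the reasoning above concrete, here is a small Python model, added here as an illustration; it is not SAP’s code and does not reproduce HCP’s implementation. It shows how a trusted IdP’s default groups, the group-to-role mapping of the Document Center application and directly assigned user roles combine into a user’s effective roles. The issuer URLs, the group name `DocumentCenterUsers` and the user names are constructed placeholders, the SAML assertions are minimal unsigned stand-ins, and signature and audience validation are assumed to have been done by the platform before this point. The same user is granted the User role when arriving via the primary IdP, gets nothing when arriving via the Jam IdP (the symptom), and is granted the role again once the same default group is set on the Jam IdP (the fix).

```python
# Constructed model of how a trusted IdP's default groups turn a SAML login
# into Document Center roles. Illustrative only; not SAP's own implementation.
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Placeholder issuer URLs for the two trusted IdPs (assumed values).
PRIMARY_IDP = "https://example-tenant.accounts.sap.com"  # Identity Authentication
JAM_IDP = "https://example-tenant.sapjam.com"             # SAP Jam acting as IdP

# Trust configuration: for each trusted IdP, the default groups every user
# authenticated by it receives. The Jam entry has none yet (the symptom).
TRUST_CONFIG = {
    PRIMARY_IDP: ["DocumentCenterUsers"],
    JAM_IDP: [],
}

# Role configuration of the Document Center application:
# group -> roles (set via "Assign Roles") plus directly assigned users.
GROUP_ROLES = {"DocumentCenterUsers": {"User", "Sharing User"}}
USER_ROLES = {"admin@example.com": {"Administrator"}}


def build_assertion(issuer, name_id):
    """Build a minimal (unsigned) SAML 2.0 assertion for the demo."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        "</saml:Assertion>"
    )


def parse_assertion(xml_text):
    """Return (issuer, name_id) from an assertion; raise if either is missing."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not issuer or not name_id:
        raise ValueError("assertion lacks Issuer or NameID")
    return issuer, name_id


def effective_roles(issuer, name_id, trust_config=TRUST_CONFIG):
    """Roles = directly assigned roles + roles of the issuing IdP's default groups.
    Signature and audience validation are assumed to have happened before this
    point; this model only covers the authorization step."""
    if issuer not in trust_config:
        raise PermissionError(f"issuer {issuer!r} is not a trusted IdP")
    roles = set(USER_ROLES.get(name_id, set()))
    for group in trust_config[issuer]:
        roles |= GROUP_ROLES.get(group, set())
    return roles


def can_access_documents(xml_text, trust_config=TRUST_CONFIG):
    """Document Center shows documents only to users holding the User role."""
    issuer, name_id = parse_assertion(xml_text)
    return "User" in effective_roles(issuer, name_id, trust_config)


def with_default_group(trust_config, issuer, group):
    """The fix from the blog: set the same default group on the second IdP.
    Returns a new configuration and leaves the original untouched."""
    fixed = {idp: list(groups) for idp, groups in trust_config.items()}
    fixed.setdefault(issuer, [])
    if group not in fixed[issuer]:
        fixed[issuer].append(group)
    return fixed


if __name__ == "__main__":
    user = "jane.doe@example.com"
    direct = build_assertion(PRIMARY_IDP, user)
    via_jam = build_assertion(JAM_IDP, user)
    print("direct login:", can_access_documents(direct))          # True
    print("via Jam, before fix:", can_access_documents(via_jam))  # False
    fixed = with_default_group(TRUST_CONFIG, JAM_IDP, "DocumentCenterUsers")
    print("via Jam, after fix:", can_access_documents(via_jam, fixed))  # True
```

The point the model makes is that the user identity is the same in both assertions; only the issuer differs, and the default groups are looked up by issuer. An assertion from an issuer that is not in the trust configuration is rejected outright, which is the behaviour you want to preserve when adding the second IdP.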