AppsFreedom – SAP Security Configuration
The AppsFreedom Platform generates full-featured, enterprise-level mobile and web apps, called Freedom Apps, for all major mobile operating systems and form factors. AppsFreedom is a platform that allows for complete app development and management, and it can be used to develop SAP mobile applications. This document explains the configuration of authentication and authorization within the application. To perform their tasks in mobile applications that integrate with SAP, users need to have their back-end security in SAP.
The AppsFreedom app connects to the AppsFreedom Manager suite on the cloud server to retrieve data and finally transmits the data to SAP for further processing. A series of apps are designed on the Freedom Manager suite and are then displayed on the user’s handheld device to perform actions based on the user’s authorizations.
The below picture explains connection between AppsFreedom and SAP.
The user interface for Security administrators will be via a weblink that connects to AppsFreedom Manager suite deployed on AppsFreedom private cloud infrastructure. The following is the webscreen and the WebURL to launch into AppsFreedom.
In the above screen, the following information needs to be entered into the Tenant ID Field: XXXXXX
In the next sections, I explain the mode of authentication used and the respective suite used to grant authorizations to users.
Users sign in to the web link using their LDAP credentials, as AppsFreedom authenticates via LDAP. For LDAP to work, users need to be manually created in the application, because the nightly file feed feature is not available for AppsFreedom. Initial mass user creation is done by AppsFreedom; moving forward, every new individual needs to be manually created in AppsFreedom for LDAP. SSO is also possible with AppsFreedom. This approach shall remain in place until AppsFreedom comes out with a new release that supports a nightly file feed job that updates new users from LDAP to AppsFreedom without any manual intervention.
Users in AppsFreedom are provided access via a Role-Based Access Control approach. Access can be divided into two modules:
- Platform Users
- Apps Users
Platform Users in AppsFreedom are technical users: basis, security and developers. Platform users gain access to develop apps, control and administer Freedom Manager from a deployment standpoint, and administer security controls such as user creation, role management, and the creation of business users and groups for certain apps. The following screens depict the settings that Security administrators are able to maintain.
Once logged into the AppsFreedom, user needs to click on the ‘Platform Configurator’ to launch the module.
On the screen, click on ‘Platform User’ to view the list of Platform Users. Click on ‘Create User’ to input the details for new user on the platform configurator.
Once all the fields are completed, click on ‘Create’ to create a new user in the Platform Configurator. Please remember that only Technical users need to be created in the Platform Configurator and not Business users.
Once the Platform User has been created, select the newly created user. A tab opens at the bottom, highlighted in RED. Select ‘Assigned Roles’ on the tab and click on ‘Add’ to add roles to the selected user.
Select a role from the list and click ‘Save’ to finish the activity of assigning the role to the user.
The Platform Configurator allows users to create custom roles and assign specific authorizations to a role based on the technical requirements. The screens below depict role creation and the assignment of authorizations to the role.
To create a custom role, click on ‘Create Role’. A window pops up asking for a role name and its description. The screenshot below depicts the fields.
Once the information is entered, click on ‘Save’ to complete the role creation.
Select the new role using its radio button. A tab opens at the bottom with the following fields highlighted in RED. Select ‘Assigned Access’ and click on ‘Update’ to open the selection of authorizations that can be assigned to the role.
The screen below opens once the user clicks on ‘Update’.
Authorizations can be selected at header level (e.g., Platform Configurator), and a list of authorizations drops down, allowing the user to select the activities that the custom role needs based on the requirements. Once the selections are complete, the user can click ‘Save’ to complete the assignment of authorizations to the custom role.
The new role will now appear in the list when assigning roles to new or existing users.
Apps Users are Business Users who access the Apps on a handheld device or desktop to run the applications for day-to-day operations. Business Users need to be created solely under App Library and assigned to Business Groups, each of which contains the list of Apps that the Business Group will be using. The section below details the creation of users, the creation of business groups and the assignment of users to business groups.
To create users in the AppsFreedom, please navigate to the App Library and select ‘Business User’ on the top bar to display the business users tab.
Once selected, click on the ‘Create Users’ tab to open a pop-up window to enter the details.
Click on ‘Create User’ for new user creation. A pop-up window opens prompting the user to enter the details of the new user.
Once the details are entered, click on ‘Create’ to finish the activity.
Business Groups consist of an app (or) a combination of apps based on the requirements. Business Groups are named in accordance with the SAP Security roles description to match the user base to the assignment of Apps required for Business use. Users who have access to a specific security role in SAP would get the business group in AppsFreedom (named like SAP Security role) that contains Apps as per business requirement. Apps are designed by development team on Freedom Manager and are then activated for use in assignment to Business Groups / Users. To maintain consistency, all apps are assigned to Business Groups that are in turn assigned to the Business Users. The below screenprints depict the creation of Business Groups and assignment of Apps to the Business Groups.
Select ‘Business Groups’ on the tab and click on ‘Create group’.
A pop-up window opens to enter the details of the Business Group.
Once the information is entered in the given fields, click on ‘Create’ to complete the activity.
Select the newly created Business Group and click on ‘Assigned Roles’, displayed at the bottom of the page and highlighted in RED.
The ‘Mobile Users’ role needs to be assigned to the Business Group in order to make the Apps available for ‘Mobile Use’ only. Only users who have handheld devices can access the apps that are classified as Mobile Users.
On the next tab, ‘Assigned Users’, click on ‘Add’ to assign Business Users to the selected Group.
On the next tab, ‘Available Apps’, assign the apps that the business group needs to have access to, based on the requirements.
Click on ‘Add’ to add the listed Apps to the groups.
Once selected, click on ‘Save’ to complete the activity.
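Because users are created by hand until a nightly LDAP feed exists, and Business Groups are named after SAP security roles, both mappings can drift. The following is an added example, not AppsFreedom code: a periodic access-review check that compares exported lists. The CSV layouts, column names and sample rows are constructed assumptions.

```python
import csv
import io

# Constructed sample exports. The CSV layouts and column names are assumptions
# for this example, not AppsFreedom, LDAP or SAP export formats.
LDAP_ACTIVE = """uid
asmith
bjones
cdoe
"""
SAP_ROLES = """uid,role_description
asmith,Warehouse Clerk
bjones,Warehouse Clerk
bjones,Plant Maintenance Planner
"""
AF_GROUP_MEMBERS = """uid,business_group
asmith,Warehouse Clerk
bjones,Warehouse Clerk
cdoe,Plant Maintenance Planner
dleft,Warehouse Clerk
"""

def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def _pairs(text, name_col):
    # (user id, role or group name); ids are compared case-insensitively
    return {(r["uid"].strip().lower(), r[name_col].strip()) for r in _rows(text)}

def reconcile(ldap_csv, sap_csv, af_csv):
    ldap = {r["uid"].strip().lower() for r in _rows(ldap_csv)}
    sap = _pairs(sap_csv, "role_description")
    af = _pairs(af_csv, "business_group")
    return {
        # AppsFreedom users with no active LDAP identity (manual removal missed)
        "orphaned_users": sorted({u for u, _ in af} - ldap),
        # Business Group held without the same-named SAP role
        "excess_membership": sorted(af - sap),
        # SAP role held but the same-named Business Group not assigned
        "missing_membership": sorted(sap - af),
    }

if __name__ == "__main__":
    for finding, items in reconcile(LDAP_ACTIVE, SAP_ROLES, AF_GROUP_MEMBERS).items():
        print(finding, items)
```

Only users who belong to at least one Business Group appear in this membership export, so a separate user list is needed to catch orphaned accounts that have no group.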