Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Showing results for 
Search instead for 
Did you mean: 
Jitendra_Kansal
Product and Topic Expert
Product and Topic Expert


Hello SMP Administrators,

Let me start with an example. There are 3 users: A, B &C . SAP Mobile Platform administrator wants to grant admin role to user A, read-only access role (ie.Helpdesk) to user B and notification role to user C. He find this task very easy & simple. He logins to admin cockpit, adds two authentication providers System Login (Admin only) in admin security profile, provides Administrator and Helpdesk roles for A & B respectively. For User C, he adds a new System Login authentication provider but in Notification security profile. His job is done. User A got admin access to Admin cockpit, User B read access and User C can get notification via SMP.



Now, SMP Administrator has asked to grant admin roles to 3 more users, read-only access role to 10 more users and notification role to 20 more users.

But this time SMP administrator doesn't want to repeat what he has done before. He doesn't want to do it manually and wants to do it in a general way so that if in future, he gets any more requests for granting roles, he doesn't have to do much on SMP. He came to know that there is LDAP setup installed at organization. Could be like below:



He thought of implementing LDAP/AD authentication provider in SMP security profile and mapping to the LDAP groups to which a user belongs.

 

Implementing LDAP/AD authentication provider in SMP Admin security profile:



  1. Login to Admin Cockpit > Settings > Security profiles > Admin (Cannot be deleted) > Edit

  2. Add a new authentication provider "Directory Serive (LDAP/AD)"


(below settings are as per above LDAP setup..there could be changes as per yours)


Creating Users & groups in LDAP


1. I have added user a, b & c and created 3 different groups smp_admin_grp, smp_helpdesk_grp & smp_notification_grp.

2. Assigned a , b & c as uniqueMember in respective groups.



Modifying admin-role-mapping xml file


All predefined logical roles are there in SMP admin-role-mapping.xml file. Now we need to map newly created physical roles to predefined logical roles. Open admin-role-mapping.xml file can be found under C:\SAP\MobilePlatform3\Server\configuration\com.sap.mobile.platform.server.security\CSI .

Alert : Take a backup of same file before modifying it.

Map physical roles to predefined logical roles (as highlighted in bold)
<?xml version="1.0" encoding="UTF-8"?>

<rm:Mappings xmlns:rm="http://www.sybase.com/csi/3.1/mapping">

<DefaultMapping>

<LogicalName>Administrator</LogicalName>

<MappedName>Administrator</MappedName>

<MappedName>smp_admin_grp</MappedName>

</DefaultMapping>

<!-- Avatar Deployer Role Mappings -->

<DefaultMapping>

<LogicalName>NodeManager.deploycontent</LogicalName>

<MappedName>Administrator</MappedName>

</DefaultMapping>

<DefaultMapping>

<LogicalName>GenerationAndBuild.generationandbuildcontent</LogicalName>

<MappedName>Administrator</MappedName>

</DefaultMapping>

<DefaultMapping>

<LogicalName>IntegrationOperationServer.read</LogicalName>

<MappedName>Administrator</MappedName>

</DefaultMapping>

<DefaultMapping>

<LogicalName>Developer</LogicalName>

<MappedName>Developer</MappedName>

</DefaultMapping>

<DefaultMapping>

<LogicalName>Helpdesk</LogicalName>

  <MappedName>Helpdesk</MappedName>

    <MappedName>smp_helpdesk_grp</MappedName>

</DefaultMapping>

<DefaultMapping>

<LogicalName>Notification User</LogicalName>

<MappedName>Notification User</MappedName>

</DefaultMapping>

<DefaultMapping>

<LogicalName>Impersonator</LogicalName>

<MappedName>Impersonator</MappedName>

</DefaultMapping>

</rm:Mappings>

Note: For Notification user role, you have to add a new authentication provider in Notification (cannot be deleted) security profile > Add> Directory service (LDAP/AD)



Once done, open Notification-role-mapping.xml file (C:\SAP\MobilePlatform3\Server\configuration\com.sap.mobile.platform.server.security\CSI) and map notification physical role to logical role as highlighted below.
<?xml version="1.0" encoding="UTF-8"?>

<rm:Mappings xmlns:rm="http://www.sybase.com/csi/3.1/mapping">

<DefaultMapping>

<LogicalName>Administrator</LogicalName>

<MappedName>Administrator</MappedName>

</DefaultMapping>

<DefaultMapping>

<LogicalName>Developer</LogicalName>

<MappedName>Developer</MappedName>

</DefaultMapping>

<DefaultMapping>

<LogicalName>Helpdesk</LogicalName>

<MappedName>Helpdesk</MappedName>

</DefaultMapping>

<DefaultMapping>

<LogicalName>Notification User</LogicalName>

<MappedName>Notification User</MappedName>

<MappedName>smp_notification_grp</MappedName>

</DefaultMapping>

<DefaultMapping>

<LogicalName>Impersonator</LogicalName>

<MappedName>Impersonator</MappedName>

</DefaultMapping>

</rm:Mappings>

 

Impersonator Role:

This role establishes the trust relationship between the SAP Web Dispatcher (or any 3rd party reverse proxy) and SMP Server, allowing the server to accept and authenticate the user's public certificate presented in the SSL_CLIENT_HEADER over the SSL connection established by the reverse proxy. It also enables SAP Mobile Platform to trust SSL_CLIENT_CERT headers from network edge certificate authentication. Reference

 

Few things to know


1. By default, each logical role name is mapped to a physical role of the same name.

     <DefaultMapping>


     <LogicalName>Administrator</LogicalName>

     <MappedName>Administrator</MappedName>

     </DefaultMapping>


   2. By default, Admin security profile assigns smpAdmin user to the Administrator role. (Admin Cockpit credentials)

3. As per documentation,
SMP includes <MappedName>Administrator</MappedName> in admin-role-mapping.xml, if you do not have a physical role/group called Administrator, delete this mapping from file to avoid unnecessary authorization checks and improve performance.

I agree with this point. But imagine if i remove this default mapping and if LDAP server is down, i will not even able to login with smpAdmin. In my opinion, let it be there, no need to remove.

4. You can configure security profiles in Management cockpit but role-mapping configuration has to be done manually by editing .xml file.

5. In SMP cluster, you can configure security profile from any active node, once you are done with changes (either in Management cockpit or editing .xml file or both), CSI pushes this changes to the shared database, which then propagates the changes to the cluster nodes.

6. Helpdesk role is usually granted to analyze root causes of issues/problems. Cannot perform any administrator related tasks.

7. There are also predefined Integration Gateway roles and these roles are mapped to Administrator logical role. But there is no read-only access role defined for Gateway management cockpit.
<!-- Avatar Deployer Role Mappings -->

<DefaultMapping>

<LogicalName>NodeManager.deploycontent</LogicalName>

<MappedName>Administrator</MappedName>

<MappedName>smp_admin_grp</MappedName>

</DefaultMapping>

<DefaultMapping>

<LogicalName>GenerationAndBuild.generationandbuildcontent</LogicalName> in case of generate & deploy integration content to SMP

<MappedName>Administrator</MappedName>

<MappedName>smp_admin_grp</MappedName>

</DefaultMapping>

<DefaultMapping>

<LogicalName>IntegrationOperationServer.read</LogicalName> >>> needed in case of connecting to SMP server from eclipse kepler


<MappedName>Administrator</MappedName>

<MappedName>smp_admin_grp</MappedName>

</DefaultMapping>

8. The Developer role appears in the role-mapping.xml file, but is not implemented in SAP Mobile Platform.

I hope you find above information useful. Feel free to comment in case of any clarification and feedback.

CC: SAP for Mobile

Regards,

JK

2 Comments