Orgchart security

Former Member

Guys,

At the customer here we're implementing the Orgchart 3.0 SP2 solution.

Version 3.0 SP2

Build 0702028100

We're currently discussing the security options to use for Orgchart.

First the customer decided to opt for the anonymous access option, but this changed when they wanted to embed the application into the portal.

-Question is if anonymous access is also suitable to use when accessed from inside the portal?

Or can it be embedded into the MSS portal as well?

-Does each authentication method require a SAP_all communications user?

Next to this, how does it work when the direct links to the application (admin console/orgchart) are being used with anonymous access?

I'm trying to figure out if, when someone or anyone within the company server directly enters the links to the admin console and especially Orgchart, they can get full access to the application. Anyone experience with this?

The customer also has AD as an authentication on the portal's side, so will opt for this solution, but I'm really interested if someone can explain to me when you would opt for anonymous access and how it works with accessing the links if it's embedded in the portal.

Apologies if this is also asked in another thread. I did a search but couldn't find something similar to my question.

Regards,

C

Accepted Solutions (1)

lukemarson
Active Contributor

Hi Carlos,

I hope to provide some useful information:

-Question is if anonymous access is also suitable to use when accessed from inside the portal?

It doesn't really make a difference, since the user is authenticated when coming into the Portal. It depends on how you are going to use OrgChart. If you need an authentication method then it is advisable to use Portal authentication. It might be worth it anyway, since then unauthorized users cannot access the org chart.

-Does each authentication method require a SAP_all communications user?

Again, it depends on what you are doing in terms of security. For role mapping and user identification then you need to have a user that can retrieve the user information and can also query the roles table (AGR_USERS). Usually I would say yes. The user doesn't have to have SAP_ALL, as long as it has sufficient authorizations to access this data.

Next to this, how does it work when the direct links to the application (admin console/orgchart) are being used with anonymous access?

I'm trying to figure out if, when someone or anyone within the company server directly enters the links to the admin console and especially Orgchart, they can get full access to the application. Anyone experience with this?

The application is always accessed by a direct link, even when embedded in the Portal (it uses a URL iView). The only difference with the other authentication method is that the user is not authenticated against an authentication source. They are just "logged in" to the application and get access to the data that the communications user has authorization to access. It means that anyone on the company network with the URL can access the application. If you plan to show non-sensitive data then there isn't really a problem, but if you add data that could be deemed sensitive by the company then you only want authorized people to access it. I have to say that none of my clients have used Anonymous authentication in Production. We always use either SAP Logon forms or SSO in the Portal.

The customer also has AD as an authentication on the portal's side, so will opt for this solution, but I'm really interested if someone can explain to me when you would opt for anonymous access and how it works with accessing the links if it's embedded in the portal.

How you are authenticated into the Portal isn't so important. If I were using the Portal then I wouldn't use anonymous access, I would use SSO. This also means that the user can only access data that they are authorized to see (assuming you are using Live). If using Live then every backend call has an authorization check performed using the logged-in user's SAP user ID, as if they were trying to access the data in the backend. This includes the use of structural authorizations. For this reason it's probably advisable to use an authentication method, such as SSO.

Best regards,

Luke

Former Member

Luke,

Thanks a lot. This really gives more clarification on the matter.

Really appreciated.

Regards,

C