Hello SMP Administrators,
Let me start with an example. There are three users: A, B & C. The SAP Mobile Platform administrator wants to grant the admin role to user A, the read-only access role (i.e. Helpdesk) to user B and the notification role to user C. He finds this task very easy and simple. He logs in to the Admin cockpit, adds two System Login (Admin only) authentication providers in the Admin security profile, and assigns the Administrator and Helpdesk roles to A and B respectively. For user C, he adds a new System Login authentication provider, but in the Notification security profile. His job is done: user A has admin access to the Admin cockpit, user B has read access and user C can receive notifications via SMP.
Now the SMP administrator has been asked to grant the admin role to 3 more users, the read-only access role to 10 more users and the notification role to 20 more users.
But this time the SMP administrator doesn't want to repeat what he did before. He doesn't want to do it manually; he wants a general solution so that if he gets further requests for granting roles in future, he doesn't have to do much on SMP. He came to know that there is an LDAP setup installed in the organization. It could look like the one below:
He thought of implementing the LDAP/AD authentication provider in the SMP security profile and mapping the LDAP groups to which a user belongs.
Implementing the LDAP/AD authentication provider in the SMP Admin security profile:
- Log in to Admin Cockpit > Settings > Security profiles > Admin (Cannot be deleted) > Edit
- Add a new authentication provider "Directory Service (LDAP/AD)"
(the settings below are as per the LDAP setup above; yours may differ)
Creating users & groups in LDAP
1. I have added users a, b & c and created 3 different groups: smp_admin_grp, smp_helpdesk_grp & smp_notification_grp.
2. Assigned a, b & c as uniqueMember in the respective groups.
Modifying the admin-role-mapping.xml file
All predefined logical roles are in the SMP admin-role-mapping.xml file. Now we need to map the newly created physical roles (the LDAP groups) to the predefined logical roles. The admin-role-mapping.xml file can be found under C:\SAP\MobilePlatform3\Server\configuration\com.sap.mobile.platform.server.security\CSI.
Alert: Take a backup of the file before modifying it.
Map the physical roles to the predefined logical roles; the added smp_admin_grp and smp_helpdesk_grp entries are the changes:
<?xml version="1.0" encoding="UTF-8"?>
<rm:Mappings xmlns:rm="http://www.sybase.com/csi/3.1/mapping">
  <DefaultMapping>
    <LogicalName>Administrator</LogicalName>
    <MappedName>Administrator</MappedName>
    <MappedName>smp_admin_grp</MappedName> <!-- added: LDAP group mapped to Administrator -->
  </DefaultMapping>
  <!-- Avatar Deployer Role Mappings -->
  <DefaultMapping>
    <LogicalName>NodeManager.deploycontent</LogicalName>
    <MappedName>Administrator</MappedName>
  </DefaultMapping>
  <DefaultMapping>
    <LogicalName>GenerationAndBuild.generationandbuildcontent</LogicalName>
    <MappedName>Administrator</MappedName>
  </DefaultMapping>
  <DefaultMapping>
    <LogicalName>IntegrationOperationServer.read</LogicalName>
    <MappedName>Administrator</MappedName>
  </DefaultMapping>
  <DefaultMapping>
    <LogicalName>Developer</LogicalName>
    <MappedName>Developer</MappedName>
  </DefaultMapping>
  <DefaultMapping>
    <LogicalName>Helpdesk</LogicalName>
    <MappedName>Helpdesk</MappedName>
    <MappedName>smp_helpdesk_grp</MappedName> <!-- added: LDAP group mapped to Helpdesk -->
  </DefaultMapping>
  <DefaultMapping>
    <LogicalName>Notification User</LogicalName>
    <MappedName>Notification User</MappedName>
  </DefaultMapping>
  <DefaultMapping>
    <LogicalName>Impersonator</LogicalName>
    <MappedName>Impersonator</MappedName>
  </DefaultMapping>
</rm:Mappings>
Note: For the Notification User role, you have to add a new authentication provider in the Notification (cannot be deleted) security profile > Add > Directory service (LDAP/AD).
Once done, open the Notification-role-mapping.xml file (C:\SAP\MobilePlatform3\Server\configuration\com.sap.mobile.platform.server.security\CSI) and map the notification physical role to the logical role; the added smp_notification_grp entry is the change:
<?xml version="1.0" encoding="UTF-8"?>
<rm:Mappings xmlns:rm="http://www.sybase.com/csi/3.1/mapping">
  <DefaultMapping>
    <LogicalName>Administrator</LogicalName>
    <MappedName>Administrator</MappedName>
  </DefaultMapping>
  <DefaultMapping>
    <LogicalName>Developer</LogicalName>
    <MappedName>Developer</MappedName>
  </DefaultMapping>
  <DefaultMapping>
    <LogicalName>Helpdesk</LogicalName>
    <MappedName>Helpdesk</MappedName>
  </DefaultMapping>
  <DefaultMapping>
    <LogicalName>Notification User</LogicalName>
    <MappedName>Notification User</MappedName>
    <MappedName>smp_notification_grp</MappedName> <!-- added: LDAP group mapped to Notification User -->
  </DefaultMapping>
  <DefaultMapping>
    <LogicalName>Impersonator</LogicalName>
    <MappedName>Impersonator</MappedName>
  </DefaultMapping>
</rm:Mappings>
Impersonator Role:
This role establishes the trust relationship between the SAP Web Dispatcher (or any third-party reverse proxy) and the SMP Server, allowing the server to accept and authenticate the user's public certificate presented in the SSL_CLIENT_HEADER over the SSL connection established by the reverse proxy. It also enables SAP Mobile Platform to trust SSL_CLIENT_CERT headers from network-edge certificate authentication.
Reference
Few things to know
1. By default, each logical role name is mapped to a physical role of the same name:
  <DefaultMapping>
    <LogicalName>Administrator</LogicalName>
    <MappedName>Administrator</MappedName>
  </DefaultMapping>
2. By default, the Admin security profile assigns the smpAdmin user to the Administrator role (the Admin Cockpit credentials).
3. As per the documentation, SMP includes <MappedName>Administrator</MappedName> in admin-role-mapping.xml; if you do not have a physical role/group called Administrator, delete this mapping from the file to avoid unnecessary authorization checks and improve performance.
I agree with this point. But imagine if I remove this default mapping and the LDAP server is down: I will not even be able to log in with smpAdmin. In my opinion, let it be there; there is no need to remove it.
4. You can configure security profiles in the Management cockpit, but the role-mapping configuration has to be done manually by editing the .xml file.
5. In an SMP cluster, you can configure the security profile from any active node. Once you are done with the changes (either in the Management cockpit, by editing the .xml file, or both), CSI pushes the changes to the shared database, which then propagates them to the cluster nodes.
6. The Helpdesk role is usually granted to analyze the root causes of issues/problems. It cannot perform any administrator-related tasks.
7. There are also predefined Integration Gateway roles, and these roles are mapped to the Administrator logical role. But there is no read-only access role defined for the Gateway management cockpit.
  <!-- Avatar Deployer Role Mappings -->
  <DefaultMapping>
    <LogicalName>NodeManager.deploycontent</LogicalName>
    <MappedName>Administrator</MappedName>
    <MappedName>smp_admin_grp</MappedName>
  </DefaultMapping>
  <DefaultMapping>
    <!-- needed in case of generating and deploying integration content to SMP -->
    <LogicalName>GenerationAndBuild.generationandbuildcontent</LogicalName>
    <MappedName>Administrator</MappedName>
    <MappedName>smp_admin_grp</MappedName>
  </DefaultMapping>
  <DefaultMapping>
    <!-- needed in case of connecting to the SMP server from Eclipse Kepler -->
    <LogicalName>IntegrationOperationServer.read</LogicalName>
    <MappedName>Administrator</MappedName>
    <MappedName>smp_admin_grp</MappedName>
  </DefaultMapping>
8. The Developer role appears in the role-mapping.xml file, but is not implemented in SAP Mobile Platform.
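Before rolling such a mapping out, it is worth checking offline who will actually land in which logical role, and that the built-in Administrator mapping mentioned in point 3 above is still present. The script below is an added example written for this post, not SAP's code: it parses a role-mapping file of the shape shown above, takes a constructed stand-in for the LDAP groups (group DN to its uniqueMember DNs, with an assumed dc=example,dc=com base) and resolves group membership to logical roles the same way the mapping file intends. The XML and directory data are embedded as constructed samples so it runs without an SMP or LDAP server.

```python
"""Added example (not SAP's code): offline audit of an SMP role-mapping file.

Answers, from a role-mapping XML and a snapshot of LDAP group membership:
  - which logical roles a given user would receive,
  - which users end up with the Administrator logical role,
  - whether the built-in Administrator -> Administrator mapping is still there
    (the entry that keeps the smpAdmin login working if LDAP is down).
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample: admin-role-mapping.xml after adding the two LDAP groups
# (shortened to the mappings that matter here).
SAMPLE_MAPPING_XML = """<?xml version="1.0" encoding="UTF-8"?>
<rm:Mappings xmlns:rm="http://www.sybase.com/csi/3.1/mapping">
  <DefaultMapping>
    <LogicalName>Administrator</LogicalName>
    <MappedName>Administrator</MappedName>
    <MappedName>smp_admin_grp</MappedName>
  </DefaultMapping>
  <DefaultMapping>
    <LogicalName>Helpdesk</LogicalName>
    <MappedName>Helpdesk</MappedName>
    <MappedName>smp_helpdesk_grp</MappedName>
  </DefaultMapping>
  <DefaultMapping>
    <LogicalName>Notification User</LogicalName>
    <MappedName>Notification User</MappedName>
  </DefaultMapping>
</rm:Mappings>
"""

# Constructed stand-in for the directory: group DN -> uniqueMember DNs.
# The base DN and the uid/cn layout are assumptions made for this demo.
SAMPLE_GROUPS: Dict[str, List[str]] = {
    "cn=smp_admin_grp,ou=groups,dc=example,dc=com": ["uid=a,ou=users,dc=example,dc=com"],
    "cn=smp_helpdesk_grp,ou=groups,dc=example,dc=com": ["uid=b,ou=users,dc=example,dc=com"],
    "cn=smp_notification_grp,ou=groups,dc=example,dc=com": ["uid=c,ou=users,dc=example,dc=com"],
}


def parse_role_mapping(xml_text: str) -> Dict[str, List[str]]:
    """Return {logical role: [physical roles]} from a CSI role-mapping file.

    Only the root carries the rm: namespace; DefaultMapping and its children
    are unprefixed, so plain tag names are correct here.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    mapping: Dict[str, List[str]] = {}
    for dm in root.findall("DefaultMapping"):
        logical = (dm.findtext("LogicalName") or "").strip()
        physical = [(m.text or "").strip() for m in dm.findall("MappedName")]
        mapping[logical] = [p for p in physical if p]
    return mapping


def rdn_value(dn: str) -> str:
    """First RDN value of a DN: 'smp_admin_grp' for 'cn=smp_admin_grp,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1].strip()


def groups_of(user_dn: str, groups: Dict[str, List[str]]) -> List[str]:
    """Names (cn) of the groups whose uniqueMember list contains the user."""
    return sorted(rdn_value(g) for g, members in groups.items() if user_dn in members)


def logical_roles_for(user_dn: str, groups: Dict[str, List[str]],
                      mapping: Dict[str, List[str]]) -> List[str]:
    """Logical roles the user receives: one of their groups is a MappedName."""
    user_groups = set(groups_of(user_dn, groups))
    return sorted(logical for logical, physical in mapping.items()
                  if user_groups.intersection(physical))


def members_of_logical_role(logical: str, groups: Dict[str, List[str]],
                            mapping: Dict[str, List[str]]) -> List[str]:
    """Every user DN that would hold the given logical role (audit view)."""
    wanted = set(mapping.get(logical, []))
    return sorted({u for g, members in groups.items()
                   if rdn_value(g) in wanted for u in members})


def default_admin_mapping_present(mapping: Dict[str, List[str]]) -> bool:
    """True if the built-in Administrator -> Administrator entry survived the edit."""
    return "Administrator" in mapping.get("Administrator", [])


if __name__ == "__main__":
    m = parse_role_mapping(SAMPLE_MAPPING_XML)
    for uid in ("a", "b", "c"):
        dn = f"uid={uid},ou=users,dc=example,dc=com"
        print(dn, "->", logical_roles_for(dn, SAMPLE_GROUPS, m))
    print("Administrator holders:", members_of_logical_role("Administrator", SAMPLE_GROUPS, m))
    print("built-in Administrator mapping kept:", default_admin_mapping_present(m))
```

User c comes back with no logical role from this file, which is expected: smp_notification_grp is mapped in Notification-role-mapping.xml, not in admin-role-mapping.xml, so the script has to be run against each mapping file separately. Pointing it at the real files after a backup, with group data exported from the directory, gives a quick review of who ends up with Administrator before the change goes live.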
I hope you find above information useful. Feel free to comment in case of any clarification and feedback.
Regards,
JK