Enabling Authorization of EIS Operations

All EIS operations must be authorized before the event is processed. SAP Mobile Server authorizes these insertion events using either SUP DCN User or SUP Push User role and a security configuration that names the security provider that performs the authorization function.

1. Create an authorization provider for the selected security configuration.
   To choose which type of provider you require, review the types documented in SUP Roles to Support EIS Operations: SUP DCN User and SUP Push User. Then follow the instructions in the corresponding Setting Up Authorization topic.
2. Ensure that you stack the provider in the order required by your environment.
   This is especially required in SSO-enabled environments. See Stacking Providers to Authenticate using SSO Before Authorizing.

• SUP Roles to Support EIS Operations: SUP DCN User and SUP Push User
  SUP DCN User and SUP Push User roles are the mechanisms by which illicit EIS DCN or push notification operations are prevented. Like other built-in platform roles, SUP DCN User and SUP Push User are logical roles that are available to all new security configurations.
• Setting Up Authorization with a Technical User Role Stored in a Repository
  Before any EIS event is submitted, the technical user mapped to either the SUP DCN User or SUP Push User role must be authorized by a security provider you define as part of a named security configuration.
• Setting Up Authorization with Certificate Validation
  (Recommended) Before any event is submitted to the SAP Mobile Platform runtime, the subject of the certificate's CN that is mapped to the logical role must be authorized, and with Certificate Validation, authenticated. SAP recommends using a CertificateValidationLoginModule for mutual authentication. The following steps describe how to implement the recommendation and offers maximum DCN or Push security.
• Setting Up Authorization with PreConfiguredUserLogin Values
  Before any EIS event is submitted to SAP Mobile Server, the person or group mapped to the SUP DCN User role must be authorized and authenticated. You can use the PreConfiguredUserLogin module with HTTP Basic authentication for this purpose.
• Stacking Providers for DCN SSO Authentication
  (Applies only to DCN events) Stack DCN providers with SSO providers to authenticate the SUP DCN User logical role with the SSO mechanisms. The users must be authenticated before they can be authorized.