Creating and Assigning a Security Configuration

Prepare a security configuration that one or more administrators can select as part of the application definition or connection template. The security configuration is used in different ways, depending on whether you are performing manual or automatic application user registration.

Create as many security configurations as needed, depending on the number of systems to be accessed. SAP recommends that you have as many connection templates as there are security configurations (a 1:1 ratio).
  • For manual registration – the security configuration is not used during the activation process. However, it is used after the application is activated to authenticate operations the application makes over the assigned connection.
  • For automatic registration – the security configuration you create authenticates the user identity, and passes an identity under which the user is registered and the session ID assigned. To use a security configuration for this method, ensure automatic registration is enabled in the connection template.
  • For role-based access – if applications have different security requirements, use logical roles to implement a more fine-grained control to applications. You can use role-based access control for both manual and automatic registration.
  1. In SAP Control Center, create a security configuration at the cluster level. Add at least one security provider to it, setting the Control Flag attribute to an appropriate value for the number of providers you add.
    The type of provider you choose depends on:
    • The security repository you use in your production environment.
    • Whether you need to support SSO and what type of credential will be passed.
    • The EIS used. For example, for SAP connections, SAP recommends that you use a SAPSSOTokenLoginModule, a CertificateAuthenticationLoginModule, or an HttpAuthenticationLoginModule.

    For details, see Creating a Security Configuration in SAP Control Center for SAP Mobile Platform.

  2. Create and map the logical roles needed to control access to the application connections that are associated with this security configuration. If no mappings are created, all authenticated users can access the connection.
    For Hybrid Apps, the logical role you define for the application should be the same logical role used for package deployment. The role chosen during package deployment allows the users who are authorized by the logical roles to install the package.
  3. If you require any specific authentication cache behavior, click the Settings tab, and configure the properties as required.
  4. Save the changes.
    The security configuration now appears in the list of available security configurations when you configure properties for an application connection. Users can now access required connections only after being properly authenticated and appropriately authorized via the roles defined and mapped. Authentication allows the administrator to review:
    • The users who are accessing an application and determine which security configuration was used to grant access to the application.
    • The application connections that are actively used by users and what role was used to confer active status.
    • The applications to which authenticated users have access.
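
The following added example, which is not part of the SAP documentation or product, audits an inventory of security configurations against three points from this procedure: at least one security provider, the open access that results when no role mappings exist, and the recommended 1:1 ratio of connection templates to security configurations. The inventory layout, field names, and sample values are constructed for illustration and do not represent an SAP Control Center export format.

```python
from collections import Counter

# Constructed inventory; the field names are hypothetical, not an SAP export format.
INVENTORY = {
    "security_configurations": [
        {"name": "hr_sso",
         "providers": ["SAPSSOTokenLoginModule"],
         "role_mappings": {"HRUser": ["hr-staff"]}},
        {"name": "sales_http",
         "providers": ["HttpAuthenticationLoginModule"],
         "role_mappings": {}},
        {"name": "draft_cfg", "providers": [], "role_mappings": {}},
    ],
    "connection_templates": [
        {"name": "hr_tpl", "security_configuration": "hr_sso"},
        {"name": "sales_tpl_a", "security_configuration": "sales_http"},
        {"name": "sales_tpl_b", "security_configuration": "sales_http"},
    ],
}


def audit(inventory):
    """Return sorted (configuration, finding) pairs for the checks below."""
    # Count how many connection templates point at each security configuration.
    uses = Counter(t["security_configuration"]
                   for t in inventory["connection_templates"])
    findings = []
    for cfg in inventory["security_configurations"]:
        name = cfg["name"]
        # Step 1: a configuration needs at least one security provider.
        if not cfg["providers"]:
            findings.append((name, "NO_PROVIDER"))
        # Step 2: with no mappings, all authenticated users can access the connection.
        if not cfg["role_mappings"]:
            findings.append((name, "OPEN_TO_ALL_AUTHENTICATED"))
        # Recommendation: one connection template per security configuration.
        if uses[name] != 1:
            findings.append((name, f"TEMPLATE_COUNT_{uses[name]}"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit(INVENTORY):
        print(f"{name}: {finding}")
```

A configuration reported as OPEN_TO_ALL_AUTHENTICATED is not necessarily wrong, but it should be a deliberate choice rather than the result of skipping step 2.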