Mapping SAP Control Center Roles to LDAP or OS Groups

To grant SAP Control Center privileges to users who are authenticated through LDAP or the operating system, associate roles used in SAP Control Center with groups in LDAP or the operating system.
Prerequisites
Task

You can configure SAP Control Center to enable users to authenticate through their local operating system or through an LDAP server. To make this type of authentication work, SCC roles must be mapped to groups that exist in the system providing authentication (LDAP or the operating system).

The sybase and SCC Administrator groups are convenient because they are predefined in role-mapping.xml. If you add sybase and SCC Administrator groups to your LDAP system and populate them with SCC users and administrators, you can skip to the next task—you do not need to complete the steps below.

The table lists default mappings of LDAP and OS groups to SCC roles. Login modules are defined in csi_config.xml.

Login Module OS Group SAP Control Center Roles
UNIX Proxy root uaAnonymous, uaAgentAdmin, uaOSAdmin
sybase uaAnonymous, uaPluginAdmin, sccUserRole
user uaAnonymous
guest uaAnonymous
NT Proxy Administrators uaAnonymous, uaAgentAdmin, uaOSAdmin
sybase uaAnonymous, uaPluginAdmin, sccUserRole
Users uaAnonymous
Guests uaAnonymous
LDAP sybase uaAnonymous, uaPluginAdmin, sccUserRole
SCC Administrator uaAnonymous, sccAdminRole
There are two ways to accomplish the mapping:
  • (Recommended) Add a “sybase” group and an “SCC Administrator” group to the operating system or LDAP server SAP Control Center is using to authenticate users, and add all users who need to access SAP Control Center to one or both groups.
  • Configure SAP Control Center to use existing groups in LDAP or the operating system by editing the role-mapping.xml file. This option is described here.
  1. If SAP Control Center is running, shut it down.
  2. In a text editor, open:

    <SCC-install-directory>/conf/role-mapping.xml

  3. Locate the sccUserRole section of the file:
    <Mapping>
    <LogicalName>sccUserRole</LogicalName>
    <MappedName>SCC Administrator</MappedName>
    <MappedName>SCC Agent Administrator</MappedName>
    <MappedName>sybase</MappedName>
</Mapping>
  4. Add a MappedName line for the LDAP or OS group you are using to authenticate SCC users. The sccUserRole section should look similar to this: 
    <Mapping>
    <LogicalName>sccUserRole</LogicalName>
    <MappedName>SCC Administrator</MappedName>
    <MappedName>SCC Agent Administrator</MappedName>
    <MappedName>sybase</MappedName>
    <MappedName>my_SCC_group</MappedName>
</Mapping>
  5. Locate the sccAdminRole section of the file:
    <Mapping>
    <LogicalName>sccAdminRole</LogicalName>
    <MappedName>SCC Administrator</MappedName>
</Mapping>
  6. Add a MappedName line for the LDAP or OS group you are using to authenticate SCC administrators. The sccAdminRole section should look similar to this: 
    <Mapping>
    <LogicalName>sccAdminRole</LogicalName>
    <MappedName>SCC Administrator</MappedName>
    <MappedName>my_SCC_admin_group</MappedName>
</Mapping>
  7. Save the file and exit.
  8. (LDAP only) Ensure that the roles defined in the LDAP repository match the roles defined in role-mapping.xml.
  9. In the <SCC-install-dir>\conf\csi_config.xml file, set the BindPassword and ProviderURL properties with values used in your deployment.
    Sybase recommends that you encrypt sensitive values before saving them in csi_config.xml.
  10. Start SAP Control Center.
Parent topic: Setting Up Security
Previous topic: Configuring an LDAP Authentication Module
Next topic: Encrypting a Password
Related concepts
User Authorization
Related tasks
Configuring Authentication for Windows
Configuring a Pluggable Authentication Module (PAM) for UNIX
Assigning a Role to a Login or a Group