Security

SAP Control Center can authenticate user logins through an LDAP server, through the operating system, or both.

SAP Control Center can be configured to authenticate through any LDAP server that supports the inetOrgPerson (RFC 2798) schema.
When SAP Control Center authenticates through the operating system, it uses the operating system of the SAP Control Center server machine (not the client).

Although you can create native user accounts in SCC, this approach to authentication is not recommended. It is simpler and safer to configure SCC to authenticate using existing LDAP, Windows, or UNIX login accounts.

SAP strongly recommends that you use a common authentication provider for SCC and for SAP database products managed by SCC. A common authentication provider ensures that single sign-on works for users of SAP Control Center and its managed servers.

SCC requires each authenticated login account to have a predefined role. When a login is authenticated, roles for the login are retrieved by the security module and are mapped to SCC predefined roles. Authorization is resolved through the mappings between the security module native roles and SCC roles. You can enable mappings by creating a “sybase” group in your operating system or LDAP server and adding all SCC users, or by modifying the SCC role-mapping.xml file to configure the mapping of native roles to SCC roles. The security module authenticates the logins and authorizes access to managed resources.

SAP Control Center provides a set of predefined login modules for authentication. All login modules are defined in the <install_location>/SCC-3_3/conf/csi_config.xml file. The syntax is defined by the SAP Common Security Infrastructure (CSI) framework. You can configure the different login modules to customize security strength. The login modules are:

Preconfigured user login – defines a user name, password, and a list of roles. The default user name is sccadmin; its password is configured during installation and its native role is SCC Administrator, which maps to sccAdminRole. You can create additional accounts by adding preconfigured user login modules to csi_config.xml. However, SAP does not recommend the use of preconfigured user login modules for authentication in production environments.
NT proxy login – delegates authentication to the underlying Windows operating system. When you log in to SCC through an NT Proxy Login module, enter your user name in the format username@nt-domain-name. For example, user@sap. Windows authentication is enabled by default, but it requires some configuration after an upgrade from SCC 3.2.5 or earlier.
UNIX proxy login – delegates authentication to the underlying UNIX or Linux operating system using Pluggable Authentication Modules (PAM). When you log in to SCC through a UNIX PAM, enter your UNIX user name and password. UNIX authentication is enabled by default, but it requires some configuration.
LDAP login – delegates authentication to an LDAP server you specify. When you log in to SCC through an LDAP server, enter your LDAP user name and password. LDAP authentication is not enabled by default; you must configure the login module.