Managing Roles and Permissions

Logical roles provide authorization for mobile business objects and operations during development.

The SAP Mobile Platform supports two types of roles:

• Logical roles – defined and used within the development environment to provide security to mobile business objects and MBO operations during development, and eventually mapped to physical roles during deployment. Mobile device users have no interaction with logical roles.
• Physical roles – enterprise-oriented and managed by the SAP Mobile Server administrator or through some other enterprise security provider. Physical roles control the access to the back-end data sources of an MBO during runtime.

When deploying MBOs to a SAP Mobile Server, you can map logical roles to existing physical roles that are located on the SAP Mobile Server. The mapping transfers authorization and other properties from the physical role to the logical role.

The need for role mapping exists because, in most cases, any role-based authorization used while developing an MBO is invalid once the MBO is deployed to the SAP Mobile Server, since it is likely the SAP Mobile Server uses a different security mechanism/set of roles, or the data source changes and uses different authorization than used during development.

If development and SAP Mobile Servers do use the same set of roles, you can map the logical role name directly to the physical role when deploying the MBO. See Packaging and Deploying Mobile Business Objects.

The Roles folder contains user-defined roles, that can be modified and reused.

Role assignments are not propagated from the mobile business object to the operations it contains. If you want to control access to any operation, you must explicitly set the appropriate role ( by default, if no role is assigned then the operation is assigned the role 'everybody' which allows unlimited access).

• Creating Logical Roles
  Use the New Role wizard to create a logical role in the Mobile Application project's Roles folder.
• Copy and Pasting Logical Roles
  Create a new logical role by copying and pasting an existing role.
• Modifying Logical Role Properties
  Modify common role properties from the role's Properties dialog box.
• Setting and Unsetting the Default Logical Role
  Optionally set a default role that is assigned to all mobile business objects and operations created from that point forward for the Mobile Application project.
• Assigning Roles to Mobile Business Objects and Operations
  Assign logical roles to mobile business objects and operations using the role's Properties dialog box.
• Finding Role References
  Locate mobile business objects and operations that the role references.
• Deleting a Logical Role
  Delete an existing logical role from the Roles folder.