SUP Roles to Support EIS Operations: SUP DCN User and SUP Push User

SUP DCN User and SUP Push User roles are the mechanisms by which illicit EIS DCN or push notification operations are prevented. Like other built-in platform roles, SUP DCN User and SUP Push User are logical roles that are available to all new security configurations.

Before any DCN event is submitted, the person or group mapped to this role must be authorized (after first being authenticated) by a security provider defined as part of a named security configuration. Submitted DCN events that require authorization include:

Cache updates
Operation performance

The SUP Push user role is mandatory; with this role the EIS cannot deliver push notifications to SAP Mobile Server for a registered application connection. Before any push event is submitted by the EIS, the authenticated user performing the push must be authorized by being in the SUP Push User logical role. Push events that require authorization include:

Triggering a Hybrid App package

You can choose different physical role mapping targets to authorize, or authenticate and authorize EIS events using the logical roles. Depending on the authorization method used, the implementation varies:

Certificate authorization – SAP recommends that you use CertificateValidationLoginModule for maximum security. CertificateValidationLoginModule validates the user certificate passed during mutual certificate authentication. Unlike other methods, it confers no physical roles; therefore, the platform administrator must create a logical role mapping. Typically, the user has a certificate that includes a Subject distinguished name containing a common name (cn=TechnicalUser), so it creates a logical role mapping between the logical role and user:TechnicalUser in the CN. To implement certificate authorization, see Setting Up Authorization with Certificate Validation in Security.

Note: While explicitly mapping a certificate user name for SUP Push User role in SAP Control Center, ensure there is a space after every comma. Example: user: CN:PushTest, OU=SSL Server, O=SAP-AG, C=DE”. If you are using push notification with strong mutual authentication, you can only use the Admin security configuration. Ensure you add a CertificateValidationLoginModule to the Admin security configuration and use it as the default security configuration in the push-enabled domain. If any other security configuration is used, a user not in Required role error is generated in the client log.
Technical user authorization – If the role cannot be mapped to a real user in the security repository of the configured security provider used by the security configuration, you may need to create a new technical user or use an existing technical user for EIS operation role mappings. In this case, no authentication is required as the user is not a real user in the traditional sense. To implement technical user authorization, SAP recommends that you create a security configuration that includes an LDAP provider. To implement technical user authentication, see Setting Up Authorization with a Technical User Role Stored in a Repository in Security.
Real user authorization – (Applies only to DCN) if the role must be mapped to a real user, you can authenticate and authorize the user mapped to the SUP DCN User role. You can also use PreconfiguredUserLogin module to perform HTTP Basic authentication, where the module extracts the user information from the request parameter in a URL. To implement real user authentication, see Setting Up Authorization with PreConfiguredUserLogin Values in Security.

Once you have multiple providers configured, especially when implementing authorization with single sign-on, you can stack them so they are processed in correct order.