To prevent role mapping leaks between multiple tenant domains, configure domains and assign shared security configurations.
For example, a company named "Acme" has two separate divisions, HR and sales. The employees in each division use different mobile applications. In this case, SAP recommends using two domains in SAP Control Center to simplify the management of packages, users, applications and related artifacts.
Acme implements separate domain administrators for each domain, but uses a single "acme" security configuration because of the way the corporate LDAP directory is configured. This configuration includes an LDAPLoginModule provider that uses this URL:
ldap://ldap.acme.com
As a result, all employees of all domains are authenticated by the same LDAP server, and authorized by the same set of groups and roles.
Note: Because domain administrators are authenticated from the same acme LDAP repository via the admin security configuration on the default domain, those role mappings can "leak" between domains. Consequently, a domain administrator assigned to one domain is granted access to another. This side effect is undesirable and should be avoided.