Mapping a Logical Role to a Physical Role

SAP Mobile Platform uses a role-based-access-control (RBAC) security model. SAP Mobile Platform includes predefined logical roles, and uses HttpServletRequest.isUserInRole(logicalRole) for its policy enforcement points in the runtime. Physical roles assigned to a user come from the customer's identity management back-end systems.

The most common example is the LDAP groups a user belongs to when using the Directory Service (LDAP/AD) authentication provider. Each LDAP group becomes a physical role attributed to the authenticated user in SAP Mobile Platform.

The CSI then uses the role-mapping configuration to resolve the isUserInRole() check: the check succeeds if the user holds any of the physical roles mapped to that logical role in the security profile. Role mapping is particularly important for the Admin security configuration, where authorized users must be mapped to the Administrator logical role. Additionally, in other security profiles, it is important to map the Impersonator and Notification User roles.

The security profiles are persisted in files that are located in SMP_HOME\Server\configuration\com.sap.mobile.platform.server.security\CSI. To map a logical role to the appropriate physical role in the underlying security provider in a given security profile, you must manually edit the corresponding <Security_Profile_name>-role-mapping.xml file.

Note: The Management Cockpit always authenticates against the Admin security profile and requires that the user be granted Administrator role to successfully log into the Management Cockpit.
     
Upon installation, the default authentication provider assigns the smpAdmin user to the administrator role. To make your configuration production ready, you must add an authentication provider to the Admin security profile that authenticates against your identity management system (such as LDAP for Active Directory). To do this, you must:
  • Determine the physical role names detected by your identity management system (iDMS), for example, the names of LDAP groups to which the user belongs
  • Select appropriate logical roles in SAP Mobile Platform
Note: In order for administrators to access SAP Mobile Platform Server, you must map the default SAP Mobile Platform logical roles to the corresponding physical roles in the Admin security provider. You perform the mapping for the Admin security profile manually by editing the SMP_HOME\Server\configuration\com.sap.mobile.platform.server.security\CSI\admin-role-mapping.xml file. To map logical roles to physical roles, perform the following steps which use the Administrator role as an example.
  1. Navigate to the admin-role-mapping.xml file, which by default appears as:
      <?xml version="1.0" encoding="UTF-8" ?>
      <rm:Mappings xmlns:rm="http://www.sybase.com/csi/3.1/mapping">
        <DefaultMapping>
          <LogicalName>Administrator</LogicalName>
          <MappedName>Administrator</MappedName>
        </DefaultMapping>
        <!--  Avatar Deployer Role Mappings  -->
        <DefaultMapping>
          <LogicalName>NodeManager.deploycontent</LogicalName>
          <MappedName>Administrator</MappedName>
        </DefaultMapping>
        <DefaultMapping>
          <LogicalName>GenerationAndBuild.generationandbuildcontent</LogicalName>
          <MappedName>Administrator</MappedName>
        </DefaultMapping>
        <DefaultMapping>
          <LogicalName>IntegrationOperationServer.read</LogicalName>
          <MappedName>Administrator</MappedName>
        </DefaultMapping>
        <DefaultMapping>
          <LogicalName>Developer</LogicalName>
          <MappedName>Developer</MappedName>
        </DefaultMapping>
        <DefaultMapping>
          <LogicalName>Helpdesk</LogicalName>
          <MappedName>Helpdesk</MappedName>
        </DefaultMapping>
        <DefaultMapping>
          <LogicalName>Notification User</LogicalName>
          <MappedName>Notification User</MappedName>
        </DefaultMapping>
        <DefaultMapping>
          <LogicalName>Impersonator</LogicalName>
          <MappedName>Impersonator</MappedName>
        </DefaultMapping>
      </rm:Mappings>
    
    Note: Each logical role name is mapped to a physical role of the same name. By default, the Admin security profile assigns the smpAdmin user to the Administrator role.
  2. Edit the file to assign your required physical roles to the corresponding logical roles. For example, if you have a physical role of Engineering in an LDAP environment, edit the mapping file to assign the mapped name of Engineering to the appropriate logical role:
    
          <DefaultMapping>
                <LogicalName>Administrator</LogicalName>
                <MappedName>Administrator</MappedName>
                <MappedName>Engineering</MappedName>
          </DefaultMapping>
    
    Note: If there is no physical role or group called Administrator in your identity management system, delete that MappedName entry so the runtime does not perform an extra, always-failing role check; this speeds up authorization checks.
  3. Save the file.
  4. Restart the server.
  5. Login to the Management Cockpit to verify the configuration.
    Note: Be sure to understand your groups of users so you map only the roles intended for the security profile. Mapping large groups risks including more users than necessary in your security profile. To mitigate this risk, consider using the UserRoleAuthorizer feature to provide improved security by defining a specific user, and not a group, in LDAP. This technique is required for certificate-based authentication.
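The following is an added example, not SAP's code, illustrating two things the text describes: how a *-role-mapping.xml file translates into a logical-to-physical role table, and how the isUserInRole(logicalRole) check then succeeds when the authenticated user holds any of the mapped physical roles (for example LDAP groups). The sample document is constructed to look like admin-role-mapping.xml after step 2 (Administrator additionally mapped to an LDAP group named Engineering); the function names and the audit helper that flags mapped names with no matching group are assumptions made for this example.

```python
"""Added example (not SAP Mobile Platform code): parse an SMP-style
*-role-mapping.xml document and evaluate isUserInRole() as the page describes."""
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, Set

# Namespace of the rm:Mappings root element, as in the file shown above.
RM_NS = "http://www.sybase.com/csi/3.1/mapping"

# Constructed sample modelled on admin-role-mapping.xml after step 2:
# Administrator is additionally mapped to the LDAP group "Engineering".
SAMPLE_ROLE_MAPPING = """<?xml version="1.0" encoding="UTF-8"?>
<rm:Mappings xmlns:rm="http://www.sybase.com/csi/3.1/mapping">
  <DefaultMapping>
    <LogicalName>Administrator</LogicalName>
    <MappedName>Administrator</MappedName>
    <MappedName>Engineering</MappedName>
  </DefaultMapping>
  <DefaultMapping>
    <LogicalName>Notification User</LogicalName>
    <MappedName>Notification User</MappedName>
  </DefaultMapping>
  <DefaultMapping>
    <LogicalName>Impersonator</LogicalName>
    <MappedName>Impersonator</MappedName>
  </DefaultMapping>
</rm:Mappings>
"""


def parse_role_mapping(xml_text: str) -> Dict[str, Set[str]]:
    """Return {logical role: set of physical roles} from a role-mapping document."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{RM_NS}}}Mappings":
        raise ValueError(f"unexpected root element {root.tag!r}")
    mapping: Dict[str, Set[str]] = {}
    # DefaultMapping and its children carry no namespace prefix in the file.
    for entry in root.findall("DefaultMapping"):
        logical = (entry.findtext("LogicalName") or "").strip()
        if not logical:
            raise ValueError("DefaultMapping without LogicalName")
        physical = {
            m.text.strip() for m in entry.findall("MappedName")
            if m.text and m.text.strip()
        }
        # A repeated DefaultMapping for the same logical role just widens it.
        mapping.setdefault(logical, set()).update(physical)
    return mapping


def is_user_in_role(mapping: Dict[str, Set[str]],
                    user_physical_roles: Iterable[str],
                    logical_role: str) -> bool:
    """isUserInRole(logicalRole): granted if the user holds ANY physical role
    mapped to that logical role; an unmapped logical role is never granted."""
    return not mapping.get(logical_role, set()).isdisjoint(set(user_physical_roles))


def unresolvable_mappings(mapping: Dict[str, Set[str]],
                          known_physical_roles: Iterable[str]) -> Dict[str, Set[str]]:
    """Audit helper (assumed, not an SMP feature): mapped names that do not exist
    in the identity store, e.g. no LDAP group called 'Administrator'. The page
    recommends deleting such entries to avoid a useless extra role check."""
    known = set(known_physical_roles)
    return {
        logical: physical - known
        for logical, physical in mapping.items()
        if physical - known
    }


if __name__ == "__main__":
    table = parse_role_mapping(SAMPLE_ROLE_MAPPING)
    # A user whose LDAP groups are {"Engineering", "Staff"} is an Administrator.
    print(is_user_in_role(table, {"Engineering", "Staff"}, "Administrator"))
    # A user in "Staff" only is not.
    print(is_user_in_role(table, {"Staff"}, "Administrator"))
    # Mapped names with no matching LDAP group, candidates for removal.
    print(unresolvable_mappings(table, {"Engineering", "Notification User", "Impersonator"}))
```

The audit helper makes the point of the note above concrete: if the directory has no group called Administrator, the mapping table still carries that name, and every Administrator check pays for a comparison that can never succeed until the entry is removed from the file.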
Related concepts
Default Logical Roles in SAP Mobile Platform
Single Sign-on Integration Across Client Applications
LDAP Role Computation
Role Mapping
UserRoleAuthorizer Provider
X.509 User Certificate Provider
Related tasks
Creating and Configuring Security Profiles
Enabling OCSP
Related reference
No Authentication Challenge Configuration Properties
System Login (Admin Only) Configuration Properties
Populate JAAS Subject From Client Configuration Properties
X.509 User Certificate Configuration Properties
HTTP/HTTPS Authentication Configuration Properties
Directory Service (LDAP/AD) Configuration Properties