Configure security for an individual domain to meet the customer's security requirements.
Prerequisites
Before mapping and assigning administrator roles, ensure that you have set the SAP Mobile Platform administration and user roles and passwords required for SAP Control Center administrator login. See Enabling Authentication and RBAC for Administrator Logins in Security.
Task
Perform steps to appropriately configure domain security settings.
1. Choosing a Security Configuration
Select a security configuration that provides authentication and optionally authorization, attribution, or auditing services. You can assign as many security configurations as needed to a domain.
2. Assigning Domain Administrators to a Domain
Assign domain administration privileges to a domain administrator. You must be a platform administrator to assign and unassign domain administrators.
3. Mapping Roles for a Domain
Map logical roles to physical roles for a domain by setting the mapping state. Domain administrators map roles for the domains they control. Role mappings performed at the domain level are automatically applied to all domains that share the same security configuration. Domain-level role mapping overrides mapping set at the cluster level by the platform administrator.
See also
• Creating and Enabling a New Domain
• Deleting a Domain
• Registering a Domain Administrator User
• Assigning Domain Administrators to a Domain
• Viewing Applications for a Domain
• Viewing Application Connections for a Domain
• Scheduling Accumulated Data Cleanup for Domains
• Domain Logs
• Checking Client Application Logs
• Connections
Choosing a Security Configuration
Select a security configuration that provides authentication and optionally authorization, attribution, or auditing services. You can assign as many security configurations as needed to a domain.
Only super administrators have privileges to create security configurations. Domain administrators can view a security configuration only after a super administrator has assigned it to the domain.
1. In the left navigation pane, navigate to Cluster > Domains > <DomainName> > Security.
2. In the right administration pane, select the General tab and click Assign.
The Assign Security Configurations dialog appears.
3. Select one or more security configurations to assign to the domain by checking the box adjacent to the configuration name.
4. Click OK.
A message appears above the right administration pane menu indicating the success or failure of the assignment. If successful, the new security configuration appears in the list of security configurations.
5. To set the default security configuration for the domain, check the box adjacent to the configuration name and click Set Default.
6. To remove a security configuration, check the box adjacent to the configuration name and click Unassign.
You cannot remove a security configuration if:
• it is mapped to one or more MBO packages
• it is the default security configuration for the domain
• it is used by an application connection template.
Assigning Domain Administrators to a Domain
Assign domain administration privileges to a domain administrator. You must be a platform administrator to assign and unassign domain administrators.
Prerequisites
Ensure the user is already registered as a domain administrator in the Domain Administrators tab.
Task
1. In the left navigation pane, expand the Domains folder, and select the domain for which to assign domain administration privileges.
2. Select the domain-level Security folder.
3. In the right administration pane, select the Domain Administrators tab, and click Assign.
4. Select one or more administrator users to assign to the domain by checking the box adjacent to the user name.
5. Click OK.
A message appears above the right administration pane menu indicating the success or failure of the assignment. If successful, the new domain administrator appears in the list of users.
Mapping Roles for a Domain
Map logical roles to physical roles for a domain by setting the mapping state. Domain administrators map roles for the domains they control. Role mappings performed at the domain level are automatically applied to all domains that share the same security configuration. Domain-level role mapping overrides mapping set at the cluster level by the platform administrator.
Prerequisites
SAP Mobile Platform cannot query all enterprise security servers directly; to perform authentication successfully, you must know the physical roles that are required.
Task
1. In the left navigation pane of SAP Control Center, expand Domains > Domain name > Security and select the security configuration to map roles for.
2. In the right administration pane, click the Role Mappings tab.
3. Select a logical role and select one of the following in the adjacent list:
State   Description
AUTO    To map the logical role to a physical role of the same name.
NONE    To disable the logical role, which means that the logical role is not authorized.
MAP     To manually map the logical role when the physical and logical role names do not match. See Mapping a Physical Role Manually.
Mapping a Physical Role Manually
Use the Role Mappings dialog to manually map required physical roles for a logical role when physical and logical role names do not match. If names do not match, the AUTO mapping state does not work.
Prerequisites
SAP Mobile Platform cannot query all supported enterprise security servers directly; for successful authentication, you must know the physical roles your back-end systems require.
Task
You can map a logical role to one or more physical roles. You can also map multiple logical roles to the same physical role. If a role does not exist, you can also add or delete names as needed.
1. Review the list of existing physical role names that you can map to the logical role you have selected. If the list retrieved is too long to locate the name quickly, either:
• Click the banner of the Available Roles list to sort names alphanumerically.
• Start typing characters in the box, then click the Search button to filter the available list.
2. If a role that you require still does not appear, enter the Role name and click the + button.
The role name appears in the Available roles list with an asterisk (*). This asterisk indicates that an available role was added by an administrator, not a developer.
3. To remove a role you no longer require from the Available roles list, select the name and click the x button adjacent to the Role name field.
The role is removed and can no longer be mapped to a logical role.
4. To map a logical role that appears in the text area of the Role Mappings dialog to a physical role:
a) Select one or more Available roles.
b) Click Add.
5. To unmap a role:
a) Select one or more Mapped roles.
b) Click Remove.
The roles are returned to the Available roles list.
6. Click OK to save these changes.
Once a logical role has been manually mapped, the mapping state changes to MAPPED. The roles you have mapped appear in the active Physical Roles cell for either a package-specific or server-wide role mappings table.
Mapping State Reference
The mapping state determines the authorization behavior for a logical name instance.
State   Description
AUTO    Map the logical role to a physical role of the same name. The logical role and the physical role must match; otherwise, authorization fails.
NONE    Disable the logical role, which means that the logical role is not authorized. This mapping state prohibits anyone from accessing the resource (MBO or Operation). Carefully consider potential consequences before using this option.
MAPPED  A state that is applied after you have actively mapped the logical role to one or more physical roles. Click the cell adjacent to the logical role name and scroll to the bottom of the list to see the list of mapped physical roles.
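The following added example (not SAP Mobile Platform code or its API) models the three mapping states and the domain-over-cluster override described above, and audits a set of mappings for roles that deny everyone or can never match. It assumes exact name comparison, that any one mapped physical role suffices, and that an unlisted logical role behaves as AUTO; all role names and data are constructed.

```python
# Added illustration: a model of the documented mapping states, not SAP code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Mapping:
    state: str                          # "AUTO", "NONE" or "MAPPED"
    physical: frozenset = frozenset()   # consulted only when state == "MAPPED"

def effective_mapping(role, cluster_map, domain_map):
    """Domain-level mapping overrides cluster-level; unlisted roles are AUTO (assumption)."""
    if role in domain_map:
        return domain_map[role]
    return cluster_map.get(role, Mapping("AUTO"))

def is_authorized(role, user_roles, cluster_map, domain_map):
    """True if a user holding the physical roles user_roles satisfies the logical role."""
    m = effective_mapping(role, cluster_map, domain_map)
    if m.state == "NONE":               # logical role disabled: nobody is authorized
        return False
    if m.state == "AUTO":               # needs a physical role of the same name
        return role in user_roles
    if m.state == "MAPPED":             # assumption: any one mapped physical role suffices
        return bool(m.physical & set(user_roles))
    raise ValueError(f"unknown mapping state: {m.state}")

def audit(logical_roles, known_physical, cluster_map, domain_map):
    """List mappings that deny everyone or can never match a known physical role."""
    findings = []
    for role in logical_roles:
        m = effective_mapping(role, cluster_map, domain_map)
        if m.state == "NONE":
            findings.append((role, "NONE: resource is inaccessible to all users"))
        elif m.state == "AUTO" and role not in known_physical:
            findings.append((role, "AUTO: no physical role of the same name"))
        elif m.state == "MAPPED" and not (m.physical & known_physical):
            findings.append((role, "MAPPED: no mapped physical role is known"))
    return findings

# Constructed sample data (role names are invented for this example).
CLUSTER = {"Approver": Mapping("AUTO"),
           "Auditor": Mapping("MAPPED", frozenset({"SecOps"}))}
DOMAIN = {"Approver": Mapping("MAPPED", frozenset({"HR_Managers"})),
          "Auditor": Mapping("NONE")}
KNOWN = {"HR_Managers", "Viewer"}       # physical roles in the back-end directory
LOGICAL = ["Approver", "Viewer", "Auditor"]

if __name__ == "__main__":
    for finding in audit(LOGICAL, KNOWN, CLUSTER, DOMAIN):
        print(finding)
```

Running the audit before and after a domain-level change shows which logical roles the override silently locks out or opens up.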