Authentication and Authorization

Authentication

All server components involved in the development infrastructure use the user management functions of the J2EE Engine.

- The DTR Server, the CBS Server, and the CMS Server use the User Management Engine (UME) for user management tasks.

- The SLD Server and the Name Server use the user management functions configured in the J2EE Engine.

The standard user management setting in the J2EE Engine is UME. This means that, in most cases, both groups of components use the same user management functions.

Authorizations

The DTR Server defines a range of privileges and combines them with Access Control Lists (ACLs) to control access to the resources managed in the DTR. In the DTR you can specify which users are allowed or denied permission to perform a certain task. To control access, the DTR defines a fixed set of privileges, which you can then grant to or deny a user who has been authenticated by the User Management Engine (UME).

The SLD Server and the Name Server have the same technical basis. You can operate these two functions in a single system or in separate systems. Both components use J2EE roles as an authorization concept. For more information on security roles in SLD, see SAP Service Marketplace at service.sap.com/sld -> Media Library -> Post-Installation Guide – System Landscape Directory.

The CBS Server and the CMS Server use UME roles as an authorization concept. For more information, see Roles in the Component Build Service and Roles in the Change Management Service.

Examples

The following examples are intended to illustrate the authorizations required by various user groups for the server elements of the NetWeaver Java development infrastructure. The activities shown for these user groups largely correspond to those encountered in practice. If you have other user groups, adapt the authorizations according to your requirements.

From Support Package 12 of SAP Web Application Server, you can use two special inheritance types in your DTR permission settings: final and ignore. These settings suppress the regular inheritance of access rights from a directory to its subdirectories. final specifies that the definition of the access rights for a directory level also applies unconditionally to all subdirectories. The DTR server ignores any access rights defined for subdirectories. ignore specifies that a subdirectory does not take any of its access rights from higher directory levels.

The description below assumes that you are not using this option. If you do decide to use the function, you must make appropriate adjustments, particularly for the CMS user and NWDI administrators.

The inheritance type finalDeny available in earlier releases becomes obsolete from SPS 11. The DTR server ignores finalDeny. If you use this inheritance type, replace it with a combination of final and deny after you import SPS 11.
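The following is an added illustration, not code from the original document or from the DTR itself: a small, hypothetical model of how effective DTR permissions resolve along a directory path under regular inheritance and under the final and ignore inheritance types described above, including the final + deny combination that replaces finalDeny. The privilege names (access, read, write, checkin, adminX) are taken from this page; the directory paths, the DirAcl class, the rule that the nearest explicit definition wins under regular inheritance, and the default of denying an undefined privilege are assumptions of this model and are not statements about the real DTR implementation.

```python
"""Toy model of DTR-style ACL inheritance (hypothetical; not the DTR API)."""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Privilege names as they appear on the page; "adminX" stands in for the
# administrative privileges, as the page writes it.
PRIVILEGES = ("access", "read", "write", "checkin", "adminX")


@dataclass
class DirAcl:
    """ACL definition for one directory and one principal (assumed structure)."""
    # privilege -> "grant" or "deny"; privileges not listed are not defined here
    rules: Dict[str, str] = field(default_factory=dict)
    # None   = regular inheritance from the parent directory
    # "final"  = this level's rights apply unconditionally to all subdirectories
    # "ignore" = this directory takes no rights from higher directory levels
    inheritance: Optional[str] = None


def effective_rules(acls: Dict[str, DirAcl], path: str) -> Dict[str, str]:
    """Resolve the effective grant/deny map for `path` by walking from the root.

    Assumptions of this model (not taken from the page):
      * under regular inheritance the nearest explicit definition wins;
      * a privilege with no definition anywhere is treated as denied.
    The handling of "final" and "ignore" follows the page's description.
    """
    parts = [p for p in path.strip("/").split("/") if p]
    # Chain of directories from the root down to the requested path
    chain = ["/"] + ["/" + "/".join(parts[: i + 1]) for i in range(len(parts))]

    effective: Dict[str, str] = {}
    for directory in chain:
        acl = acls.get(directory, DirAcl())
        if acl.inheritance == "ignore":
            effective = {}            # drop everything inherited from above
        effective.update(acl.rules)   # this level's own definitions apply
        if acl.inheritance == "final":
            break                     # deeper definitions are ignored by the server
    return effective


def has_privilege(acls: Dict[str, DirAcl], path: str, privilege: str) -> bool:
    """True only if the privilege resolves to an explicit grant."""
    if privilege not in PRIVILEGES:
        raise ValueError(f"unknown privilege {privilege!r}")
    return effective_rules(acls, path).get(privilege) == "grant"


# Constructed sample ACL tree (directory names are invented for the example)
SAMPLE_ACLS = {
    "/": DirAcl(rules={"access": "grant", "read": "grant"}),
    "/ws/project": DirAcl(rules={"write": "grant", "checkin": "grant"}),
    # Replacement for the obsolete finalDeny: final combined with explicit deny
    "/ws/project/frozen": DirAcl(
        rules={"write": "deny", "checkin": "deny"}, inheritance="final"
    ),
    # A grant defined below a "final" directory: the server ignores it
    "/ws/project/frozen/attempt": DirAcl(rules={"write": "grant"}),
    # "ignore": nothing from the root is inherited, only what is defined here
    "/ws/sandbox": DirAcl(
        rules={"access": "grant", "write": "grant"}, inheritance="ignore"
    ),
}


if __name__ == "__main__":
    for p, priv in [("/ws/project", "write"),
                    ("/ws/project/frozen/attempt", "write"),
                    ("/ws/project/frozen/attempt", "read"),
                    ("/ws/sandbox/sub", "read")]:
        print(f"{p:30} {priv:8} -> {has_privilege(SAMPLE_ACLS, p, priv)}")
```

Walking the chain from the root makes the two special types easy to reason about: ignore resets the accumulated rights at the directory that carries it, while final stops the walk so that nothing defined further down can widen or narrow the rights fixed at that level. This is why the page tells you to revisit the CMS user and administrator ACLs when you adopt these types: a final directory above a workspace will also cap the rights of those accounts.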

Developer

Assume that a developer performs the following activities:

- Creating and developing development components

- Reserving names for development objects

- Checking source code in and out

- Activating changes in the DTR and triggering the central build process in the CBS

- Releasing activities for transport

This means that a developer requires the following authorizations in the server elements:

Server Element   Authorizations
---------------  ------------------------------------------------------------
Name Server      LcrInstanceWriterNR
SLD              LcrUser
CBS              CBS.Developer
DTR              All authorizations as described under Authorizations for the DTR Client, and access, read, write, and checkin for project-relevant workspaces
CMS              CMS.Display, CMS.ExportOwn

Project Manager

Assume that a project manager (including product managers, development managers, and quality managers) performs the following activities, in addition to normal development activities:

- Creating and changing product information in the SLD

- Entering reserved namespace prefixes on the Name Server

- Creating and changing tracks for relevant projects in the CMS

- Administering the activities of team members

- Importing software components; transporting change requests; assembling software component versions; confirming the release of software component versions

This means that a project manager requires the following authorizations in the server elements:

Server Element   Authorizations
---------------  ------------------------------------------------------------
Name Server      LcrInstanceWriterNR and LcrInstanceWriterCR
SLD              LcrInstanceWriterCR and LcrInstanceWriterLD
CBS              CBS.xDeveloper, CBS.QM
DTR              All permissions for project-relevant workspaces (except adminX), as well as the permissions for developers
CMS              CMS.Administrate

Administrators of the Development Infrastructure

Administrators of the NetWeaver Java development infrastructure require the following authorizations:

Server Element   Authorizations
---------------  ------------------------------------------------------------
Name Server      LcrAdministrator
SLD              LcrAdministrator
CBS              CBS.Administrator
DTR              All permissions for the root directory and all its subdirectories
CMS              CMS.Administrate

CMS User

The central communication user for a CMS domain requires the following authorizations:

Server Element   Authorizations
---------------  ------------------------------------------------------------
Name Server      None
SLD              LcrInstanceWriterLD
CBS              CBS.Administrator
DTR              All permissions for the root directory and all its subdirectories, except for access and adminX
CMS              CMS.Administrate