Configuring SLD Security Roles


The SLD functions are protected from unauthorized access. There are several J2EE security roles and corresponding User Management Engine (UME) actions that are assigned to different SLD functions.

There is no corresponding UME action for the DataSupplierLD J2EE security role.

J2EE Security Roles and UME Actions



Read access to SLD data.


Read-only access to all SLD data and UI, including the Administration area (used for SAP support).


Create, modify and delete CIM classes (includes the LcrUser role).


Create, modify and delete CIM instances of the Landscape Description subset (includes the LcrUser role).


J2EE security role with no corresponding UME action

Create, modify and delete CIM instances of the Landscape Description subset as a data supplier without access to the SLD UI.


Create, modify and delete CIM instances of the Component Information subset (includes the LcrUser role).


Create, modify and delete CIM instances of the Name Reservation subset (includes the LcrUser role).


Create, modify and delete all types of CIM instances (includes the LcrUser, LcrInstanceWriterCR, LcrInstanceWriterLD, and LcrInstanceWriterNR roles).


Administrative tasks (includes all other roles).

Before you can use the SLD, you have to map these security roles and actions to individual users or user groups.

We recommend that you create user groups and map them to the appropriate security roles and actions instead of assigning them to individual users.

Users that belong to a particular group receive all permissions that are granted to the group. We recommend that you use the following user groups with the corresponding role assignment:

User Group

Assigned Security Role






LcrInstanceWriterLD and LcrInstanceWriterNR









You have to create these groups with the appropriate tool for your user store (J2EE, ABAP or LDAP). If the UME is used with an ABAP-based system as the back-end user storage, these groups already exist except for SAP_SLD_DATA_SUPPLIER and SAP_SLD_SUPPORT. (ABAP user roles appear as user groups on the J2EE side. SAP Web AS ABAP 6.40 and above contains these default user roles.)

If these groups exist, you can perform the mappings that are defined in the table above.

If you want to set up SLD security for test purposes, you only have to map the LcrAdministrator role to the SAP_SLD_ADMINISTRATOR group and assign an administrator user to this group.



1. In your Web browser, enter the URL of the Identity Management using the following pattern: http://<host>:<port>/useradmin.

2. Create UME roles and assign to them the corresponding UME actions.

The UME actions are already defined in the UME.

We recommend that you define these roles with the same name as the corresponding J2EE role. Associate each role with the corresponding UME action, for example the LcrUser role with the LcrUser action.

3. Create user groups and assign each new UME role to the appropriate user group as defined in the table above. For example, assign the SAP_SLD_GUEST group to the LcrUser UME role.

4. Assign users to the user groups.

5. Log on to the J2EE Engine Visual Administrator as an administrator.

6. Choose Services → SLD Data Supplier.

7. Choose Assign User Groups to Roles.

The SLD configuration service performs the default mappings of user groups to J2EE security roles.

For more information about managing security roles, see Managing Users, Groups, and Roles.