Granting Initial Privileges (SAP Library - SAP Web AS for Java Applications)

Granting Initial Privileges

For the first authorizations, define two Access Control Lists:

· One ACL for the root directory (“/”)

This ACL contains the basic privileges for all users (read, change, check in).

· One ACL for the system directory

This ACL grants authorizations for administrators only.

Caution

The ACL for the root directory is essential: If you grant privileges only to inferior nodes, you lock the server for all users.

Procedure

...

1. Start the DTR Admin Plug-In.

2. In the repository browser, select the root node.

Note

Usually, this node is labeled <user> on <system>.

3. In the context menu, choose View Permissions.

The Permissions view of folder /ws appears.

4. To maintain authorizations for the root directory, enter its URL:

From the title bar of the Permissions view View Permissions for URL..., choose Menu This graphic is explained in the accompanying text .

Note

Usually, the proposed value is exactly the URL of the root directory (http://<server>:<port>/dtr/), so that you can just accept this value.

The Permissions view of the root directory appears.

5. In the Permissions view, choose Add Principal from the context menu.

A dialog window appears.

6. Make the following settings:

a. As the Principal Type, select ALL.

b. Select the following principles:

§ access

§ read

c. Confirm your settings with OK.

7. In the Repository Browser, navigate to the directory /ws/system.

8. In the context menu, choose View Permissions.

The Permissions view for /ws/system appears.

9. In the Permissions view, choose Add Principal from the context menu.

A dialog window appears.

10. Make the following settings:

a. As the Principal Type, select ALL.

b. Select the following privileges:

§ access

§ read

§ write

c. As the privilege type, select deny.

d. Confirm your settings with OK.

11. Again select Add Principal.

A dialog window appears.

12. Make the following settings:

a. As the principal type, select USER.

b. Enter the name of the administrator.

c. Select the following privileges:

§ access

§ read

§ write

d. Confirm your settings with OK.

13. Repeat these steps for all administrators.

14. To activate your changes, choose Activate all Changes This graphic is explained in the accompanying text .

15. Wait for five minutes until the changes take effect or open a browser window under the URL http://<DTR server>:<port>/dtr/sysconfig/support/AclRefresh and choose Refresh.

Emergency User Account

Consider the worst case: You accidentally set the permissions too restrictive, thus excluding all users or at least yourself. This implies that you do not have the authorization to undo these changes. In this case, you can use a special user account with all rights to all resources.

Maintain this user as follows:

· File /system/config/active/registry/repository.properties

· Property com.tssap.dtr.server.deltav.um.superadmin.name.

· The default value is superadmin.

If this default user does not yet exist in the user management system, all you must do is create it there.

Caution

We strictly advise against maintaining the password in the file repository.properties. The password should be stored only in the user management system.