
Restricting MDM client access when LDAP is in use

Former Member

Hi all,

I'm struggling a bit with MDM's security concept and hope you can help.

We're using LDAP integration so we don't need to create all users in MDM. Most users shall use the Portal with MDM iViews to access and maintain data. Very few users shall use rich clients, like Data Manager or Import Manager.

Some MDM Web Services run in the background of the portal process to automate some tasks, but still with the portal user authentication to make sure that the change tracking / user stamp fields are filled correctly.

I know that LDAP is either on or off, so if we use it, we must use it for both portal and rich client. This means, everybody with a Data Manager installation and MDMRoles in LDAP can log in to Data Manager and use it according to their role. This, we want to prevent, as Data Manager generally offers way more functionality than we want our endusers to have but which we cannot restrict in the role definition so as not to corrupt our portal integration (e.g. the Web Services need more functional rights than a Data Manager user shall have).

Of course we will restrict who gets an installation of Data Manager, but this is hardly enough to ensure security policy, if people simply install the client software themselves.

We already considered a firewall between client and server and only opening the port 20005 for select users (by fixed IP addresses), but that same port is used by Data Manager and Java API (meaning our portal / Web Services), so we would also restrict the portal access.

Is there a solution to grant portal access for basically everyone and rich client access for a select few while having LDAP in use?

Thanks a lot in advance!

Cheers

Christiane

Answers (2)

former_member188878
Active Contributor

Dear Christine,

A few inputs from my side that will help you out.

1. Create an approval process for the installation of Data Manager for all users. This will restrict the user from installing the software on their system.

2. You can also try out SAP IDM.

Regards

Shankar

Former Member

Hi Shankar,

thanks for your reply! I think your first point sounds promising, but I'm not too good at OS topics. Can you simply deny installation privileges for a single tool, without affecting the installation of other tools?

If you could clear that up, I'd be very grateful!

Thanks

Christiane

former_member205403
Active Contributor

Hi,

I don't think you can restrict an OS user from installing one specific tool. You would have to restrict users from installing all new tools.

Do not grant admin rights to users on their machines, and set up a process for the installation of new tools on users' machines. Then, when any MDM user needs a component installed, the network/help desk can install the new components on the user's machine.

Hope it is clear.

Best Regards,

Shiv

Former Member

Hello

In one of our projects, users were using a shopping tool for requesting the installation of MDM tools/GUIs.

They did not have admin rights on their machines/laptops.

The approval for MDM Data Manager can have an added check or an additional approval required.

Once approved, the software is installed automatically, using a bubble confirmation.

This also helps in ensuring that patch upgrades are applied consistently to all MDM users.

Hope this helps.

Ravi

Former Member

Hi Christiane,

I think you can restrict more of the Data Manager functionality for an LDAP user. For this, assign the user a role which does not have access to create data etc., as per the role assigned to that user in LDAP. I mean that the user is able to perform operations in Data Manager according to the groups he is a member of (roles in MDM). In MDM Console, you have the Roles table where you can see Tables and Fields and Functions; here you can set the access to none for the functions, tables and fields.

For more details, please refer to page 4 onwards of Step-by-Step Process to Configure LDAP Support for MDM: http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/8054d5e1-1000-2c10-a09e-a168973f74b5?quicklink=index&overridelayout=true

Just check and revert with the result.

Hope it helps.

Regards,

Mandeep Saini

Former Member

Hi Mandeep,

thanks for your swift reply!

I looked at the guide, but it seems to me that the role assignment you do in the directory applies to the user, without making a distinction between rich and thin client. So if I assign the user a role without write access, he also won't be able to edit in the portal.

I'm afraid I'll have to find a way to prevent Data Manager installation altogether to prevent unauthorized access.

Cheers

Christiane