
Authorizations for SSO to backend systems: URGENT

Former Member
0 Kudos

Hello,

I have EP 7 SPS13 set up to authenticate from LDAP. This works fine and has for a while.

Recently, however (today in fact), I've discovered that end-users who do not have access to the content admin, system admin, etc. roles are unable to use SSO to the back end. For instance, we have created some custom roles, e.g. "Employee", so that employees can log in and have their own tab and do things like get their pay slip. The pay slip data comes from an R/3 system on the back. However, unless I give them authorization to content administration, or some admin roles, the function doesn't work. I see the message:

"Message: Connection to SAP system failed User is missing credentials for connecting to alias QAS. Contact your system administrator."

...on the front end in the portal. Looking at the log viewer in Visual Administrator, I see errors that say:

"ACCESS.ERROR: Authorization check for caller assignment to J2EE security role [service.jms.default.authorization : administrators] referencing J2EE security role [SAP-J2EE-Engine : administrators]."

I've tested out stripping all of my admin privileges from my LDAP account and just giving myself the content admin role and the employee role to see if the pay slip function worked... and it did. I take away the content admin role, pay slip doesn't work.

My question is whether or not there is some action that I can single out and assign to a role so that these end-users can use SSO to the back end without having to have content admin or some administrative role?

I've gone into Vis Admin>Security Provider>service.jms.default.authorization and added my LDAP account to the "administrators" security role since I assumed that's what it wanted, and still I'm having no luck.

Does anyone have any experience with this??

I'll award points for anything helpful.

Thanks!

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

Never mind, I figured it out.

The user groups needed permissions access to the system profile in the portal, as well as the iviews it was trying to access.