sld roles for jdi developers

Former Member
0 Kudos

Hi,

We have the same UME (an ABAP system) for the J2EE engines of JDI and SLD (they are both running on different machines). In the backend there is no role assigned to my user "X". In the UME, I assigned my username to the JDI.Developers group (this group by default has the JDI.Developer role and also LcrInstanceWriterNR).

I started my NWDS development configuration perspective and clicked on OFFLINE to log in. I entered the username and password and was able to log in, but got a dialog with the warning

"Name Server http://<servername>/sld/cimom is unreachable.

Landscape Directory <servername>:<serverport> HTTP response code: 403 Forbidden"

Since it was a warning, I ignored it and then clicked on import configuration now, and selected remote; a dialog popped up with the following exception. So, I think we need to assign some roles in SLD for this JDI developer. Could you please let me know what those roles are that should be assigned?

-


HTTP response code: 403 Forbidden
com.sap.lcr.api.cimclient.LcrException: com.sap.lcr.api.cimclient.CIMClientException: HTTP response code: 403 Forbidden
    at com.sap.lcr.api.cimclient.HttpRequestSender.newClientException(HttpRequestSender.java:516)
    at com.sap.lcr.api.cimclient.HttpRequestSender.processResponse(HttpRequestSender.java:407)
    at com.sap.lcr.api.cimclient.HttpRequestSender.send(HttpRequestSender.java:581)
    at com.sap.lcr.api.cimclient.CIMOMClient.sendImpl(CIMOMClient.java:195)
    at com.sap.lcr.api.cimclient.CIMOMClient.send(CIMOMClient.java:147)
    at com.sap.lcr.api.cimclient.CIMOMClient.enumerateInstancesImpl(CIMOMClient.java:436)
    at com.sap.lcr.api.cimclient.CIMOMClient.enumerateInstances(CIMOMClient.java:740)
    at com.sap.lcr.api.cimclient.CIMClient.enumerateInstances(CIMClient.java:983)
    at com.sap.lcr.api.sapmodel.JavaCIMObjectAccessor.enumerateInstances(JavaCIMObjectAccessor.java:211)
    at com.sap.lcr.api.sapmodel.SAP_DesignTimeConfigurationAccessor.enumerateInstances(SAP_DesignTimeConfigurationAccessor.java:168)
    at com.sap.ide.eclipse.component.devconf.DevConfManager$3.run(DevConfManager.java:596)
    at org.eclipse.swt.custom.BusyIndicator.showWhile(BusyIndicator.java:69)
    at com.sap.ide.eclipse.component.devconf.DevConfManager.listRemoteDevConfNames(DevConfManager.java:590)
    at com.sap.ide.eclipse.component.wizard.LoadDevConfPage.fillTable(LoadDevConfPage.java:225)
    at com.sap.ide.eclipse.component.wizard.LoadDevConfPage$5.widgetSelected(LoadDevConfPage.java:281)
    at org.eclipse.swt.widgets.TypedListener.handleEvent(TypedListener.java:89)
    at org.eclipse.swt.widgets.EventTable.sendEvent(EventTable.java:81)
    at org.eclipse.swt.widgets.Widget.sendEvent(Widget.java:840)
    at org.eclipse.swt.widgets.Display.runDeferredEvents(Display.java:2022)
    at org.eclipse.swt.widgets.Display.readAndDispatch(Display.java:1729)
    at org.eclipse.jface.window.Window.runEventLoop(Window.java:583)
    at org.eclipse.jface.window.Window.open(Window.java:563)
    at com.sap.ide.eclipse.component.provider.actions.DevConfNewAction.run(DevConfNewAction.java:46)
    at com.tssap.selena.model.extension.action.SelenaActionCollector$GenericElementActionWrapper.run(SelenaActionCollector.java:229)
    at com.tssap.util.ui.menu.MenuFactory$MuSiAction.saveRunAction(MenuFactory.java:1425)
    at com.tssap.util.ui.menu.MenuFactory$MuSiAction.run(MenuFactory.java:1391)
    at com.tssap.util.ui.menu.MenuFactory$DelegateAction.processInternal(MenuFactory.java:616)
    at com.tssap.util.ui.menu.MenuFactory$DelegateAction.access$100(MenuFactory.java:586)
    at com.tssap.util.ui.menu.MenuFactory$DelegateAction$BusyProcessWorker.run(MenuFactory.java:716)
    at org.eclipse.swt.custom.BusyIndicator.showWhile(BusyIndicator.java:69)
    at com.tssap.util.ui.menu.MenuFactory$DelegateAction.process(MenuFactory.java:610)
    at com.tssap.util.ui.menu.internal.MenuListenerFactory$ProcessAdapter.widgetSelected(MenuListenerFactory.java:172)
    at org.eclipse.swt.widgets.TypedListener.handleEvent(TypedListener.java:89)
    at org.eclipse.swt.widgets.EventTable.sendEvent(EventTable.java:81)
    at org.eclipse.swt.widgets.Widget.sendEvent(Widget.java:840)
    at org.eclipse.swt.widgets.Display.runDeferredEvents(Display.java:2022)
    at org.eclipse.swt.widgets.Display.readAndDispatch(Display.java:1729)
    at org.eclipse.ui.internal.Workbench.runEventLoop(Workbench.java:1402)
    at org.eclipse.ui.internal.Workbench.run(Workbench.java:1385)
    at com.tssap.util.startup.WBLauncher.run(WBLauncher.java:79)
    at org.eclipse.core.internal.boot.InternalBootLoader.run(InternalBootLoader.java:858)
    at org.eclipse.core.boot.BootLoader.run(BootLoader.java:461)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at com.sap.ide.eclipse.startup.Main.basicRun(Main.java:286)
    at com.sap.ide.eclipse.startup.Main.run(Main.java:795)
    at com.sap.ide.eclipse.startup.Main.main(Main.java:602)

-


Thank you

Accepted Solutions (1)

sid-desh
Advisor
0 Kudos

Hi,

I was not able to get this statement:

>In the backend there is no role assigned to my user "X". In the UME, I assigned my username to JDI.Developers group (This group by default has JDI.Developer role and also LcrInstanceWriterNR).

By backend, do you mean the ABAP system which you use for user mgmt? If that is so, in which user mgmt did you assign the JDI.Developer role to the user?

Please do let us know this.

Regards

Sidharth

Former Member
0 Kudos

Hi Sidharth,

I have an ABAP system X, having users. NWDI and SLD, which are running on two different J2EE instances, are using system X as UME, i.e. the users for these two J2EE instances come from system X.

I think the following would help me to solve my problem.

1. Where should the GROUPS JDI.Administrators and JDI.Developers be created: on the instance that has NWDI or the instance that has SLD? I created them on the instance having NWDI.

2. Now the users are assigned to these two groups, JDI.Administrators and JDI.Developers.

3. Also, I assigned the lcr* UME roles to the groups JDI.Administrators and JDI.Developers on the instance where JDI is installed. Am I right? Should we also assign the same roles to these users on the SLD J2EE engine, or is it not required?

4. What roles should be assigned for all these users on the instance which has SLD?

Should I assign some roles such as "SLD_ORGANIZER", "SLD_DEVELOPER" and "SLD_ADMINISTRATOR" on the instance where SLD is running for these particular users?

Could you please clarify this for me?

Thank you

P.S:

It would be great if you could just let me know what roles we should assign for the developers and administrators on both J2EE instances (NWDI and SLD).

What are these particular roles used for: "SAP_XI_CMS_SERV_USER", "SAP_CMS_ADMINISTRATOR"? Do they play any role in my configuration of JDI?

Message was edited by: Reddy

htammen
Active Contributor
0 Kudos

Hi Reddy,

If you use an ABAP system as the data source for the UMEs of your J2EE engines, you should manage your users in this ABAP system.

You have to define roles in the user management of the ABAP system. These roles are assigned to users (also in ABAP system).

Then the roles are automatically mapped to UME groups in your J2EE engines.

You can now define JDI.Developer, JDI.Administrator ... roles in the UME of the NWDI engine and assign these roles to the groups that come from the ABAP system.

Granting access to SLD functions is done via J2EE security. So you have to use Visual Admin to assign the LcrInstanceWriterNR, ... permission to the groups replicated from ABAP system.

Hope this helps

Helmut

sid-desh
Advisor
0 Kudos

Hi,

Since all the users are being maintained centrally, all you have to do is create users in the ABAP system and assign the roles there. There is no need for you to create the users in the individual J2EE engines.

In the ABAP stack you can assign SLD_DEVELOPER and SAP_XI_CMS_SERV_USER to a user.

Hope this helps.

Regards

Sidharth

Former Member
0 Kudos

Hi Helmut & Sidharth,

Sorry for extending the thread, but I have a few more questions. Please help me in this regard.

1. All the users are already in the ABAP System. I have only three users there, NWDI_DEV and NWDI_ADM. Please tell me what roles should I assign to these users in the ABAP system.

2. Where should I create the groups "JDI.ADMINISTRATORS" and "JDI.DEVELOPERS"? It should definitely be in the J2EE engine of JDI. Am I right?

3. Where should I create the roles JDI.DEVELOPER and JDI.ADMINISTRATOR? These should be created in the J2EE engine of JDI. Am I right? And these roles should be assigned the actions

JDI.DEVELOPER :

CBS.Developer

CMS.Display

CMS.ExportOwn

JDI.ADMINISTRATOR:

CBS.Administrator

CMS.Administrate

4. In the j2ee engine of JDI, I will assign the groups JDI.Administrator and JDI.Developer to the security roles LcrInstanceWriterAll and LcrInstanceWriterNR. Am I right?

5. In the ABAP Backend system, I will assign

NWDI_DEV to SAP_SLD_CONFIGURATOR and

NWDI_ADM to SAP_SLD_ORGANIZER

as said in http://help.sap.com/saphelp_nw04/helpdata/en/4e/90a43f4aa1330ee10000000a114084/frameset.htm

Are these roles enough in the ABAP backend system for these users, or should I assign any other roles?

6. So, now where are the roles SAP_XI_CMS_SERV_USER and SAP_CMS_ADMINISTRATOR, which are in the ABAP system, being used by me? I didn't use them anywhere. Could you please let me know to which user (NWDI_DEV/NWDI_ADM) these roles must be assigned?

Sorry for the long list. It would be great if you could comment on it.

Thank you

P.S: My Plan is to use this

user     | abap backend role | nwdi j2ee engine         | sld j2ee engine
nwdi_adm | sld_organizer     | group jdi_administrators | nothing
nwdi_dev | sld_configurator  | group jdi_developers     | nothing

Correct me if I am wrong.

Message was edited by: Reddy

sid-desh
Advisor
0 Kudos

Hi,

Since you are using a central UME which is the ABAP system you have to create the users only there. Since the J2EE engines of SLD and JDI are using the ABAP system as UME they will connect to ABAP system to check for authorizations.

Now create the users in the ABAP system. Also create the roles and relevant groups using the URL http://<ABAPSystemHost>:5<InstanceNr>00/useradmin and also assign the SLD authorizations in this host (ABAP system host). Now SLD authorizations can be given using ABAP stack or Java stack (using Visual Admin).

Also please change the passwords of the user once.

I believe this will be sufficient.

Regards

Sidharth

Former Member
0 Kudos

Hey Sidharth,

Your answer:

"Also create the roles and relevant groups using the URL http://<ABAPSystemHost>:5<InstanceNr>00/useradmin and also assign the SLD authorizations in this host (ABAP system host)"

Sorry, I didn't understand this.

When you create the roles "jdi.developer" and "jdi.administrator" in http://<ABAPSystemHost>:5<InstanceNr>00/useradmin, it means that they will be "UME roles".

How will the J2EE instance of JDI know these UME roles, although they are using the same ABAP system for users?

I am not sure if I am clear.

OK, let us do it this way: it would be great if you could answer the following. Just a one-line answer would be okay.

I have an XI system (ABAP system (let us say, AB) and Java instance (JC1) + SLD).

I have my NWDI installed in J2EE instance JC2.

Now just tell me,

1. the users nwdi_Adm and nwdi_dev will be created on system AB?

2. where will you create roles jdi.developer, jdi.administrator? AB,JC1,JC2

3. where will you create groups JDI.DEVELOPERS and JDI.ADMINISTRATORS? AB,JC1,JC2

4. what SLD ROLES should be assigned to nwdi_adm, nwdi_Dev and on which system AB,JC1,JC2

Thank you

P.S.: Sorry if I am not clear in explaining my problem.

sid-desh
Advisor
0 Kudos

Hi,

How will the J2EE instance of JDI or the J2EE instance of SLD understand what roles have been assigned to users?

--> They are using the same ABAP system as the user store and hence they will also recognise the roles.

Now to your questions:

1. the users nwdi_Adm and nwdi_dev will be created on system AB?

Yes

2. where will you create roles jdi.developer, jdi.administrator? AB,JC1,JC2

AB

3. where will you create groups JDI.DEVELOPERS and JDI.ADMINISTRATORS? AB,JC1,JC2

AB

4. what SLD ROLES should be assigned to nwdi_adm, nwdi_Dev and on which system AB,JC1,JC2

AB

All the answers assume that you are using the central user store i.e. the ABAP system. User Store or UME incorporates the creation of users and assigning them various roles.

Regards

Sidharth

htammen
Active Contributor
0 Kudos

Hi Sidharth,

I think I have to correct you.

Look at http://help.sap.com/saphelp_nw04/helpdata/de/49/9dd53f779c4e21e10000000a1550b0/frameset.htm

and

http://help.sap.com/saphelp_nw04/helpdata/de/4e/90a43f4aa1330ee10000000a114084/frameset.htm

Here are the details.

So the correct answers are:

1. the users nwdi_Adm and nwdi_dev will be created on system AB?

YES, but can also be created on system JC1 or JC2 if UME is configured accordingly.

2. where will you create roles jdi.developer, jdi.administrator? AB,JC1,JC2

JC2. These are the UME Roles, not the ABAP roles.

3. where will you create groups JDI.DEVELOPERS and JDI.ADMINISTRATORS? AB,JC1,JC2

AB as roles in transaction PFCG. That's because your ABAP system is an XI system. These roles appear as groups in the UME of the J2EE engines.

4. what SLD ROLES should be assigned to nwdi_adm, nwdi_Dev and on which system AB,JC1,JC2

Assign nwdi_Dev to group SAP_SLD_DEVELOPER and assign LcrInstanceWriterNR to this group if not already done during installation of SLD. You perform this action in Visual Admin.

nwdi_adm does not have to have any permissions in SLD.

The system for this is JC1.

@Reddy: I hope this clarifies your problems. Otherwise read the mentioned documentation carefully.

Best regards

Helmut
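The layout Helmut describes above, as an added example that is not part of the original thread and not SAP code: a simplified Python model showing why a J2EE security role granted on the NWDI engine (JC2) still leaves the SLD on JC1 answering 403. All assignments are constructed sample data, and the 401 branch for an unknown user is an assumption based on ordinary HTTP semantics.

```python
# Added illustration, not SAP code: a simplified model of the setup in this thread.
# AB = ABAP user store, JC1 = J2EE engine running SLD, JC2 = J2EE engine with NWDI.
# All assignments below are constructed sample data.

# ABAP roles per user (PFCG on AB); each shows up as a UME group on JC1 and JC2.
ABAP_ROLES = {
    "X": {"JDI.DEVELOPERS"},
    "nwdi_dev": {"JDI.DEVELOPERS", "SAP_SLD_DEVELOPER"},
    "nwdi_adm": {"JDI.ADMINISTRATORS"},
}

# J2EE security roles are granted per engine (Visual Admin): engine -> group -> roles.
SECURITY_ROLES = {
    "JC1": {"SAP_SLD_DEVELOPER": {"LcrInstanceWriterNR"}},
    "JC2": {"JDI.DEVELOPERS": {"LcrInstanceWriterNR"}},
}
SLD_ENGINE = "JC1"  # the only engine where the SLD application runs


def effective_roles(user, engine):
    """Security roles a user holds on one engine, via groups coming from AB."""
    granted = set()
    for group in ABAP_ROLES.get(user, set()):
        granted |= SECURITY_ROLES.get(engine, {}).get(group, set())
    return granted


def sld_status(user):
    """Modelled HTTP status for a request to the SLD on SLD_ENGINE."""
    if user not in ABAP_ROLES:
        return 401  # assumption: an unknown user fails authentication
    lcr = {r for r in effective_roles(user, SLD_ENGINE) if r.startswith("Lcr")}
    return 200 if lcr else 403  # authenticated, but no SLD role on JC1


def misplaced_grants():
    """Lcr* grants on engines where SLD does not run; they have no effect."""
    return sorted(
        (engine, group, role)
        for engine, groups in SECURITY_ROLES.items() if engine != SLD_ENGINE
        for group, roles in groups.items()
        for role in roles if role.startswith("Lcr")
    )


if __name__ == "__main__":
    for user in sorted(ABAP_ROLES):
        print(user, sld_status(user))
    print("grants with no effect:", misplaced_grants())
```

User X reproduces the situation in the first post: the role exists on JC2 only, so the SLD request is authenticated but refused.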

sid-desh
Advisor
0 Kudos

Hi Helmut,

I am not sure, because Reddy has already mentioned that they have a central UME. So for all users the authorizations will be checked in the XI system, both in the Java stack (for JDI roles) and the ABAP stack.

Hence all roles and users should be created there.

These are my first thoughts. Will try to go thru the links that you have provided and check.

Thanks

Regards

Sidharth

htammen
Active Contributor
0 Kudos

Hi Sidharth,

How can you define a central UME? As far as I know each J2EE engine has its own UME (it's a service) and you can configure several UMEs against one central user store like an LDAP or an ABAP system.

Let's assume it is possible to define the authorizations in the ABAP system. How does this system know which UME permissions (e.g. CMS.Administrate) or J2EE application roles (e.g. LcrInstanceWriterNR) are available at the J2EE engines?

The ABAP system doesn't have a connection to the J2EE engines. It goes the other way round. The UME of the J2EE engines gets the data from the ABAP system.

Regards

Helmut

If you could define all authorizations from the ABAP system this system would have to know which

sid-desh
Advisor
0 Kudos

Hi Helmut,

1. Let's say in the ABAP host I go and create roles JDI.Developer and group JDI.Developers using http://<ABAPHost>:50000/useradmin

2. This group JDI.Developers will become a role in the ABAP stack.

3. Now I create user X and assign him the roles JDI.Developers and SLD_* in the ABAP stack.

4. When I try to log in to SLD (which is hosted on a different J2EE engine, e.g. JC1) using the user X, in my opinion the authentication and authorization of this user will be done against the user store of the ABAP system. Now, since I have assigned some SLD role in the ABAP stack, it should be able to log in. I have not done anything in JC1 and it uses the user store of the ABAP system.

What do you think?

Regards

Sidharth

htammen
Active Contributor
0 Kudos

Hi Sidharth,

I think that there are at least two errors in your thoughts.

1. I've never called an application http:// security roles.

Regards

Helmut

Answers (1)

Former Member
0 Kudos

Hi Helmut and Sidharth,

Sorry for jumping in late into the discussion. Yes, that was the doubt that I was having, i.e. how come the UME roles will be visible in the ABAP system. But it is clear now. Now it is clear to me what roles I should assign and where.

Sidharth,

Thank you very much for your valuable replies, which drove me onto the correct path.

Helmut,

Thank you too for explaining it clearly. One final comment on your answer to my question number 4:

-


4. what SLD ROLES should be assigned to nwdi_adm, nwdi_Dev and on which system AB,JC1,JC2

Assign nwdi_Dev to group SAP_SLD_DEVELOPER and assign LcrInstanceWriterNR to this group if not already done during installation of SLD. You perform this action in Visual Admin.

nwdi_adm does not have to have any permissions in SLD.

The system for this is JC1.

-


1. In the installation doc, it was mentioned that the nwdi_administrators group must be assigned to "LcrInstanceWriterAll". In our scenario, the user nwdi_adm belongs to group nwdi_Administrators. Shouldn't we assign this user to LcrInstanceWriterAll (SLD_ORGANIZER on AB) on JC1?

2. Also, there is no need to assign the security roles LcrInstanceWriterNR / LcrInstanceWriterAll on JC2. Am I right?

3. CMSadm, who belongs to group nwdi_Administrators, should be assigned the role "LcrInstanceWriterAll" (SLD_ORGANIZER on AB) on JC1. Am I right?

Thank you

P.S: I promise that this would be my final question.

htammen
Active Contributor
0 Kudos

Hi Reddy,

>1. In the installation doc, it was mentioned that the nwdi_administrators group must be assigned to "LcrInstanceWriterAll". In our scenario, the user nwdi_adm belongs to group nwdi_Administrators. Shouldn't we assign this user to LcrInstanceWriterAll (SLD_ORGANIZER on AB) on JC1?

Leave it like it is. You need to have a person or group who is able to do SLD administration. This must not be the NWDI.Administrators but they can.

>2. Also, there is no need to assign the security roles LcrInstanceWriterNR / LcrInstanceWriterAll on JC2. Am I right?

YES. These roles are available here because the SLD application is automatically installed on each J2EE engine, but the application is not running on JC2 and therefore you don't have to do any configuration here.

>3. CMSadm, who belongs to group nwdi_Administrators, should be assigned the role "LcrInstanceWriterAll" (SLD_ORGANIZER on AB) on JC1. Am I right?

YES.

Regards

Helmut

Former Member
0 Kudos

Hi Helmut,

Thank you for the clarification. Now it is clear to me.

Thank you

P.S.: Trying to assign points, but getting an error message. I will try after some time and see if it works.

Thank you, Helmut and Sidharth, for the help.

Message was edited by: Reddy