How-to Guide

SAP NetWeaver 7.0

How To…
setup NWDI
Permissions
and Roles
Version 1.20 – April 2007

Applicable Release:
SAP NetWeaver 7.0 - Unified Life_Cycle Management
© Copyright 2007 SAP AG. All rights reserved. contained in this document serves informational
purposes only. National product specifications may vary.
No part of this publication may be reproduced or
transmitted in any form or for any purpose without the These materials are subject to change without notice.
express permission of SAP AG. The information These materials are provided by SAP AG and its affiliated
contained herein may be changed without prior notice. companies ("SAP Group") for informational purposes
only, without representation or warranty of any
Some software products marketed by SAP AG and its kind, and SAP Group shall not be liable for errors or
distributors contain proprietary software components of omissions with respect to the materials. The only
other software vendors. warranties for SAP Group products and services are those
that are set forth in the express warranty statements
Microsoft, Windows, Outlook, and PowerPoint are accompanying such products and services, if any.
registered trademarks of Microsoft Corporation. Nothing herein should be construed as constituting an
additional warranty.
IBM, DB2, DB2 Universal Database, OS/2, Parallel
Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, These materials are provided “as is” without a warranty
iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent of any kind, either express or implied, including but not
Miner, WebSphere, Netfinity, Tivoli, and Informix are limited to, the implied warranties of merchantability,
trademarks or registered trademarks of IBM Corporation fitness for a particular purpose, or non-infringement.
in the United States and/or other countries. SAP shall not be liable for damages of any kind including
without limitation direct, special, indirect, or
Oracle is a registered trademark of Oracle Corporation. consequential damages that may result from the use of
these materials.
UNIX, X/Open, OSF/1, and Motif are registered SAP does not warrant the accuracy or completeness of
trademarks of the Open Group. the information, text, graphics, links or other items
contained within these materials. SAP has no control
Citrix, ICA, Program Neighborhood, MetaFrame, over the information that you may access through the
WinFrame, VideoFrame, and MultiWin are trademarks use of hot links contained in these materials and does not
or registered trademarks of Citrix Systems, Inc. endorse your use of third party web pages nor provide
any warranty whatsoever relating to third party web
HTML, XML, XHTML and W3C are trademarks or pages.
®
registered trademarks of W3C , World Wide Web SAP NetWeaver “How-to” Guides are intended to
Consortium, Massachusetts Institute of Technology. simplify the product implementation. While specific
product features and procedures typically are explained
Java is a registered trademark of Sun Microsystems, Inc. in a practical business context, it is not implied that those
features and procedures are the only approach in solving
JavaScript is a registered trademark of Sun Microsystems, a specific business problem using SAP NetWeaver. Should
Inc., used under license for technology invented and you wish to receive additional information, clarification
implemented by Netscape. or support, please refer to SAP Consulting.
Any software coding and/or code lines / strings (“Code”)
MaxDB is a trademark of MySQL AB, Sweden. included in this documentation are only examples and
are not intended to be used in a productive system
SAP, R/3, mySAP, mySAP.com, xApps, xApp, and other environment. The Code is only intended better explain
SAP products and services mentioned herein as well as and visualize the syntax and phrasing rules of certain
their respective logos are trademarks or registered coding. SAP does not warrant the correctness and
trademarks of SAP AG in Germany and in several other completeness of the Code given herein, and SAP shall
countries all over the world. All other product and not be liable for errors or damages caused by the usage of
service names mentioned are the trademarks of their the Code, except if such damages were caused by SAP
respective companies. Data intentionally or grossly negligent.
1 Scenario......................................................................................................... 2
2 Introduction .................................................................................................... 3
3 Technical mapping......................................................................................... 7
3.1 UME Actions........................................................................................... 7
3.2 J2EE Security Roles ............................................................................... 9
3.3 DTR Permissions.................................................................................... 9
3.4 Track-specific Authorizations................................................................ 12
4 The Step By Step Solution........................................................................... 13
4.1 Check and edit UME settings ............................................................... 13
4.2 Set J2EE Security Roles....................................................................... 16
4.3 Check and edit DTR Permissions ......................................................... 17

-1-
1 Scenario
The SAP NetWeaver Development Infrastructure1 serves as base for realising a
comprehensive software development process, comprising development of several
components, activating components for shared usage, up to consolidation, testing and
deployment.
• All development objects (sources, table definitions, Web Dynpro definitions etc.)
are stored and versioned in the Design Time Repository (DTR)
• Central builds and the resulting archives are provided by the Component Build
Service (CBS)
• The Name Server is the naming authority ensuring unique names (e.g. for
development components (DCs), database tables, Java packages etc.)
• The Change Management Service (CMS) is providing software logistic
functionality and is controlling the development landscape
• The SAP NetWeaver Developer Studio (NWDS) is installed on the developer
desktop and provides an integrated development environment for development
using NWDI

Compare help.sap.com, for a short description of the development steps using NWDI:
http://help.sap.com ÆDocumentation ÆSAP NetWeaver Æ SAP NetWeaver 2004s Æ
English Æ SAP Library
Æ SAP NetWeaver Library
Æ Administrator’s Guide
Æ Technical Operations Manual for SAP NetWeaver
Æ Administration of SAP NetWeaver Systems
Æ AS Java (Application Server for Java)
Æ Software Logistics
Æ Development Infrastructure (DI)
Æ SAP NetWeaver Development Infrastructure
Æ Development Scenarios with the NWDI

The intention of this guide is to show a sample how you can expand the initial security
configuration of the NWDI, which is done by the template installer during the setup
phase, to adapt it to your business needs. With the installation of the usage type DI
(Development Infrastructure) and the post-installation step using the DI template with the
Template Installer, the NWDI is ready to use with a preconfigured track, users, groups
and roles. This guide introduces additional logical roles involved for NWDI based
software development, describes the tasks covered by each role and explains the
needed permissions. Help is given to check and if necessary to adopt the various user,
group and roles settings to your specific installation.

1 For this official name, two abbreviations are currently in use: JDI (Java Development
Infrastructure) and NWDI (NetWeaver Development Infrastructure). Therefore you can find both
abbreviations in parallel.

-2-
2 Introduction
Assume your team wants to extend a Product by a new feature. The initial installation of
NWDI and basic configuration steps are supposed to have been done already. For
implementing the new product feature, a single CMS Track has to pass through. Figure 1
illustrates the activities and attached systems of a CMS Track.

Figure 1 CMS track structure.

During development, five major roles have to be occupied:

• Software Architect
As a result of designing the software architecture he defines the Product version,
included Software Components to be developed, required Software Components
and their dependencies. He uses mainly the System Landscape Directory.
• Landscape Administrator
He sets up the initial environment for developing a Product, comprising name
reservations, Track definitions and Development Configurations. The Landscape
Configurator part of CMS is used for these purposes.
• Transport Manager
He is responsible for transporting the according deliveries between the logical
systems that built up the track. In our scenario, he would start with importing the
necessary sources and archives in the Development System. Later on, he
imports the Development Components in the Consolidation and Test System.
Besides this, he is responsible for assembling components to the new Product
version. The Transport Studio of CMS is his preferred tool.
• Member of Development Team
Based on the imported Development Configuration, team members create and
implement Development Components (DCs) as part of the changeable Software
Components of the Product or change existing ones. Typically developers pass
the steps Design Æ Implementation Æ (Unit) Testing for each Development
Component in a local environment. Then they activate their changes in order to
make them useable for further development steps. Builds and deployments in a
central development environment ensure an ongoing integration of all changes
made by development team members. When the feature is implemented and

-3-
 tested in the Development System, the corresponding Development Components
are released for import in the Consolidation system. The NetWeaver Developer
Studio is the developer’s main tool for these tasks.
• Quality Manager
The quality manager assures that the new product conformsProduct confirms to
the requested quality standards. He is responsible for Product consolidation and
for final approval before product delivery. For approval of the product shipment
the Transport Studio of CMS is used.

Figure 2 assigns the mentioned roles to the process steps while passing a CMS Track.

Figure 2 Java Software Lifecycle Management with the SAP NWDI

-4-
The following table describes the tasks for each identified role in more detail. Please
note: The column “Involved systems” summarizes all systems that are called directly as
well as implicitly while processing the tasks. In accordance, the column “needed
privileges” lists privileges needed not only by the role itself but also needed by internal
system users (e.g. service users like NWDI_CMSADM).

NWDI Role Tasks Involved systems Needed

privileges
Administrator initial setup & CMS Æ Landscape (write Domain
maintenance of CMS Configurator data in CMS)
Domain data2, Rescue
User
Software define Product version, SLD Æ Software write into the
Architect Software Components Catalog “Software
and dependencies Catalog” in SLD

Landscape define Tracks CMS Æ Landscape read, write track

Administrator Configurator information in
CMS
define Track authority CMS Æ Track assign
Authority permissions in
CMS
reserve Namespaces SLD Æ Name read, write
Reservation Namespaces in
SLD
Development import Development NWDS, SLD, CMS read SLD and
Team Configuration CMS data
synchronize sources NWDS, DTR read sources
from DTR

synchronize required NWDS, CBS read archives

archives from CBS
create and check in NWDS, DTR write, check in to
Development DTR, write name
Components reservation to
SLD
build / deploy /test locally NWDS, local J2EE administration of
Engine local engine
activate NWDS, DTR, CBS create build
requests

2
Note: Using the template installer will pre-configure the Domain ID, which cannot be changed
afterwards.

-5-
 test CMS, central access to
development system development
runtime system
release NWDS, CMS Create, release
requests
Transport Access to file system of CMS Æ Transport import in CMS
Manager CMS server Studio systems
Access to SAP Service
Marketplace
Check-in and import
required SCs into
Development System
import into Consolidation
System
Assemble Software
Component version
import into Test System
import into Production
System
Quality tests in Test System appropriate test tool Administration
Manager test CMS, central access to
Development System development
runtime system
Release NWDS, CMS create release
requests
Table 1 Involved systems and necessary privileges

-6-
3 Technical mapping
The NWDI roles and their privileges described in Table 1 must be mapped to technical
permission settings on several levels (UME Actions, J2EE Security Roles, DTR ACLs
and Track-specific ACLs). The following paragraphs give an overview of the settings that
have to be done. Chapter 4 gives a step by step solution for doing it.

Detailed information to the technical mappings can be found in

http://help.sap.com: ÆDocumentation ÆSAP NetWeaver Æ SAP NetWeaver 2004s Æ
English Æ SAP Library
Æ SAP NetWeaver Library
Æ Administrator’s Guide
Æ Technical Operations Manual for SAP NetWeaver
Æ Administration of SAP NetWeaver Systems
Æ AS Java (Application Server for Java)
Æ Software Logistics
Æ Development Infrastructure (DI)
Æ SAP NetWeaver Development Infrastructure
Æ Configuring the NWDI User Management

Note: Please keep in mind that this guide is based on a single-server installation (all
NWDI components and SLD on a single server). If the NWDI components or the SLD are
distributed on multiple servers a central user administration (CUA) is recommended.
Otherwise you need to setup the same credentials (same user with the same password)
with the appropriate permissions on all systems.

Note: The following permission settings are always based on UME Groups. Depending
on whether an SAP system, LDAP or database is used as user store, users and UME
Groups respectively SAP Roles must be created in different ways. For a detailed
description please see
http://help.sap.com: Æ Documentation ÆSAP NetWeaver Æ SAP NetWeaver 2004s Æ
English Æ SAP Library
Æ SAP NetWeaver Library
Æ SAP NetWeaver Security Guide
Æ User Administration and Authentication
Æ Integration of User Management in Your System Landscape

3.1 UME Actions

The permission concept of CBS, CMS and SLD is based on UME Actions that need to
be mapped to UME Roles. This has to be done using the Web-based User Management
Engine Administration Console (http://<server>:<port>/useradmin) that is part of the SAP
J2EE Engine.
Table 2 summarizes the mapping of identified NWDI Roles to necessary users and their
assigned UME Groups, UME Roles and UME Actions.

-7-
NWDI Role User UME Group UME Role UME Actions
Administrator NWDI_ADM NWDI NWDI CBS.Administrator
(default user) .Administrators .Administrator CMS.Administrate
LcrInstanceWriterAll
Member of (default: NWDI NWDI CBS.Developer
development NWDI_DEV) .Developers .Developer (CBS.XDeveloper)
team CMS.Display
CMS.ExportOwn
(CMS.ExportForeign)
LcrInstanceWriterNR
Software NWDI NWDI CBS.Guest
Architect .Architects .Architect CMS.Display
LcrInstanceWriterCR
Landscape NWDI NWDI CMS.ConfigureDomai
Configurator .Configurators .Configurator n
CMS.CreateTrack
CMS.Display
CMS.ModifyTrack
CMS.UserAdmin
LcrInstanceWriterLD
LcrInstanceWriterNR
Transport NWDI NWDI CBS.Administrator
Manager .Operators .Operator CMS.CriticalFunctions
CMS.Display
CMS.Transport
Quality NWDI NWDI CBS.Guest
Manager .QManagers .QManagers CMS.Approve
CMS.Display
CMSAdmin NWDI_ NWDI NWDI CBS.Administrator
(technical CMSADM .CMSAdmins .CMSAdmin
user used by (default user)
CMS)
Table 2 Necessary users, UME Groups, Roles and Actions for NWDI

For the standard workflow, your named users are mapped to the necessary Groups as
needed. Besides this, there are two technical users that are used for special purposes
only; they are not mapped to named users.3
The NWDI_ADM user has all privileges and therefore can perform all tasks in the NWDI.
He is intended to be used for the initial setup of the NWDI and as an emergency user.
For your regular development cycle, you should not use the NWDI_ADM user to ensure
traceability. Instead the usage of dedicated admin users belonging to group
NWDI.Administrators enables you to decouple the J2EE Administrator user from the
applications itself. Furthermore dedicated admin users can be used for delegated
administration of Tracks (see chapter 3.4).
Another unnamed user which is required is the NWDI_CMSADM. This user is not
assigned to a real person, but intended to be used only internally by the CMS. He can
perform all actions in the DTR, CBS, and SLD that are required to configure the NWDI
and operate the CMS. He is also used for intra-component communication between
CBS, DTR and SLD.

3
If you used the Template Installer for the configuration of the NWDI, these users are already
created and assigned to the necessary groups. The settings should be checked either.

-8-
3.2 J2EE Security Roles
For the SLD, it is also necessary to set permissions enabled through J2EE Security
Roles. This has to be done in the Visual Administrator Tool. The permissions have to be
assigned for the application “sap.com/com.sap.lcr*sld”.

Table 4 shows the settings for the J2EE Security Roles.

UME Group Security Role

NWDI.Administrators LcrInstanceWriterAll
NWDI.Architects LcrInstanceWriterCR
NWDI.CMSAdmins LcrInstanceWriterLD
LcrInstanceWriterNR
NWDI.Configurators LcrInstanceWriterNR
LcrInstanceWriterLD
NWDI.Developers LcrInstanceWriterNR
Table 3 Necessary Java Security Role settings for SLD.
For an easier assignment, Table 4 shows the settings per security role.

Security Role UME Group

LcrInstanceWriterNR NWDI.Developers
NWDI.Configurators
NWDI.CMSAdmins
LcrInstanceWriterAll NWDI.Administrators
LcrInstanceWriterCR NWDI.Architects
LcrInstanceWriterLD NWDI.Configurators
NWDI.CMSAdmins
Table 4 Necessary Java Security Role settings for SLD.

3.3 DTR Permissions

The DTR permission concept based on ACLs (Access Control Lists) determine which
privileges a principal has with respect to a certain resource. Principals are users and
groups. DTR files, folders and workspaces are resources. Privileges include read and
write access to DTR, check in, and several administration privileges. To set DTR
permissions, the DTR admin plugin of the SAP NetWeaver Developer Studio is used.

For details about the DTR authorization, please refer to http://help.sap.com

Æ SAP NetWeaver Library
Æ Administrator’s Guide
Æ Technical Operations Manual for SAP NetWeaver
Æ Administration of SAP NetWeaver Systems
Æ AS Java (Application Server for Java)
Æ Software Logistics
Æ Development Infrastructure (DI)
Æ SAP NetWeaver Development Infrastructure
Æ Configuring the NWDI User Management
Æ User Authentication and User Authorization in the DTR

Please be aware that you may lock out the user you use to manage permissions, since
permissions are stored as versioned files in the DTR. If this occurs, please refer to the

-9-
section “User Management Steps after Installation Æ Editing the Emergency User” in the
“Configuring the NWDI User Management” section of the online documentation.

Table 5 summarizes the permission settings for DTR.

Principal Type Resource Right Privilege

NWDI.Administrators Group / grant All
/sysconfig privileges
/system-tools
Æ/administration
/ws/system
NWDI.CMSAdmins Group / grant All
/ws/system privileges
NWDI.Configurator Group /ws/system grant Access,
Read,
Write,
CheckIn
/act grant Read,
Write
/wr Grant Read,
Write
NWDI.Developers Group / grant Access,
Read
/act grant Write,
CheckIn
/vh grant Write
/wr grant Write
/ws grant Write,
CheckIn
/vcr grant Write
Table 5 DTR permissions for using NWDI

- 10 -
To make the assignment easier, Table 6 shows the privileges per resource.

Resource Inherit Principal Type Right Privileges

NWDI.Administrators Group grant All
NWDI.CMSAdmins Group grant All
Access,
/ws/system Ignore
Read,
NWDI.Configurator Group grant
Write,
CheckIn
/system-tools
Ignore NWDI.Administrators Group grant All
Æ/administration
/sysconfig Ignore NWDI.Administrators Group grant All
Write,
NWDI.Developers Group grant
/act Yes CheckIn
NWDI.Configurators Group Grant Read, Write
/vcr Yes NWDI.Developers Group grant Write
/vh Yes NWDI.Developers Group grant Write
NWDI.Developers Group grant Write
/wr Yes
NWDI.Configurators Group grant Read, Write
Write,
/ws Yes NWDI.Developers Group grant
CheckIn
Access,
NWDI.Developers Group grant
Read
/ Yes
NWDI.Administrators
Group grant All
NWDI.CMSAdmins
Table 6 DTR permissions by resource

Note: In order to grant permissions on Track level, you should grant the privileges “write”
and “checkIn” on all inactive Workspaces belonging to this Track. The pattern for the
inactive Workspaces is “/ws/<Trackname>/<SC-name>/<CMS-system>/inactive/”.
It is useful to create a UME Group for each Track and grant the permissions to the group
instead of single users.
This can also be used to prevent developers from accidentally working on the CONS
Development Configuration.

- 11 -
3.4 Track-specific Authorizations
In NetWeaver 7.0 and with NetWeaver’04 SPS15, it is possible to specify NWDI
permissions per CMS track. By assigning authorizations to tracks you define areas of
responsibilities for Administrators or Quality Managers.

Note: To restrict access on the DTR workspaces for developers, please use the DTR
ACLs to control the permissions there. With CMS authorizations, it is only possible to
control transports of Change Request, but not the access to a development
configuration.

The track-specific authorizations can be assigned using a separate UI that is started by

using the URL: http://<host>:<port>/webdynpro/dispatcher/sap.com/
tc~SL~CMS~tsawebui/CmsTrackAuthority

Figure 3: CMS Track Authority Web UI

For detailed information, please refer to the online documentation on http://help.sap.com:

ÆDocumentation ÆSAP NetWeaver Æ SAP NetWeaver 2004s Æ English Æ SAP
Library
Æ SAP NetWeaver Library
Æ Administrator’s Guide
Æ Technical Operations Manual for SAP NetWeaver
Æ Administration of SAP NetWeaver Systems
Æ AS Java (Application Server for Java)
Æ Software Logistics
Æ Development Infrastructure (DI)
Æ SAP NetWeaver Development Infrastructure
Æ Configuring the NWDI User Management
Æ Authorizations in Change Management Service
Æ Track-specific Authorizations

- 12 -
4 The Step By Step Solution
This chapter gives instructions to check and if necessary to create the settings described
above, based on an NWDI installed on a single server using the UME as user and group
store.4 For distributed installations or the usage of a central user and/or group
administration, you have to adopt the steps to your needs.

4.1 Check and edit UME settings

Log in to the UME User Administration GUI

1. Search for existing http://<hostname>:<port>/useradmin and enter the userid.
users Choose Go to start the search.

Log in to UME User Administration GUI

2. Create new users http://<hostname>:<port>/useradmin and choose Create User.

4
The configuration shown applies for SAP NetWeaver 7.0. The user interface for SAP
NetWeaver’ 04 looks different.

- 13 -
 Log in to UME User Administration GUI
3. Search for existing http://<hostname>:<port>/useradmin and select Group from the
groups list box. Enter your search criteria and choose Go.

Log in to UME User Administration GUI

4. Create new group and http://<hostname>:<port>/useradmin, select Group, enter a
assign users unique Name and click Save.

After creating a group, you can assign users by clicking the

Assigned Users tab.

- 14 -
 On the right side click the Go button to get a list of all available
users. Select one and choose Add. Finish with Save.

Log in to UME User Administration GUI

5. Search for existing http://<hostname>:<port>/useradmin and select Role.
roles

Log in to UME User Administration GUI

6. Create new role and http://<hostname>:<port>/useradmin and choose Roles. Click
assign group and the Create Role button. Enter a unique Name and choose Save.
actions

To assign groups choose the Assigned Groups tab. The same

applies for assigning Actions via the Assigned Actions tab.
Proceed as described in step 4.

- 15 -
4.2 Set J2EE Security Roles

Go to the Web AS installation directory and start <Web AS

7. Start J2EE Engine install directory>\<SID>\JC<instancenr>\j2ee\admin\go.bat.
Visual Administrator Choose Connect Æ Login Æ New and specify a connection to
your Web AS.

Use the new connection to login.

8. Check and edit Java On the left side, choose Server Æ Services Æ Security
security roles. Provider. Search the component of interest; this is
sap.com\com.sap.lcr*sld in our case (see Figure 4). Then click
on the tab “Security Roles” and choose the security role you
want to assign, e.g. LcrInstanceWriterNR. Search for the user or
group, that should be assigned, e.g. NWDI.Developers. Choose
Add and Save.

- 16 -
 Figure 4 Assign security roles using the Visual Administrator

4.3 Check and edit DTR Permissions

For managing DTR permissions (authorization) you need the

9. Activate DTR DTR admin plugin of the SAP NetWeaver Developer Studio.
plugin Make sure that the plugin is active: If necessary, rename the
plugin.xml.disabled file in the <SAPDEVSTUDIOHOME>
\eclipse\plugins\com.tssap.dtr.client.eclipse.admin\ to
plugin.xml.
Open the DTR perspective in NetWeaver Developer Studio
(Window Æ Open PerspectiveÆDesign Time Repository)

A DTR client represents a connection to a certain DTR server.

10. Create DTR client In order to create a DTR client, use the DTR perspective. This is
and log in. done using the context menu of item “OFFLINE” in the
Repository Browser Æ “Create Client”.
Enter the necessary data for your DTR.

- 17 -
 After that, you should be able to connect to the DTR, using the
same context menu. Problems may occur if you already have
created already another client. Check which client is selected for
login (click DTR Æ Select Client). In order to change the login
name, please close and re-open the NetWeaver Developer
Studio.

11. Connect to a In order to manage the permissions for a resource, click the
specific resource context menu of repository browser and choose View
Permissions from the title bar of the Permissions view, choose
Menu and select the URL using View Permissions for URL….

Enter the URL of the resource you want to edit, e.g.

http://<dtrhost>:<port>/dtr for root.

12. Grant permissions To edit permissions of an existing principal, right-click on the

to a resource principal and choose “Edit principal”. For a new principal,
choose “Add principal”.
Type in the desired principal (group or user name) and choose
the necessary type. Then select the privileges and the privilege
type.

- 18 -
 Press OK to confirm the principal.

13. Setting the “Ignore For some resources you should break the inheritance by setting
inheritance” flag the “Ignore inheritance” flag.
Use the “Ignore inheritance” button in the top bar of the
permissions view to set this flag for the selected resource.

14. Save the settings When you are finished with all configuration steps for this
for the folder resource, save the entries by pressing the “Save Changes”
button on the top bar of the permissions view.

15. Repeat steps 11 to Repeat the steps for all resources you want to set permissions
14 for all resources to.

- 19 -
16. Activate your When you are finished with your configuration steps, activate
changes the settings in the DTR. You do this via pressing the Activation
button in the top bar of the permissions view.

It might take a few minutes until the changes take effect.

Alternatively you can open a browser window using the URL
http://<DTR server>:<port>/dtr/sysconfig/support/AclRefresh
and choose “Refresh”.

- 20 -
www.sdn.sap.com/irj/sdn/howtoguides

- 21 -