Content repository permissions based on roles and certificates
Access to SAP content repositories on the ImageMaster side is protected by active SAP certificates. For each SAP certificate you can configure which operations (create, read, update, delete) are allowed, which gives a more granular permission model and more flexibility in access control for content repositories. For example, one SAP system can be granted read-only access to a content repository while other SAP systems (that is, other SAP certificates) are also allowed to create new content in it. An SAP certificate can be assigned to several ImageMaster roles via the AdminClient; the assigned roles then determine which permissions ImageMaster grants to requests authenticated with that certificate. Note the default behavior: a certificate without an explicitly assigned role has full access to the content repository. Restrictions therefore only take effect once a role has been assigned to the certificate.
The role assignment is made per content repository. If a certificate is known to content repositories A1 and B1 but has a dedicated role only for A1, then on B1 the certificate has all access rights, regardless of what the role defines. To cover this case, define one role that includes all content repositories together with the permissions for each of them, and assign that role to the certificate for every content repository the certificate is known to.
A content repository supports several ImageMaster document types, so that documents can be stored under different document types depending on the certificate that is used.
These roles can be created and maintained in AdminClient (see section “User, role, and group maintenance > Roles management > SAP” in the user manual [UM AdminClient]).
Two example SOAP requests that create SAP-related roles are shown below. The first example role refers only to content repository A1; the second refers to both A1 and B1. Both roles permit only the read function, so a certificate assigned to one of them can read but not create, update or delete content in the listed repositories. Each role needs a distinct name.
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:ns="http://www.tsystems.com/ima9/integrationws/messaging/201101">
  <soap:Body>
    <ns:createRole>
      <role name="contSrvRESTAccessOneCRRole">
        <combinator>union</combinator>
        <constituents>
          <roles/>
          <rights>
            <right outcome="permitted">
              <query>restrict(=(ima:contentRepository:name(const("A1")), ref("contentRepositories")), galaxy(contentRepositories))</query>
              <functions>
                <function>read</function>
              </functions>
            </right>
          </rights>
        </constituents>
        <description>AccessRole for SAP certificate</description>
      </role>
    </ns:createRole>
  </soap:Body>
</soap:Envelope>
Figure 394: Example role that grants read permission on one content repository
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:ns="http://www.tsystems.com/ima9/integrationws/messaging/201101">
  <soap:Body>
    <ns:createRole>
      <role name="contSrvRESTAccessTwoCRRole">
        <combinator>union</combinator>
        <constituents>
          <roles/>
          <rights>
            <right outcome="permitted">
              <query>restrict(or(=(ima:contentRepository:name(const("A1")), ref("contentRepositories")), =(ima:contentRepository:name(const("B1")), ref("contentRepositories"))), galaxy(contentRepositories))</query>
              <functions>
                <function>read</function>
              </functions>
            </right>
          </rights>
        </constituents>
        <description>AccessRole for ARL REST interface</description>
      </role>
    </ns:createRole>
  </soap:Body>
</soap:Envelope>
Figure 395: Example role that grants read permissions on two content repositories
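The two figures above grant the same single function on one or two repositories. The case described at the start of this section, one certificate that may read and create in A1 but only read B1, needs a role with one <right> per distinct permission set. The following Python script is an added example, not code from the ImageMaster product or the manual: it builds such a createRole request and parses it back so the granted functions per query can be reviewed before the request is sent. The envelope, namespaces, element names and the restrict()/galaxy() query syntax are taken from Figures 394 and 395; the assumptions are that create/read/update/delete are spelled as lower-case function names (only "read" appears on this page), that or(...) accepts more than two operands (the page shows exactly two), and the role name and description used in the example.

```python
"""Build and inspect ImageMaster createRole SOAP requests for SAP-certificate roles.

Added example, not ImageMaster product code. Envelope layout and query syntax follow
the two requests on this page; the four function names and the n-ary or(...) are
assumptions.
"""
import xml.etree.ElementTree as ET

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
IMA_NS = "http://www.tsystems.com/ima9/integrationws/messaging/201101"
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("ns", IMA_NS)

# Operations the section names as configurable per certificate (assumed spelling).
ALLOWED_FUNCTIONS = ("create", "read", "update", "delete")


def repository_query(names):
    """Query selecting the given content repositories by name.

    One name yields the form of Figure 394; several names are combined with or(...)
    as in Figure 395 (assumed to work for more than two operands).
    """
    if not names:
        raise ValueError("a right must be scoped to at least one content repository")
    terms = [
        f'=(ima:contentRepository:name(const("{n}")), ref("contentRepositories"))'
        for n in names
    ]
    predicate = terms[0] if len(terms) == 1 else f"or({', '.join(terms)})"
    return f"restrict({predicate}, galaxy(contentRepositories))"


def build_create_role(role_name, description, grants):
    """Return a createRole SOAP envelope as a string.

    grants maps a content repository name to the functions permitted on it, e.g.
    {"A1": {"read", "create"}, "B1": {"read"}}. Repositories with an identical
    function set share one <right>; every other set gets its own <right>. Nothing
    outside 'grants' is permitted, so a certificate assigned only to this role is
    restricted to exactly these functions on exactly these repositories.
    """
    envelope = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(envelope, f"{{{SOAP_NS}}}Body")
    create = ET.SubElement(body, f"{{{IMA_NS}}}createRole")
    role = ET.SubElement(create, "role", name=role_name)
    ET.SubElement(role, "combinator").text = "union"
    constituents = ET.SubElement(role, "constituents")
    ET.SubElement(constituents, "roles")
    rights = ET.SubElement(constituents, "rights")

    # Group repositories by function set; reject functions the model does not know.
    by_functions = {}
    for repo, functions in grants.items():
        unknown = set(functions) - set(ALLOWED_FUNCTIONS)
        if unknown:
            raise ValueError(f"unknown function(s) for {repo}: {sorted(unknown)}")
        by_functions.setdefault(frozenset(functions), []).append(repo)

    for functions, repos in by_functions.items():
        right = ET.SubElement(rights, "right", outcome="permitted")
        ET.SubElement(right, "query").text = repository_query(sorted(repos))
        funcs = ET.SubElement(right, "functions")
        for f in ALLOWED_FUNCTIONS:  # stable order: create, read, update, delete
            if f in functions:
                ET.SubElement(funcs, "function").text = f
    ET.SubElement(role, "description").text = description
    return ET.tostring(envelope, encoding="unicode")


def permitted_functions(soap_xml):
    """Parse a createRole request into {query: [functions]} for a pre-send review."""
    root = ET.fromstring(soap_xml)
    result = {}
    for right in root.iter("right"):
        result[right.findtext("query")] = [f.text for f in right.iter("function")]
    return result


if __name__ == "__main__":
    # The case from the text: read and create in A1, read-only in B1 (names assumed).
    request = build_create_role(
        "sapCertA1WriteB1ReadRole", "AccessRole for SAP certificate",
        {"A1": {"read", "create"}, "B1": {"read"}})
    print(request)
    for query, functions in permitted_functions(request).items():
        print(functions, "on", query)
```

Run the script to print the request and the per-right summary; assign the created role to the certificate for both A1 and B1, since a repository the role is not assigned for falls back to full access.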