Permission concept
Individual CMIS methods can be restricted for users who access the API directly, through a two-level permission concept:
- Access to the CMIS repository is restricted by galaxy cmisRepositories (with its functions create, read, update, delete and execute); internally, this grants permission to the document type mapped to this CMIS repository. Access to CMIS repositories must be granted via the AdminClient; see the user manual [UM AdminClient], section “User, role, and group maintenance > Roles management > SAP”.
- The respective web service operation must be granted for each CMIS method. There is one web service operation per CMIS method, which can be used to grant or restrict that method, e.g., operation cmisCreateDocument for method createDocument. This is done via the AdminClient according to section “User, role, and group maintenance > Roles management > Web service access permissions”.
The resulting role must combine the permissions from both levels.
Minimal role for CMIS initialization (example)
For SAP BTP and on-premise scenarios, a technical CMIS user is required to initialize CMIS repositories.
This includes:
- creating the default folder structure
- creating CMIS secondary types
- accessing and creating CMIS object types
- executing the CMIS setup logic triggered by SAP (Communication Arrangement or report CMIS_REPOSITORY_SETUP)
To support this, the following minimal permission set must be assigned to the ImageMaster user provided to SAP.
This role contains only the permissions required for successful CMIS initialization and avoids granting unnecessary access.
The following functions must be granted on a single CMIS repository (CR):
- create
- read
- update
- delete
- execute
This is configured via Roles → SAP → CMIS repository (type: CMIS repository).
The following CMIS web service operations must be permitted:
- cmisCreateDocument
- cmisGetRepositoryInfo
- cmisGetRepositories
- cmisCreateType
- cmisGetTypeChildren
- cmisGetTypeDefinition
- cmisQuery
- cmisGetObject
- cmisCreateFolder
These operations form the minimal set needed for SAP to create types, create folders, check repository info, and trigger the setup.
Examples:
Below are complete SOAP role definitions that can be imported via the ImageMaster Integration Webservice.
The first snippet shows a role that is able to create a CMIS document (operation cmisCreateDocument for method createDocument()):
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:ns="http://www.tsystems.com/ima9/integrationws/messaging/201101">
  <soap:Body>
    <ns:createRole>
      <role name="cmisAccessOneCRRole">
        <combinator>union</combinator>
        <constituents>
          <roles/>
          <rights>
            <right outcome="permitted">
              <query>restrict(=(ima:cmisRepository:name(const("A1")),ref("cmisRepositories")),galaxy(cmisRepositories))</query>
              <functions>
                <function>read</function>
                <function>create</function>
                <function>update</function>
                <function>delete</function>
                <function>execute</function>
              </functions>
            </right>
            <right outcome="permitted">
              <query>restrict(=(ima:webservice:operationName(ref("ops")), const("cmisCreateDocument")), project(["ops", ref("webservice:operations")], galaxy(webservice:operations)))</query>
              <functions>
                <function>execute</function>
              </functions>
            </right>
          </rights>
        </constituents>
        <description>AccessRole for CMIS interface to create a document</description>
      </role>
    </ns:createRole>
  </soap:Body>
</soap:Envelope>
The following role is the minimal set of permissions necessary to execute the CMIS setup (triggered when the Communication Arrangement is stored in BTP):
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:ns="http://www.tsystems.com/ima9/integrationws/messaging/201101">
  <soap:Header/>
  <soap:Body>
    <ns:createRole>
      <role name="cmisMinimalAccessCRZ1">
        <combinator>union</combinator>
        <constituents>
          <roles/>
          <rights>
            <right outcome="permitted">
              <query>restrict(=(ima:cmisRepository:name(const("Z1")),ref("cmisRepositories")),galaxy(cmisRepositories))</query>
              <functions>
                <function>read</function>
                <function>create</function>
                <function>update</function>
                <function>delete</function>
                <function>execute</function>
              </functions>
            </right>
            <right outcome="permitted">
              <query>restrict(=(ima:webservice:operationName(ref("ops")), const("cmisCreateDocument")), project(["ops", ref("webservice:operations")], galaxy(webservice:operations)))</query>
              <functions>
                <function>execute</function>
              </functions>
            </right>
            <right outcome="permitted">
              <query>restrict(=(ima:webservice:operationName(ref("ops")), const("cmisGetRepositoryInfo")), project(["ops", ref("webservice:operations")], galaxy(webservice:operations)))</query>
              <functions>
                <function>execute</function>
              </functions>
            </right>
            <right outcome="permitted">
              <query>restrict(=(ima:webservice:operationName(ref("ops")), const("cmisGetRepositories")), project(["ops", ref("webservice:operations")], galaxy(webservice:operations)))</query>
              <functions>
                <function>execute</function>
              </functions>
            </right>
            <right outcome="permitted">
              <query>restrict(=(ima:webservice:operationName(ref("ops")), const("cmisCreateType")), project(["ops", ref("webservice:operations")], galaxy(webservice:operations)))</query>
              <functions>
                <function>execute</function>
              </functions>
            </right>
            <right outcome="permitted">
              <query>restrict(=(ima:webservice:operationName(ref("ops")), const("cmisGetTypeChildren")), project(["ops", ref("webservice:operations")], galaxy(webservice:operations)))</query>
              <functions>
                <function>execute</function>
              </functions>
            </right>
            <right outcome="permitted">
              <query>restrict(=(ima:webservice:operationName(ref("ops")), const("cmisGetTypeDefinition")), project(["ops", ref("webservice:operations")], galaxy(webservice:operations)))</query>
              <functions>
                <function>execute</function>
              </functions>
            </right>
            <right outcome="permitted">
              <query>restrict(=(ima:webservice:operationName(ref("ops")), const("cmisQuery")), project(["ops", ref("webservice:operations")], galaxy(webservice:operations)))</query>
              <functions>
                <function>execute</function>
              </functions>
            </right>
            <right outcome="permitted">
              <query>restrict(=(ima:webservice:operationName(ref("ops")), const("cmisGetObject")), project(["ops", ref("webservice:operations")], galaxy(webservice:operations)))</query>
              <functions>
                <function>execute</function>
              </functions>
            </right>
            <right outcome="permitted">
              <query>restrict(=(ima:webservice:operationName(ref("ops")), const("cmisCreateFolder")), project(["ops", ref("webservice:operations")], galaxy(webservice:operations)))</query>
              <functions>
                <function>execute</function>
              </functions>
            </right>
          </rights>
        </constituents>
        <description>Minimal technical role for one content repository 'Z1' for technical CMIS user</description>
      </role>
    </ns:createRole>
  </soap:Body>
</soap:Envelope>
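As an added example (not from the ImageMaster documentation), the following Python script generates the two-level role above for a given repository name and operation list, and audits any createRole document, such as the two on this page, to list which repositories and operations it grants and which operations fall outside the minimal set. The element names and query syntax are copied from the page; the regex-based audit and the placeholder role names are this example's own assumptions.

```python
# Added example, not from the ImageMaster documentation: builds the two-level CMIS
# role as a createRole SOAP envelope and audits a role document against the minimal set.
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
IWS_NS = "http://www.tsystems.com/ima9/integrationws/messaging/201101"
REPO_FUNCTIONS = ["read", "create", "update", "delete", "execute"]  # level 1 (repository)
MINIMAL_OPERATIONS = [  # level 2 (web service operations), as listed on the page
    "cmisCreateDocument", "cmisGetRepositoryInfo", "cmisGetRepositories",
    "cmisCreateType", "cmisGetTypeChildren", "cmisGetTypeDefinition",
    "cmisQuery", "cmisGetObject", "cmisCreateFolder"]

def repo_query(repo):  # restrict galaxy(cmisRepositories) to one repository by name
    return ('restrict(=(ima:cmisRepository:name(const("%s")),ref("cmisRepositories")),'
            'galaxy(cmisRepositories))' % repo)

def operation_query(op):  # restrict galaxy(webservice:operations) to one operation name
    return ('restrict(=(ima:webservice:operationName(ref("ops")), const("%s")), '
            'project(["ops", ref("webservice:operations")], galaxy(webservice:operations)))' % op)

def build_role(role_name, repo, operations, description=""):
    """Return the createRole envelope as a string: one repository right, one 'execute' right per operation."""
    env = ET.Element("{%s}Envelope" % SOAP_NS)
    body = ET.SubElement(env, "{%s}Body" % SOAP_NS)
    role = ET.SubElement(ET.SubElement(body, "{%s}createRole" % IWS_NS), "role", name=role_name)
    ET.SubElement(role, "combinator").text = "union"
    constituents = ET.SubElement(role, "constituents")
    ET.SubElement(constituents, "roles")
    rights = ET.SubElement(constituents, "rights")
    grants = [(repo_query(repo), REPO_FUNCTIONS)] + [(operation_query(op), ["execute"]) for op in operations]
    for query, functions in grants:
        right = ET.SubElement(rights, "right", outcome="permitted")
        ET.SubElement(right, "query").text = query
        fns = ET.SubElement(right, "functions")
        for fn in functions:
            ET.SubElement(fns, "function").text = fn
    ET.SubElement(role, "description").text = description
    return ET.tostring(env, encoding="unicode")

# Assumed audit patterns: pull the repository / operation constants out of the query text.
OP_RE = re.compile(r'operationName\(ref\("ops"\)\),\s*const\("([^"]+)"\)')
REPO_RE = re.compile(r'cmisRepository:name\(const\("([^"]+)"\)')

def audit_role(xml_text, allowed=frozenset(MINIMAL_OPERATIONS)):
    repos, ops = set(), set()
    for right in ET.fromstring(xml_text).iter("right"):
        if right.get("outcome") == "permitted":
            q = " ".join((right.findtext("query") or "").split())  # fold queries split over lines
            repos.update(REPO_RE.findall(q))
            ops.update(OP_RE.findall(q))
    return repos, ops, ops - set(allowed)  # (repositories, operations, operations beyond the allow-list)
```

Run audit_role over an exported role before assigning it to the technical CMIS user; a non-empty third element means the role grants more than the initialization needs.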