Wednesday, July 1, 2009

Integrating SAP with SharePoint or MOSS

The first step is to configure Single Sign-On in MOSS so that users can move seamlessly from SharePoint to SAP. Here are the steps:

Configure the administrative rights for the SSP Business Data Catalog

Administrators of the Shared Service Provider of the Office SharePoint Server 2007 farm must have permissions to both the Business Data Catalog service and the SSP administration pages for the Business Data Catalog. Use the following procedure to configure these permissions.

1. Use the following steps to open the administration page for the SSP:

a. In Office SharePoint Server 2007, on the top link bar, click Application Management.

b. On the Application Management page, in the Office SharePoint Server Shared Services section, click Create or configure this farm’s shared services.

c. On the Manage this Farm’s Shared Services page, click the link for the SSP that you want to open.

* You can also access the SSP by clicking the link to the SSP home page in the Quick Launch.

2. On the SSP home page, in the Business Data Catalog section, click Business Data Catalog permissions.

3. On the Manage Permissions: Business Data Catalog page, click Add Users/Groups.

4. On the Add Users/Groups: Business Data Catalog page, in the Choose Users section, enter the name or account of the user that you want to add.

5. In the Choose Permissions section, select the permissions for the user. It is common for the Business Data Catalog manager to select all permissions.

· Edit: Select this permission to enable users to import application definitions and add, edit, or delete application definitions, business data types, and data fields for business data types.

· Execute: Select this permission to enable users to change the properties of business data.

· Selectable in Clients: Select this permission to enable users to refer to business data types and fields in Office SharePoint Server lists, Web Parts, sites, and client applications.

· Set Permissions: Select this permission to enable users to configure permissions for other users.

6. Click Save.

Configure access to the SSP pages of the Business Data Catalog

Administrators who manage the Business Data Catalog must have access to the SSP pages for the Business Data Catalog. This access is in addition to the separate permissions to the Business Data Catalog service. To access the SSP home page, an account must be a member of the Site Collection Administrators group.

By default, the account used to set up the SSP is a member of the Site Collection Administrators group. For the first SSP in the initial deployment, this is the account that was used to install Office SharePoint Server 2007. If that same account is used to administer the SSP, no additional steps are necessary. In most organizations, SSP administration will be delegated to one or more additional users. The account used to set up the SSP can be used to add other accounts to the Site Collection Administrators group.

Use the following procedure to configure access to the SSP pages.

1. Use the following steps to open the administration page for the SSP:

a. In Office SharePoint Server 2007, on the top link bar, click Application Management.

b. On the Application Management page, in the Office SharePoint Server Shared Services section, click Create or configure this farm’s shared services.

c. On the Manage this Farm’s Shared Services page, click the link for the SSP that you want to open.

* You can also access the SSP by clicking the link to the SSP home page in the Quick Launch.

2. On the SSP home page, on the Site Actions menu, click Site Settings.

3. On the Site Settings page, in the Users and Permissions section, click Site collection administrators.

4. On the Site Collection Administrators page, in the Site Collection Administrators section, do the following:

a. Type the name or account that you want to add to the Site Collection Administrators group.

b. Click the Check Names icon. If the name or account is found in directory services, it will appear as a link in the text box.

c. If the name or account was not found, or if you want to search for more users, click the Browse button.

d. On the Select People dialog box, in the Find box, type part or all of the user's name or account name, and then press ENTER. All accounts that match appear in the text box.

e. Select one or more accounts that you want to add, and then click Add.

f. When you are finished adding SSP site collection administrators, click OK.

5. On the Site Collection Administrators page, click OK.

Configuring single sign-on for use with SAP

The Business Data Catalog connects to the SAP Web service using a mapped SAP account. Mapping Office SharePoint Server 2007 users to SAP accounts is managed in the SSO definitions of Office SharePoint Server 2007. The SSO definitions map groups of users to individual SAP accounts. An Office SharePoint Server 2007 user who is not mapped to an SAP account will not be able to retrieve business data. Single sign-on supports basic (form) authentication (Enterprise JavaBeans) as well as Windows authentication.

Configuring SSO to work with SAP Enterprise consists of the following five steps:

1. Configure the single sign-on service in Windows Server Management Console.

2. Configure the Office SharePoint Server 2007 settings for single sign-on.

3. Set the encryption key for the other front-end Web servers.

4. Define the single sign-on parameters of the SAP application.

5. Map Windows accounts to the SAP login information.

Configure and start the single sign-on service

Follow these steps to configure Microsoft Single Sign-On (SSOSrv) on the Windows server.

* Important: The single sign-on service account must meet all of the following criteria:

· Be a domain user account. It cannot be a group account.

· Be an Office SharePoint Server 2007 farm account.

· Be a member of the local Administrators group on the encryption-key server. (The encryption-key server is the first server on which the SSO is created.)

· Be the same as the Office SharePoint Server 2007 single sign-on administrator account, or be a member of the same administration group that the SSO administrator belongs to.

· Have the “Log on As a Service” user rights assignment in local security policy settings.

1. On the computer running Office SharePoint Server 2007, click Start, point to Control Panel, point to Administrative Tools, and then click Computer Management.

2. In the Computer Management console, expand Services and Applications, and then click Services.

3. Right-click Microsoft Single Sign-On Service, and then click Properties.

4. On the General tab, change the Startup type to Automatic.

5. On the Log On tab, under Log on as, select This account and enter the account login name of the single sign-on service account, using the form domain\username.

6. In Password, enter the password of the single sign-on service account.

7. In Confirm password, retype the same password.

8. On the General tab, under Service status, click Start.

Figure 2 - Single sign-on service
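
The service-account criteria and service settings above can be verified from the command line. The following is an added example, not part of the original post: it assumes Windows PowerShell run elevated on the encryption-key server and an English-named local Administrators group, and it does not check the farm-account or SSO-administrator criteria.

```powershell
# Added example: audit the SSOSrv service account against the criteria above.
# Run from an elevated Windows PowerShell prompt on the encryption-key server.
function Test-SsoServiceAccount {
    param([string]$ServiceName = 'SSOSrv')

    $svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found on this server." }

    # A domain user looks like DOMAIN\user; reject built-in and local accounts.
    $account = $svc.StartName
    $domain  = ($account -split '\\')[0]
    $isDomainUser = ($account -like '*\*') -and
        (@('.', $env:COMPUTERNAME, 'NT AUTHORITY') -notcontains $domain)

    $sid = $null
    if ($isDomainUser) {
        $sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    }

    # Direct members of the local Administrators group, compared by SID.
    # Assumes the English group name; nested group membership is not expanded.
    $group = [ADSI]'WinNT://./Administrators,group'
    $adminSids = @($group.psbase.Invoke('Members')) | ForEach-Object {
        $bytes = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
        (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    }

    # "Log on as a service" = SeServiceLogonRight in the exported local policy.
    # Only a direct grant to the account's SID is detected here.
    $inf = Join-Path $env:TEMP 'sso-user-rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $right = Get-Content $inf | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    $pattern = '\*' + [regex]::Escape("$sid") + '(,|\s*$)'

    New-Object PSObject -Property @{
        Account          = $account
        StartupAutomatic = ($svc.StartMode -eq 'Auto')
        IsDomainUser     = $isDomainUser
        InLocalAdmins    = [bool]($sid -and ($adminSids -contains $sid))
        LogOnAsService   = [bool]($sid -and $right -and ("$right" -match $pattern))
    }
}

Test-SsoServiceAccount | Format-List
```

A False in InLocalAdmins or LogOnAsService can also mean the permission is granted through a group rather than directly, so confirm group membership before changing anything.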

Configure single sign-on settings in Office SharePoint Server

Follow these steps to configure the Office SharePoint Server 2007 single sign-on definitions:

1. On the Central Administration home page, on the top link bar, click Operations.

2. On the Operations page, in the Security Configuration section, click Manage settings for single sign-on.

3. On the Manage Settings for Single Sign-On page, in the Server Settings section, click Manage server settings.

4. On the Manage Settings for Single Sign-On page, in the Account name box in the Single Sign-On Administrator Account section, enter the single sign-on administrator account name by using the form domain\group or domain\username.

* The single sign-on administrator account specifies the set of people who can create, delete, or modify application definitions. The administrator account can also back up the encryption key.

* If a group is specified, all users who are added to the group for administering single sign-on must be members of the local Administrators group on the encryption-key server. Do not make this account a member of the local Administrators group on the encryption-key server.

Create an encryption key

The first server that has Microsoft Single Sign-On (SSOSrv) enabled becomes the encryption-key server. The encryption-key server generates and stores the encryption key. The encryption key is used to encrypt and decrypt the credentials that are stored in the SSO database.

Enable encryption

1. In Central Administration, on the top link bar, click Operations.

2. On the Operations page, in the Security Configuration section, click Manage settings for single sign-on.

3. On the Manage Settings for Single Sign-On page, in the Server Settings section, click Manage encryption key.

Create a new encryption key

1. On the Manage Encryption Key page, in the Encryption Key Creation section, click Create Encryption Key.

2. On the Create Encryption Key page, select the Re-encrypt all credentials by using the new encryption key check box, and then click OK.

* Important: If you do not re-encrypt the existing credentials with the new encryption key, then users must retype their credentials for individual application definitions, and administrators must retype group credentials for group application definitions.

3. (Optional) In Encryption Key Backup, select a media drive to back up the encryption key, and then click Back Up.

Manage enterprise application definition for SAP

1. In Central Administration, in the Quick Launch, click Operations.

2. On the Operations page, in the Security Configuration section, click Manage settings for single sign-on.

3. On the Manage Settings for Single Sign-On page, click Manage settings for enterprise application definitions.

4. On the Manage Enterprise Application Definitions page, click New Item to create a new single sign-on definition for the SAP application.

5. On the Create Enterprise Application Definition page, in Display Name, enter the name of the application that users will see when prompted for their SAP credentials.

6. In the Application Name box, enter the name of the single sign-on application.

7. In the Contact e-mail address box, enter the e-mail address of the person who is responsible for this single sign-on definition.

8. In the Account type section, select Group if you want to map a group of users to a single SAP account, or select Individual if every user will map to a unique SAP account.

9. Do not make any other selections. However, select Windows authentication only if your SAP Enterprise Portal uses Windows authentication (that is, you are not required to enter a user name and password when you open the SAP portal page).

10. Click OK.

Specify user account mapping for SAP applications

1. In Central Administration, in the Quick Launch, click Operations.

2. On the Operations page, in the Security Configuration section, click Manage settings for single sign-on.

3. On the Manage Settings for Single Sign-On page, click Manage account information for enterprise application definitions.

4. On the Manage Account Information for an Enterprise Application Definition page, in the Enterprise Application Definition section, select the SAP application you defined in the previous step.

5. In User account name, enter the domain\user logon for the SAP account mapping, and then click Set.

6. On the Provide SAP Account Information page, enter the user name and password, and then click OK.

* You do not have to know the Office SharePoint Server user password.
