Arcana Document Server Access Management

Arcana Document Server Access Management with Microsoft Entra ID #

In general, the UI components and the CMIS API of the Arcana Document Server are secured by OIDC authentication. With every subscription, two OIDC app registrations are created: one representing the application and one for authenticating the various clients that are granted access to that application. These app registrations are either installed during provisioning, if you purchased a partner subscription and install into your own Azure tenant, or copied into your tenant on the first login to Arcana Document Server. The app registrations are named according to the following scheme:

  • arcana-<your subscription asset id>-app
  • arcana-<your subscription asset id>-api

Picture 1 shows the authentication scheme for Arcana Document Server.

User Access to Arcana Document Server #

By default, user access is enabled for all users in your organisation. However, you can switch to administrative assignment, where only explicitly assigned users may connect to a specific instance, by checking the corresponding switch in the client registration. Afterwards, in the Microsoft Entra ID configuration, you can assign specific users or user groups to the application and give them the desired role.

Arcana Document Server Roles #

  • cmis_reader
    • allowed to read, but not to change or create any items in the repository
  • cmis_writer
    • like cmis_reader, but also allowed to write, create, check in and check out any items in the repository
  • cmis_admin
    • like cmis_writer, but also allowed to change configuration data and to revert items left checked out by other users to their original state.

Assigning Arcana Document Server Roles to Users or Groups #

Role assignment is also done in the Microsoft Entra ID configuration. Locate the enterprise application named
arcana-<your subscription asset id>-api.
In its Users and Groups configuration, add the desired user or group along with the appropriate role and save the configuration.
The configured permission takes effect on the next login to Arcana Document Server.
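The Users and Groups assignment described above can also be done through the Microsoft Graph API. The following is an added example, not code from the Arcana documentation or product: it resolves one of the roles listed above to its app-role id on the arcana-<asset id>-api service principal and builds the appRoleAssignment request for a user or a group. The service principal JSON and every id in it are constructed placeholders, and it assumes the roles are exposed as the appRole `value`.

```python
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample of the -api service principal, shaped like the result of
# GET /servicePrincipals?$filter=displayName eq 'arcana-<asset id>-api'.
# Assumption: the Arcana roles are the appRole `value`s; every id is a placeholder.
SAMPLE_SP = {
    "id": "00000000-0000-0000-0000-0000000000aa",
    "displayName": "arcana-PLACEHOLDER-asset-id-api",
    "appRoles": [
        {"id": "00000000-0000-0000-0000-000000000001", "value": "cmis_reader", "isEnabled": True},
        {"id": "00000000-0000-0000-0000-000000000002", "value": "cmis_writer", "isEnabled": True},
        {"id": "00000000-0000-0000-0000-000000000003", "value": "cmis_admin", "isEnabled": True},
    ],
}

def resolve_app_role_id(sp: dict, role_value: str) -> str:
    """Return the id of the enabled app role whose `value` equals role_value."""
    for role in sp.get("appRoles", []):
        if role.get("value") == role_value:
            if not role.get("isEnabled", False):
                raise ValueError(f"app role {role_value!r} exists but is disabled")
            return role["id"]
    raise KeyError(f"app role {role_value!r} is not defined on {sp.get('displayName')!r}")

def build_app_role_assignment(sp: dict, principal_id: str, role_value: str) -> dict:
    """Request body for POST /users/{id}/appRoleAssignments (or /groups/{id}/...)."""
    return {
        "principalId": principal_id,   # object id of the user or group being assigned
        "resourceId": sp["id"],        # object id of the -api service principal
        "appRoleId": resolve_app_role_id(sp, role_value),
    }

def assignment_url(principal_kind: str, principal_id: str) -> str:
    """Graph endpoint for the principal; only users and groups can hold the role."""
    if principal_kind not in ("users", "groups"):
        raise ValueError("principal_kind must be 'users' or 'groups'")
    return f"{GRAPH}/{principal_kind}/{principal_id}/appRoleAssignments"

def post_assignment(url: str, body: dict, access_token: str) -> dict:
    """Submit the assignment; the token needs AppRoleAssignment.ReadWrite.All."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Before posting, verify the resolved appRoleId against the role shown in the enterprise application blade, since assigning cmis_admin where cmis_reader was intended grants configuration changes to the user.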

Creating a service user for Arcana Document Server #

For certain scenarios, for example when using SAP’s Business Technology Platform, it is necessary to set up a connection to Arcana Document Server with a service user.
It is recommended to create a service principal and use it together with the OIDC password grant flow to obtain a secure connection. SAP passes the currently logged-on user in a specific request header field. This header is detected automatically by Arcana Document Server and treated as the current API user.
