Access rights

 


 


Overview

The following table lists the minimum role assignment that is necessary to perform a sensitive operation. A role combines a set of permissions (role type) with a specific WebSphere Portal resource. Roles are denoted as RoleType@Resource.

Some roles are required on virtual resources; other roles must be on resource instances.

Users might also have access rights for some operations through ownership of resources.

| Resource | Sensitive Operation | Sensitive Operation Description | Required role assignment |
|---|---|---|---|
| Pages | Traverse a page | View the navigation of a page P | User@P or @ some child resource of P |
| Pages | View a page | View the content of a page P, including page decoration and potentially the portlets on that page. The portlets on a page are protected separately. | User@P |
| Pages | Modify a page | Includes: change the layout; add/remove a markup; add/remove a locale; add/remove attributes; ...to/from a page P | For shared pages: Editor@P. For private pages: Privileged User@P |
| Pages | Customize a shared page | Create a private, implicitly derived copy of a shared page P | Privileged User@P |
| Pages | Add a root page | Create and add a new top level page P | For shared pages: Editor@Pages. For private pages: Privileged User@Pages. Pages is a virtual resource. |
| Pages | Add a page | Create a new page under a given page P | For shared pages: Editor@P. For private pages: Privileged User@P |
| Pages | Create a derived page | Create a new page underneath P1 that is explicitly derived from page P2 | New page is private: Privileged User@P1 + Privileged User@P2 + Security Administrator@P2. New page is shared: Editor@P1 + Editor@P2 + Security Administrator@P2 |
| Pages | Delete a page | Delete a page P and all descendant pages, including further subpages and the portlets on those pages | Manager@P |
| Pages | Move a page | Move page P1 to a new parent page P2 | For shared pages: Manager@P1 + Editor@P2. For private pages: Manager@P1 + Privileged User@P2 |
| Pages | Lock and unlock the contents of a page | Lock or unlock the contents of a shared page P | Editor@P |
| Portlets on pages | View a portlet on a page | View a portlet PO on page P | User@P + User@PO |
| Portlets on pages | Configure an installed portlet | Enter the configure mode of a portlet PO and modify its configuration | Manager@PO |
| Portlets on pages | Modify a portlet on a page | Enter the edit mode of a portlet PO on page P and modify its configuration. If P is a shared page and the user has no Editor role for this page, then modifying the configuration of the portlet results in the creation of an implicitly derived copy of page P. | Editor@P + Editor@PO, or Privileged User@P + Privileged User@PO |
| Portlets on pages | Modify page content | Add/remove a portlet PO to/from a page P. If P is a shared page and the user has no Editor role for this page, then modifying the content of P results in the creation of an implicitly derived copy of page P. | For shared pages: Editor@P + User@PO, or for private pages: Privileged User@P + User@PO |
| Portlets on pages | Restricting the content of a page | Add/remove a portlet from the Allowed Portlet List of a page | Editor@P + User@PO |
| Portlets | View an installed portlet | View the portlet definition information of a portlet PO | User@PO |
| Portlets | Modify an installed portlet | Includes... ...to/from/of the portlet PO | For add/remove locales and setting default locale: Editor@PO. For modify settings: Manager@PO |
| Portlets | Duplicating an installed portlet | Create a new installed portlet based on an existing portlet PO that is part of a portlet application PA. | Editor@Portlet Applications + User@PO + User@PA. Portlet Applications is a virtual resource. |
| Portlets | Delete an installed portlet | Delete an installed portlet PO and remove all corresponding portlet entities from all pages within the portal | Manager@PO |
| Portlets | Enabling/disabling an installed portlet | Temporarily disabling a portlet PO | Manager@PO |
| Portlets | Provide portlet (on the Producer side) | Provide portlet PO as a WSRP service | Editor@WSRP_Export and Editor@PO. WSRP_Export is a virtual resource. |
| Portlets | Withdraw portlet (on the Producer side) | Withdraw portlet PO from WSRP service | Manager@WSRP_Export and Editor@PO. WSRP_Export is a virtual resource. |
| Portlets | Integrate a portlet (on the Consumer side) | Integrate the portlet of a WSRP Producer PR into the portal | If no portlet application exists for the group of portlets: Editor@Portlet Applications and User@PR. Portlet Applications is a virtual resource. If a Portlet Application PA already exists for the group of portlets: Editor@PA and User@PR |
| Portlets | Delete an integrated portlet (on the Consumer side) | Delete an integrated WSRP portlet PO contained in the portlet application PA from the portal | If this is the last portlet in the portlet application: Manager@PA. If more than one portlet resides in the portlet application: Manager@PO |
| Portlet Applications | View a portlet application | View the portlet application definition information for a portlet application PA | User@PA |
| Portlet Applications | Modify a portlet application | Includes... to/from/of the portlet application PA | Editor@PA |
| Portlet Applications | Duplicating a portlet application | Create a new portlet application based on an existing portlet application PA | Editor@Portlet Applications + User@PA. Portlet Applications is a virtual resource. |
| Portlet Applications | Delete a portlet application | Delete a portlet application and remove all corresponding portlets and portlet entities from all pages within the portal | Manager@PA |
| Portlet Applications | Enabling/disabling a portlet application | Temporarily disabling the portlet application PA | Manager@PA |
| WSRP Producers (on the Consumer side) | Add Producer | Add a remote WSRP Producer to the portal | Editor@WSRP_Producers. WSRP_Producers is a virtual resource. |
| WSRP Producers (on the Consumer side) | Edit Producer | Edit the settings of a remote Producer PR | Editor@PR |
| WSRP Producers (on the Consumer side) | View Producer | View the settings or display the list of portlets that are provided by a remote WSRP Producer PR | User@PR |
| WSRP Producers (on the Consumer side) | Delete Producer | Delete a remote WSRP Producer from the portal | Manager@PR |
| Web modules | Install a Web module | Install a new portlet application WAR file | Editor@Web Modules. Web Modules is a virtual resource. |
| Web modules | Updating a Web module | Update a Web module WM by installing a corresponding WAR file | Editor@Web Modules + Manager@WM |
| Web modules | Uninstalling a Web module | Uninstall a Web module and remove all corresponding portlet applications and portlets from all pages within the portal | Manager@WM + Manager @ all portlet applications contained in WM |
| Users | Create a user | Create a new user in the user registry | Editor@Users. Users is a virtual resource. |
| Users | View a user | View the user profile information of a user U | (User@UG and U is a member of user group UG) or User@Users. Users is a virtual resource. |
| Users | Modify a user | Modify the profile information of a user U | (Editor@UG and U is a member of user group UG) or Editor@Users. Users is a virtual resource. |
| Users | Delete a user | Delete a user from the user registry and delete all private pages created by this user | Manager@Users. Users is a virtual resource. |
| User groups | Create a user group | Create a new user group within the user registry | Editor@User groups. User groups is a virtual resource. |
| User groups | View a user group | View the user group profile information of a user group UG | User@UG |
| User groups | Modify a user group | Modify the profile information of a user group UG | Editor@UG |
| User groups | Add/remove a member | Add an existing user U or a user group UG2 to an existing user group UG1 | Security Administrator@Users + Editor@UG1. Users is a virtual resource. |
| User groups | Delete a user group | Delete a user group UG | Manager@UG |
| URL mapping contexts | Create a URL mapping context | Create a new URL mapping context UMC | Editor@URL Mapping Contexts. URL Mapping Contexts is a virtual resource. |
| URL mapping contexts | Traverse a URL mapping context | The ability to traverse a URL mapping context due to a role assignment to some child context of UMC | User@UMC or @ some child context of UMC |
| URL mapping contexts | View a URL mapping context | View the definition of a URL mapping context UMC | User@UMC |
| URL mapping contexts | Assign URL | Create a mapping between a URL mapping context UMC and a portal resource R | Editor@UMC + User@R |
| URL mapping contexts | Modify a URL mapping context | Change the properties of an existing URL mapping context UMC | Editor@UMC |
| URL mapping contexts | Delete a URL mapping context | Delete a URL mapping context UMC and all of its child contexts | Manager@UMC |
| Portal settings | View portal settings | View the current settings of the portal | User@Portal Settings. Portal Settings is a virtual resource. |
| Portal settings | Modify portal settings | Modify the current settings of the portal | Editor@Portal Settings. Portal Settings is a virtual resource. |
| XmlAccess | Run XML configuration interface commands | The ability to execute commands via the XML configuration interface | Security Administrator@Portal + Editor@XmlAccess. Portal and XmlAccess are virtual resources. |
| Event handlers | Manage event handlers | Create, modify, and delete event handlers | Security Administrator@Event Handlers. Event Handlers is a virtual resource. |
| Access Control Administration | View access control configuration | View the access control configuration of a resource R | If R is under internal portal protection: Security Administrator@R or Security Administrator@Portal. If R is under external protection: Security Administrator@R or Security Administrator@Portal + Security Administrator@External Access Control. Portal and External Access Control are virtual resources. |
| Access Control Administration | Create a role | Create a new role of role type RT on resource R | If R is under portal protection: Security Administrator@R + RT@R or Security Administrator@Portal. If R is under external protection: Security Administrator@R + RT@R or Security Administrator@Portal + Security Administrator@External Access Control. Portal and External Access Control are virtual resources. |
| Access Control Administration | Delete a role | Delete a role created from role type RT on resource R. All corresponding role mappings are also deleted. | If R is under internal portal protection: Security Administrator@R + RT@R + Delegator role on all assigned principals or Security Administrator@Portal. If R is under external protection: Security Administrator@R + RT@R + Delegator role on all assigned principals or Security Administrator@Portal + Security Administrator@External Access Control. Portal and External Access Control are virtual resources. |
| Access Control Administration | Create/delete a role assignment | Create/delete a role assignment for user or group U created from role type RT on resource R | If R is under internal portal protection: Security Administrator@R + RT@R + Delegator@U or Security Administrator@Portal. If R is under external protection: Security Administrator@R + RT@R + Delegator@U or Security Administrator@Portal + Security Administrator@External Access Control. Portal and External Access Control are virtual resources. |
| Access Control Administration | Create/delete a role block | Create/delete a role block for all roles created from role type RT on resource R | If R is under internal portal protection: Security Administrator@R + RT@R or Security Administrator@Portal. If R is under external protection: Security Administrator@R + RT@R or Security Administrator@Portal + Security Administrator@External Access Control. Portal and External Access Control are virtual resources. |
| Access Control Administration | Externalize/internalize resources | Move a resource R back and forth from internal to external control. All public child resources of R move with it. Private resources cannot be externalized. | Security Administrator@R + Security Administrator@External Access Control or Security Administrator@Portal + Security Administrator@External Access Control. Portal and External Access Control are virtual resources. |
| Access Control Administration | Modify the owner of a resource | Set user or group U1 as new owner of the shared resource R, where the old owner was U2 | Delegator@U1, Delegator@U2, Manager@R, and Security Administrator@R |
| Property Broker | Operate with Portlet ActionSets/PropertySets | Operate with ActionSets/PropertySets for a portlet PO | User@PO |
| Property Broker | Create/update/delete a wire | Create, update, or delete a wire from a portlet PO1 on page P1 to a portlet PO2 on page P2 | Global wire: Editor@P1, User@PO1, Editor@P2, User@PO2. Personal wire: Privileged User@P1, User@PO1, Privileged User@P2, User@PO2. In order to update or delete a personal wire, the user must have the above role assignments and have created the wire they are updating or deleting. |
| Property Broker | Executing a wire | Execute a wire from a portlet PO1 on page P1 to a portlet PO2 on page P2 | Global wire: User@P1, User@PO1, User@P2, User@PO2. Personal wire: Privileged User@P1, User@PO1, Privileged User@P2, User@PO2. In order to execute a personal wire, the user must have the above role assignments and have created the wire they are executing. |
| Property Broker | View a wire | View a wire from a portlet PO1 on page P1 to a portlet PO2 on page P2 | Global wire: User@P1, User@PO1, User@P2, User@PO2. Personal wire: Privileged User@P1, User@PO1, Privileged User@P2, User@PO2. In order to view a personal wire, the user must have the above role assignments and have created the wire they are viewing. |
| Markups | Manage Markups | Create, delete, or modify a Markup | Editor@Markups. Markups is a virtual resource. |
| Manage Search Collections | Create a new search index | Create a new search index | Editor@PSE_SOURCES. Manage Search Collections is a virtual resource. |
| Web Clipping | Create new clippings | Create new clippings | Editor@PORTLET_APPLICATION. Web Clipping is a virtual resource. |
| Portal Document Manager (PDM) | View, create and edit documents and folders | View, create and edit documents and folders | Editor@ICM_CONTENT or Editor@ICM_CONTENT_REPOSITORY. PDM is a virtual resource. |
| Themes and Skins portlet | Manage themes and skins | View the portlet; delete, modify, and add themes and skins in the Themes and Skins portlet | User@Themes and Skins portlet |
| Manage Clients portlet | Manage clients | View the portlet; delete, modify, and add clients in the Manage Clients portlet | User@Manage Clients portlet |
| Unique Names portlet | Manage unique names | View the portlet; delete, modify, and add unique names in the Unique Names portlet | User@Unique Names portlet |
| PSE Source | Create a PSE Source | Create a search collection | Editor@PSE_SOURCE. PSE_SOURCE is a virtual resource. |
| PSE Source | View a PSE Source | View a search collection I | User@I |
| PSE Source | Facilitate a PSE Source | Using a search collection I | User@I |
| PSE Source | Edit a PSE Source | Edit a search collection I | Editor@I |
| PSE Source | Delete a PSE Source | Delete a search collection I | Manager@I |
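
The requirement for "Create/delete a role assignment" can be checked mechanically when reviewing delegated administrators. The following is an added example, not IBM code: it parses requirement text in the table's RoleType@Resource notation and reports which roles an actor still lacks. It assumes "+" binds tighter than "or", matches roles exactly (role-type hierarchy, inheritance and ownership are not modelled), and uses constructed resource names such as page:hr.

```python
# Requirement text taken from the "Create/delete a role assignment" row.
ASSIGN_INTERNAL = ("Security Administrator@R + RT@R + Delegator@U "
                   "or Security Administrator@Portal")
ASSIGN_EXTERNAL = ("Security Administrator@R + RT@R + Delegator@U "
                   "or Security Administrator@Portal "
                   "+ Security Administrator@External Access Control")


def parse(requirement):
    """Return alternatives; each is a list of (role_type, resource) terms.

    Assumption: '+' (all terms required) binds tighter than 'or'.
    """
    alternatives = []
    for alt in requirement.split(" or "):
        terms = []
        for term in alt.split("+"):
            role_type, sep, resource = term.strip().partition("@")
            if not (sep and role_type.strip() and resource.strip()):
                raise ValueError(f"not RoleType@Resource: {term!r}")
            terms.append((role_type.strip(), resource.strip()))
        alternatives.append(terms)
    return alternatives


def missing_roles(requirement, held, bindings):
    """Return [] if `held` satisfies one alternative, else the smallest gap.

    `held` is a set of (role_type, resource) pairs; `bindings` maps the
    table's placeholders (R, RT, U, ...) to concrete names.
    """
    best = None
    for alt in parse(requirement):
        concrete = [(bindings.get(rt, rt), bindings.get(res, res))
                    for rt, res in alt]
        gap = [role for role in concrete if role not in held]
        if not gap:
            return []
        if best is None or len(gap) < len(best):
            best = gap
    return best


# Constructed sample: a delegated administrator scoped to one page.
HELD = {("Security Administrator", "page:hr"), ("Editor", "page:hr"),
        ("Delegator", "group:hr-staff")}
GRANT_EDITOR = {"R": "page:hr", "RT": "Editor", "U": "group:hr-staff"}
GRANT_MANAGER = dict(GRANT_EDITOR, RT="Manager")
```

With these sample assignments the actor can hand out Editor on page:hr but not Manager, because RT@R requires the actor to hold the role type being granted.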

 

Role Mappings and WSRP services

When security is not enabled in the Producer portal, the role mappings must be defined for anonymous users so that they can access the remote portlets. Anonymous users can access and use the portal without authenticating with user IDs and passwords. When security is enabled in the Producer portal, the appropriate role mappings must be defined for the user who represents the Consumer portal.

 

Virtual Resources

To grant access to a virtual resource...

  1. Log in to WebSphere Portal as the Portal Administrator.

  2. Navigate to...

    Administration | Access | Resource Permissions | Virtual Resources | resource_name

    For example...

    Administration | Access | Resource Permissions | Virtual Resources | ICM_CONTENT_REPOSITORY

  3. Add any required Users to the User Role and allow inheritance of the Role permission. To enable all Users, add the "All Authenticated Portal Users" group.

 


 

WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.

 

IBM is a trademark of the IBM Corporation in the United States, other countries, or both.