WebSphere Portal Access rights

Access rights

+
Search Tips | Advanced Search

Overview

The following table lists the minimum role assignment that is necessary to perform a sensitive operation. A role combines a set of permissions (role type) with a specific WebSphere Portal resource. Roles are denoted as RoleType@Resource.
Some roles are required on virtual resources; other roles must be on resource instances.
Users might also have access rights for some operations through ownership of resources.

Resource Sensitive Operation Sensitive Operation Description Required role assignment
Pages Traverse a page View the navigation of a page P User@P or @ some child resource of P
View a page View the content of a page P, including page decoration and potentially the portlets on that page. The portlets on a page are protected separately. User@P
Modify a page Includes...

Change the layout
Add/remove a markup
Add/remove a locale
Add/remove attributes

...to/from a page P
For shared pages: Editor@P
For private pages: Privileged User@P
Customize a shared page Create a private, implicitly derived copy of a shared page P Privileged User@P
Add a root page Create and add a new top level page P For shared pages: Editor@Pages
For private pages: Privileged User@Pages
Pages is a virtual resource
Add a page Create a new page under a given Page P For shared pages: Editor@P
For private pages: Privileged User@P
Create a derived page Create a new page underneath P1 that is explicitly derived from page P2 New page is private: Privileged User@P1 + Privileged User@P2 + Security Administrator@P2
New page is shared: Editor@P1 + Editor@P2 + Security Administrator@P2
Delete a page Delete a page P and all descendant pages, including further subpages and the portlets on those pages Manager@P
Move a page Move page P1 to a new parent page P2 For shared pages: Manager@P1 + Editor@P2
For private pages: Manager@P1 + Privileged User@P2
Lock and unlock the contents of a page Lock or unlock the contents of a shared page P Editor@P
Portlets on pages View a portlet on a page View a portlet PO on page P User@P + User@PO
Configure an installed portlet Entering the configure mode of a portlet PO and modify its configuration Manager@PO
Modify a portlet on a page Entering the edit mode of a portlet PO on page P and modify its configuration
If P is a shared page and the user has no Editor role for this page, then modify the configuration of the portlet results in the creation of an implicitly derived copy of page P.
Editor@P + Editor@PO
Or
Privileged User@P + Privileged User@PO
Modify page content Add/remove a portlet PO to/from a page P
If P is a shared page and the user has no Editor role for this page, then modify the content of P results in the creation of an implicitly derived copy of page P.
For shared pages: Editor@P + User@PO
Or
For private pages: Privileged User@P + User@PO
Restricting the content of a page Add/remove a portlet from the Allowed Portlet List of a page Editor@P + User@PO
Portlets View an installed portlet View the portlet definition information of a portlet PO User@PO
Modify an installed portlet Includes...

Add/remove a locale
Set default locale
Modify settings

...to/from/of the portlet PO
For add/remove locales and setting default locale: Editor@PO
For modify settings: Manager@PO
Duplicating an installed portlet Create a new installed portlet based on an existing portlet PO that is part of a portlet application PA. Editor@Portlet Applications + User@PO+ User@PA
Portlet
Applications is a virtual resource
Delete an installed portlet Delete an installed portlet PO and remove all corresponding portlet entities from all pages within the portal Manager@PO
Enable/disabling an installed portlet Temporarily disabling a portlet PO Manager@PO
Provide portlet
(on the Producer side)
Provide portlet PO as a WSRP service Editor@WSRP_Export and Editor@PO
WSRP_Export is a virtual resource
Withdraw portlet
(on the Producer side)
Withdraw portlet PO from WSRP service Manager@WSRP_Export and Editor@PO
WSRP_Export is a virtual resource
Integrate a portlet
(on the Consumer side)
Integrate the portlet of a WSRP Producer PR into the portal If no portlet application exists for the group of portlets:
Editor@Portlet Applications and User@PR
Portlet
Applications is a virtual resource
If a Portlet Application PA already exists for the group of portlets:
Editor@PA and User@PR
Delete an integrated portlet
(on the Consumer side)
Delete an integrated WSRP portlet PO contained in the portlet application PA from the portal If this is the last portlet in the portlet application: Manager@PA
If more than portlets reside in the portlet application: Manager@PO
Portlet Applications View a portlet application View the portlet application definition information for a portlet application PA User@PA
Modify a portlet application Includes

Add/remove a locale
Set default locale
Modify settings
to/from/of the portlet application PA Editor@PA
Duplicating a portlet application Create a new portlet application based on an existing portlet application PA Editor@Portlet Applications + User@PA Portlet
Applications is a virtual resource
Delete a portlet application Delete a portlet application and remove all corresponding portlets and portlet entities from all pages within the portal Manager@PA
Enable/disabling a portlet application Temporarily disabling the portlet application PA Manager@PA
WSRP Producers
(on the Consumer side)
Add Producer Add a remote WSRP Producer to the Portal Editor@WSRP_Producers
WSRP_Producers is a virtual resource
Edit Producer Edit the settings of a remote Producer PR Editor@PR
View Producer View the settings or display the list of portlets that are provided by a remote WSRP Producer PR User@PR
Delete Producer Delete a remote WSRP Producer from a the portal Manager@PR
Web modules Install a Web module Install a new portlet application WAR file Editor@Web Modules
Web Modules is a virtual resource
Updating a Web module This means updating a Web module WM by installing a corresponding WAR file Editor@Web Modules + Manager@WM

Uninstalling a Web module Uninstalling a Web module and remove all corresponding portlet applications and portlets from all pages within the portal Manager@WM + Manager @ all portlet applications contained in WM
Users Create a user Create a new user in the user registry Editor@Users
Users is a virtual resource
View a user View the user profile information of a user U (User@UG and U is a member of user group UG) or User@Users
Users is a virtual resource
Modify a user Modify the profile information of a user U (Editor@UG and U is a member of user group UG) or Editor@Users
Users is a virtual resource
Delete a user Delete a user from the user registry and delete all private pages created by this user Manager@Users
Users is a virtual resource
User groups Create a user group Create a new user group within the user registry Editor@User groups
User groups is a virtual resource
View a user group View the user group profile information of a user group UG User@UG
Modify a user group Modify the profile information of a user group UG Editor@UG
Add/remove a member Add an existing user U or a user group UG2 to an existing user group UG1 Security Administrator@Users + Editor@UG1
Users is a virtual resource
Delete a user group Delete a user group UG Manager@UG
URL mapping contexts Create a URL mapping context Create a new URL mapping context UMC Editor@URL Mapping Contexts
URL Mapping Contexts is a virtual resource
Traverse a URL mapping context The ability to traverse a URL mapping context due to a role assignment to some child context of UMC User@UMC or @ some child context of UMC
View a URL mapping context View the definition of a URL mapping context UMC User@UMC
Assign URL Create a mapping between a URL mapping context UMC and a portal resource R Editor@UMC + User@R
Modify a URL mapping context Change the properties of an existing URL mapping context UMC Editor@UMC
Delete a URL mapping context Delete a URL mapping context UMC and all of its child contexts Manager@UMC
Portal settings View portal settings View the current settings of the portal User@Portal Settings
Portal Settings is a virtual resource
Modify portal settings Modify the current settings of the portal Editor@Portal Settings
Portal Settings is a virtual resource
XmlAccess Run XML configuration interface commands The ability to execute commands via the XML configuration interface Security Administrator@Portal + Editor@XmlAccess
Portal and XmlAccess are virtual resource
Event handlers Manage event handlers Create, modify, and delete event handlers Security Administrator@Event Handlers
Event Handlers is a virtual resource
Access Control Administration View access control configuration View the access control configuration of a resource R If R is under internal portal protection: Security Administrator@R or Security Administrator@Portal
Portal is a virtual resource

If R is under external protection: Security Administrator@R or Security Administrator@Portal + Security Administrator@External Access Control
Portal and External Access Control are virtual resource
Create a role Create a new role of role type RT on resource R If R is under portal protection: Security Administrator@R + RT@R or Security Administrator@Portal
If R is under external protection: Security Administrator@R + RT@R or Security Administrator@Portal + Security Administrator@External Access Control
Portal and External Access Control are virtual resource
Delete a role Delete a role created from role type RT on resource R. All corresponding role mappings are also deleted. If R is under internal portal protection: Security Administrator@R + RT@R + Delegator role on all assigned principals or Security Administrator@Portal
If R is under external protection: Security Administrator@R + RT@R + Delegator role on all assigned principals or Security Administrator@Portal + Security Administrator@External Access Control
Portal and External Access Control are virtual resource
Create/delete a role assignment Create/delete a role assignment for user or group U created from Role Type RT on resource R If R is under internal portal protection: Security Administrator@R + RT@R + Delegator@U or Security Administrator@Portal
If R is under external protection: Security Administrator@R + RT@R + Delegator@U or Security Administrator@Portal + Security Administrator@External Access Control
Portal and External Access Control are virtual resource
Create/delete a role block Create/delete a role block for all roles created from role type RT on resource RT If R is under internal portal protection: Security Administrator@R + RT@R or Security Administrator@Portal
If Ris under external protection: Security Administrator@R + RT@R or Security Administrator@Portal+ Security Administrator@External Access Control
Portal and External Access Control are virtual resource
Externalize/internalize resources Move a resource R back and forth from internal to external control. All public child resources of R move with it. Private resources cannot be externalized. Security Administrator@R + Security Administrator@External Access Control or Security Administrator@Portal + Security Administrator@External Access Control
Portal and External Access Control are virtual resource
Modify the owner of a resource Set user or group U1 as new owner of the shared resource R, where the old owner was U2 Delegator@U1, Delegator@U2, Manager@>R, and Security_Administrator@R
Property Broker Operate with Portlet ActionSets/PropertySets Operate with ActionSets/PropertySets for a portlet PO User@PO
Create/Updating/Delete a wire Create/Updating/Delete a wire from a portlet PO1 on Page P1 to a portlet PO2 on Page P2 Global wire: Editor@P1, User@PO1, Editor@P2, User@PO2
Personal wire: Privileged User@P1, User@PO1, Privileged User@P2, User@PO2
In order to update or delete a personal wire, the user must have the above role assignments and created the wire they are updating or delete.
Executing a wire Executing a wire from a portlet PO1 on Page P1 to a portlet PO2 on Page P2 Global wire: User@P1, User@PO1, User@P2, User@PO2
Personal wire: Privileged User@P1, User@PO1, Privileged User@P2, User@PO2
In order to execute a personal wire, the user must have the above role assignments and created the wire they are executing.
View a wire View a wire from a portlet PO1 on Page P1 to a portlet PO2 on Page P2 Global wire: User@P1, User@PO1, User@P2, User@PO2
Personal wire: Privileged User@P1, User@PO1, Privileged User@P2, User@PO2
In order to view a personal wire, the user must have the above role assignments and created the wire they are viewing.
Markups Manage Markups Create, delete, or modify a Markup Editor@Markups
Markups is a virtual resource
Manage Search Collections Create a new search index Create a new search index Editor@PSE_SOURCES
Manage Search Collections is a virtual resource
Web Clipping Create new clippings Create new clippings Editor@PORTLET_APPLICATION
Web Clipping is a virtual resource
Portal Document Manager (PDM) View, create and edit documents and folders View, create and edit documents and folders Editor@ICM_CONTENT
or
Editor@ICM_CONTENT_REPOSITORY
PDM is a virtual resource
Themes and Skins portlet Manage themes and skins View the portlet; delete, modify, and add themes and skins in the Themes and Skins portlet User@Themes and Skins portlet
Manage Clients portlet Manage clients View the portlet; delete, modify, and add clients in the Manage Clients portlet User@Manage Clients portlet
Unique Names portlet Manage unique names View the portlet; delete, modify, and add unique names in the Unique Names portlet User@Unique Names portlet
PSE Source Create a PSE Source Create a search collection Editor@PSE_SOURCE
PSE_SOURCE is a virtual resource
View a PSE Source View a search collection I User@I
Facilitate a PSE Source Using a search collection I User@I
Edit a PSE Source Edit a search collection I Editor@I
Delete a PSE Source Delete a search collection I Manager@I

Role Mappings and WSRP services

When security is not enabled in the Producer portal, anonymous users need the role mappings to access the remote portlets accordingly. Anonymous users can access and use the portal without authenticating with user IDs and passwords. When security is enabled in the Producer portal, the appropriate role mappings must be defined for the user who represents the Consumer portal.

Virtual Resources
To grant access to a virtual resource...

Login to WebSphere Portal as the Portal Administrator.
Navigate to...
Administration | Access | Resource Permissions | Virtual Resources | resource_name

For example...
Administration | Access | Resource Permissions | Virtual Resources | ICM_CONTENT_REPOSITORY

Add any required Users to the User Role and allow inheritance of the Role permission. To enable all Users, add the "All Authenticated Portal Users" group.

See also

Roles
Resources
Access control scenarios
User Group Permissions portlet
Resource Permissions portlet

WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.

IBM is a trademark of the IBM Corporation in the United States, other countries, or both.

Resource	Sensitive Operation	Sensitive Operation Description	Required role assignment
Pages	Traverse a page	View the navigation of a page P	User@P or @ some child resource of P
	View a page	View the content of a page P, including page decoration and potentially the portlets on that page. The portlets on a page are protected separately.	User@P
	Modify a page	Includes... Change the layout Add/remove a markup Add/remove a locale Add/remove attributes ...to/from a page P	For shared pages: Editor@P For private pages: Privileged User@P
	Customize a shared page	Create a private, implicitly derived copy of a shared page P	Privileged User@P
	Add a root page	Create and add a new top level page P	For shared pages: Editor@Pages For private pages: Privileged User@Pages Pages is a virtual resource
	Add a page	Create a new page under a given Page P	For shared pages: Editor@P For private pages: Privileged User@P
	Create a derived page	Create a new page underneath P1 that is explicitly derived from page P2	New page is private: Privileged User@P1 + Privileged User@P2 + Security Administrator@P2 New page is shared: Editor@P1 + Editor@P2 + Security Administrator@P2
	Delete a page	Delete a page P and all descendant pages, including further subpages and the portlets on those pages	Manager@P
	Move a page	Move page P1 to a new parent page P2	For shared pages: Manager@P1 + Editor@P2 For private pages: Manager@P1 + Privileged User@P2
	Lock and unlock the contents of a page	Lock or unlock the contents of a shared page P	Editor@P
Portlets on pages	View a portlet on a page	View a portlet PO on page P	User@P + User@PO
	Configure an installed portlet	Entering the configure mode of a portlet PO and modify its configuration	Manager@PO
	Modify a portlet on a page	Entering the edit mode of a portlet PO on page P and modify its configuration If P is a shared page and the user has no Editor role for this page, then modify the configuration of the portlet results in the creation of an implicitly derived copy of page P.	Editor@P + Editor@PO Or Privileged User@P + Privileged User@PO
	Modify page content	Add/remove a portlet PO to/from a page P If P is a shared page and the user has no Editor role for this page, then modify the content of P results in the creation of an implicitly derived copy of page P.	For shared pages: Editor@P + User@PO Or For private pages: Privileged User@P + User@PO
	Restricting the content of a page	Add/remove a portlet from the Allowed Portlet List of a page	Editor@P + User@PO
Portlets	View an installed portlet	View the portlet definition information of a portlet PO	User@PO
	Modify an installed portlet	Includes... Add/remove a locale Set default locale Modify settings ...to/from/of the portlet PO	For add/remove locales and setting default locale: Editor@PO For modify settings: Manager@PO
	Duplicating an installed portlet	Create a new installed portlet based on an existing portlet PO that is part of a portlet application PA.	Editor@Portlet Applications + User@PO+ User@PA Portlet Applications is a virtual resource
	Delete an installed portlet	Delete an installed portlet PO and remove all corresponding portlet entities from all pages within the portal	Manager@PO
	Enable/disabling an installed portlet	Temporarily disabling a portlet PO	Manager@PO
	Provide portlet (on the Producer side)	Provide portlet PO as a WSRP service	Editor@WSRP_Export and Editor@PO WSRP_Export is a virtual resource
	Withdraw portlet (on the Producer side)	Withdraw portlet PO from WSRP service	Manager@WSRP_Export and Editor@PO WSRP_Export is a virtual resource
	Integrate a portlet (on the Consumer side)	Integrate the portlet of a WSRP Producer PR into the portal	If no portlet application exists for the group of portlets: Editor@Portlet Applications and User@PR Portlet Applications is a virtual resource If a Portlet Application PA already exists for the group of portlets: Editor@PA and User@PR
	Delete an integrated portlet (on the Consumer side)	Delete an integrated WSRP portlet PO contained in the portlet application PA from the portal	If this is the last portlet in the portlet application: Manager@PA If more than portlets reside in the portlet application: Manager@PO
Portlet Applications	View a portlet application	View the portlet application definition information for a portlet application PA	User@PA
	Modify a portlet application	Includes Add/remove a locale Set default locale Modify settings to/from/of the portlet application PA	Editor@PA
	Duplicating a portlet application	Create a new portlet application based on an existing portlet application PA	Editor@Portlet Applications + User@PA Portlet Applications is a virtual resource
	Delete a portlet application	Delete a portlet application and remove all corresponding portlets and portlet entities from all pages within the portal	Manager@PA
	Enable/disabling a portlet application	Temporarily disabling the portlet application PA	Manager@PA
WSRP Producers (on the Consumer side)	Add Producer	Add a remote WSRP Producer to the Portal	Editor@WSRP_Producers WSRP_Producers is a virtual resource
	Edit Producer	Edit the settings of a remote Producer PR	Editor@PR
	View Producer	View the settings or display the list of portlets that are provided by a remote WSRP Producer PR	User@PR
	Delete Producer	Delete a remote WSRP Producer from a the portal	Manager@PR
Web modules	Install a Web module	Install a new portlet application WAR file	Editor@Web Modules Web Modules is a virtual resource
	Updating a Web module	This means updating a Web module WM by installing a corresponding WAR file	Editor@Web Modules + Manager@WM

	Uninstalling a Web module	Uninstalling a Web module and remove all corresponding portlet applications and portlets from all pages within the portal	Manager@WM + Manager @ all portlet applications contained in WM
Users	Create a user	Create a new user in the user registry	Editor@Users Users is a virtual resource
	View a user	View the user profile information of a user U	(User@UG and U is a member of user group UG) or User@Users Users is a virtual resource
	Modify a user	Modify the profile information of a user U	(Editor@UG and U is a member of user group UG) or Editor@Users Users is a virtual resource
	Delete a user	Delete a user from the user registry and delete all private pages created by this user	Manager@Users Users is a virtual resource
User groups	Create a user group	Create a new user group within the user registry	Editor@User groups User groups is a virtual resource
	View a user group	View the user group profile information of a user group UG	User@UG
	Modify a user group	Modify the profile information of a user group UG	Editor@UG
	Add/remove a member	Add an existing user U or a user group UG2 to an existing user group UG1	Security Administrator@Users + Editor@UG1 Users is a virtual resource
	Delete a user group	Delete a user group UG	Manager@UG
URL mapping contexts	Create a URL mapping context	Create a new URL mapping context UMC	Editor@URL Mapping Contexts URL Mapping Contexts is a virtual resource
	Traverse a URL mapping context	The ability to traverse a URL mapping context due to a role assignment to some child context of UMC	User@UMC or @ some child context of UMC
	View a URL mapping context	View the definition of a URL mapping context UMC	User@UMC
	Assign URL	Create a mapping between a URL mapping context UMC and a portal resource R	Editor@UMC + User@R
	Modify a URL mapping context	Change the properties of an existing URL mapping context UMC	Editor@UMC
	Delete a URL mapping context	Delete a URL mapping context UMC and all of its child contexts	Manager@UMC
Portal settings	View portal settings	View the current settings of the portal	User@Portal Settings Portal Settings is a virtual resource
Portal settings	Modify portal settings	Modify the current settings of the portal	Editor@Portal Settings Portal Settings is a virtual resource
XmlAccess	Run XML configuration interface commands	The ability to execute commands via the XML configuration interface	Security Administrator@Portal + Editor@XmlAccess Portal and XmlAccess are virtual resource
Event handlers	Manage event handlers	Create, modify, and delete event handlers	Security Administrator@Event Handlers Event Handlers is a virtual resource
Access Control Administration	View access control configuration	View the access control configuration of a resource R	If R is under internal portal protection: Security Administrator@R or Security Administrator@Portal Portal is a virtual resource If R is under external protection: Security Administrator@R or Security Administrator@Portal + Security Administrator@External Access Control Portal and External Access Control are virtual resource
	Create a role	Create a new role of role type RT on resource R	If R is under portal protection: Security Administrator@R + RT@R or Security Administrator@Portal If R is under external protection: Security Administrator@R + RT@R or Security Administrator@Portal + Security Administrator@External Access Control Portal and External Access Control are virtual resource
	Delete a role	Delete a role created from role type RT on resource R. All corresponding role mappings are also deleted.	If R is under internal portal protection: Security Administrator@R + RT@R + Delegator role on all assigned principals or Security Administrator@Portal If R is under external protection: Security Administrator@R + RT@R + Delegator role on all assigned principals or Security Administrator@Portal + Security Administrator@External Access Control Portal and External Access Control are virtual resource
	Create/delete a role assignment	Create/delete a role assignment for user or group U created from Role Type RT on resource R	If R is under internal portal protection: Security Administrator@R + RT@R + Delegator@U or Security Administrator@Portal If R is under external protection: Security Administrator@R + RT@R + Delegator@U or Security Administrator@Portal + Security Administrator@External Access Control Portal and External Access Control are virtual resource
	Create/delete a role block	Create/delete a role block for all roles created from role type RT on resource RT	If R is under internal portal protection: Security Administrator@R + RT@R or Security Administrator@Portal If Ris under external protection: Security Administrator@R + RT@R or Security Administrator@Portal+ Security Administrator@External Access Control Portal and External Access Control are virtual resource
	Externalize/internalize resources	Move a resource R back and forth from internal to external control. All public child resources of R move with it. Private resources cannot be externalized.	Security Administrator@R + Security Administrator@External Access Control or Security Administrator@Portal + Security Administrator@External Access Control Portal and External Access Control are virtual resource
	Modify the owner of a resource	Set user or group U1 as new owner of the shared resource R, where the old owner was U2	Delegator@U1, Delegator@U2, Manager@>R, and Security_Administrator@R
Property Broker	Operate with Portlet ActionSets/PropertySets	Operate with ActionSets/PropertySets for a portlet PO	User@PO
	Create/Updating/Delete a wire	Create/Updating/Delete a wire from a portlet PO1 on Page P1 to a portlet PO2 on Page P2	Global wire: Editor@P1, User@PO1, Editor@P2, User@PO2 Personal wire: Privileged User@P1, User@PO1, Privileged User@P2, User@PO2 In order to update or delete a personal wire, the user must have the above role assignments and created the wire they are updating or delete.
	Executing a wire	Executing a wire from a portlet PO1 on Page P1 to a portlet PO2 on Page P2	Global wire: User@P1, User@PO1, User@P2, User@PO2 Personal wire: Privileged User@P1, User@PO1, Privileged User@P2, User@PO2 In order to execute a personal wire, the user must have the above role assignments and created the wire they are executing.
	View a wire	View a wire from a portlet PO1 on Page P1 to a portlet PO2 on Page P2	Global wire: User@P1, User@PO1, User@P2, User@PO2 Personal wire: Privileged User@P1, User@PO1, Privileged User@P2, User@PO2 In order to view a personal wire, the user must have the above role assignments and created the wire they are viewing.
Markups	Manage Markups	Create, delete, or modify a Markup	Editor@Markups Markups is a virtual resource
Manage Search Collections	Create a new search index	Create a new search index	Editor@PSE_SOURCES Manage Search Collections is a virtual resource
Web Clipping	Create new clippings	Create new clippings	Editor@PORTLET_APPLICATION Web Clipping is a virtual resource
Portal Document Manager (PDM)	View, create and edit documents and folders	View, create and edit documents and folders	Editor@ICM_CONTENT or Editor@ICM_CONTENT_REPOSITORY PDM is a virtual resource
Themes and Skins portlet	Manage themes and skins	View the portlet; delete, modify, and add themes and skins in the Themes and Skins portlet	User@Themes and Skins portlet
Manage Clients portlet	Manage clients	View the portlet; delete, modify, and add clients in the Manage Clients portlet	User@Manage Clients portlet
Unique Names portlet	Manage unique names	View the portlet; delete, modify, and add unique names in the Unique Names portlet	User@Unique Names portlet
PSE Source	Create a PSE Source	Create a search collection	Editor@PSE_SOURCE PSE_SOURCE is a virtual resource
	View a PSE Source	View a search collection I	User@I
	Facilitate a PSE Source	Using a search collection I	User@I
	Edit a PSE Source	Edit a search collection I	Editor@I
	Delete a PSE Source	Delete a search collection I	Manager@I