Access rights
Overview
The following table lists the minimum role assignment that is necessary to perform a sensitive operation. A role combines a set of permissions (role type) with a specific WebSphere Portal resource. Roles are denoted as RoleType@Resource.
Some roles are required on virtual resources; other roles must be on resource instances.
Users might also have access rights for some operations through ownership of resources.
| Resource | Sensitive operation | Description | Required role assignment |
|---|---|---|---|
| Pages | Traverse a page | View the navigation of a page P | User@P or User@ some child resource of P |
| Pages | View a page | View the content of a page P, including page decoration and potentially the portlets on that page. The portlets on a page are protected separately. | User@P |
| Pages | Modify a page | Change the layout; add/remove a markup; add/remove a locale; add/remove attributes to/from a page P | Shared pages: Editor@P. Private pages: Privileged User@P |
| Pages | Customize a shared page | Create a private, implicitly derived copy of a shared page P | Privileged User@P |
| Pages | Add a root page | Create and add a new top-level page P | Shared pages: Editor@Pages. Private pages: Privileged User@Pages. Pages is a virtual resource. |
| Pages | Add a page | Create a new page under a given page P | Shared pages: Editor@P. Private pages: Privileged User@P |
| Pages | Create a derived page | Create a new page underneath P1 that is explicitly derived from page P2 | New page is private: Privileged User@P1 + Privileged User@P2 + Security Administrator@P2. New page is shared: Editor@P1 + Editor@P2 + Security Administrator@P2 |
| Pages | Delete a page | Delete a page P and all descendant pages, including further subpages and the portlets on those pages | Manager@P |
| Pages | Move a page | Move page P1 to a new parent page P2 | Shared pages: Manager@P1 + Editor@P2. Private pages: Manager@P1 + Privileged User@P2 |
| Pages | Lock and unlock the contents of a page | Lock or unlock the contents of a shared page P | Editor@P |
| Portlets on pages | View a portlet on a page | View a portlet PO on page P | User@P + User@PO |
| Portlets on pages | Configure an installed portlet | Enter the configure mode of a portlet PO and modify its configuration | Manager@PO |
| Portlets on pages | Modify a portlet on a page | Enter the edit mode of a portlet PO on page P and modify its configuration. If P is a shared page and the user has no Editor role for this page, modifying the configuration of the portlet results in the creation of an implicitly derived copy of page P. | Editor@P + Editor@PO, or Privileged User@P + Privileged User@PO |
| Portlets on pages | Modify page content | Add/remove a portlet PO to/from a page P. If P is a shared page and the user has no Editor role for this page, modifying the content of P results in the creation of an implicitly derived copy of page P. | Shared pages: Editor@P + User@PO. Private pages: Privileged User@P + User@PO |
| Portlets on pages | Restrict the content of a page | Add/remove a portlet from the Allowed Portlet List of a page | Editor@P + User@PO |
| Portlets | View an installed portlet | View the portlet definition information of a portlet PO | User@PO |
| Portlets | Modify an installed portlet | Includes ... to/from/of the portlet PO | Add/remove locales and set the default locale: Editor@PO. Modify settings: Manager@PO |
| Portlets | Duplicate an installed portlet | Create a new installed portlet based on an existing portlet PO that is part of a portlet application PA | Editor@Portlet Applications + User@PO + User@PA. Portlet Applications is a virtual resource. |
| Portlets | Delete an installed portlet | Delete an installed portlet PO and remove all corresponding portlet entities from all pages within the portal | Manager@PO |
| Portlets | Enable/disable an installed portlet | Temporarily disable a portlet PO | Manager@PO |
| Portlets | Provide portlet (on the Producer side) | Provide portlet PO as a WSRP service | Editor@WSRP_Export and Editor@PO. WSRP_Export is a virtual resource. |
| Portlets | Withdraw portlet (on the Producer side) | Withdraw portlet PO from WSRP service | Manager@WSRP_Export and Editor@PO. WSRP_Export is a virtual resource. |
| Portlets | Integrate a portlet (on the Consumer side) | Integrate the portlet of a WSRP Producer PR into the portal | If no portlet application exists for the group of portlets: Editor@Portlet Applications and User@PR (Portlet Applications is a virtual resource). If a portlet application PA already exists for the group of portlets: Editor@PA and User@PR |
| Portlets | Delete an integrated portlet (on the Consumer side) | Delete an integrated WSRP portlet PO contained in the portlet application PA from the portal | If this is the last portlet in the portlet application: Manager@PA. If other portlets remain in the portlet application: Manager@PO |
| Portlet Applications | View a portlet application | View the portlet application definition information for a portlet application PA | User@PA |
| Portlet Applications | Modify a portlet application | Includes ... to/from/of the portlet application PA | Editor@PA |
| Portlet Applications | Duplicate a portlet application | Create a new portlet application based on an existing portlet application PA | Editor@Portlet Applications + User@PA. Portlet Applications is a virtual resource. |
| Portlet Applications | Delete a portlet application | Delete a portlet application and remove all corresponding portlets and portlet entities from all pages within the portal | Manager@PA |
| Portlet Applications | Enable/disable a portlet application | Temporarily disable the portlet application PA | Manager@PA |
| WSRP Producers (on the Consumer side) | Add Producer | Add a remote WSRP Producer to the portal | Editor@WSRP_Producers. WSRP_Producers is a virtual resource. |
| WSRP Producers (on the Consumer side) | Edit Producer | Edit the settings of a remote Producer PR | Editor@PR |
| WSRP Producers (on the Consumer side) | View Producer | View the settings of, or display the list of portlets provided by, a remote WSRP Producer PR | User@PR |
| WSRP Producers (on the Consumer side) | Delete Producer | Delete a remote WSRP Producer from the portal | Manager@PR |
| Web modules | Install a Web module | Install a new portlet application WAR file | Editor@Web Modules |
| Web modules | Update a Web module | Update a Web module WM by installing a corresponding WAR file | Editor@Web Modules + Manager@WM |
| Web modules | Uninstall a Web module | Uninstall a Web module WM and remove all corresponding portlet applications and portlets from all pages within the portal | Manager@WM + Manager@ all portlet applications contained in WM |
| Users | Create a user | Create a new user in the user registry | Editor@Users. Users is a virtual resource. |
| Users | View a user | View the user profile information of a user U | (User@UG and U is a member of user group UG) or User@Users. Users is a virtual resource. |
| Users | Modify a user | Modify the profile information of a user U | (Editor@UG and U is a member of user group UG) or Editor@Users. Users is a virtual resource. |
| Users | Delete a user | Delete a user from the user registry and delete all private pages created by this user | Manager@Users. Users is a virtual resource. |
| User groups | Create a user group | Create a new user group within the user registry | Editor@User groups. User groups is a virtual resource. |
| User groups | View a user group | View the user group profile information of a user group UG | User@UG |
| User groups | Modify a user group | Modify the profile information of a user group UG | Editor@UG |
| User groups | Add/remove a member | Add an existing user U or a user group UG2 to an existing user group UG1 | Security Administrator@Users + Editor@UG1. Users is a virtual resource. |
| User groups | Delete a user group | Delete a user group UG | Manager@UG |
| URL mapping contexts | Create a URL mapping context | Create a new URL mapping context UMC | Editor@URL Mapping Contexts. URL Mapping Contexts is a virtual resource. |
| URL mapping contexts | Traverse a URL mapping context | The ability to traverse a URL mapping context because of a role assignment on some child context of UMC | User@UMC or User@ some child context of UMC |
| URL mapping contexts | View a URL mapping context | View the definition of a URL mapping context UMC | User@UMC |
| URL mapping contexts | Assign URL | Create a mapping between a URL mapping context UMC and a portal resource R | Editor@UMC + User@R |
| URL mapping contexts | Modify a URL mapping context | Change the properties of an existing URL mapping context UMC | Editor@UMC |
| URL mapping contexts | Delete a URL mapping context | Delete a URL mapping context UMC and all of its child contexts | Manager@UMC |
| Portal settings | View portal settings | View the current settings of the portal | User@Portal Settings |
| Portal settings | Modify portal settings | Modify the current settings of the portal | Editor@Portal Settings |
| XmlAccess | Run XML configuration interface commands | The ability to execute commands via the XML configuration interface | Security Administrator@Portal + Editor@XmlAccess. Portal and XmlAccess are virtual resources. |
| Event handlers | Manage event handlers | Create, modify, and delete event handlers | Security Administrator@Event Handlers |
| Access Control Administration | View access control configuration | View the access control configuration of a resource R | If R is under internal portal protection: Security Administrator@R, or Security Administrator@Portal. If R is under external protection: Security Administrator@R, or Security Administrator@Portal + Security Administrator@External Access Control. Portal and External Access Control are virtual resources. |
| Access Control Administration | Create a role | Create a new role of role type RT on resource R | If R is under internal portal protection: Security Administrator@R + RT@R, or Security Administrator@Portal. If R is under external protection: Security Administrator@R + RT@R, or Security Administrator@Portal + Security Administrator@External Access Control. Portal and External Access Control are virtual resources. |
| Access Control Administration | Delete a role | Delete a role created from role type RT on resource R. All corresponding role mappings are also deleted. | If R is under internal portal protection: Security Administrator@R + RT@R + Delegator role on all assigned principals, or Security Administrator@Portal. If R is under external protection: Security Administrator@R + RT@R + Delegator role on all assigned principals, or Security Administrator@Portal + Security Administrator@External Access Control. Portal and External Access Control are virtual resources. |
| Access Control Administration | Create/delete a role assignment | Create/delete a role assignment for user or group U created from role type RT on resource R | If R is under internal portal protection: Security Administrator@R + RT@R + Delegator@U, or Security Administrator@Portal. If R is under external protection: Security Administrator@R + RT@R + Delegator@U, or Security Administrator@Portal + Security Administrator@External Access Control. Portal and External Access Control are virtual resources. |
| Access Control Administration | Create/delete a role block | Create/delete a role block for all roles created from role type RT on resource R | If R is under internal portal protection: Security Administrator@R + RT@R, or Security Administrator@Portal. If R is under external protection: Security Administrator@R + RT@R, or Security Administrator@Portal + Security Administrator@External Access Control. Portal and External Access Control are virtual resources. |
| Access Control Administration | Externalize/internalize resources | Move a resource R back and forth between internal and external control. All public child resources of R move with it. Private resources cannot be externalized. | Security Administrator@R + Security Administrator@External Access Control, or Security Administrator@Portal + Security Administrator@External Access Control. Portal and External Access Control are virtual resources. |
| Access Control Administration | Modify the owner of a resource | Set user or group U1 as the new owner of the shared resource R, where the old owner was U2 | Delegator@U1, Delegator@U2, Manager@R, and Security Administrator@R |
| Property Broker | Operate with portlet ActionSets/PropertySets | Operate with ActionSets/PropertySets for a portlet PO | User@PO |
| Property Broker | Create/update/delete a wire | Create/update/delete a wire from a portlet PO1 on page P1 to a portlet PO2 on page P2 | Global wire: Editor@P1, User@PO1, Editor@P2, User@PO2. Personal wire: Privileged User@P1, User@PO1, Privileged User@P2, User@PO2. To update or delete a personal wire, the user must hold these role assignments and must have created the wire being updated or deleted. |
| Property Broker | Execute a wire | Execute a wire from a portlet PO1 on page P1 to a portlet PO2 on page P2 | Global wire: User@P1, User@PO1, User@P2, User@PO2. Personal wire: Privileged User@P1, User@PO1, Privileged User@P2, User@PO2. To execute a personal wire, the user must hold these role assignments and must have created the wire being executed. |
| Property Broker | View a wire | View a wire from a portlet PO1 on page P1 to a portlet PO2 on page P2 | Global wire: User@P1, User@PO1, User@P2, User@PO2. Personal wire: Privileged User@P1, User@PO1, Privileged User@P2, User@PO2. To view a personal wire, the user must hold these role assignments and must have created the wire being viewed. |
| Markups | Manage Markups | Create, delete, or modify a Markup | Editor@Markups. Markups is a virtual resource. |
| Manage Search Collections | Create a new search index | Create a new search index | Editor@PSE_SOURCES |
| Web Clipping | Create new clippings | Create new clippings | Editor@PORTLET_APPLICATION |
| Portal Document Manager (PDM) | View, create and edit documents and folders | View, create and edit documents and folders | Editor@ICM_CONTENT or Editor@ICM_CONTENT_REPOSITORY. PDM is a virtual resource. |
| Themes and Skins portlet | Manage themes and skins | View the portlet; delete, modify, and add themes and skins in the Themes and Skins portlet | User@Themes and Skins portlet |
| Manage Clients portlet | Manage clients | View the portlet; delete, modify, and add clients in the Manage Clients portlet | User@Manage Clients portlet |
| Unique Names portlet | Manage unique names | View the portlet; delete, modify, and add unique names in the Unique Names portlet | User@Unique Names portlet |
| PSE Source | Create a PSE Source | Create a search collection | Editor@PSE_SOURCE |
| PSE Source | View a PSE Source | View a search collection I | User@I |
| PSE Source | Facilitate a PSE Source | Use a search collection I | User@I |
| PSE Source | Edit a PSE Source | Edit a search collection I | Editor@I |
| PSE Source | Delete a PSE Source | Delete a search collection I | Manager@I |
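The RoleType@Resource model behind the Pages rows of the table, as an added example written for this page (it is not WebSphere Portal code): a small Python model of a page tree with explicit role assignments, inheritance of a role down the tree, role blocks that cut that inheritance, and the minimum assignments for traverse, view, modify, delete and move. The implied-role ordering (Manager over Editor over Privileged User over User), the role-block semantics, and the sample tree, principals and grants are assumptions made here, not statements from the page.

```python
# Assumption (not stated on the page): each role type implies the ones in its set.
IMPLIES = {"Manager": {"Editor", "Privileged User", "User"},
           "Editor": {"Privileged User", "User"}, "Privileged User": {"User"},
           "User": set(), "Security Administrator": set(), "Delegator": set()}

class Portal:
    def __init__(self, parent):
        self.parent = parent  # resource -> parent; None for roots and virtual resources
        self.grants = set()   # explicit assignments (principal, role_type, resource)
        self.blocks = set()   # (resource, role_type): role_type is not inherited there

    def children(self, resource):
        return [c for c, p in self.parent.items() if p == resource]

    def has(self, who, role, resource):
        # direct grant, implied role type, or inherited from an ancestor until a role block
        r = resource
        while r is not None:
            if any(w == who and res == r and (rt == role or role in IMPLIES[rt])
                   for w, rt, res in self.grants):
                return True
            if (r, role) in self.blocks:
                return False
            r = self.parent[r]
        return False

    def can(self, who, op, page, shared=True, target=None):
        # Minimum assignments taken from the Pages rows of the table above.
        edit = "Editor" if shared else "Privileged User"  # shared vs private page rule
        if op == "traverse":   # User@P or User@ some child resource of P
            return self.has(who, "User", page) or any(
                self.can(who, "traverse", c) for c in self.children(page))
        if op == "view":       # User@P
            return self.has(who, "User", page)
        if op == "modify":     # Editor@P for shared pages, Privileged User@P for private
            return self.has(who, edit, page)
        if op == "delete":     # Manager@P (covers the page and all of its descendants)
            return self.has(who, "Manager", page)
        if op == "move":       # Manager@P1 + Editor@P2 (Privileged User@P2 if private)
            return self.has(who, "Manager", page) and self.has(who, edit, target)
        raise ValueError(op)

def sample_portal():
    # Constructed sample tree: Pages (virtual resource) > Home > Finance > Reports
    p = Portal({"Pages": None, "Home": "Pages", "Finance": "Home", "Reports": "Finance"})
    p.grants.add(("alice", "User", "Reports"))   # lets alice traverse Home and Finance
    p.grants.add(("bob", "Editor", "Home"))      # inherited by the subtree under Home
    p.grants.add(("carol", "Manager", "Finance"))
    p.blocks.add(("Finance", "Editor"))          # role block: Editor stops at Finance
    return p
```

With the sample data, alice can traverse Home without being able to view it, and the Editor block on Finance keeps bob from modifying Finance or Reports while his inherited User right still lets him view them.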
Role Mappings and WSRP services
When security is not enabled in the Producer portal, anonymous users need the role mappings to access the remote portlets accordingly. Anonymous users can access and use the portal without authenticating with user IDs and passwords. When security is enabled in the Producer portal, the appropriate role mappings must be defined for the user who represents the Consumer portal.
Virtual Resources
To grant access to a virtual resource:
- Log in to WebSphere Portal as the Portal Administrator.
- Navigate to Administration | Access | Resource Permissions | Virtual Resources | resource_name. For example: Administration | Access | Resource Permissions | Virtual Resources | ICM_CONTENT_REPOSITORY
- Add any required users to the User role and allow inheritance of the role permission. To enable all users, add the "All Authenticated Portal Users" group.
See also
- Roles
- Resources
- Access control scenarios
- User Group Permissions portlet
- Resource Permissions portlet