Access rights

 


Overview

Access rights map operations on a resource within the portal to the roles required to perform those operations. Operations range from viewing a portlet on a specific page to running XMLAccess scripts.

A role combines a set of permissions with a specific WebSphere Portal resource. This set of permissions is called a role type. Roles are denoted as...

RoleType@Resource

...and define minimum assignments necessary to perform an operation.

Some role types imply other role types. For example the operation...

Install Web Module

...requires a role type of...

Editor@Web Modules

Because the role of type Manager implies the Editor role type, assigning a Manager role at the Web Modules virtual resource also allows for installing Web modules.
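As an added example that is not part of the IBM documentation, the following Python models the RoleType@Resource notation, role-type implication, and the "A + B ...or... C" form in which the table on this page states requirements. Only the implications stated on this page are encoded (Manager implies Editor; a Security Administrator on a resource is implicitly a Delegator on it); the IMPLIES table, the function names and the requirement-string syntax are this example's own assumptions, not the product's API.

```python
"""Added example (not IBM's code): a small model of WebSphere Portal's
RoleType@Resource notation and role-type implication."""
from __future__ import annotations

# Implication edges: a holder of the key role type also holds the listed role types.
# Both edges below are stated on this page; nothing else is assumed. Extend the
# table from the Roles topic for a fuller model.
IMPLIES: dict[str, set[str]] = {
    "Manager": {"Editor"},
    "Security Administrator": {"Delegator"},
}


def parse_role(token: str) -> tuple[str, str]:
    """Split 'RoleType@Resource' into (role_type, resource); whitespace around '@' is tolerated."""
    if token.count("@") != 1:
        raise ValueError(f"expected exactly one '@' in role token: {token!r}")
    role_type, resource = (part.strip() for part in token.split("@"))
    if not role_type or not resource:
        raise ValueError(f"role type and resource must both be non-empty: {token!r}")
    return role_type, resource


def expand_role_type(role_type: str) -> set[str]:
    """All role types held by someone holding role_type (transitive closure of IMPLIES)."""
    held = {role_type}
    stack = [role_type]
    while stack:
        for implied in IMPLIES.get(stack.pop(), ()):
            if implied not in held:
                held.add(implied)
                stack.append(implied)
    return held


def effective_roles(assignments: set[str]) -> set[str]:
    """Expand a set of 'RoleType@Resource' assignments through implication."""
    out: set[str] = set()
    for token in assignments:
        role_type, resource = parse_role(token)
        out.update(f"{rt}@{resource}" for rt in expand_role_type(role_type))
    return out


def is_permitted(assignments: set[str], requirement: str) -> bool:
    """Evaluate a requirement written the way the table writes it (assumed syntax):
    alternatives separated by ' or ', each alternative a '+'-joined list of roles
    that must all be held, e.g.
    'Security Administrator@Resource + Editor@Resource or Security Administrator@PORTAL'."""
    held = effective_roles(assignments)
    for alternative in requirement.split(" or "):
        needed = [parse_role(t) for t in alternative.split("+")]
        if all(f"{rt}@{res}" in held for rt, res in needed):
            return True
    return False


if __name__ == "__main__":
    # The page's own example: Manager@Web Modules suffices to install Web modules.
    print(is_permitted({"Manager@Web Modules"}, "Editor@Web Modules"))
```

The useful audit habit this encodes: evaluate requirements against the *expanded* role set, never against the literal assignment list, otherwise a Manager assignment that silently satisfies an Editor requirement is missed when reviewing who can perform an operation.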

Role assignments that manage application templates and composite applications for business users are defined in Access to applications and components.

The name of an application role does not indicate its application role type. To determine which application role type is associated with a specific application role, open the Roles portlet and check that application role's additional management permissions.

When access rights are granted on any listed resource, access to the resource Access Control Administration is also inherently required.

Changing the owner of a resource can be done by using the WebSphere Portal Access Control Administration.

The resources listed could be different depending on other products that might be installed with WebSphere Portal. Some roles are required on virtual resources; other roles must be on resource instances.

Users might also have access rights for some operations through ownership of resources.

private

only accessible by the owner of the resource

non-private

accessible by those people having been granted access to the resource

public

accessible without authentication

Each entry below gives the resource, the operation, and the required role assignment.

Access Control Administration

View the access control configuration of a resource

If Resource is under internal PORTAL protection:

Security Administrator@Resource

...or...

Security Administrator@PORTAL

If Resource is under external protection:

Security Administrator@Resource

...or...

Security Administrator@PORTAL
+ Security Administrator@EXTERNAL_ACCESS_CONTROL

Create a new role of roletype on resource Resource

If Resource is under PORTAL protection:

Security Administrator@Resource
+ roletype@Resource

...or...

Security Administrator@PORTAL

If Resource is under external protection:

Security Administrator@Resource
+ roletype@Resource

...or...

Security Administrator@PORTAL
+ Security Administrator@EXTERNAL_ACCESS_CONTROL

Delete a role created from roletype on resource.

All corresponding role mappings are also deleted.

If Resource is under internal PORTAL protection:

Security Administrator@Resource
+ roletype@Resource
+ Delegator role on all assigned principals

...or...

Security Administrator@PORTAL

If Resource is under external protection:

Security Administrator@Resource
+ roletype@Resource
+ Delegator role on all assigned principals

...or...

Security Administrator@PORTAL
+ Security Administrator@EXTERNAL_ACCESS_CONTROL

Create/delete a role assignment for user or group created from roletype on resource

If Resource is under internal PORTAL protection:

Security Administrator@Resource
+ roletype@Resource
+ Delegator@U

...or...

Security Administrator@PORTAL

If Resource is under external protection:

Security Administrator@Resource
+ roletype@Resource
+ Delegator@U

...or...

Security Administrator@PORTAL
+ Security Administrator@EXTERNAL_ACCESS_CONTROL

Create/delete a role block for all roles created from roletype on resource

If Resource is under internal PORTAL protection:

Security Administrator@Resource
+ roletype@Resource

...or...

Security Administrator@PORTAL

If Resource is under external protection:

Security Administrator@Resource
+ roletype@Resource

...or...

Security Administrator@PORTAL
+ Security Administrator@EXTERNAL_ACCESS_CONTROL

A Security Administrator on this resource is always implicitly a Delegator on this resource. For all other role types, the Security Administrator@Resource plus the assignments listed above are required.

Externalize/internalize resources:

Moving a resource Resource back and forth from internal to external control. All non-private child resources of Resource move with it. Private resources cannot be externalized.

Security Administrator@Resource
+ Security Administrator@EXTERNAL_ACCESS_CONTROL

...or...

Security Administrator@PORTAL
+ Security Administrator@EXTERNAL_ACCESS_CONTROL

Modify the owner of a resource:

Set a user or group U1 as new owner of the non-private resource, where the old owner was U2

Delegator@U1, Delegator@U2, Manager@Resource, and Security Administrator@Resource
Applications

Create an Application based on an existing template

User@template
Create/edit/delete application roles of Application A

Application manager

Add/remove/reassigning members to application roles

Application membership manager
+ Delegator@ManagedMember

Saving Application A as a template in templateCategory

Application manager
+ Contributor@templateCategory

Contributor@templateCategory is the minimum required access right to save an Application as a Template in a Template Category, though it is not recommended.

Editor@templateCategory is recommended to save an Application as a Template in a Template Category and use the Portal administration utilities.

Edit layout of Application A

Application manager

Change owner of Application A

Application owner
+ Application manager
+ Delegator@NewOwner
+ Delegator@OldOwner

Only the application owner is allowed to set a new owner

Delete an Application A

Application manager

Application Template Categories

Create a templateCategory

Contributor@Template Application Document Library

Template Application Document Library is a single protected resource of the type Application Template Root

Contributor@Template Application Document Library is the minimum required access right to create a Template Category, though it is not recommended.

Editor@Template Application Document Library is recommended to create and maintain Template Categories and use the Portal administration utilities.

View a templateCategory

User@templateCategory

Application Templates

Create a Template from an existing Application:

Serializing an existing Application A and creating a new template under templateCategory

Application manager
+ Contributor@templateCategory

Contributor@templateCategory is the minimum required access right to create a Template from an existing Application, though it is not recommended.

Editor@templateCategory is recommended to create a Template from an existing Application and use the Portal administration utilities.

Deploying or importing a new template in templateCategory

Contributor@templateCategory
+ Editor@TEMPLATE_DEPLOYMENT

Contributor@templateCategory is the minimum required access right to deploy or import a new Template in a Template Category, though it is not recommended.

Editor@templateCategory is recommended to deploy or import a new Template in a Template Category and use the Portal administration utilities.

Create a new template in templateCategory

Contributor@templateCategory

Contributor@templateCategory is the minimum required access right to create a new Template in a Template Category, though it is not recommended.

Editor@templateCategory is recommended to create a new Template in a Template Category and use the Portal administration utilities.

Exporting a template in templateCategory

User@Template
+ User@templateCategory

Edit a template in templateCategory

Editor@Template
+ User@templateCategory

Delete a template in templateCategory

Manager@Template
+ Editor@templateCategory

View a template in templateCategory

User@template +
User@templateCategory

In most cases User@template is inherited from the permission on the Template Category (TC), because the TC is the parent of the Template resource. A propagation block on the TC, however, can prevent a user from receiving User@template; in that case the access right on the template must be set separately.

Business Rules (Personalization)

View a Business Rule

User@Business Rules Workspace

Set this permission on the Business Rules Workspace in the Personalization navigator by selecting the root node and then choosing Extra Action > Edit Access from the menu.

Create a Business Rule

Contributor@Business Rules Workspace

Contributor@Business Rules Workspace is the minimum required access right to create a Business Rule, though it is not recommended.

Editor@Business Rules Workspace is recommended to create and maintain business rules and use the Portal administration facilities.

Delete a Business Rule

Manager@Business Rules Workspace

Assigning a Business rule to a page P

For non-private pages:

Editor@P and User@Business Rules Workspace

For private pages:

Privileged User@P and User@Business Rules Workspace

Assigning a Business rule to a portlet PO on page P

For non-private pages:

Editor@P, User@PO and User@Business Rules Workspace

For private pages:

Privileged User@P, User@PO and User@Business Rules Workspace

Extra Actions

When you use the Set Access button in Personalization to add a user or a group to a role on the root of the workspace, the same role is automatically given to that user or group for all Document Manager and Web Content Management libraries, policies and templates. To prevent the propagation of the role into Document Manager:

  1. Click Administration, then under Portal Content, click Document Libraries.
  2. In Document Libraries, click Set Access on Root.
  3. Clear the Allow Inheritance check box next to the role that was added in Personalization, then click Apply.

IBM recommends that you deselect Allow Inheritance for all roles.

The Administrator and Security Administrator roles cannot be blocked; these two roles are always inherited.
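The Template Category case above and the Allow Inheritance procedure for Document Libraries both come down to how roles flow along the resource hierarchy and where that flow can be stopped. The following Python is an added example, not IBM's code: it models a resource tree with direct assignments, propagation blocks (roles assigned on a resource do not flow to its children), inheritance blocks (roles from above do not enter a resource, which is what clearing Allow Inheritance does), and the rule that Administrator and Security Administrator can never be blocked. Resource and user names are constructed, and the exact block semantics are this example's reading of the text, not a description of the product's internals.

```python
"""Added example (not IBM's code): role inheritance along the resource
hierarchy, propagation blocks, inheritance blocks, and the two role types
the page says can never be blocked."""
from __future__ import annotations

# Stated on the page: these two role types are always inherited.
UNBLOCKABLE = {"Administrator", "Security Administrator"}


class ResourceTree:
    def __init__(self) -> None:
        self.parent: dict[str, str | None] = {}
        # resource -> role type -> principals assigned directly on that resource
        self.assignments: dict[str, dict[str, set[str]]] = {}
        # resource -> role types that do not flow from this resource to its children
        self.propagation_blocks: dict[str, set[str]] = {}
        # resource -> role types that do not enter this resource from its ancestors
        self.inheritance_blocks: dict[str, set[str]] = {}

    def add(self, resource: str, parent: str | None = None) -> None:
        if parent is not None and parent not in self.parent:
            raise KeyError(f"unknown parent resource {parent!r}")
        self.parent[resource] = parent
        self.assignments[resource] = {}
        self.propagation_blocks[resource] = set()
        self.inheritance_blocks[resource] = set()

    def assign(self, role_type: str, resource: str, principal: str) -> None:
        self.assignments[resource].setdefault(role_type, set()).add(principal)

    def _check_blockable(self, role_type: str) -> None:
        if role_type in UNBLOCKABLE:
            raise ValueError(f"{role_type} is always inherited and cannot be blocked")

    def block_propagation(self, role_type: str, resource: str) -> None:
        """Roles of this type assigned on or above resource stop at resource."""
        self._check_blockable(role_type)
        self.propagation_blocks[resource].add(role_type)

    def block_inheritance(self, role_type: str, resource: str) -> None:
        """Clearing 'Allow Inheritance' for role_type at resource (assumed semantics)."""
        self._check_blockable(role_type)
        self.inheritance_blocks[resource].add(role_type)

    def holds(self, principal: str, role_type: str, resource: str) -> bool:
        """Walk from the resource toward the root. A direct assignment found on the
        way grants the role; an inheritance block on the current node, or a
        propagation block on its parent, ends the walk before anything higher up
        is considered. A direct assignment on a blocked node itself still counts."""
        node: str | None = resource
        while node is not None:
            if principal in self.assignments[node].get(role_type, set()):
                return True
            if role_type in self.inheritance_blocks[node]:
                return False
            parent = self.parent[node]
            if parent is not None and role_type in self.propagation_blocks[parent]:
                return False
            node = parent
        return False


def template_scenario() -> tuple[bool, bool, bool]:
    """The Template Category case from the text: User@template inherited from the
    category, lost after a propagation block on the category, regained by the
    'additional setting' (a direct assignment on the template)."""
    t = ResourceTree()
    t.add("Template Application Document Library")
    t.add("templateCategory", "Template Application Document Library")
    t.add("template", "templateCategory")
    t.assign("User", "templateCategory", "alice")  # constructed user
    inherited = t.holds("alice", "User", "template")
    t.block_propagation("User", "templateCategory")
    after_block = t.holds("alice", "User", "template")
    t.assign("User", "template", "alice")
    direct = t.holds("alice", "User", "template")
    return inherited, after_block, direct


def document_library_scenario() -> tuple[bool, bool]:
    """The Extra Actions case: a role set on the Personalization workspace root
    reaches the Document Libraries root until Allow Inheritance is cleared there."""
    t = ResourceTree()
    t.add("Business Rules Workspace")
    t.add("Document Libraries Root", "Business Rules Workspace")  # constructed name
    t.assign("Editor", "Business Rules Workspace", "bob")  # constructed user
    before = t.holds("bob", "Editor", "Document Libraries Root")
    t.block_inheritance("Editor", "Document Libraries Root")
    after = t.holds("bob", "Editor", "Document Libraries Root")
    return before, after
```

When reviewing an access control set, the question to ask of every block is which assignments above it still reach the resource; in this model that is exactly the two unblockable role types plus anything assigned directly on or below the block.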

CONTENT NODES

Traverse a page:

View the navigation of a page P
User@P

...or...

@ some child resource of P

View the content of a page P, including page decoration and potentially the portlets on that page. The portlets on a page are protected separately. See the portlets on pages row of this table for more information.

User@P

Modify page properties includes:

  • Add/remove a markup
  • Add/remove a locale
  • Add/remove parameters

to/from a page P

Editor@P
Modify the layout of a page P includes:

  • Add/remove wires

  • manage actions

For non-private pages: Editor@P

For private pages: Privileged User@P

For managing receiving actions of a portlet on a target page: Editor@P and Editor@PO

Customize the layout of a non-private page: Create a private, implicitly derived copy of a non-private page P

Privileged User@P

Add a root page: Create and add a new top-level page P

For non-private pages: Editor@Pages

For private pages: Privileged User@Pages

Add a page: Create a new page under a given Page P For non-private pages:

Editor@P

For private pages:

Privileged User@P

Create a derived page: Create a new page underneath P1 that is explicitly derived from page P2

New page is private:

Privileged User@P1 +
Editor@P2

New page is non-private:

Editor@P1 +
Editor@P2
Delete a page P and all descendant pages, including further subpages and the portlets on those pages

Manager@P

Moving page P1 to a new parent page P2

For non-private pages: Manager@P1 +
Editor@P2

For private pages: Manager@P1 + Privileged User@P2

Locking or unlocking the contents of a non-private page P

Editor@P

Credential Vault Portlet

Add, view, or delete a vault segment

Management of the Credential Vault via the Credential Vault Portlet requires access to an instance of the Credential Vault Portlet

Add, view, delete, or edit a vault slot

Management of the Credential Vault via the Credential Vault Portlet requires access to an instance of the Credential Vault Portlet

Document Libraries

Create a Document Library

Editor@/contentRoot/

Contributor@/contentRoot/ is the minimum required access right to create a Document Library, although it is not recommended.

Editor@/contentRoot/ is recommended to create and maintain Document Libraries and use the Portal administration facilities.

View the Document Library
User@Document Library

Delete the Document Library
Manager@Document Library

Import documents into the Document Library
Editor@parent (Document Library/Folder)

Moving/copying the Document Library
Editor@/contentRoot/

Edit the Document Library
Editor@Document Library

Create a New Document
Editor@parent (Folder)

View a Document
User@Document

Delete a Document
Manager@Document

Import a Document
Editor@parent (Folder)

Moving a Document
Manager@Document and Editor@target Folder

Edit a Document
Editor@Document

Locking a Document
Editor@Document

Unlocking a Document
Editor@Document and User@UserVR

Create a New Folder
Editor@parent (Folder)

View a Folder
User@Folder

Delete a Folder
Manager@Folder

Moving a Folder
Manager@Folder and Editor@target Folder

Edit a Folder
Editor@Folder

Enable Tracing Portlet

Add or delete a portal trace setting

Adding or deleting a portal trace setting via the Enable Tracing Portlet requires access to an instance of the Enable Tracing Portlet
EVENT HANDLERS

Manage event handlers: Create, modify, and delete event handlers

Security Administrator@EVENT HANDLERS
Manage Clients portlet

Manage clients: View the portlet; delete, modify, and add clients in the Manage Clients portlet

User@Manage Clients portlet
Manage Search

Create a new search index
Editor@PSE_SOURCES

Manage Virtual Portal

Create a new Virtual Portal
Security Administrator@PORTAL

View the Virtual Portal
Security Administrator@PORTAL

Delete the Virtual Portal
Security Administrator@PORTAL

Edit the Virtual Portal
Security Administrator@PORTAL
MARKUPS

Manage Markups: Create, delete, or modify a Markup

Editor@MARKUPS
Policies

Create a new Policy under a given Policy

Editor@Policy and User@Business Rules Workspace

Notes:

  • Contributor@Policy is the minimum required access right to create a new Policy under a given Policy, though it is not recommended.

    Editor@Policy is recommended to create and maintain policies and use the Portal administration utilities.

  • If a rule has to be created or edited during the creation of a Policy, then Editor@Business Rules Workspace and Editor@Policy is also required.

  • Business Rules Workspace is the root node in the Personalization navigator for Business Rules resources. Set permissions on this node by selecting the workspace node and then choosing Extra Action > Edit Access from the menu.

Assigning a Business rule to a Policy
User@Business Rules and Editor@Policy

Edit a Policy
Editor@Policy and User@Business Rules

If a rule has to be created or edited during the creation of a Policy, then Editor@Business Rules is also required.

View a Policy
User@Policy +
User@Business Rules

Import a new Policy
Editor@POLICY_ROOT

Contributor@POLICY_ROOT is the minimum required access right to import a new Policy, though it is not recommended.

Editor@POLICY_ROOT is recommended to import and maintain policies and use the Portal administration utilities.

Delete a Policy
Manager@Policy +
User@Business Rules

When a policy is deleted, the associated rule is not deleted.

PORTAL SETTINGS

View current portal settings
User@PORTAL SETTINGS

Modify current portal settings
Editor@PORTAL SETTINGS

PORTLET APPLICATIONS

View the portlet application definition information for a portlet application PA
User@PA
Modify a portlet application includes:

  • Add/remove a locale
  • Set default locale
  • Modify settings

to/from/of the portlet application PA

Editor@PA

Duplicating a portlet application: Create a new portlet application based on an existing portlet application PA

Editor@PORTLET APPLICATIONS +
User@PA
Delete a portlet application and remove all corresponding portlets and portlet entities from all pages within the portal

Manager@PA

Enabling/disabling a portlet application: Temporarily enabling or disabling the portlet application PA

Manager@PA
Portlets

View an installed portlet: View the portlet definition information of a portlet PO

User@PO
Modify an installed portlet includes:

  • Add/remove a locale

  • Set default locale

  • Modify settings

to/from/of the portlet PO

For adding/removing locales and setting the default locale: Editor@PO

For modifying settings: Manager@PO

Duplicating an installed portlet: Create a new installed portlet based on an existing portlet PO that is part of a portlet application PA.

Editor@PORTLET APPLICATIONS +
User@PO
+ User@PA
Delete an installed portlet PO and remove all corresponding portlet entities from all pages within the portal

Manager@PO

Enabling/disabling an installed portlet: Temporarily enabling or disabling a portlet PO

Manager@PO
Providing portlet PO as a WSRP service
Editor@WSRP EXPORT and Editor@PO

Withdrawing portlet PO from WSRP service
Manager@WSRP EXPORT and Editor@PO

Integrating the portlet of a WSRP Producer PR into the portal

If no portlet application exists for the group of portlets: Editor@PORTLET APPLICATIONS and User@Producer

If a PORTLET APPLICATIONS (PA) already exists for the group of portlets:

Editor@PA and User@Producer

Delete an integrated WSRP portlet PO contained in the portlet application PA from the portal

If this is the last portlet in the PORTLET APPLICATION: Manager@PA

If more than one portlet resides in the PORTLET APPLICATION: Manager@PO

Portlets on pages

View a portlet PO on page P

User@P +
User@PO

Configuring an installed portlet: Entering the configure mode of a portlet PO and modifying its configuration

Manager@PO

Modify a portlet on a page: Entering the edit mode of a portlet PO on page P and modifying its configuration

If P is a non-private page and the user has no Editor role for this page, then modifying the configuration of the portlet results in the creation of an implicitly derived copy of page P.

Editor@P +
Editor@PO

Or

Privileged User@P +
Privileged User@PO

Modify page content: Add/remove a portlet PO to/from a page P

If P is a non-private page and the user has no Editor role for this page, then modifying the content of P results in the creation of an implicitly derived copy of page P.

For non-private pages: Editor@P +
User@PO

Or

For private pages: Privileged User@P +
User@PO

Restricting the content of a page: Add/remove a portlet from the Allowed Portlet List of a page

Editor@P +
User@PO
Property Broker

Operating with ActionSets/PropertySets for a portlet PO
User@PO

Create/Update/Delete a wire from a portlet PO1 on Page P1 to a portlet PO2 on Page P2

Global wire: Editor@P1, User@PO1, Editor@P2, User@PO2

Personal wire: Privileged User@P1, User@PO1, Privileged User@P2, User@PO2

In order to update or delete a personal wire, the user must have the above role assignments and must have created the wire that they are updating or deleting.

Executing a wire from a portlet PO1 on Page P1 to a portlet PO2 on Page P2 Global wire: User@P1, User@PO1, User@P2, User@PO2

Personal wire: Privileged User@P1, User@PO1, Privileged User@P2, User@PO2

In order to execute a personal wire, the user must have the above role assignments and must have created the wire that they are executing.

View a wire from a portlet PO1 on Page P1 to a portlet PO2 on Page P2 Global wire: User@P1, User@PO1, User@P2, User@PO2

Personal wire: Privileged User@P1, User@PO1, Privileged User@P2, User@PO2

In order to view a personal wire, the user must have the above role assignments and must have created the wire that they are viewing.

PSE SOURCES

Create a PSE Source: Create a search collection

Editor@PSE_SOURCES

View a PSE Source: View a search collection I

User@I

Facilitating a PSE Source: Using a search collection I

User@I

Editing a PSE Source: Editing a search collection I

Editor@I

Delete a PSE Source: Delete a search collection I

Manager@I
Themes and Skins portlet

Manage themes and skins: View the portlet; delete, modify, and add themes and skins in the Themes and Skins portlet

User@Themes and Skins portlet
Unique Names portlet

Manage unique names: View the portlet; delete, modify, and add unique names in the Unique Names portlet

Editor@Resource +
User@Unique Names portlet
URL MAPPING CONTEXTS

Create a new URL mapping context UMC
Editor@URL MAPPING CONTEXTS

Traversing a URL mapping context: The ability to traverse a URL mapping context due to a role assignment to some child context of UMC

User@UMC or @ some child context of UMC

View the definition of a URL mapping context UMC
User@UMC

Assigning a URL: Create or editing a mapping between a URL mapping context UMC and a portal resource

Editor@UMC +
User@Resource
Modify a URL mapping context: Changing the properties of an existing URL mapping context UMC; for example, editing the label

Editor@UMC

If Virtual Portal Mapping:

Editor@VP URL MAPPINGS

Delete a URL mapping context UMC and all of its child contexts
Manager@UMC

USER GROUPS

Create a new User group within the user registry
Editor@User groups

View the User group profile information of a user group UG
User@UG

Modify the profile information of a User group UG
Editor@UG

Add/remove an existing User U or a User group UG2 to or from an existing User group UG1
Security Administrator@USERS +
Editor@UG1

Delete a user group UG
Manager@UG

USERS

Create a new user in the user registry
Editor@User Self Enrollment

View the user profile information of a user U
User@UG, where U is a member of user group UG, or User@USERS

Modify the profile information of a user U
Editor@UG, where U is a member of user group UG, or Editor@USERS

Delete a user from the user registry and delete all private pages created by this user
Manager@USERS

Web Clipping

Create new clippings
Editor@PORTLET_APPLICATIONS

Web modules

Install a new portlet application WAR file
Editor@Web Modules

Update a Web module WM by installing a corresponding WAR file
Editor@Web Modules +
Manager@WM

Uninstall a Web module and remove all corresponding portlet applications and portlets from all pages within the portal
Manager@WM +
Manager @ all portlet applications contained in WM

WSRP PRODUCERS (on the Consumer side)

Add a remote WSRP Producer to the Portal
Editor@WSRP PRODUCERS

Editing the settings of a remote Producer
Editor@Producer

View the settings or display the list of portlets that are provided by a remote WSRP Producer PR
User@Producer

Delete a remote WSRP Producer from the portal
Manager@Producer

XML ACCESS

Run commands using the XML configuration interface
Security Administrator@PORTAL +
Editor@XML ACCESS

 

Role Mappings and WSRP services

On the WSRP producer side, enforcement of the access control decision for provided portlets can be enabled or suppressed by setting the configuration property wsrp.security.enabled in the Configuration Service. If this property is set to true, as described in Set configuration properties, all access control decisions in the producing portal are based on the authenticated principal. If wsrp.security.enabled is set to false, the producing portal does not enforce any access control on incoming WSRP requests from client portals.

When using identity propagation, the user authenticated on the client portal needs to have the required role assignments. If no identity propagation is configured, but SSL client certificate authentication is enabled, then the ID of the certificate needs to have the required role assignments. If none of the previously mentioned authentication methods is used, then the request is treated as if coming from the Anonymous Portal Users. In the latter case, the required roles need to be assigned to the Anonymous Portal User, which implies allowing unauthenticated access to the corresponding resources for all users who can access the producer portal.
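The order in which the producer picks the principal, and what the wsrp.security.enabled switch does to the outcome, is easy to get wrong when reviewing a producer's configuration. The following Python is an added example, not IBM's code: it encodes the decision order the two paragraphs above describe and lists the roles that end up reachable without authentication. The request object, the role table and the function names are constructed for the example; only the property name wsrp.security.enabled and the Anonymous Portal User principal come from the text.

```python
"""Added example (not IBM's code): which principal a WSRP producer evaluates a
request under, and how wsrp.security.enabled changes the decision."""
from __future__ import annotations

from dataclasses import dataclass

ANONYMOUS = "Anonymous Portal User"  # principal named on the page


@dataclass
class WsrpRequest:
    """Constructed stand-in for an incoming producer request (assumption)."""
    propagated_identity: str | None = None  # user id carried by identity propagation
    client_cert_id: str | None = None       # id of an SSL client certificate, if presented


def resolve_principal(req: WsrpRequest) -> str:
    """Order stated on the page: identity propagation, then SSL client certificate,
    otherwise the request is treated as coming from the Anonymous Portal User."""
    if req.propagated_identity:
        return req.propagated_identity
    if req.client_cert_id:
        return req.client_cert_id
    return ANONYMOUS


def producer_decision(req: WsrpRequest, required_role: str,
                      assignments: dict[str, set[str]],
                      wsrp_security_enabled: bool) -> tuple[str, bool]:
    """Return (principal the decision is based on, whether the request is allowed).
    With wsrp.security.enabled=false the producing portal enforces nothing, so the
    decision is True for every request regardless of who sent it."""
    principal = resolve_principal(req)
    if not wsrp_security_enabled:
        return principal, True
    return principal, required_role in assignments.get(principal, set())


def anonymous_exposure(assignments: dict[str, set[str]]) -> set[str]:
    """Roles held by the Anonymous Portal User. Every role listed here is usable
    without authentication by anyone who can reach the producer portal, which is
    the consequence the text points out for producers without identity propagation
    or client certificates."""
    return set(assignments.get(ANONYMOUS, set()))


if __name__ == "__main__":
    # Constructed role table: alice may use portlet PO, anonymous users may use PublicPO.
    roles = {"alice": {"User@PO"}, ANONYMOUS: {"User@PublicPO"}}
    print(producer_decision(WsrpRequest(), "User@PO", roles, True))
    print(anonymous_exposure(roles))
```

Running anonymous_exposure over the producer's real assignments is the quick way to confirm that enabling a consumer without identity propagation has not quietly widened what unauthenticated callers can reach.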

 

External Access Control

The role...

Security Administrator@EXTERNAL_ACCESS_CONTROL

...can only be modified using external security manager tools, such as the Tivoli Access Manager (TAM) pdadmin command or the Trust SiteMinder administrative console.

 

Virtual Resources

  1. EXTERNAL_ACCESS_CONTROL
  2. EVENT HANDLERS
  3. MARKUPS
  4. PORTAL
  5. PORTAL SETTINGS
  6. PORTLET APPLICATIONS
  7. PSE_SOURCES
  8. URL MAPPING CONTEXTS
  9. TEMPLATE_DEPLOYMENT
  10. USERS
  11. VP URL MAPPINGS
  12. WSRP EXPORT
  13. WSRP PRODUCERS

 

Related information

  1. Roles
  2. Resources
  3. Access control scenarios
  4. Initial Access Control Sets
  5. Delegated Access Control Administration
  6. User Group Permissions portlet
  7. Resource Permissions portlet