Manage access control with external security managers

HCL WebSphere Portal externalized roles use access control to set membership. These externalized roles contain only one permission: membership in the role. HCL WebSphere Portal always determines the permissions associated with each role.

For example, after externalizing the Editor@MarketNews Page role, use the external security manager to edit its access control, that is, membership in the role. HCL WebSphere Portal still determines the permissions associated with the Editor role type. Roles are always associated with a specific resource, so the role Editor@MarketNews contains specific permissions on the MarketNews page only. Use the Resource Permissions portlet or the XML configuration interface to move resources back and forth between internal and external access control.

Externalized roles and role mappings cannot be combined with managed pages. Portal pages cannot be externalized while they are being edited within a project, and externalized resources cannot be added to projects.

By default, externalized roles appear in the external security manager as...

    Role Type@Resource Type/Name/Object ID

For example...

    Administrator@PORTLET_APPLICATION/Welcome/1_1_1G

We can change this format to...

    Resource Type/Name/Object ID@Role Type

This format change groups the roles by resource name instead of by role type. For example...

    PORTLET_APPLICATION/Welcome/1_0_1G@Administrator

This format change is visible only when the roles are externalized. This change does not affect the way roles are displayed in HCL WebSphere Portal.

The role...

    Administrator@VIRTUAL/wps.EXTERNAL ACCESS CONTROL/1

...is never affected by this format change. This role always appears with the role type Administrator.


Manage access control with external security managers

  1. Use the Resource Permissions portlet to internalize any external roles.

  2. Log on to the WAS admin console and modify the Resource Environment Provider:

      WP AccessControlDataManagementService

    ...and set...

      accessControlDataManagement.reorderRoleNames = true

    Add the accessControlDataManagement.reorderRoleNames parameter if it does not exist.

  3. Save the changes and restart the WebSphere_Portal server.

  4. Use the Resource Permissions portlet to externalize the resources internalized in the first step.

Example of roles list with reorderRoleNames=false:

    Administrator@WEB_MODULE/Tracing.war/1_0_3K
    Administrator@PORTLET_APPLICATION/Welcome/1_0_1G
    User@WEB_MODULE/Tracing.war/1_0_3K
    Privileged User@WEB_MODULE/Tracing.war/1_0_3K
    Privileged User@PORTLET_APPLICATION/Welcome/1_0_1G

Example of roles list with reorderRoleNames=true:

    PORTLET_APPLICATION/Welcome/1_0_1G@Administrator
    PORTLET_APPLICATION/Welcome/1_0_1G@Privileged User
    WEB_MODULE/Tracing.war/1_0_3K@Administrator
    WEB_MODULE/Tracing.war/1_0_3K@Privileged User
    WEB_MODULE/Tracing.war/1_0_3K@User
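
When the format is switched, the role list in the external security manager should contain the same roles before and after step 4, only reordered. The following is an added example (not HCL code) that parses both formats and compares the two lists shown above; the function names are hypothetical, and it assumes role type names contain neither `/` nor `@`.

```python
from collections import defaultdict
from typing import NamedTuple

class Role(NamedTuple):
    role_type: str
    resource_type: str
    name: str
    object_id: str

def parse_role(entry: str) -> Role:
    """Parse an externalized role name written in either ordering."""
    head, sep, tail = entry.partition("@")
    if not sep:
        raise ValueError(f"no '@' in role name: {entry!r}")
    if "/" in head:
        # Resource-first (reorderRoleNames=true): role type follows the last '@'.
        resource, role_type = entry.rsplit("@", 1)
    else:
        # Role-first (default): role type precedes the first '@'.
        role_type, resource = head, tail
    parts = resource.split("/")
    if len(parts) < 3 or not role_type:
        raise ValueError(f"unexpected role name layout: {entry!r}")
    # Type is the first segment, object ID the last; the name may contain '/'.
    return Role(role_type, parts[0], "/".join(parts[1:-1]), parts[-1])

def roles_by_resource(entries):
    """Map (resource type, name, object ID) -> sorted list of role types."""
    grouped = defaultdict(set)
    for entry in entries:
        role = parse_role(entry)
        grouped[role[1:]].add(role.role_type)
    return {res: sorted(types) for res, types in grouped.items()}

# The two role lists shown above on this page.
ROLE_FIRST = ["Administrator@WEB_MODULE/Tracing.war/1_0_3K",
              "Administrator@PORTLET_APPLICATION/Welcome/1_0_1G",
              "User@WEB_MODULE/Tracing.war/1_0_3K",
              "Privileged User@WEB_MODULE/Tracing.war/1_0_3K",
              "Privileged User@PORTLET_APPLICATION/Welcome/1_0_1G"]
RESOURCE_FIRST = ["PORTLET_APPLICATION/Welcome/1_0_1G@Administrator",
                  "PORTLET_APPLICATION/Welcome/1_0_1G@Privileged User",
                  "WEB_MODULE/Tracing.war/1_0_3K@Administrator",
                  "WEB_MODULE/Tracing.war/1_0_3K@Privileged User",
                  "WEB_MODULE/Tracing.war/1_0_3K@User"]

if __name__ == "__main__":
    before, after = roles_by_resource(ROLE_FIRST), roles_by_resource(RESOURCE_FIRST)
    print("role sets match:", before == after)
    for res, types in sorted(after.items()):
        print("/".join(res), "->", ", ".join(types))
```

A role that is present in one list but not the other after re-externalizing shows up as a difference between the two dictionaries.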

