Access rights


The following table maps sensitive operations within the portal to the corresponding roles that are required to perform these operations. Sensitive operations include simple tasks like viewing a portlet on a specific page, and complex, high-risk tasks like running XML configuration interface scripts.

A role combines a set of permissions with a specific WebSphere Portal resource. This set of permissions is called a role type. Roles are denoted as RoleType@Resource.

The following table lists the minimum role assignment that is necessary to perform a sensitive operation.

| Resource | Sensitive operation | Sensitive operation description | Required role assignment |
| --- | --- | --- | --- |
| Pages | Traversing a page | Viewing the navigation of a page P | User@P or @ some child resource of P |
| Pages | Viewing a page | Viewing the content of a page P, including page decoration and potentially the portlets on that page. The portlets on a page are protected separately. See the Portlets on pages rows of this table for more information. | User@P |
| Pages | Modify a page | Includes: changing the layout; adding/removing a markup; adding/removing a locale; adding/removing attributes to/from a page P | For shared pages: Editor@P. For private pages: Privileged User@P |
| Pages | Customize a shared page | Create a private, implicitly derived copy of a shared page P | Privileged User@P |
| Pages | Adding a root page | Creating and adding a new top-level page P | For shared pages: Editor@Pages. For private pages: Privileged User@Pages (Pages is a virtual resource) |
| Pages | Adding a page | Create a new page under a given page P | For shared pages: Editor@P. For private pages: Privileged User@P |
| Pages | Create a derived page | Create a new page underneath P1 that is explicitly derived from page P2 | New page is private: Privileged User@P1 + Privileged User@P2 + Security Administrator@P2. New page is shared: Editor@P1 + Editor@P2 + Security Administrator@P2 |
| Pages | Deleting a page | Deleting a page P and all descendant pages, including further subpages and the portlets on those pages | Manager@P |
| Pages | Moving a page | Moving page P1 to a new parent page P2 | For shared pages: Manager@P1 + Editor@P2. For private pages: Manager@P1 + Privileged User@P2 |
| Pages | Locking and unlocking the contents of a page | Locking or unlocking the contents of a shared page P | Editor@P |
| Portlets on pages | Viewing a portlet on a page | Viewing a portlet PO on page P | User@P + User@PO |
| Portlets on pages | Configure an installed portlet | Entering the configure mode of a portlet PO and modifying its configuration | Manager@PO |
| Portlets on pages | Modify a portlet on a page | Entering the edit mode of a portlet PO on page P and modifying its configuration. Note: If P is a shared page and the user has no Editor role for this page, then modifying the configuration of the portlet results in the creation of an implicitly derived copy of page P. | Editor@P + Editor@PO; Privileged User@P + Privileged User@PO |
| Portlets on pages | Modify page content | Adding/removing a portlet PO to/from a page P | For shared pages: Editor@P + User@PO. For private pages: Privileged User@P + User@PO |
| Portlets on pages | Restricting the content of a page | Adding/removing a portlet from the Allowed Portlet List of a page | Editor@P + User@PO |
| Portlets | Viewing an installed portlet | Viewing the portlet definition information of a portlet PO | User@PO |
| Portlets | Modify an installed portlet | Includes: adding/removing a locale; set default locale; modify settings to/from/of the portlet PO | For adding/removing locales and setting default locale: Editor@PO. For modifying settings: Manager@PO |
| Portlets | Duplicating an installed portlet | Create a new installed portlet based on an existing portlet PO that is part of a portlet application PA. | Editor@Portlet Applications + User@PO + User@PA (Portlet Applications is a virtual resource) |
| Portlets | Deleting an installed portlet | Deleting an installed portlet PO and removing all corresponding portlet entities from all pages within the portal | Manager@PO |
| Portlets | Enabling/disabling an installed portlet | Temporarily disabling a portlet PO | Manager@PO |
| Portlet Applications | Viewing a portlet application | Viewing the portlet application definition information for a portlet application PA | User@PA |
| Portlet Applications | Modify a portlet application | Includes: adding/removing a locale; set default locale; modify settings to/from/of the portlet application PA | Editor@PA |
| Portlet Applications | Duplicating a portlet application | Create a new portlet application based on an existing portlet application PA | Editor@Portlet Applications + User@PA (Portlet Applications is a virtual resource) |
| Portlet Applications | Deleting a portlet application | Deleting a portlet application and removing all corresponding portlets and portlet entities from all pages within the portal | Manager@PA |
| Portlet Applications | Enabling/disabling a portlet application | Temporarily disabling the portlet application PA | Manager@PA |
| Web modules | Install a Web module | Install a new portlet application WAR file | Editor@Web Modules (Web Modules is a virtual resource) |
| Web modules | Update a Web module | This means updating a Web module WM by installing a corresponding WAR file | Editor@Web Modules + Manager@WM |
| Web modules | Enabling/disabling a Web module | Temporarily disabling the portlet application PA | Manager@WM |
| Web modules | Uninstalling a Web module | Uninstalling a Web module and removing all corresponding portlet applications and portlets from all pages within the portal | Manager@WM + Manager @ all portlet applications contained in WM |
| Users | Create a user | Create a new user in the user registry | Editor@Users (Users is a virtual resource) |
| Users | Viewing a user | Viewing the user profile information of a user U | User@U or User@Users (Users is a virtual resource) |
| Users | Modify a user | Modify the profile information of a user U | Editor@U or Editor@Users (Users is a virtual resource) |
| Users | Deleting a user | Deleting a user from the user registry and deleting all private pages created by this user | Manager@Users (Users is a virtual resource) |
| User groups | Create a user group | Create a new user group within the user registry | Editor@User groups (User groups is a virtual resource) |
| User groups | Viewing a user group | Viewing the user group profile information of a user group UG | User@UG |
| User groups | Modify a user group | Modify the profile information of a user group UG | Editor@UG |
| User groups | Adding/removing a member | Adding an existing user U or a user group UG2 to an existing user group UG1 | Security Administrator@Users + Editor@UG1 (Users is a virtual resource) |
| User groups | Deleting a user group | Deleting a user group UG | Manager@UG |
| URL mapping contexts | Create a URL mapping context | Create a new URL mapping context UMC | Editor@URL Mapping Contexts (URL Mapping Contexts is a virtual resource) |
| URL mapping contexts | Traversing a URL mapping context | The ability to traverse a URL mapping context due to a role assignment to some child context of UMC | User@UMC or @ some child context of UMC |
| URL mapping contexts | Viewing a URL mapping context | Viewing the definition of a URL mapping context UMC | User@UMC |
| URL mapping contexts | Assign URL | Create a mapping between a URL mapping context UMC and a portal resource R | Editor@UMC + User@R |
| URL mapping contexts | Modify a URL mapping context | Changing the properties of an existing URL mapping context UMC | Editor@UMC |
| URL mapping contexts | Deleting a URL mapping context | Deleting a URL mapping context UMC and all of its child contexts | Manager@UMC |
| Portal settings | View portal settings | Viewing the current settings of the portal | User@Portal Settings (Portal Settings is a virtual resource) |
| Portal settings | Modify portal settings | Modify the current settings of the portal | Editor@Portal Settings (Portal Settings is a virtual resource) |
| XmlAccess | Running XML configuration interface commands | The ability to execute commands via the XML configuration interface | Security Administrator@Portal + Editor@XmlAccess (Portal and XmlAccess are virtual resources) |
| Event handlers | Manage event handlers | Creating, modifying, and deleting event handlers | Security Administrator@Event Handlers (Event Handlers is a virtual resource) |
| Access Control Administration | Viewing access control configuration | Viewing the access control configuration of a resource R | If R is under internal portal protection: Security Administrator@R or Security Administrator@Portal (Portal is a virtual resource). If R is under external protection: Security Administrator@R or Security Administrator@Portal + Security Administrator@External Access Control (Portal and External Access Control are virtual resources) |
| Access Control Administration | Create a role | Create a new role of role type RT on resource R | If R is under portal protection: Security Administrator@R + RT@R or Security Administrator@Portal. If R is under external protection: Security Administrator@R + RT@R or Security Administrator@Portal + Security Administrator@External Access Control (Portal and External Access Control are virtual resources) |
| Access Control Administration | Deleting a role | Deleting a role created from role type RT on resource R. All corresponding role mappings are also deleted. | If R is under internal portal protection: Security Administrator@R + RT@R + Delegator role on all assigned principals or Security Administrator@Portal. If R is under external protection: Security Administrator@R + RT@R + Delegator role on all assigned principals or Security Administrator@Portal + Security Administrator@External Access Control (Portal and External Access Control are virtual resources) |
| Access Control Administration | Creating/deleting a role assignment | Creating/deleting a role assignment for user or group U created from role type RT on resource R | If R is under internal portal protection: Security Administrator@R + RT@R + Delegator@U or Security Administrator@Portal. If R is under external protection: Security Administrator@R + RT@R + Delegator@U or Security Administrator@Portal + Security Administrator@External Access Control (Portal and External Access Control are virtual resources) |
| Access Control Administration | Create/delete a role block | Creating/deleting a role block for all roles created from role type RT on resource R | If R is under internal portal protection: Security Administrator@R + RT@R or Security Administrator@Portal. If R is under external protection: Security Administrator@R + RT@R or Security Administrator@Portal + Security Administrator@External Access Control (Portal and External Access Control are virtual resources) |
| Access Control Administration | Externalizing/internalizing resources | Moving a resource R back and forth from internal to external control. All public child resources of R move with it. Private resources cannot be externalized. | Security Administrator@R + Security Administrator@External Access Control or Security Administrator@Portal + Security Administrator@External Access Control (Portal and External Access Control are virtual resources) |
| Access Control Administration | Modify the owner of a resource | Set user or group U1 as new owner of the shared resource R, where the old owner was U2 | Delegator@U1, Delegator@U2, Manager@R, and Security Administrator@R |
| Property Broker | Operating with Portlet ActionSets/PropertySets | Operating with ActionSets/PropertySets for a portlet PO | User@PO |
| Property Broker | Creating/updating/deleting a wire | Creating/updating/deleting a wire from a portlet PO1 on page P1 to a portlet PO2 on page P2 | Global wire: Editor@P1, Editor@PO1, Editor@P2, Editor@PO2. Personal wire: Privileged User@P1, Privileged User@PO1, Privileged User@P2, Privileged User@PO2 |
| Property Broker | Executing a wire | Executing a wire from a portlet PO1 on page P1 to a portlet PO2 on page P2 | Global wire: User@P1, User@PO1, User@P2, User@PO2. Personal wire: Privileged User@P1, Privileged User@PO1, Privileged User@P2, Privileged User@PO2 |
| Markups | Manage Markups | Creating, deleting, or modifying a markup | Editor@Markups (Markups is a virtual resource) |
| Themes and Skins and Manage Clients portlets | Manage themes, skins, and clients | Viewing the portlets; deleting, modifying, and adding themes and skins in the Themes and Skins portlet; deleting, modifying, and adding clients in the Manage Clients portlet | User@Content Node, User@Themes and Skins portlet, User@Manage Clients portlet |
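
As an added illustration (not IBM's code and not part of the original page), the Python below evaluates requirement strings written in the table's RoleType@Resource notation against the role assignments a principal holds, which is useful when reviewing who can reach operations such as the XML configuration interface. It assumes exact matching with no inheritance between role types or resources, treats "or" as binding more loosely than "+", and uses constructed principals and a hypothetical "Sales Page" resource.

```python
import re

# Requirement strings copied from rows of the table above.
SENSITIVE_OPS = {
    "Running XML configuration interface commands":
        "Security Administrator@Portal + Editor@XmlAccess",
    "Manage event handlers": "Security Administrator@Event Handlers",
    "Install a Web module": "Editor@Web Modules",
    "Create a role (internal protection)":
        "Security Administrator@R + RT@R or Security Administrator@Portal",
}

def parse_role(text, bindings):
    """Split 'RoleType@Resource' and substitute placeholders such as R or RT."""
    role_type, sep, resource = (part.strip() for part in text.partition("@"))
    if not (sep and role_type and resource):
        raise ValueError(f"not in RoleType@Resource form: {text!r}")
    return bindings.get(role_type, role_type), bindings.get(resource, resource)

def parse_requirement(expr, bindings=None):
    """Return the alternatives of a requirement; each is a set of roles that
    must all be held. Assumption: ' or ' binds more loosely than '+'."""
    bindings = bindings or {}
    return [frozenset(parse_role(term, bindings) for term in alt.split("+"))
            for alt in re.split(r"\s+or\s+", expr.strip())]

def is_permitted(assignments, expr, bindings=None):
    """Exact-match check: role inheritance is deliberately not modelled."""
    held = {parse_role(a, {}) for a in assignments}
    return any(alt <= held for alt in parse_requirement(expr, bindings))

def audit(principals, bindings=None):
    """Map each principal to the listed operations its assignments satisfy."""
    return {name: [op for op, expr in SENSITIVE_OPS.items()
                   if is_permitted(roles, expr, bindings)]
            for name, roles in principals.items()}

# Constructed sample assignments (not from any real portal).
SAMPLE = {
    "alice": ["Security Administrator@Portal", "Editor@XmlAccess"],
    "bob": ["Editor@XmlAccess", "Editor@Web Modules"],
    "carol": ["Security Administrator@Sales Page", "Editor@Sales Page"],
}

if __name__ == "__main__":
    for who, ops in audit(SAMPLE, {"R": "Sales Page", "RT": "Editor"}).items():
        print(who, "->", ops or "none of the listed operations")
```

In the sample, bob holds Editor@XmlAccess but cannot run XML configuration interface commands, because the row also requires Security Administrator@Portal.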

 
