Access management scenario

 

+
Search Tips   |   Advanced Search

 

Overview

This section describes basic tasks for administering access control. The following examples use a hypothetical portal user called Michael and a hypothetical group called the Marketing group.

The tasks described here can be performed using either the administrative portlets or the XML configuration interface.

 

Give a user full access to the portal

Give the user the Administrator@Portal role. The Administrator@Portal role permits unrestricted access to all portal resources except the private pages of other users.

Give users this role in one of two ways:

• Add users to a group that has the Administrator@Portal role. The <wpsadmins> user group automatically receives the Administrator@Portal role during the portal installation. Use the Manage Users and Groups portlet to assign users to this group.

• Explicitly assign the Administrator@Portal role to specific users. Use the Resource Permissions portlet or the User and Group Permissions portlet to to give users this role.

 

Allow a user to manage portlet applications with the Manage Applications portlet

Suppose that Michael needs to manage certain portlet applications. He must use the Manage Applications portlet to do this. Give Michael the following roles:

• User@<Web_Module>: This role permits Michael to see the information that is contained in a Web Module and to use the Manage Applications portlet to navigate to the Portlet Applications that are contained in this Web Module. You must assign Michael to a User role on each Web Module that she needs to access.

• Manager@<Portlet_Application>: This role permits Michael to administer the portlet application. You must assign Michael to a Manager role on each Portlet Application that she needs to administer.

There are two ways to give Michael these roles:

• Add Michael to a group that has these roles. Use the Manage Users and Groups portlet to assign her to this group.

• Explicitly assign the roles to Michael. Use the Resource Permissions portlet or the User and Group Permissions portlet to give her these roles.

 

 

Allow users to access a page and some subset of its child pages

Create an inheritance block on the appropriate page. For example, give the Marketing group the Editor@Market News Page role. This allows members of the Marketing group to edit the Market News page and all of its current and future child pages, including the Europe Market News page and the USA Market News page. To allow the Marketing group to edit the USA Market News page, but not the Europe Market News page, insert an inheritance role block for the Editor role type on the Europe Market News Page. Use the Resource Permissions portlet or the XML configuration interface to insert this role block. This role block prevents members of the Marketing group (and all other users and groups with an inherited or implicit Editor role on any parent pages of the Europe Market News page) from editing the Europe Market News page and all of its current and future child pages.

 

Allow users to access a portlet on a page

Give the group a role assignment on both the page and the portlet. Role assignments on a page do not contain access rights for portlets that appear on the page. Use the Resource Permissions portlet, the User and Group Permissions portlet, or the XML configuration interface to assign these roles.

For example, suppose there is a Market Targets portlet on the Market News Page. Give the Marketing group (or a user group that contains the Marketing group) the Editor@Market Targets Portlet role and the Editor@Market News Page role.

 

Allow users to access a page, but not its child pages

Use the Resource permissions portlet to create a propagation block on the appropriate page. For example, give the Marketing group Editor access to the Market News page. To prevent this group from editing the USA Market News page and the Europe Market news page, create a propagation block for the Editor role type on the USA Market News page. This role block prevents the Marketing group (and all other users and groups with an inherited or implicit Editor@Market News Page role) from editing all current and future child pages of the Market News Page.

 

Allow users to view and personalize a page and all of its child pages

Give the group the Privileged User role on the page and any portlets that appear on the page or its child pages. For example, give the Marketing group to the Privileged User@Market News Page role. This allows all members of this group to view and personalize the Market News page and all of its current and future child pages. Then give the Marketing group the Privileged User role on all portlets and portlet applications that appear on the Market News page and any of its child pages.

Giving the Marketing group the Privileged User role instead of the Editor role allows members to create new private pages that are children of the Market News Page, but prevents members from creating new public pages.

The Editor role blocks that are created in the previous examples do not affect Privileged User roles in any way.

 

Allow a user to assign roles on a specific resource to members of a specific group

For example, to allow Michael to assign the Marketing group to the role Privileged User@Market News Page, do either of the following steps:

• Give Michael the Privileged User@Market News Page, Security Administrator@Market News Page, and Delegator@Marketing Group roles. This allows her to assign the Marketing group (or individual members of this group) to the Privileged User@Market News Page role or the User@Market News Page role. Michael cannot assign anyone to the Editor@Market News Page role because she is not an Editor on the Market News Page. Michael cannot assign the Global Marketing group to the Privileged User@Market News Page role unless the Global Marketing group is a member of the Marketing group.

• Give Michael the Administrator@Portal role. This allows her to assign any user or group to any role on any resource.

Note: To administer access control through the administrative portlets, Michael must have role assignments that allow her to view the User Group Permissions or the Resource Permissions portlets and the pages that contain these portlets. To administer access control through the XML configuration interface, Michael must have a role assignment that allows her to access the XmlAccess virtual resource.

 

See also

1. Access rights
2. Access control administration
3. Resource Permissions portlet
4. Manage users and groups
5. User and Group Permissions portlet
6. XML configuration interface
7. Roles