Manage users and groups
Overview
Users can register and manage their own account information, or an administrator can provision and manage users. Group memberships give the required permissions to access an object or perform a request.
All read-only attributes for users and groups must be listed in:
<wp_root>/shared/app/config/services/PumaService.properties
If read-only attributes are not listed in this file, users and groups cannot be modified. List the attributes with the appropriate properties below:
- user attributes: user.sync.remove.attributes
- group attributes: group.sync.remove.attributes
Make sure there is always at least one user with the Administrator@Portal role. If no user has this role, the portal will be inoperable.
Nested groups
WebSphere Portal supports nested groups to enable simple inheritance of access control. Two groups are nested if one of the groups contains the other group as a member. WebSphere Portal's access control system treats this as though all members of the contained group are also members of the containing group.
Virtual Users and User Groups
The portal supports predefined virtual users and groups that allow for access control configuration that applies to abstract sets of users. These virtual users and groups are not stored in the user registry. They only exist within the access control context. You cannot change group membership or other attributes of these virtual users and groups.
Anonymous Portal User
This virtual user models a portal user that has not yet logged into the portal. Roles assigned to this user allow you to establish pages and portlets that can be accessed prior to completing an authentication form. This is useful for creating public welcome pages. The Anonymous User is considered not to be a member of any group within the portal. Permissions on the anonymous user are derived from permissions on the virtual resource Users.
All Authenticated Users
This virtual user group models the set of all users that are known by the portal. After successfully logging in to the portal, users lose the Anonymous Portal User identity and become authenticated users. These authenticated users are members of the All Authenticated Users virtual user group. Roles assigned to this user group establish the permissions that apply to all authenticated users, and thus support setting up the default privileges within the portal.
All User Group
This virtual user group contains all non-virtual user groups.
Set limits on searches for users and groups
Searching for users or groups is a time-consuming task. A search may time out or return more results than the system can handle or the user may expect. To prevent this behavior, you can limit searches for users or groups in two ways:
- Set a maximum number of search results
- Set a timeout for searches in the user repository
These settings can be altered in the wmm.xml file with the parameters shown below:
maximumSearchResults="200" searchTimeOut="120000"
The parameter maximumSearchResults specifies the maximum number of search results. The parameter searchTimeOut specifies the timeout in thousandths of a second.
The example above shows the default values. It returns a maximum number of 200 users or groups and terminates the search if the back end does not respond within two minutes.
These settings affect the users or groups shown in portlets (e.g. the User Manager portlet) and XML export scripts.
Important: If your user repository contains more users or groups than the value configured in maximumSearchResults, a complete export of users and groups with XML Access is not possible.
Changing user profiles and group membership information
WebSphere Portal Version 5.0.2 changes the default behavior for modifying user profiles, changing group membership information, and other sensitive operations that require access to users and groups.
Role assignments on user groups no longer include permissions on nested subgroups. To obtain permissions on a user, you must have a role assignment on a group to which the user directly belongs.
For example, suppose there are two user groups, the Sales Group and the Marketing group. The Marketing group is a nested subgroup of the Sales group. Mary is a direct member of the Marketing group.
- WebSphere Portal Version 5.0 default behavior: The Editor@Sales Group role allows a user to modify Mary's user profile
- WebSphere Portal Version 5.0.2 default behavior: The Editor@Sales Group role allows a user to modify Mary's user profile only if Mary is also a direct member of the Sales group
Roles assigned to user groups are still propagated to nested subgroups. For example, if the Sales group has the Editor@Market News Page role, then by default Mary still inherits that role assignment.
To revert to the WebSphere Portal Version 5.0 default behavior, modify the <wp_root>/shared/app/config/services/AccessControlDataManagementService.properties file by adding the following text on a new line:
accessControlDataManagement.enableTargetResourceGroupInheritance=true
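The following added example (a simplified model, not WebSphere Portal code) works through the Sales/Marketing case above to show how the two defaults differ and why role propagation is unaffected. The function names and the user "Sam" are hypothetical. The target_inheritance flag stands in for accessControlDataManagement.enableTargetResourceGroupInheritance.

```python
# Added illustration: a simplified model, not WebSphere Portal's implementation.
# Sales, Marketing and Mary come from the page's example; "Sam" and all
# function names are constructed for this sketch.

# group -> direct user members; group -> directly nested subgroups
DIRECT_MEMBERS = {"Sales": {"Sam"}, "Marketing": {"Mary"}}
NESTED = {"Sales": {"Marketing"}, "Marketing": set()}


def subgroups(group, seen=None):
    """Return the group plus every subgroup nested below it (cycle-safe)."""
    seen = set() if seen is None else seen
    if group in seen:
        return seen
    seen.add(group)
    for child in NESTED.get(group, ()):
        subgroups(child, seen)
    return seen


def effective_members(group):
    """Nested groups: members of a contained group count as members
    of the containing group."""
    return set().union(*(DIRECT_MEMBERS.get(g, set()) for g in subgroups(group)))


def can_modify_profile(role_group, target_user, target_inheritance=False):
    """Does Editor@<role_group> grant permission on target_user's profile?

    target_inheritance=False models the 5.0.2 default (the target must be a
    direct member of role_group); True models the 5.0 behavior, where
    members of nested subgroups are covered as well.
    """
    if target_inheritance:
        return target_user in effective_members(role_group)
    return target_user in DIRECT_MEMBERS.get(role_group, set())


def inherits_role(user, group_with_role):
    """Roles assigned to a group still propagate to members of nested
    subgroups under both defaults (e.g. Editor@Market News Page on Sales)."""
    return user in effective_members(group_with_role)
```

With the 5.0.2 default, an administrator who relied on Editor@Sales Group to manage Mary needs either a role on the Marketing group or Mary added as a direct member of Sales.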