Portal, V6.1
Access control scenarios
Overview
The following examples use a hypothetical portal user called Mary and a hypothetical group called the Sales group.
The tasks described here can be performed using either the administrative portlets or the XML configuration interface.
Give a user full access to the portal
Give the user the role...
Administrator@Portal roleThis permits unrestricted access to all portal resources except the private pages of other users.
Give users this role in one of two ways:
- Add users to a group that has the role...
Administrator@PortalThe wpsadmins user group automatically receives this role during the portal installation. Use the Manage Users and Groups portlet to assign users to this group.
- Explicitly assign role...
Administrator@Portal...to specific users. Use the Resource Permissions portlet or the User and Group Permissions portlet to give users this role.
Allow a user to manage portlet applications with the Manage Applications portlet
Suppose that Mary needs to manage certain portlet applications. She must use the Manage Applications portlet to do this. Give Mary the following roles:
User@Web_Module
Permits Mary to see the information that is contained in a Web Module and to use the Manage Applications portlet to navigate to the Portlet Applications that are contained in this Web Module. You must assign Mary to a User role on each Web Module that she needs to access.
Manager@Portlet_Application
Permits Mary to administer the portlet application. You must assign Mary to a Manager role on each Portlet Application that she needs to administer.
There are two ways to give Mary these roles:
- Use the Manage Users and Groups portlet to add Mary to a group that has these roles.
- Use the Resource Permissions portlet or the User and Group Permissions portlet to explicitly assign the roles to Mary.
Allow users to access a page and some subset of its child pages
Create an inheritance block on the appropriate page. For example, give the Sales group the role...
Editor@Market News PageThis allows members of the Sales group to edit the Market News page and all of its current and future child pages, including the Europe Market News page and the USA Market News page. To allow the Sales group to edit the USA Market News page, but not the Europe Market News page, insert an inheritance role block for the Editor role type on the Europe Market News Page.
Use the Resource Permissions portlet or the XML configuration interface to insert this role block. This role block prevents members of the Sales group (and all other users and groups with an inherited or implicit Editor role on any parent pages of the Europe Market News page) from editing the Europe Market News page and all of its current and future child pages.
Allow users to access a portlet on a page
Give the group a role assignment on both the page and the portlet. Role assignments on a page do not contain access rights for portlets that appear on the page. Use the Resource Permissions portlet, the User and Group Permissions portlet, or the XML configuration interface to assign these roles.
For example, suppose there is a Market Targets portlet on the Market News Page. Give the Sales group the roles...
Editor@Market Targets Portlet
Editor@Market News Page
Allow users to access a page, but not its child pages
Use the Resource permissions portlet to create a propagation block on the appropriate page. For example, give the Sales group Editor access to the Market News page. To prevent this group from editing the USA Market News page and the Europe Market News page, create a propagation block for the Editor role type on the Market News page. It is not necessary to create a propagation block on the Market News child pages. This Market News page role block prevents the Sales group from editing all current and future child pages of the Market News Page.
Allow users to view and personalize a page and all of its child pages
Give the group the Privileged User role on the page and any portlets that appear on the page or its child pages. For example, give the Sales group to the role...
Privileged User@Market News PageThis allows all members of this group to view and personalize the Market News page and all of its current and future child pages. Then give the Sales group the Privileged User role on all portlets and portlet applications that appear on the Market News page and any of its child pages.
Giving the Sales group the Privileged User role instead of the Editor role allows members to create new private pages that are children of the Market News Page, but prevents members from creating new non-private pages.
The Editor role blocks that are created in the previous examples do not affect Privileged User roles in any way.
Allow a user to assign roles on a specific resource to members of a specific group
For example, to allow Mary to assign the Sales group to the role...
Privileged User@Market News Page...do either of the following steps...
- Give Mary the roles...
Privileged User@Market News Page
Security Administrator@Market News Page
Delegator@Sales GroupThis allows her to assign the Sales group (or individual members of this group) to the roles...
Privileged User@Market News Page
User@Market News PageMary cannot assign anyone to the role...
Editor@Market News Page...because she is not an Editor on the Market News Page.
Mary cannot assign the Global Marketing group to the role...
Privileged User@Market News Page...unless the Global Marketing group is a member of the Sales group.
- Give Mary the role...
Administrator@PortalThis allows her to assign any user or group to any role on any resource.
To administer access control through the administrative portlets, Mary must have role assignments that allow her to view the User Group Permissions or the Resource Permissions portlets and the pages that contain these portlets.
To administer access control through the XML configuration interface, Mary must have a role assignment that allows her to access the XmlAccess virtual resource.
- Assigning access to policies
Assign user access to work with a policy by assigning and editing user roles.
Parent topic
Controlling access