Access rights
Overview
Sensitive operations include common tasks, such as viewing portlets on specific pages, and complex, high-risk tasks, such as running xmlaccess scripts.
Roles provide permissions for users to perform specific operations on resources. The following tables denote roles as Role@Resource, for example Editor@Web Modules, and list the minimum role assignments that are necessary to perform sensitive operations.
Roles are organized in a hierarchy. Roles that are higher in the hierarchy generally include the permissions of roles that are lower in the hierarchy. For example, the minimum role assignment for installing Web modules is the Editor role on the virtual resource Web Modules, that is, Editor@Web Modules. The Manager role is higher in the hierarchy than the Editor role, so the Manager role includes the permissions of the Editor role, and Manager@Web Modules also allows users to install Web modules.
When access rights are granted to any listed resource, it inherently requires access to the resource Access Control Administration.
Use the Access Control Administration to change the owner of a resource.
The resources listed could be different depending on other products that might be installed with the product. Some roles are required on virtual resources; other roles must be on resource instances.
Users might also have access rights for some operations through ownership of resources.
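The following Python script is an added example; it is not part of this documentation or of the product. It models the Role@Resource notation, the rule that higher roles include lower ones, the ".or..." and "+" combinations used in the requirement cells of the tables that follow, and the Manager-like rights that the creator of a private resource gains. The linear role ordering in the script is an assumption for illustration (this page only states that Manager sits above Editor); the resource names P1 and the user names are constructed.

```python
# Added example; not part of this documentation or the product. It models the
# Role@Resource notation and the "higher roles include lower roles" rule of the
# overview so that a requirement cell such as
#   "Security Administrator@R + RT@R .or... Administrator@PORTAL"
# can be evaluated against a user's assignments.
# ASSUMPTION: the linear ordering below is illustrative. The page only states
# that Manager sits above Editor; Security Administrator and Delegator are
# treated as separate branches and match only exactly.
from typing import Dict, List, Optional, Set

ASSUMED_HIERARCHY = ["User", "Privileged User", "Contributor", "Editor",
                     "Manager", "Administrator"]
RANK = {role: i for i, role in enumerate(ASSUMED_HIERARCHY)}

Assignments = Dict[str, Set[str]]   # resource name -> roles held on it


def role_covers(held: str, required: str) -> bool:
    """True if the held role includes the permissions of the required role."""
    if held == required:
        return True
    if held in RANK and required in RANK:
        return RANK[held] >= RANK[required]
    return False  # roles off the assumed chain never imply one another


def effective_roles(assignments: Assignments, resource: str,
                    owned_private: Optional[Set[str]] = None) -> Set[str]:
    """Explicit assignments on a resource, plus the Manager-like rights the
    overview grants the creator of a private resource."""
    roles = set(assignments.get(resource, set()))
    if owned_private and resource in owned_private:
        roles.add("Manager")
    return roles


def has_assignment(assignments: Assignments, requirement: str,
                   owned_private: Optional[Set[str]] = None) -> bool:
    """requirement is written Role@Resource, exactly as in the tables."""
    role, resource = requirement.split("@", 1)
    return any(role_covers(held, role)
               for held in effective_roles(assignments, resource, owned_private))


def allowed(assignments: Assignments, alternatives: List[List[str]],
            owned_private: Optional[Set[str]] = None) -> bool:
    """alternatives mirrors one requirement cell: a list of '+'-joined
    conjunctions, any one of which ('.or...') is sufficient."""
    return any(all(has_assignment(assignments, r, owned_private) for r in conj)
               for conj in alternatives)


# Requirement cells copied from the tables; resource and user names are constructed.
INSTALL_WEB_MODULE = [["Editor@Web Modules"]]
CREATE_EDITOR_ROLE_ON_P1 = [["Security Administrator@P1", "Editor@P1"],
                            ["Administrator@PORTAL"]]           # internal protection
DELETE_PAGE_P1 = [["Manager@P1"]]

if __name__ == "__main__":
    alice: Assignments = {"Web Modules": {"Manager"}}
    bob: Assignments = {"PORTAL": {"Administrator"}}
    carol: Assignments = {"P1": {"User"}}
    print(allowed(alice, INSTALL_WEB_MODULE))                     # True, Manager covers Editor
    print(allowed(bob, CREATE_EDITOR_ROLE_ON_P1))                 # True, via Administrator@PORTAL
    print(allowed(carol, DELETE_PAGE_P1))                         # False
    print(allowed(carol, DELETE_PAGE_P1, owned_private={"P1"}))   # True, creator of private page
```

Because Security Administrator is kept off the assumed chain, holding Security Administrator@P1 alone does not satisfy the Editor@P1 part of the "create a role" cell; the user needs both roles, or Administrator@PORTAL, which matches the table.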
private: Accessible only by the owner of the resource. Creators of private resources automatically gain rights that are similar to the rights of a Manager. For example, if you create a private page, you have rights similar to those of a Manager for that page and can perform certain actions such as changing the page theme or deleting the page.
non-private: Accessible by those people who have been granted access to the resource.
public: Accessible without authentication.
Access Control Administration
Operation: View access control of resource R
Required role assignment:
If R is under internal PORTAL protection: Security Administrator@R, or Administrator@PORTAL.
If R is under external protection: Security Administrator@R, or Administrator@PORTAL + Security Administrator@EXTERNAL_ACCESS_CONTROL.

Operation: Create a new role RT on resource R
Required role assignment:
If R is under internal PORTAL protection: Security Administrator@R + RT@R, or Administrator@PORTAL.
If R is under external protection: Security Administrator@R + RT@R, or Administrator@PORTAL + Security Administrator@EXTERNAL_ACCESS_CONTROL.

Operation: Delete a role created from role RT on resource R. All corresponding role mappings are also deleted.
Required role assignment:
If R is under internal PORTAL protection: Security Administrator@R + RT@R + Delegator role on all assigned principals, or Administrator@PORTAL.
If R is under external protection: Security Administrator@R + RT@R + Delegator role on all assigned principals, or Administrator@PORTAL + Security Administrator@EXTERNAL_ACCESS_CONTROL.

Operation: Create or delete a role assignment for user or group U created from role RT on resource R
Required role assignment:
If R is under internal PORTAL protection: Security Administrator@R + RT@R + Delegator@U, or Administrator@PORTAL.
If R is under external protection: Security Administrator@R + RT@R + Delegator@U, or Administrator@PORTAL + Security Administrator@EXTERNAL_ACCESS_CONTROL.

Operation: Create or delete a role block for all roles created from role RT on resource R
Required role assignment:
If R is under internal PORTAL protection: Security Administrator@R + RT@R, or Administrator@PORTAL.
If R is under external protection: Security Administrator@R + RT@R, or Administrator@PORTAL + Security Administrator@EXTERNAL_ACCESS_CONTROL.
Note: A Security Administrator on this resource is always implicitly a Delegator on this resource. For all other roles, Security Administrator@R plus the assignments listed above are required.

Operation: Externalize or internalize resources: move a resource R from internal to external control or back. All non-private child resources of R move with it. Private resources cannot be externalized.
Required role assignment: Security Administrator@R + Security Administrator@EXTERNAL_ACCESS_CONTROL, or Administrator@PORTAL + Security Administrator@EXTERNAL_ACCESS_CONTROL.

Operation: Modify the owner of a resource: set a user or group U1 as the new owner of the non-private resource R, where the old owner was U2
Required role assignment: Delegator@U1, Delegator@U2, Manager@R, and Security Administrator@R

PORTAL and EXTERNAL_ACCESS_CONTROL are virtual resources. The Security Administrator@EXTERNAL_ACCESS_CONTROL role is created and managed in the External Security Manager (ESM) and must be modified using the ESM management tools, for example the IBM Tivoli Access Manager (TAM) pdadmin command line or the Computer Associates eTrust SiteMinder administrative console.
Applications
Operation: Create an Application based on an existing Template T in Template Category TC
Required role assignment: User@TC

Operation: Create, edit, or delete application roles of Application A
Required role assignment: Application manager

Operation: Add, remove, or reassign members to application roles
Required role assignment: Application membership manager

Operation: Save Application A as a Template T in Template Category TC
Required role assignment: Application manager + Contributor@TC

Operation: Edit the layout of Application A
Required role assignment: Application manager

Operation: Change the owner of Application A
Required role assignment: Application owner or Application manager. Only the application owner or an administrator can set new owners.

Operation: Delete an Application A
Required role assignment: Application manager
Application Template Categories
Operation: Create a new Template Category TC_New in Template Category TC_Parent
Required role assignment: Contributor@TC_Parent

Operation: View a Template Category TC
Required role assignment: User@TC
Application Templates
Operation: Create a Template from an existing Application: serialize an existing Application A and create a new Template T under Template Category TC
Required role assignment: Application manager + Contributor@TC

Operation: Deploy or import a new Template T in Template Category TC
Required role assignment: Contributor@TC + Editor@TEMPLATE DEPLOYMENT

Operation: Create a new Template T in Template Category TC
Required role assignment: Contributor@TC

Operation: Export a Template T in Template Category TC
Required role assignment: User@T + User@TC

Operation: Edit a Template T in Template Category TC
Required role assignment: Editor@T + User@TC

Operation: Change the owner of a Template
Required role assignment: Delegator@Template. Only the application owner or an administrator can set new owners.

Operation: Delete a Template T in Template Category TC
Required role assignment: Manager@T + Editor@TC

Operation: View a Template T in Template Category TC
Required role assignment: User@T + User@TC
Note: In most cases User@T is inherited from the permission on the Template Category (TC), because the TC is the parent of the Template resource. A propagation block on the TC, however, can prevent a user from receiving User@T; in that case the access right for T must be set separately.
Business Rules (Personalization)
Operation: View a Business Rule
Required role assignment: User@Business Rules Workspace. Set this permission on the Business Rules Workspace in the Personalization navigator by selecting the root node and then choosing Extra Action -> Edit Access from the menu.

Operation: Create a Business Rule
Required role assignment: Contributor@Business Rules Workspace
Important: Contributor@Business Rules Workspace is the minimum required access right to create a Business Rule; however, you should use Editor@Business Rules Workspace to create and maintain business rules and use the Portal administration facilities.

Operation: Delete a Business Rule
Required role assignment: Manager@Business Rules Workspace

Operation: Assign a Business Rule to a page P
Required role assignment:
For non-private pages: Editor@P and User@Business Rules Workspace
For private pages: Privileged User@P and User@Business Rules Workspace

Operation: Assign a Business Rule to a portlet PO on page P
Required role assignment:
For non-private pages: Editor@P, User@PO, and User@Business Rules Workspace
For private pages: Privileged User@P, User@PO, and User@Business Rules Workspace

Additional actions: When you use the Set Access button in Personalization to add a user or a group to a role on the root of the workspace, this automatically gives the same role to that user or group for all Web Content Manager libraries, policies, and templates.
Content Nodes, such as pages, labels, and URLs
The operations in this table refer specifically to pages, but in some cases also apply to labels and URLs.

Operation: Traverse a page: view the navigation of a page P
Required role assignment: User@P, or User@some child resource of P

Operation: View the content of a page P, including page decoration and potentially the portlets on that page. The portlets on a page are protected separately; see the Portlets on pages table for more information.
Required role assignment: User@P

Operation: Modify page properties: add or remove markup, add or remove a locale, or add or remove parameters to or from a page P
Required role assignment: Editor@P

Operation: Change the theme of a page P
Required role assignment: Editor@P

Operation: Modify the layout of a page P, including adding or removing wires and managing actions
Required role assignment:
For non-private pages: Editor@P
For private pages: Privileged User@P
For managing receiving actions of a portlet on a target page: Editor@P and Editor@PO

Operation: Customize the layout of a non-private page: create a private, implicitly derived copy of a non-private page P
Required role assignment: Privileged User@P

Operation: Add a root page: create and add a new top-level page P
Required role assignment:
For non-private pages: Editor@Pages
For private pages: Privileged User@Pages

Operation: Add a page: create a new page under a given page P
Required role assignment:
For non-private pages: Editor@P
For private pages: Privileged User@P

Operation: Create a derived page: create a new page underneath P1 that is explicitly derived from page P2
Required role assignment:
New page is private: Privileged User@P1 + Editor@P2
New page is non-private: Editor@P1 + Editor@P2

Operation: Delete a page P and all descendant pages, including further subpages and the portlets on those pages
Required role assignment: Manager@P

Operation: Move page P1 to a new parent page P2
Required role assignment:
For non-private pages: Manager@P1 + Editor@P2
For private pages: Manager@P1 + Privileged User@P2

Operation: Lock or unlock the contents of a non-private page P
Required role assignment: Editor@P + User@portlet (Page Locks) + User@page (Locks)
Credential Vault portlet
Operation: Add, view, or delete a vault segment
Required role assignment: Management of the Credential Vault through the Credential Vault portlet requires access to an instance of the Credential Vault portlet.

Operation: Add, view, delete, or edit a vault slot
Required role assignment: Management of the Credential Vault through the Credential Vault portlet requires access to an instance of the Credential Vault portlet.
Enable Tracing portlet
Operation: Add or delete portal trace settings
Required role assignment: Adding or deleting portal trace settings through the Enable Tracing portlet requires access to an instance of the Enable Tracing portlet.
Event Handlers
Operation: Manage event handlers: create, modify, and delete event handlers
Required role assignment: Security Administrator@Event Handlers
Manage Clients portlet
Operation: Manage clients: view the portlet; delete, modify, and add clients in the Manage Clients portlet
Required role assignment: User@Manage Clients
Manage Search
Operation: Create a new search index
Required role assignment: Editor@PSE_Sources
Manage Virtual Portal
Operation: Create a new Virtual Portal
Required role assignment: Security Administrator@Portal

Operation: View the Virtual Portal
Required role assignment: Security Administrator@Portal

Operation: Edit the Virtual Portal
Required role assignment: Security Administrator@Portal

Operation: Delete the Virtual Portal
Required role assignment: Security Administrator@Portal
Markups
Operation: Manage Markups: create, delete, or modify a Markup
Required role assignment: Editor@Markups
Policies
Operation: Create a new Policy under a given Policy
Required role assignment: Editor@Policy and User@Business Rules Workspace
Contributor@Policy is the minimum required access right to create a new Policy under a given Policy, though it is not recommended. Editor@Policy is recommended to create and maintain policies and use the Portal administration utilities.
If a rule has to be created or edited during the creation of a Policy, then Editor@Business Rules Workspace and Editor@Policy are also required.
Business Rules Workspace is the root node in the Personalization navigator for Business Rules resources. Set permissions on this node by selecting the workspace node and then choosing Extra Action -> Edit Access from the menu.

Operation: Assign a Business Rule to a Policy
Required role assignment: User@Business Rules and Editor@Policy

Operation: Edit a Policy
Required role assignment: Editor@Policy and User@Business Rules. If a rule has to be created or edited during the creation of a Policy, then Editor@Business Rules is also required.

Operation: View a Policy
Required role assignment: User@Policy + User@Business Rules

Operation: Import a new Policy
Required role assignment: Editor@Policy_Root
Important: Contributor@Policy_Root is the minimum required access right to import a new Policy; however, you should use Editor@Policy_Root to import and maintain policies and use the Portal administration utilities.

Operation: Delete a Policy
Required role assignment: Manager@Policy + User@Business Rules
When you delete a policy, the associated rule is not deleted.
Portal Settings
Operation: View current portal settings
Required role assignment: User@Portal Settings

Operation: Modify current portal settings
Required role assignment: Editor@Portal Settings
Portlet Applications
Operation: View the portlet application definition information for a portlet application PA
Required role assignment: User@PA

Operation: Modify a portlet application: add or remove a locale, set the default locale, or modify settings of the portlet application PA
Required role assignment: Editor@PA

Operation: Duplicate a portlet application: create a new portlet application based on an existing portlet application PA
Required role assignment: Editor@Portlet Applications + User@PA

Operation: Delete a portlet application and remove all corresponding portlets and portlet entities from all pages within the portal
Required role assignment: Manager@PA

Operation: Enable or disable a portlet application: temporarily enable or disable the portlet application PA
Required role assignment: Manager@PA
Portlets
Operation: View an installed portlet: view the portlet definition information of a portlet PO
Required role assignment: User@PO

Operation: Modify an installed portlet: add or remove a locale, set the default locale, or modify settings of the portlet PO
Required role assignment:
For adding or removing locales and setting the default locale: Editor@PO
For modifying settings: Manager@PO

Operation: Duplicate an installed portlet: create a new installed portlet based on an existing portlet PO that is part of a portlet application PA
Required role assignment: Editor@Portlet Applications + User@PO + User@PA

Operation: Delete an installed portlet PO and remove all corresponding portlet entities from all pages within the portal
Required role assignment: Manager@PO

Operation: Enable or disable an installed portlet: temporarily enable or disable a portlet PO
Required role assignment: Manager@PO

Operation: Provide portlet PO as a WSRP service
Required role assignment: Editor@WSRP Export and Editor@PO

Operation: Withdraw portlet PO from WSRP service
Required role assignment: Manager@WSRP Export and Editor@PO

Operation: Integrate the portlets of a WSRP Producer PR into the portal
Required role assignment:
If no portlet application exists for the group of portlets: Editor@Portlet Applications and User@PR
If a portlet application PA already exists for the group of portlets: Editor@PA and User@PR

Operation: Delete an integrated WSRP portlet PO contained in the portlet application PA from the portal
Required role assignment:
If this is the last portlet in the portlet application: Manager@PA
If more than one portlet resides in the portlet application: Manager@PO
Portlets on pages
Operation: View a portlet PO on page P
Required role assignment: User@P + User@PO

Operation: Configure an installed portlet: enter the configure mode of a portlet PO and modify its configuration
Required role assignment: Manager@PO

Operation: Modify a portlet on a page: enter the edit mode of a portlet PO on page P and modify its configuration. If P is a non-private page and the user has no Editor role for this page, then modifying the configuration of the portlet results in the creation of an implicitly derived copy of page P.
Required role assignment: Editor@P + Editor@PO, or Privileged User@P + Privileged User@PO

Operation: Modify page content: add or remove a portlet PO to or from a page P. If P is a non-private page and the user has no Editor role for this page, then modifying the content of P results in the creation of an implicitly derived copy of page P.
Required role assignment:
For non-private pages: Editor@P + User@PO
For private pages: Privileged User@P + User@PO

Operation: Restrict the content of a page: add or remove a portlet from the Allowed Portlet List of a page
Required role assignment: Editor@P + User@PO
Property Broker
Operation: Operate with ActionSets or PropertySets for a portlet PO
Required role assignment: User@PO

Operation: Create, update, or delete a wire from a portlet PO1 on page P1 to a portlet PO2 on page P2
Required role assignment:
Global wire: Editor@P1, User@PO1, Editor@P2, User@PO2
Personal wire: Privileged User@P1, User@PO1, Privileged User@P2, User@PO2
Important: To update or delete a personal wire, the user must have the above role assignments and must have created the wire they are updating or deleting.

Operation: Create a wire from a portlet PO1 on page P1 to a portlet PO2 on page P2
Required role assignment:
Global wire: User@P1, User@PO1, User@P2, User@PO2
Personal wire: Privileged User@P1, User@PO1, Privileged User@P2, User@PO2
Important: To create a personal wire, the user must have the above role assignments and must have created the wire they are executing.

Operation: View a wire from a portlet PO1 on page P1 to a portlet PO2 on page P2
Required role assignment:
Global wire: User@P1, User@PO1, User@P2, User@PO2
Personal wire: Privileged User@P1, User@PO1, Privileged User@P2, User@PO2
Important: To view a personal wire, the user must have the above role assignments and must have created the wire they are viewing.
PSE Sources
Operation: Create a PSE Source: create a search collection
Required role assignment: Editor@PSE Sources

Operation: View a PSE Source: view a search collection SC
Required role assignment: User@SC

Operation: Use a PSE Source: use a search collection SC
Required role assignment: User@SC

Operation: Edit a PSE Source: edit a search collection SC
Required role assignment: Editor@SC

Operation: Delete a PSE Source: delete a search collection SC
Required role assignment: Manager@SC
Tagging and rating
Operation: View community tags and ratings that other users have applied; create and delete personal public tags and ratings; delete community tags regardless of ownership
Required role assignment: Manager@Tags + Manager@Ratings

Operation: View community tags and ratings that other users have applied; create and delete personal public tags and ratings
Required role assignment: Contributor@Tags + Contributor@Ratings

Operation: View community tags and ratings that other users have applied; create and delete personal private tags and ratings
Required role assignment: Privileged User@Tags + Privileged User@Ratings

Operation: View community tags and ratings that other users have applied
Required role assignment: User@Tags + User@Ratings
Themes, Skins, and Layout Templates
Operation: Create, view, edit, or delete a Theme, Skin, or Layout Template
Required role assignment: Manager@THEME MANAGEMENT
Unique Names portlet
Operation: Manage unique names: view the portlet; delete, modify, and add unique names in the Unique Names portlet
Required role assignment: Editor@R + User@Unique Names
URL Mapping Contexts
Operation: Create a new URL mapping context UMC
Required role assignment: Editor@URL Mapping Contexts

Operation: Traverse a URL mapping context: the ability to traverse a URL mapping context UMC due to a role assignment on some child context of UMC
Required role assignment: User@UMC, or User@some child context of UMC

Operation: View the definition of a URL mapping context UMC
Required role assignment: User@UMC

Operation: Assign a URL: create a mapping between a URL mapping context UMC and a portal resource R
Required role assignment: Editor@UMC + User@R

Operation: Modify a URL mapping context: change the properties of an existing URL mapping context UMC, for example edit the label
Required role assignment: Editor@UMC. If Virtual Portal Mapping: Editor@VP URL Mappings

Operation: Delete a URL mapping context UMC and all of its child contexts
Required role assignment: Manager@UMC
User Groups
Operation: Create a new user group within the user registry
Required role assignment: Editor@User Groups

Operation: View the user group profile information of a user group UG
Required role assignment: User@UG

Operation: Modify the profile information of a user group UG
Required role assignment: Editor@UG

Operation: Add or remove an existing user U or a user group UG2 to or from an existing user group UG1
Required role assignment: Security Administrator@Users + Editor@UG1

Operation: Delete a user group UG
Required role assignment: Manager@UG. The owner of the user group can also delete it.
Users
Operation: Create a new user in the user registry
Required role assignment: Editor@User Self Enrollment

Operation: View the user profile information of a user U
Required role assignment: User@UG, where U is a member of user group UG, or User@Users

Operation: Modify the profile information of a user U
Required role assignment: Editor@UG, where U is a member of user group UG, or Editor@Users

Operation: Delete a user from the user registry and delete all private pages created by this user
Required role assignment: Manager@Users

Operation: Impersonate a user to troubleshoot problems and view pages, portlets, and other portal components
Required role assignment: Can Run As User@Users. To use the Can Run As User role, enable the impersonation feature and assign the Can Run As User role to an appropriate user.
Web Clipping
Operation: Create new clippings
Required role assignment: Editor@Portlet Applications
Web modules
Operation: Install a new portlet application WAR file
Required role assignment: Editor@Web Modules

Operation: Update a Web module WM by installing a corresponding WAR file
Required role assignment: Editor@Web Modules + Manager@WM

Operation: Uninstall a Web module WM and remove all corresponding portlet applications and portlets from all pages within the portal
Required role assignment: Manager@WM + Manager@all portlet applications contained in WM
WSRP Producers (on the Consumer side)
Operation: Add a remote WSRP Producer PR to the Portal
Required role assignment: Editor@WSRP Producers

Operation: Edit the settings of a remote Producer PR
Required role assignment: Editor@PR

Operation: View the settings or display the list of portlets that are provided by a remote WSRP Producer PR
Required role assignment: User@PR

Operation: Delete a remote WSRP Producer PR from the portal
Required role assignment: Manager@PR
XML Access
Operation: Run commands using xmlaccess
Required role assignment: Security Administrator@Portal + Editor@XML Access
Role Mappings and WSRP services
On the WSRP producer side, you can set the configuration property wsrp.security.enabled to enforce the access control decision for the provided portlets. If this property is set to true, all access control decisions in the producing portal are based on the authenticated principal. If wsrp.security.enabled is set to false, the producing portal does not enforce any access control on incoming WSRP requests from client portals.
When identity propagation is used, the user authenticated on the client portal needs to have the required role assignments. If no identity propagation is configured but SSL client certificate authentication is enabled, the ID of the certificate needs to have the required role assignments. If none of these authentication methods is used, the request is treated as if it came from the Anonymous Portal User. In that case the required roles need to be assigned to the Anonymous Portal User, which implies allowing unauthenticated access to the corresponding resources for all users who can reach the producer portal.
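The following Python script is an added example, not part of this documentation or the product. It encodes the producer-side rules above as a configuration review: which principal the access control decision is based on, and which settings leave the provided portlets open to every caller. Only the property name wsrp.security.enabled is taken from this page; whether identity propagation or SSL client certificate authentication is configured is passed in as a boolean, because this page does not name the settings that control them, and the sample property files are constructed.

```python
# Added example; not from the page or the product. It encodes the producer-side
# rules above as a review check. Only the property name wsrp.security.enabled
# is from the page; whether identity propagation or SSL client certificate
# authentication is configured is passed in as a boolean, because this page
# does not name the settings that control them (ASSUMPTION).
from typing import Dict, List, Optional


def parse_properties(text: str) -> Dict[str, str]:
    """Parse simple key=value lines; blank lines and '#' comments are skipped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def decision_principal(security_enabled: bool, identity_propagation: bool,
                       client_user: Optional[str],
                       ssl_client_cert_id: Optional[str]) -> Optional[str]:
    """Principal the producing portal bases its access control decision on.
    None means no decision is made at all (wsrp.security.enabled=false)."""
    if not security_enabled:
        return None
    if identity_propagation and client_user:
        return client_user            # user authenticated on the client portal
    if ssl_client_cert_id:
        return ssl_client_cert_id     # ID of the SSL client certificate
    return "Anonymous Portal User"    # neither method in use


def review_producer(props: Dict[str, str], identity_propagation: bool,
                    ssl_client_cert_auth: bool) -> List[str]:
    """Findings a reviewer of a producer configuration would want to see."""
    findings: List[str] = []
    value = props.get("wsrp.security.enabled")
    if value is None:
        findings.append("wsrp.security.enabled is not set explicitly; set it to true "
                        "(this check treats an absent value as unknown)")
    elif value.lower() != "true":
        findings.append("wsrp.security.enabled=%s: the producer enforces no access "
                        "control on incoming WSRP requests" % value)
        return findings
    if not identity_propagation and not ssl_client_cert_auth:
        findings.append("requests are treated as the Anonymous Portal User: the roles "
                        "required for the provided portlets must be granted to "
                        "Anonymous Portal User, which means unauthenticated access")
    return findings


# Constructed sample configurations (not real product files).
WEAK_PRODUCER = "wsrp.security.enabled=false\n"
STRICT_PRODUCER = "# producer settings\nwsrp.security.enabled=true\n"

if __name__ == "__main__":
    for name, text in (("weak", WEAK_PRODUCER), ("strict", STRICT_PRODUCER)):
        for finding in review_producer(parse_properties(text),
                                       identity_propagation=False,
                                       ssl_client_cert_auth=False):
            print(name, "->", finding)
    print(decision_principal(True, True, "alice", None))   # alice
    print(decision_principal(True, False, None, None))     # Anonymous Portal User
```

The strict sample still produces a finding when neither identity propagation nor SSL client certificate authentication is in place, because enabling wsrp.security.enabled alone only decides that a check happens; without an authenticated principal that check runs as the Anonymous Portal User.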