Access permissions
- Business Rules (Personalization)
- Overview
- Content Nodes
- Credential Vault portlet
- Enable Tracing portlet
- Manage Clients portlet
- Manage Search
- Manage Virtual Portal
- Markups
- Policies
- Portal Settings
- Portlet Applications
- Portlets
- Portlets on pages
- Property Broker
- PSE Sources
- Tagging and rating
- themes, skins, and layout templates
- Unique Names portlet
- URL Mapping Contexts
- User Groups
- Users
- Web Clipping
- Web modules
- Access Control Administration
- Event Handlers
- Composite Applications
- WSRP Producers (on the Consumer side)
- XML Access
- Business Rules (Personalization)
- Application template Categories
- Application templates
- Role Mappings and WSRP services
- Virtual resources
- Terms
Overview
Roles provide permissions for user to perform specific operations on resources. The following tables denote roles as follows:
The following tables list minimum role assignments that are necessary to perform sensitive operations. Roles are organized in a hierarchy. Roles that are higher in the hierarchy generally include the permissions of roles that are lower in the role hierarchy.
For example, to install Web modules the Editor role on the virtual resource Web Modules...
is the minimum role assignment for this operation. The Manager role is higher in the hierarchy than the Editor role. In addition to including the permissions of the Editor role, it also allows user to install Web modules.
When access rights are granted to any listed resource, it inherently requires access to the resource Access Control Administration.
Use the Access Control Administration to change the owner of resource.
The resources listed could be different depending on other products that might be installed with the product. Some roles are required on virtual resources; other roles must be on resource instances.
Users might also have access rights for some operations through ownership of resources.
Content Nodes
Operation
Required role assignment
Assign to
group foobar
| View navigation
| User@P or child resource of P
| Yes
|
| View content, including page decoration and portlets
| User@P
| Yes
|
| Add/remove markup, locale, parameters
| Editor@P
Editor@MARKUPS
| Yes
|
| Change the theme of a P
| Editor@P
| Yes
|
Add or remove wires
Manage actions
|
| Non-private:
| Editor@P
|
| Private:
| Privileged User@P
|
| Receiving actions of a portlet on a target page
| Editor@P and Editor@PO
|
| Yes
|
| Create private, implicitly derived copy of a non-private P
| Privileged User@P
| Yes
|
| Create/Add a new top level P
|
| Yes
|
| Create new page under a given Page P
|
| Yes
|
| Create new page underneath P1 explicitly derived from P2
|
| Yes
|
| Delete P and all descendant pages, including further subpages and the portlets on those pages
| Manager@P
| Yes
|
| Move P1 to a new parent P2
|
|
|
| Lock/unlock the contents of a non-private P
| Editor@P + User@portlet (Page Locks) + User@page (Locks)
| Yes
|
1. The operations in this column specifically refer to pages only, but also applies to labels and URLs in some cases.
Credential Vault portlet
Credential vault is inaccessible via virtual portal
Enable Tracing portlet
Operation
Required role assignment
Assign to
group foobar
| Add or delete portal trace settings
| Add or delete portal trace setting through the Enable Tracing portlet requires access to an instance of the Enable Tracing portlet.
| Yes
|
Manage Clients portlet
Operation
Required role assignment
Assign to
group foobar
| Delete, modify, and add clients in Manage Clients portlet
| User@Manage Clients
| Yes
|
Manage Search
Operation
Required role assignment
Assign to
group foobar
| Create new search index
| Editor@PSE_Sources
| Yes
|
Manage Virtual Portal
Operation
Required role assignment
Assign to
group foobar
| Create the New Virtual Portal
| Security Administrator@PORTAL
| No
|
| View Virtual Portal
| Security Administrator@PORTAL
| No
|
| Delete the Virtual Portal
| Security Administrator@PORTAL
| No
|
| Edit the Virtual Portal
| Security Administrator@PORTAL
| No
|
Markups
Managing static content is the same as managing the page contents, so Markup Editor access is needed for the user. Add Markup Editor access to the StaticPageParent to assign and manage static layout/content.
Operation
Required role assignment
Assign to
group foobar
| Create, delete, or modify a Markup
| Editor@MARKUPS
|
|
Policies
Operation
Required role assignment
Assign to
group foobar
| Create new Policy under a given Policy
| Editor@Policy and User@Business Rules Workspace
Contributor@Policy is the minimum required access right to create a new Policy under a given Policy, though it is not recommended. Editor@Policy is recommended to create and maintain policies and use the Portal administration utilities.
If a rule has to be created or edited during the creation of a Policy, then Editor@Business Rules Workspace and Editor@Policy is also required.
Business Rules Workspace is the root node in the Personalization navigator for Business Rules resources. Set permissions on this node by selecting the workspace node and then choosing Extra Action -> Edit Access from the menu.
|
|
| Assign a Business rule to a Policy
| User@Business Rules and Editor@Policy
|
| Edit a Policy
| Editor@Policy and User@Business Rules
If a rule has to be created or edited during the creation of a Policy, then Editor@Business Rules is also required.
|
|
| View a Policy
| User@Policy + User@Business Rules
|
|
| Import a new Policy
| Editor@Policy_Root
Contributor@Policy_Root is the minimum required access right to import a new Policy, however, you should use Editor@Policy_Root to import and maintain policies and use the Portal administration utilities.
|
|
| Delete Policy
| Manager@Policy + User@Business Rules
When you delete a policy, the associated rule is not deleted.
|
|
Portal Settings
Operation
Required role assignment
Assign to
group foobar
| View current portal settings
| User@Portal_Settings
|
|
| Modify current portal settings
| Editor@Portal_Settings
|
|
Portlet Applications
Operation
Required role assignment
Assign to
group foobar
| View portlet application definition information for a PA
| User@PA
|
|
Add or remove a locale
Set default locale
Modify settings to, from, or of the PA
| Editor@PA
|
|
| Duplicate a portlet application
| Editor@PA + User@PA
|
|
| Delete portlet application and removing all corresponding portlets and portlet entities from all pages within the portal
| Manager@PA
|
|
| Enable or disable the PA
| Manager@PA
|
|
Portlets
Operation
Required role assignment
Assign to
group foobar
| View portlet definition information of a PO
| User@PO
|
|
Add or remove a locale
Set default locale
Modify settings to, from, or of the PO.
| To add, remove, or set locale: Editor@PO
To modify settings: Manager@PO
|
|
| Create new installed portlet based on an existing PO that is part of a PA
| Editor@PA + User@PO + User@PA
|
|
| Delete an installed PO and removing all corresponding portlet entities from all pages within the portal
| Manager@PO
|
|
| Enable or disable a PO
| Manager@PO
|
|
| Provide PO as a WSRP service
| Editor@WSRP Export and Editor@PO
|
|
| Withdraw PO from WSRP service
| Manager@WSRP Export and Editor@PO
|
|
| Integrate the portlet of a WSRP Producer PR into the portal
| If no portlet application exists for the group of portlets:
Editor@PA and User@PR
If a PA already exists for the group of portlets:
Editor@PA and User@PR
|
|
| Delete an integrated WSRP PO contained in the portlet application PA from the portal
| If this is the last portlet in Portlet Applications: Manager@PA
If more than one portlet resides in Portlet Applications: Manager@PO
|
|
Portlets on pages
Operation
Required role assignment
Assign to
group foobar
| View a PO on P
| User@P + User@PO
|
|
| Enter the configure mode of a PO and modify configuration
| Manager@PO
|
|
| Enter the edit mode of a PO on P and modify configuration 2
| Editor@P + Editor@PO
or...
Privileged User@P + Privileged User@PO
|
|
| Add or remove a PO to/from a P 3
|
|
|
| Add or remove a portlet from the Allowed Portlet List of a page
| Editor@P + User@PO
|
|
2. If P is a non-private page and the user has no Editor role for this page, then modifying the configuration of the portlet results in the creation of an implicitly derived copy of P.
3. If P is a non-private page and the user has no Editor role for this page, then modifying the content of P results in the creation of an implicitly derived copy of P.
Property Broker
Operation
Required role assignment
Assign to
group foobar
| Operate with ActionSets or PropertySets for a PO
| User@PO
|
|
| Create, update, or delete a wire from a PO1 on Page P1 to a portlet PO2 on Page P2 4
| Global: Editor@P1, User@PO1, Editor@P2, User@PO2
Personal: Privileged User@P1, User@PO1, Privileged User@P2, User@PO2
|
|
| Create wire from a PO1 on Page P1 to a portlet PO2 on Page P2 4
| Global: User@P1, User@PO1, User@P2, User@PO2
Personal: Privileged User@P1, User@PO1, Privileged User@P2, User@PO2
|
|
| View a wire from a PO1 on Page P1 to a portlet PO2 on Page P2 4
| Global: User@P1, User@PO1, User@P2, User@PO2
Personal : Privileged User@P1, User@PO1, Privileged User@P2, User@PO2
|
|
4. User must have created the wire
PSE Sources
Operation
Required role assignment
Assign to
group foobar
| Create search collection
| Editor@PSE Sources
|
|
| View a search collection SC
| User@SC
|
|
| Use a search collection SC
| User@SC
|
|
| Edit a search collection SC
| Editor@SC
|
|
| Delete search collection SC
| Manager@SC
|
|
Tagging and rating
Operation
Required role assignment
Assign to
group foobar
View community tags and ratings that other users have applied.
Create and delete personal public tags and ratings.
Delete community tags regardless of ownership.
| Manager@Tags + Manager@Ratings
|
|
View community tags and ratings that other users have applied.
Create and delete personal public tags and ratings.
| Contributor@Tags + Contributor@Ratings
|
|
View community tags and ratings that other users have applied.
Create and delete personal private tags and ratings.
| Privileged user@Tags + Privileged user@Ratings
|
|
| View community tags and ratings that other users have applied.
| User@Tags + User@Ratings
|
|
Themes, skins, and layout templates
Operation
Required role assignment
Assign to
group foobar
| Create, view, edit, and delete a theme, skin, or layout template
| Manager@THEME MANAGEMENT
|
|
Unique Names portlet
Operation
Required role assignment
Assign to
group foobar
| Delete and add using Unique Names portlet
| Editor@R + User@Unique Names
|
|
URL Mapping Contexts
Operation
Required role assignment
Assign to
group foobar
| Create new URL mapping context UMC
| Editor@URL Mapping Contexts
|
|
| Traverse a URL mapping context due to a role assignment to some child context of UMC
| User@UMC or child context of UMC
|
|
| View definition of a URL mapping context UMC
| User@UMC
|
|
| Create or edit a mapping between a URL mapping context UMC and a portal R
| Editor@UMC + User@R
|
|
| Change the properties of an existing URL mapping context UMC; for example edit the label
| Editor@UMC
Virtual portal mapping: Editor@VP URL Mappings
|
|
| Delete URL mapping context UMC and all of its child contexts
| Manager@UMC
|
|
User Groups
Operation
Required role assignment
Assign to
group foobar
| Create new user group within the user registry
| Editor@User Groups
|
|
| View user group profile information of a user group UG
| User@UG
|
|
| Modify profile information of a user group UG
| Editor@UG
|
|
| Add or remove an existing user U or a user group UG2 to or from an existing user group UG1
| Security Administrator@Users + Editor@UG1
|
|
| Delete user group UG 5
| Manager@UG
|
|
5. The owner of the user group can also delete it.
Users
Operation
Required role assignment
Assign to
group foobar
| Create new user in the user registry
| Editor@User Self Enrollment
|
|
| View user profile information of a user U
| User@UG and U is a member of user group UG or User@Users
|
|
| Modify profile information of a user U
| Editor@UG and U is a member of user group UG or Editor@Users
|
|
| Delete user from the user registry and deleting all private pages created by this user
| Manager@Users
|
|
| Impersonating a user to troubleshoot problems and view pages, portlets, and other portal components.
| Can Run As User@Users 7
|
|
7. To use the Can Run As User role, enable the impersonation feature and assign the Can Run As User role to an appropriate user.
Web Clipping
Operation
Required role assignment
Assign to
group foobar
| Create new clippings
| Editor@PA
|
|
Web modules
Operation
Required role assignment
Assign to
group foobar
| Install new portlet application WAR file
| Editor@Web Modules
| No
|
| Update a Web module WM by installing a corresponding WAR file
| Editor@Web Modules + Manager@WM
| No
|
| Uninstall Web module and removing all corresponding portlet applications and portlets from all pages within the portal
| Manager@WM + Manager @ all portlet applications contained in WM
| No
|
Not applicable for virtual portals
Access Control Administration
Operation
Required role assignment
Assign to
group foobar
| View access control configuration of R
| If R is under internal PORTAL protection:
Security Administrator@R +
Security Administrator@PORTAL
If R is under external protection:
Security Administrator@R
or...
Security Administrator@PORTAL +
Security Administrator@EXTERNAL_ACCESS_CONTROL
|
|
| Create new role RT on R
| If R is under PORTAL protection:
Security Administrator@R + RT@R
or...
Security Administrator@PORTAL
If R is under external protection:
Security Administrator@R + RT@R
or...
Security Administrator@PORTAL +
Security Administrator@EXTERNAL_ACCESS_CONTROL
|
|
| Delete role created from role RT on R. All corresponding role mappings are also deleted.
| If R is under internal PORTAL protection:
Security Administrator@R + RT@R + Delegator role on all assigned principals
or...
Security Administrator@PORTAL
If R is under external protection:
Security Administrator@R + RT@R + Delegator role on all assigned principals
or...
Security Administrator@PORTAL + Security Administrator@EXTERNAL_ACCESS_CONTROL
|
|
| Create/delete a role assignment for user or group U created from role RT on R
| If R is under internal PORTAL protection:
Security Administrator@R + RT@R + Delegator@U
or...
Security Administrator@PORTAL
If R is under external protection:
Security Administrator@R +
RT@R +
Delegator@U or Security Administrator@PORTAL +
Security Administrator@EXTERNAL_ACCESS_CONTROL
|
|
| Create/delete a role block for all roles created from role RT on R
| If R is under internal PORTAL protection:
Security Administrator@R + RT@R
or...
Security Administrator@PORTAL
If R is under external protection:
Security Administrator@R +
RT@R or Security Administrator@PORTAL +
Security Administrator@EXTERNAL_ACCESS_CONTROL
A Security Administrator on this resource is always implicitly a Delegator on this resource. For all other roles, the Security Administrator@R plus the assignments listed above are required.
|
|
| Externalizing or internalizing resources:
Move R back and forth from internal to external control. All non-private child resources of R move with it. Private resources cannot be externalized.
| Security Administrator@R + Security Administrator@EXTERNAL_ACCESS_CONTROL
or...
Security Administrator@PORTAL +
Security Administrator@EXTERNAL_ACCESS_CONTROL
|
|
|
Modify owner of resource:
Set a user or group U1 as new owner of the non-private R, where the old owner was U2
| Delegator@U1, Delegator@U2, Manager@R, and Security_Administrator@R
|
|
WSRP Producers (on the Consumer side)
Operation
Required role assignment
Assign to
group foobar
| Add a remote WSRP Producer PR to the Portal
| Editor@WSRP Producers
|
|
| Edit the settings of a remote Producer PR
| Editor@PR
|
|
| View settings or display the list of portlets that are provided by a remote WSRP Producer PR
| User@PR
|
|
| Delete remote WSRP Producer from the portal
| Manager@PR
|
|
XML Access
Operation
Required role assignment
Assign to
group foobar
| Run commands using xmlaccess.sh
| Security Administrator@PORTAL + Editor@XML Access
|
|
Business Rules (Personalization)
Operation
Required role assignment
Assign to
group foobar
| View a Business Rule
| User@Business Rules Workspace
Set perm on the Business Rules Workspace in the Personalization navigator by selecting...
root node | Extra Action | Edit Access
|
|
| Create Business Rule
| Contributor@Business Rules Workspace 9
|
| Delete Business Rule
| Manager@Business Rules Workspace
|
|
| Assign a Business rule to a P
|
| Non-private:
| Editor@P and User@Business Rules Workspace
|
| Private:
| Priviliged User@P and User@Business Rules Workspace
|
|
|
| Assign a Business rule to a PO on P
|
| Non-private:
| Editor@P, User@PO, and User@Business Rules Workspace
|
| Private:
| Privileged User@P, User@PO, and User@Business Rules Workspace
|
|
|
| Additional actions
| When using Set Access button in Personalization to add a user or a group to a role on the root of the workspace, this automatically gives the same role to that user or group for all Web Content Manager libraries, policies and templates.
|
| |
9. Contributor@Business Rules Workspace is the minimum required access right to create a Business Rule, however, you should use Editor@Business Rules Workspace to create and maintain business rules and use the Portal administration facilities.
Event Handlers
Operation
Required role assignment
Assign to
group foobar
| Create, modify, and delete event handlers
| Security Administrator@Event Handlers
|
|
Composite Applications
6. Only the application owner or an administrator can set new owners.
Application template categories
Operation
Required role assignment
Assign to
group foobar
| Create TC New in TC_Parent
| Contributor@TC_Parent
|
|
| View a TC
| User@TC
|
|
Application templates
Operation
Required role assignment
Assign to
group foobar
| Serialize an existing A and create a new T under TC
| Application manager + Contributor@TC
|
|
| Deploy or import a new T in TC
| Contributor@TC + Editor@TEMPLATE_DEPLOYMENT
|
|
| Create new T in TC
| Contributor@TC
|
|
| Export a T in TC
| User@T + User@TC
|
|
| Edit a T in TC
| Editor@T + User@TC
|
|
| Change owner of template A
| Delegator@Template 8
|
|
| Delete T in TC
| Manager@T + Editor@TC
|
|
| View a T in TC
| User@T + User@TC 9
|
|
8. Only the application owner or an administrator can set new owners.
9. In most cases User@T will be inherited by the permission on the template Category (TC) because the TC is the parent of the Template resource, but setting a propagation block for the TC could prevent a user from getting the permission User@T. In this case the access right for T would be an additional setting.
Role Mappings and WSRP services
On the WSRP producer side, you can set the configuration property wsrp.security.enabled to enforce the access control decision for the provided portlets. If this property value is set to true, then all access control decisions in the producing portal are based on the authenticated principal. If wsrp.security.enabled is set to false, then the producing portal does not enforce any access control on incoming client portal WSRP requests.
When using identity propagation, the user authenticated on the client portal needs to have the required role assignments. If no identity propagation is configured, but SSL client certificate authentication is enabled, then the ID of the certificate needs to have the required role assignments. If none of the previously mentioned authentication methods is used, then the request is treated as if coming from the Anonymous Portal Users. In the latter case, the required roles need to be assigned to the Anonymous Portal User, which implies allowing unauthenticated access to the corresponding resources for all users who can access the producer portal.
Virtual resources
The following are virtual resources. To set, go to: Resource Permissions | Virtual Resources
- PORTAL
- EXTERNAL_ACCESS_CONTROL
- Portal Settings
- Pages
- Portlet Applications
- TEMPLATE DEPLOYMENT
- Event Handlers
- PSE_Sources
- MARKUPS
- THEME MANAGEMENT
- URL Mapping Contexts
- VP URL Mappings
- User Groups
- Users
- User Self Enrollment
- WSRP Producers
- XML Access
Security Administrator@EXTERNAL_ACCESS_CONTROL is created and managed in the ESM and must be modified using the ESM management tools such as pdadmin> or the eTrust SiteMinder administrative console.
Terms
| private
| Accessible only by the owner of the resource. Creators of private resources automatically gain rights that are similar to the rights of a Manager. For example, if you create a private page, you have rights similar to those of a Manager for that page and can perform certain actions such as changing the page theme or deleting the page.
|
| Non-private
| Accessible by those people having been granted access to the resource.
|
| public
| Accessible without authentication.
|
| A
| Application
|
| P
| Page
|
| PO
| Portlet
|
| PA
| Portlet application
|
| R
| Resource
|
| T
| Template
|
| TC
| Template Category
|
| ESM
| External Security Manager
|
Resources, roles, access rights, and initial access control settings
Related tasks
Assign user access to policies
Prepare security for a WSRP Producer portal
Prepare security for a WSRP Consumer portal
Disable and enable Portal Access Control for a WSRP Producer portal
Assign access to policies