Access permissions
- Access control
- Business rule
- Pages
- Root page
- Vault
- Trace
- Event handlers
- Clients
- Search Index
- Virtual Portal
- Markup
- Policy
- Settings
- Portlet application
- Portlets
- Wires
- Search
- Tags and ratings
- Templates
- Unique names
- URL mapping context
- User groups
- User profile
- Users
- Clippings
- Web modules
- WSRP Producer
- XML configuration interface
- Vanity URL
- Overlay reports
Sensitive operations include common tasks such as viewing portlets on specific pages and complex, high-risk tasks like running XML configuration interface scripts.
Roles grant users permission to perform specific operations on resources. The following tables denote a role on a resource as Role@Resource.
The following tables list minimum role assignments necessary to perform sensitive operations. Roles are organized in a hierarchy. Roles higher in the hierarchy generally include the permissions of roles lower in the role hierarchy. For example, to install web modules the editor role on the virtual resource WEB MODULES, Editor@WEB MODULES, is the minimum role assignment for this operation. The manager role is higher in the hierarchy than the editor role. For this reason, the manager role includes the permissions of the editor role. Manager@WEB MODULES also allows users to install web modules.
Granting access permissions on any listed resource also requires access to the Access Control Administration portlets (Administration | Access | Resource Permissions). The owner of a resource is changed in the same place.
Some roles are required on virtual resources; other roles must be on resource instances.
Users might also have access permissions for some operations through ownership of resources.
Definition of terms:
- private: Accessible only by the owner of the resource. The creator of a private page has rights similar to Manager for that page and can also perform certain actions such as changing the page theme or deleting the page.
- non-private: Accessible by those people who were granted access to the resource.
- public: Accessible without authentication.
Virtual resources:
PORTAL, PORTAL SETTINGS, PORTLET APPLICATIONS, MARKUPS, VANITY_URL, WEB MODULES, USERS, USER SELF ENROLLMENT, PSE SOURCES, WSRP PRODUCERS, THEME MANAGEMENT, URL MAPPING CONTEXTS, WSRP EXPORT, ADMIN_SLOTS, EVENT HANDLERS, USER_GROUPS, XML ACCESS, VP URL MAPPINGS, SUGGESTED LINKS PORTLET, SEARCH CENTER PORTLET, PSE_SOURCES, TAGS, RATINGS, and EXTERNAL_ACCESS_CONTROL
The Security Administrator@EXTERNAL_ACCESS_CONTROL role is created and managed in the External Security Manager. It must be modified with the external security management tools. For example, use the IBM Security Access Manager pdadmin> command line or the Computer Associates eTrust SiteMinder administrative console.
Access control
View the access control configuration of resource Resource:
Resource is under internal PORTAL protection. Either:
- Security Administrator@Resource
- Security Administrator@PORTAL
Resource is under external protection. Either:
- Security Administrator@Resource
- Security Administrator@PORTAL + Security Administrator@EXTERNAL_ACCESS_CONTROL
Create role Role on resource Resource:
Resource is under internal PORTAL protection. Either:
- Security Administrator@Resource + Role@Resource
- Security Administrator@PORTAL
Resource is under external protection. Either:
- Security Administrator@Resource + Role@Resource
- Security Administrator@PORTAL + Security Administrator@EXTERNAL_ACCESS_CONTROL
Delete a role created from role Role on resource Resource. Corresponding role mappings are also deleted:
Resource is under internal PORTAL protection. Either:
- Security Administrator@Resource + Role@Resource + Delegator role on the assigned principals
- Security Administrator@PORTAL
Resource is under external protection. Either:
- Security Administrator@Resource + Role@Resource + Delegator role on the assigned principals
- Security Administrator@PORTAL + Security Administrator@EXTERNAL_ACCESS_CONTROL
Create/delete a role assignment for a user or group U, created from role Role on resource Resource:
Resource is under internal PORTAL protection. Either:
- Security Administrator@Resource + Role@Resource + Delegator@U
- Security Administrator@PORTAL
Resource is under external protection. Either:
- Security Administrator@Resource + Role@Resource + Delegator@U
- Security Administrator@PORTAL + Security Administrator@EXTERNAL_ACCESS_CONTROL
Create/delete a role block for all roles created from role Role on resource Resource:
Resource is under internal PORTAL protection. Either:
- Security Administrator@Resource + Role@Resource
- Security Administrator@PORTAL
Resource is under external protection. Either:
- Security Administrator@Resource + Role@Resource
- Security Administrator@PORTAL + Security Administrator@EXTERNAL_ACCESS_CONTROL
A Security Administrator on a resource is always implicitly a Delegator on that resource. For all other roles, Security Administrator@Resource plus the assignments listed above are required.
Move Resource back and forth between internal and external control. Non-private child resources of Resource move with it. Private resources cannot be externalized. Either:
- Security Administrator@Resource + Security Administrator@EXTERNAL_ACCESS_CONTROL
- Security Administrator@PORTAL + Security Administrator@EXTERNAL_ACCESS_CONTROL
Modify the owner of a resource: set a user or group U1 as the new owner of the non-private resource Resource, where the old owner was U2:
Delegator@U1 + Delegator@U2 + Manager@Resource + Security Administrator@Resource
Business rule
View a Business Rule: User@Business Rules Workspace. Set this permission on the Business Rules workspace in the Personalization navigator by selecting the root node and then choosing Extra Action > Edit Access from the menu.
Create a Business Rule: Contributor@Business Rules Workspace is the minimum required access permission. However, use Editor@Business Rules Workspace to create and maintain business rules and to use the Portal administration facilities.
Delete a Business Rule: Manager@Business Rules Workspace
Assign a Business Rule to a page Page:
- Non-private pages: Editor@Page and User@Business Rules Workspace
- Private pages: Privileged User@Page and User@Business Rules Workspace
Assign a Business Rule to a portlet portlet on page Page:
- Non-private pages: Editor@Page, User@portlet, and User@Business Rules Workspace
- Private pages: Privileged User@Page, User@portlet, and User@Business Rules Workspace
Additional actions: Use the Set Access icon in Personalization to add a user or a group to a role on the root of the workspace. The same role is given to that user or group for all WCM libraries, policies, and templates.
Create or edit Segment Groups:
- Editor@Business Rules Workspace
To create Segment Groups, the user must have read access to the Application objects and Resource Collections used in the segment group definition. Write access is required to add or manage dynamic properties. To obtain this level of access, give the user the Editor@Business Rules Workspace role on the Business Rules workspace.
- Editor of the library that contains the segment groups.
The Editor role is required on the web content library to create and edit segment groups. Log in to HCL Portal. Click the Administration menu icon. Then, click Portal Content > Web Content Libraries. Click the Set permissions icon on the Web Content library to set the Editor role. For information about the roles, go to Web content management roles.
Use Segments from Segment Groups to target content: User on the segment groups that are to be accessible. Set this access at the library level or Segments folder level to give access to all segment groups within the library. Use the Web Content Libraries portlet to set access. Alternatively, set this access at the item level to give access to individual segment groups. For information about the roles, go to Web content management roles.
To target content on a Web Content Viewer portlet on a page, a user must have the following roles:
- Editor on the Web Content Viewer portlet. Click the Administration menu icon. Then, click Portlet Management > Portlets.
- Editor on the page itself.
- User on the content to be targeted.
- Contributor on the library where the content is stored.
- Editor on the Site Areas and Pages library resource (item types) in the Portal Site Library. Go to the Web Content Library. Click the Library resources icon for this library. Then, click the Set permissions icon for Site Areas and Pages. We can now add users and groups to the Editor role.
Pages
View the navigation of a page Page: User@Page, or User on some child resource of Page
View the content of a page, including page decoration and potentially the portlets on that page (the portlets on a page are protected separately): User@Page
Modify page properties; add/remove markup, locale, and parameters: Editor@Page
Set page layout properties of a static page: Editor role on the markup. If the resources are in secure locations of layout templates, the Manager role is required.
Change the theme of a page Page: Editor@Page
Add/remove wires; manage actions:
- Non-private pages: Editor@Page
- Private pages: Privileged User@Page
For managing receiving actions of a portlet on a target page: Editor@Page and Editor@portlet
Customize the layout of a non-private page Page, which creates a private, implicitly derived copy of Page: Privileged User@Page
Add root page, that is, create and add a new top-level page:
- Non-private pages: Editor@PAGES
- Private pages: Privileged User@PAGES
Create a page under any page Page:
- Non-private pages: Editor@Page
- Private pages: Privileged User@Page
Create a page underneath P1 that is explicitly derived from page P2:
- New page is private: Privileged User@P1 + Editor@P2
- New page is non-private: Editor@P1 + Editor@P2
Delete page Page and all descendant pages, including further subpages and the portlets on those pages: Manager@Page
Move page P1 to a new parent page P2:
- Non-private pages: Manager@P1 + Editor@P2
- Private pages: Manager@P1 + Privileged User@P2
Lock or unlock the contents of a non-private page Page: Editor@Page + User@Portlet (Page Locks) + User@Page (Locks)
Edit page associations for a non-private page Page: Editor@Page
Edit page associations for a private page Page: Privileged User@Page
Enable membership-based access control delegation for a Community Page Page that is associated to an HCL Connections community C, represented by the virtual user groups Groups. It is activated through the Limit access to this page to only community members check mark under Page Associations: Editor@Page + Security Administrator@Page + Delegator@Groups + View privileges on community C in HCL Connections
Activate Portal Page Security for a web content page Page that is associated with site area SA in web content library L. This security is activated through the Use Portal Page Security check mark in the Page Associations window: Editor@Page + User@SA + Administrator@L + Manager@CONTENT MAPPINGS
Root page
Add root page, that is, create and add a new top-level page based on page template Template:
- Non-private pages: Editor@PAGES and User@Template
- Private pages: Privileged User@PAGES and User@Template
Additional roles can be required based on instantiation features associated to page template Template:
- Template is associated to site area SA1 in WCM, and the wps.content.root label is associated with site area SA2, with default content associations on each site area: WCM view permissions on SA1 and WCM create content permissions on SA2.
- Template is associated to an HCL Connections community Community. Grant the following privileges to the user in HCL Connections:
- View Community
- Create new communities
- Template is configured to create a community during instantiation with the ibm.portal.instantiation.community.create.new page parameter. Grant the following privilege to the user in HCL Connections: Create new communities
- Template is enabled for membership-based access control delegation: Delegator@USER_GROUPS
Add page, that is, create a page from page template Template under any page Page:
- Non-private pages: Editor@Page and User@Template
- Private pages: Privileged User@Page and User@Template
Additional roles can be required based on instantiation features associated to page template Template:
- Template is associated to site area SA1 in WCM, and the wps.content.root label is associated with site area SA2, with default content associations on each site area: WCM view permissions on SA1 and WCM create content permissions on SA2.
- Template is associated to an HCL Connections community Community. Grant the following privileges to the user in HCL Connections:
- View Community
- Create new communities
- Template is configured to create a community during instantiation with the ibm.portal.instantiation.community.create.new page parameter. Grant the following privilege to the user in HCL Connections: Create new communities
- Template is enabled for membership-based access control delegation: Delegator@USER_GROUPS
Credential Vault
Add/remove/delete a vault segment: management of the Credential Vault through the Credential Vault portlet requires access to an instance of the Credential Vault portlet.
Add a shared administrative credential vault slot (containing a system credential): requires access to an instance of the Credential Vault portlet.
Retrieve the credential from a shared administrative credential vault slot (containing a system credential): User@slot or User@ADMIN_SLOTS
Modify a shared administrative credential vault slot (containing a system credential): Editor@slot or Editor@ADMIN_SLOTS
Delete a shared administrative credential vault slot (containing a system credential): Manager@slot or Manager@ADMIN_SLOTS
Add/view/delete/edit a non-shared vault slot: requires access to an instance of the Credential Vault portlet.
A permission granted on the virtual resource ADMIN_SLOTS is propagated to all shared administrative slots beneath it, unless an inheritance or propagation block stops it.
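The following is an added worked example, not part of this page and not HCL Portal code. It models the evaluation rule that the introduction and the ADMIN_SLOTS note above rely on: a role higher in the hierarchy includes the lower ones (the page states this only for Manager over Editor; the full ordering in ROLE_ORDER is an assumption of the example), a role granted on a parent virtual resource such as ADMIN_SLOTS propagates to the slots beneath it, and an inheritance or propagation block stops that propagation. The resource tree (PORTAL above ADMIN_SLOTS and WEB MODULES), the principals and the grants are constructed for the demonstration.

```python
# Added example (not HCL Portal code): a toy evaluator for the Role@Resource
# checks used throughout this page. It models three things the text describes:
# the role hierarchy (a higher role includes a lower one), propagation of a role
# from a parent resource (for example ADMIN_SLOTS) to its children, and the
# inheritance/propagation blocks that stop that propagation.
# ASSUMPTION: only "Manager includes Editor" is stated on the page; the full
# ordering in ROLE_ORDER and the PORTAL -> ADMIN_SLOTS -> slot tree are
# illustrative choices of this example.
from dataclasses import dataclass, field

ROLE_ORDER = ["User", "Privileged User", "Contributor", "Editor", "Manager",
              "Delegator", "Security Administrator", "Administrator"]
RANK = {role: i for i, role in enumerate(ROLE_ORDER)}


@dataclass
class Resource:
    name: str
    parent: "Resource | None" = None
    # Role types this resource refuses to inherit from its ancestors.
    inheritance_block: set = field(default_factory=set)
    # Role types this resource does not pass down to its descendants.
    propagation_block: set = field(default_factory=set)


class Acl:
    """Explicit role mappings: (principal, resource name) -> set of role types."""

    def __init__(self):
        self._grants = {}

    def grant(self, principal, resource_name, role):
        self._grants.setdefault((principal, resource_name), set()).add(role)

    def explicit(self, principal, resource_name):
        return set(self._grants.get((principal, resource_name), set()))


def effective_roles(acl, principal, resource):
    """Explicit roles on `resource` plus roles propagated from its ancestors,
    honouring propagation blocks at the ancestor and inheritance blocks on
    every node between the ancestor and `resource`."""
    roles = acl.explicit(principal, resource.name)
    blocked = set(resource.inheritance_block)
    ancestor = resource.parent
    while ancestor is not None:
        for role in acl.explicit(principal, ancestor.name):
            if role not in blocked and role not in ancestor.propagation_block:
                roles.add(role)
        blocked |= ancestor.inheritance_block
        ancestor = ancestor.parent
    return roles


def has_role(acl, principal, resource, required):
    """True if some effective role is `required` or higher in the hierarchy."""
    return any(RANK[r] >= RANK[required] for r in effective_roles(acl, principal, resource))


def satisfies(acl, principal, alternatives):
    """`alternatives` mirrors the tables' "Either: ... or ..." pattern: a list of
    AND-groups, each a list of (role, resource) pairs. Any full group suffices."""
    return any(all(has_role(acl, principal, res, role) for role, res in group)
               for group in alternatives)


def demo():
    # Constructed resource tree and grants.
    portal = Resource("PORTAL")
    admin_slots = Resource("ADMIN_SLOTS", portal)
    slot_a = Resource("slot_a", admin_slots)
    # slot_b refuses to inherit Editor from ADMIN_SLOTS (an inheritance block).
    slot_b = Resource("slot_b", admin_slots, inheritance_block={"Editor"})
    web_modules = Resource("WEB MODULES", portal)

    acl = Acl()
    acl.grant("alice", "ADMIN_SLOTS", "Editor")
    acl.grant("bob", "WEB MODULES", "Manager")
    acl.grant("carol", "PORTAL", "Security Administrator")

    # "View access control configuration of slot_a": either alternative suffices.
    view_acl_slot_a = [[("Security Administrator", slot_a)],
                       [("Security Administrator", portal)]]
    return {
        # Editor@ADMIN_SLOTS propagates to slot_a, so alice may modify it...
        "alice_modify_slot_a": has_role(acl, "alice", slot_a, "Editor"),
        # ...and, Editor being above User, also retrieve its credential.
        "alice_retrieve_slot_a": has_role(acl, "alice", slot_a, "User"),
        # The inheritance block on slot_b stops the propagated Editor role.
        "alice_modify_slot_b": has_role(acl, "alice", slot_b, "Editor"),
        # Editor does not include Manager: no deleting shared slots.
        "alice_delete_slot_a": has_role(acl, "alice", slot_a, "Manager"),
        # Manager@WEB MODULES includes Editor@WEB MODULES (install web modules).
        "bob_install_web_module": has_role(acl, "bob", web_modules, "Editor"),
        # Security Administrator@PORTAL satisfies the second alternative.
        "carol_view_acl_slot_a": satisfies(acl, "carol", view_acl_slot_a),
        "alice_view_acl_slot_a": satisfies(acl, "alice", view_acl_slot_a),
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'allowed' if allowed else 'denied'}")
```

The point of the block is the direction of each effect: blocks are evaluated on the path from the resource upward, so a block on an intermediate node hides only what lies above it, while the hierarchy comparison is applied after propagation. A real audit would replace the constructed grants with an export of the actual role mappings.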
Trace
Add/delete portal trace settings through the Enable Tracing portlet: requires access to an instance of the Enable Tracing portlet.
Event handlers
Create/modify/delete event handlers: Security Administrator@EVENT HANDLERS
Clients
Delete/modify/add clients in the Manage Clients portlet: User@Manage Clients
Search Index
Create a search index: Editor@PSE_SOURCES
Associate keywords with content items through the Search Center portlet, so that they are promoted to users who search for those keywords: Administrator@SEARCH CENTER PORTLET
Modify keywords associated with content items that already exist in the Suggested Links portlet: Administrator@SUGGESTED LINKS PORTLET
Virtual Portal
Create a new virtual portal: Security Administrator@PORTAL
View a virtual portal: Security Administrator@PORTAL
Delete a virtual portal: Security Administrator@PORTAL
Edit a virtual portal: Security Administrator@PORTAL
Markup
Create, delete, or modify a markup: Editor@MARKUPS
Policy
Create a Policy under any Policy: Editor@Policy and User@Business Rules Workspace
- Contributor@Policy is the minimum required access permission to create a Policy under any Policy, though it is not recommended. Editor@Policy is recommended to create and maintain policies and use the Portal administration utilities.
- If a rule must be created or edited during the creation of a Policy, then Editor@Business Rules Workspace and Editor@Policy are also required.
- Business Rules workspace is the root node in the Personalization navigator for Business Rules resources. Set permissions on this node by selecting the workspace node and then choosing Extra Action > Edit Access from the menu.
Assign a Business Rule to a Policy: User@Business Rules Workspace and Editor@Policy
Edit a Policy: Editor@Policy and User@Business Rules Workspace. If a rule must be created or edited while editing the Policy, then Editor@Business Rules Workspace is also required.
View a Policy: User@Policy + User@Business Rules Workspace
Import a new Policy: Editor@Policy_Root. Important: Contributor@Policy_Root is the minimum required access permission to import a new Policy; however, use Editor@Policy_Root to import and maintain policies and use the Portal administration utilities.
Delete a Policy: Manager@Policy + User@Business Rules Workspace. When you delete a policy, the associated rule is not deleted.
Settings
View current portal settings: User@PORTAL SETTINGS
Modify current portal settings: Editor@PORTAL SETTINGS
Portlet application
View portlet application definition information for a portlet application PA: User@PA
Modify a portlet application PA (add or remove a locale, set the default locale, modify settings): Editor@PA
Create a portlet application based on an existing portlet application PA: Editor@PORTLET APPLICATIONS + User@PA
Delete a portlet application PA and remove all corresponding portlets and portlet entities from all pages within the portal: Manager@PA
Enable/disable the portlet application PA: Manager@PA
Portlets
View the portlet definition information of a portlet portlet: User@portlet
Add/remove a locale, set the default locale, modify settings:
- Add/remove locales and set the default locale: Editor@portlet
- Modify settings: Manager@portlet
Create a new installed portlet based on an existing portlet portlet that is part of a portlet application PA: Editor@PORTLET APPLICATIONS + User@portlet + User@PA
Delete an installed portlet portlet and remove all corresponding portlet entities from all pages within the portal: Manager@portlet
Enable or disable an installed portlet: Manager@portlet
Provide portlet portlet as a WSRP service: Editor@WSRP EXPORT and Editor@portlet
Withdraw portlet portlet from WSRP service: Manager@WSRP EXPORT and Editor@portlet
Integrate a portlet of a WSRP Producer Producer into the portal:
- If no portlet application exists for the group of portlets: Editor@PORTLET APPLICATIONS and User@Producer
- If a portlet application PA exists for the group of portlets: Editor@PA and User@Producer
Delete an integrated WSRP portlet portlet contained in the portlet application PA from the portal:
- If this portlet is the last portlet in PA: Manager@PA
- If more than one portlet is in PA: Manager@portlet
View a portlet portlet on page Page: User@Page + User@portlet
Configure an installed portlet: Manager@portlet
Enter the Edit Shared Settings mode of a portlet portlet on page Page and modify its configuration. If Page is a non-private page and the user has no Editor role for this page, then modifying the configuration of the portlet results in the creation of an implicitly derived copy of page Page. Either:
- Editor@Page + Editor@portlet
- Privileged User@Page + Privileged User@portlet
Add/remove a portlet portlet to/from a page Page. If Page is a non-private page and the user has no Editor role for this page, then modifying the content of Page results in the creation of an implicitly derived copy of page Page:
- Non-private pages: Editor@Page + User@portlet
- Private pages: Privileged User@Page + User@portlet
Add web content to a page: add a web content viewer portlet portlet configured to render web content Content from site area SA in WCM. Portlet portlet is configured with the option Create content (based on selection), and page Page is associated with site area SA. If Page is a non-private page and the user has no Editor role for this page, then modifying the content of Page results in the creation of an implicitly derived copy of page Page:
- Non-private pages: Editor@Page + User@portlet + WCM view permissions on Content and WCM create content permissions on SA
- Private pages: Privileged User@Page + User@portlet + WCM view permissions on Content and WCM create content permissions on SA
Add/remove a portlet from the Allowed Portlet List of a page Page: Editor@Page + User@portlet
Wires
Operate with ActionSets or PropertySets for a portlet portlet: User@portlet
Create, update, or delete a wire from a portlet PO1 on page P1 to a portlet PO2 on page P2:
- Global wire: Editor@P1, User@PO1, Editor@P2, User@PO2
- Personal wire: Privileged User@P1, User@PO1, Privileged User@P2, User@PO2
Important: To update or delete a personal wire, the user must have the previous role assignments and must have created the wire that they are updating or deleting.
Create a wire from a portlet PO1 on page P1 to a portlet PO2 on page P2:
- Global wire: User@P1, User@PO1, User@P2, User@PO2
- Personal wire: Privileged User@P1, User@PO1, Privileged User@P2, User@PO2
Important: To create a personal wire, the user must have the previous role assignments.
View a wire from a portlet PO1 on page P1 to a portlet PO2 on page P2:
- Global wire: User@P1, User@PO1, User@P2, User@PO2
- Personal wire: Privileged User@P1, User@PO1, Privileged User@P2, User@PO2
Important: To view a personal wire, the user must have the previous role assignments and must have created the wire that they are viewing.
Search
Create a PSE Source: Editor@PSE SOURCES
View a PSE Source: User@SearchCollection
Use a search collection SearchCollection: User@SearchCollection
Edit a search collection SearchCollection: Editor@SearchCollection
Delete a search collection SearchCollection: Manager@SearchCollection
Tags and ratings
View community tags and ratings that other users applied; create and delete personal public tags and ratings; delete community tags regardless of ownership: Manager@TAGS + Manager@RATINGS
View community tags and ratings that other users applied; create and delete personal public tags and ratings: Contributor@TAGS + Contributor@RATINGS
View community tags and ratings that other users applied; create and delete private tags and ratings: Privileged User@TAGS + Privileged User@RATINGS
View community tags and ratings that other users applied: User@TAGS + User@RATINGS
Templates
Create, view, edit, and delete a theme, skin, or layout template: Manager@THEME MANAGEMENT
Unique names
Delete/modify/add unique names in the Unique Names portlet: Editor@Resource + User@Unique Names
URL mapping context
Create a URL mapping context UMC: Editor@URL MAPPING CONTEXTS
Traverse a URL mapping context UMC (traversal is possible due to a role assignment on some child context of UMC): User@UMC, or User on some child context of UMC
View the definition of a URL mapping context UMC: User@UMC
Assign a URL, that is, create or edit a mapping between a URL mapping context UMC and a portal resource Resource: Editor@UMC + User@Resource
Modify a URL mapping context, that is, change the properties of an existing URL mapping context UMC, for example edit the label: Editor@UMC
Delete a URL mapping context UMC and all of its child contexts: Manager@UMC
User groups
Create a user group within the user registry: Editor@USER GROUPS
View profile information of a user group UG: User@UG
Modify profile information of a user group UG: Editor@UG
Add/remove an existing user User or user group UG2 to or from an existing user group UG1: Security Administrator@USERS + Editor@UG1
Delete a user group UG: Manager@UG
User profile
Create a user in the user registry: Contributor@USER SELF ENROLLMENT or Editor@USERS. Contributor@USER SELF ENROLLMENT allows the user to add new users; modifying existing users requires Editor@USERS.
View user profile information of a user User: User@UG where User is a member of user group UG, or User@USERS
Modify profile information of a user User: Editor@UG where User is a member of user group UG, or Editor@USERS
Delete a user from the user registry and delete all private pages created by this user: Manager@USERS
Impersonate a user to troubleshoot problems and view pages, portlets, and other portal components: Can Run As User@USERS. Restriction: To use the Can Run As User role, enable the impersonation feature and assign the Can Run As User role to an appropriate user.
Users
Create a user in the user registry: Editor@USER SELF ENROLLMENT
View user profile information of a user U: User@UG where U is a member of user group UG, or User@USERS
Modify profile information of a user U: Editor@UG where U is a member of user group UG, or Editor@USERS
Delete a user from the user registry and delete all private pages created by this user: Manager@USERS
Clippings
Create new clippings: Editor@PORTLET APPLICATIONS
Web modules
Install a new portlet application WAR file: Editor@WEB MODULES
Update a web module WM by installing a corresponding WAR file: Editor@WEB MODULES + Manager@WM
Uninstall a web module WM and remove all corresponding portlet applications and portlets from all pages within the portal: Manager@WM + Manager on all portlet applications contained in WM
WSRP Producer
Add a remote WSRP Producer Producer to the portal: Editor@WSRP PRODUCERS
Edit the settings of a remote Producer Producer: Editor@Producer
View the settings or display the list of portlets provided by a remote WSRP Producer Producer: User@Producer
Delete a remote WSRP Producer Producer from the portal: Manager@Producer
XML configuration interface
Run commands with the XML configuration interface: Security Administrator@PORTAL + Editor@XML ACCESS
Vanity URL
Create/modify/delete a vanity URL that points to page Page: Editor@Page and Editor@VANITY_URL
If a user deletes a page, all vanity URLs that point to that page are also deleted, independent of the rights the user has on the virtual resource VANITY_URL.
Overlay reports and site promotions
Overlay reports
Overlay reports (OVERLAY_REPORTS is a virtual resource):
- View overlay reports on a resource Resource: User@OVERLAY_REPORTS + User@Resource
Site promotions (SITE_PROMOTIONS is a virtual resource):
- View all existing site promotions: User@SITE_PROMOTIONS
- Create a site promotion: Editor@SITE_PROMOTIONS
- Update an existing site promotion: Editor@SITE_PROMOTIONS
- Delete a site promotion: Editor@SITE_PROMOTIONS
- Add a site promotion assignment on a specific resource Resource: Editor@SITE_PROMOTIONS + User@Resource
- View a site promotion assignment on a specific resource Resource: User@SITE_PROMOTIONS + User@Resource
- Remove a site promotion assignment on a specific resource Resource: Editor@SITE_PROMOTIONS + User@Resource
Role Mappings and WSRP services
On the WSRP producer side, the configuration property wsrp.security.enabled controls whether access control decisions are enforced for the provided portlets. If it is set to true, all access control decisions in the producing portal are based on the authenticated principal. If it is set to false, the producing portal does not enforce any access control on incoming WSRP requests from client portals.
When identity propagation is used, the user who is authenticated on the client portal needs the required role assignments. If no identity propagation is configured but SSL client certificate authentication is enabled, the identity of the certificate needs the required role assignments. If no authentication method is used, the request is treated as if it came from the Anonymous Portal User, and the required roles then need to be assigned to the Anonymous Portal User. That assignment allows unauthenticated access to the corresponding resources for everyone who can reach the producer portal.
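The decision described in the two paragraphs above, as an added example that is not part of this page and not HCL Portal code. It applies the stated precedence (propagated identity, then SSL client certificate identity, then the Anonymous Portal User), shows that wsrp.security.enabled set to false removes the check entirely, and flags the two settings a reviewer would want to catch. The request and configuration dictionaries, the principal names and the portlet names are constructed; User@portlet is assumed to be the role the consuming side needs.

```python
# Added example (not HCL Portal code): the producer-side decision described
# above, plus a small audit of the two settings that widen exposure. Request
# and configuration shapes are assumed for illustration; "User" is taken as
# the role the remote consumer needs on the provided portlet.
ANONYMOUS = "Anonymous Portal User"


def effective_principal(request):
    """Precedence as stated on the page: a propagated identity wins, then the
    SSL client certificate identity, otherwise the request is anonymous."""
    if request.get("propagated_identity"):
        return request["propagated_identity"]
    if request.get("client_cert_id"):
        return request["client_cert_id"]
    return ANONYMOUS


def wsrp_access(config, role_map, request, portlet, required="User"):
    """Return (allowed, principal). role_map: {(principal, portlet): {roles}}.
    With wsrp.security.enabled false the producer makes no decision at all."""
    if not config["wsrp.security.enabled"]:
        return True, None
    principal = effective_principal(request)
    allowed = required in role_map.get((principal, portlet), set())
    return allowed, principal


def audit_producer(config, role_map):
    """Findings a reviewer would raise: enforcement switched off, or roles
    mapped to the anonymous user (unauthenticated access for everyone)."""
    findings = []
    if not config["wsrp.security.enabled"]:
        findings.append("wsrp.security.enabled=false: no access control on WSRP requests")
    for (principal, portlet), roles in sorted(role_map.items()):
        if principal == ANONYMOUS and roles:
            findings.append(f"{portlet}: {sorted(roles)} mapped to {ANONYMOUS}; "
                            "reachable without authentication")
    return findings


def demo():
    # Constructed configuration, role mappings and requests.
    weak = {"wsrp.security.enabled": False}
    strict = {"wsrp.security.enabled": True}
    role_map = {
        ("uid=alice,o=example", "StockQuote"): {"User"},
        (ANONYMOUS, "PublicNews"): {"User"},
    }
    propagated = {"propagated_identity": "uid=alice,o=example"}
    cert_only = {"client_cert_id": "CN=consumer-portal,O=example"}
    nothing = {}
    return {
        "weak_config_lets_anyone_in": wsrp_access(weak, role_map, nothing, "StockQuote")[0],
        "alice_via_propagation": wsrp_access(strict, role_map, propagated, "StockQuote")[0],
        "cert_identity_lacks_role": wsrp_access(strict, role_map, cert_only, "StockQuote")[0],
        "anonymous_denied_on_stockquote": wsrp_access(strict, role_map, nothing, "StockQuote")[0],
        "anonymous_allowed_on_publicnews": wsrp_access(strict, role_map, nothing, "PublicNews")[0],
        "findings_weak": audit_producer(weak, role_map),
        "findings_strict": audit_producer(strict, role_map),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The certificate case is the one worth noting: enabling SSL client authentication only changes which principal is evaluated, so a consumer whose certificate identity has no role mapping is still denied, while a role mapped to the Anonymous Portal User is granted to every caller regardless of how the producer is reached.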