J2EE and security constraints
The Script Portlet Authors and Script Portlet Users roles define access to Script Portlet features.
The Script Portlet Authors role is used to control access to the editor and import features. This role allows authorized and trusted users to create, edit, and upload active content such as HTML, JavaScript, and CSS. This content is stored in WCM and used to render the user interface of a portlet built with the Script Portlet technology. The content, whether hand-entered or imported, is not validated, inspected, or scanned in any way. Users you place into the Script Portlet Authors role can therefore store arbitrary content on the server and use it to create portlets. Because of this ability, we must be especially careful to put only trusted users in this role.
By default the Script Portlet maps the Script Portlet Authors role to the wpsadmins group in Portal. This ensures that only users with administration-level access and trust can access the editor and import features. If the Portal environment does not contain the standard wpsadmins group, then the editor and import features will not be accessible to any users. However, we can modify this mapping to use whatever Portal group is appropriate in the environment.
The second role defined by the Script Portlet is named Script Portlet Users. This role is used to control view access to the portlets implemented with the Script Portlet technology. The Script Portlet Users role is mapped to the Portal Everyone special subject by default. If a user has view access to Web Content Manager portlets, then they will have view access to portlets implemented using the Script Portlet.
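One way to audit the Script Portlet Authors mapping described above, as an added example that is not part of the product documentation. It assumes the role bindings are available in WebSphere's ibm-application-bnd.xml format; the sample binding, the contractors group, and the audit_authors_role function are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"bnd": "http://websphere.ibm.com/xml/ns/javaee"}
AUTHORS_ROLE = "Script Portlet Authors"  # role name from the page
TRUSTED_GROUPS = {"wpsadmins"}           # default mapping; extend per site policy

# Constructed sample binding (assumption: ibm-application-bnd.xml layout).
SAMPLE_BND = """<application-bnd xmlns="http://websphere.ibm.com/xml/ns/javaee" version="1.0">
  <security-role name="Script Portlet Authors">
    <group name="wpsadmins"/>
    <group name="contractors"/>
    <special-subject type="ALL_AUTHENTICATED_USERS"/>
  </security-role>
  <security-role name="Script Portlet Users">
    <special-subject type="EVERYONE"/>
  </security-role>
</application-bnd>
"""


def audit_authors_role(bnd_xml, trusted_groups=TRUSTED_GROUPS):
    """Return findings for bindings that widen the authors role beyond trusted groups."""
    root = ET.fromstring(bnd_xml)
    roles = [r for r in root.findall("bnd:security-role", NS)
             if r.get("name") == AUTHORS_ROLE]
    if not roles:
        return ["no binding found for role '%s'" % AUTHORS_ROLE]
    findings = []
    for role in roles:
        # Any group outside the allow-list can store unvalidated active content.
        for group in role.findall("bnd:group", NS):
            name = group.get("name")
            if name not in trusted_groups:
                findings.append("untrusted group mapped: %s" % name)
        # Special subjects (EVERYONE, ALL_AUTHENTICATED_USERS) bypass group review.
        for subject in role.findall("bnd:special-subject", NS):
            findings.append("special subject mapped: %s" % subject.get("type"))
    return findings


if __name__ == "__main__":
    for finding in audit_authors_role(SAMPLE_BND):
        print(finding)
```

If the mapping is changed to a site-specific group, pass that group in trusted_groups so the check reflects the approved mapping.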