+

Search Tips   |   Advanced Search

Manage access control with external security managers

IBM WebSphere Portal externalized roles and uses access control to control role membership. From the perspective of the external security manager, these externalized roles contain only one permission: membership in the role. WebSphere Portal always determines the permissions associated with each role.

It is not possible to combine the usage of externalizes roles and externalized role mappings with portal managed pages feature. Portal pages cannot be externalized when being edited within a project and externalized resources cannot be added to projects. For example, if you externalize the Editor@Market News Page role, use the external security manager to edit the access control for that role. WebSphere Portal still determines the permissions associated with the Editor role type. Roles are always associated with a specific resource, so the role Editor@Market News Page contains specific permissions on the Market News Page only. Use the Resource Permissions portlet or the XML configuration interface to move resources back and forth from internal to external access control.

By default, externalized roles appear in the external security manager as Role Type@Resource Type/Name/Object ID. For example, Administrator@PORTLET_APPLICATION/Welcome/1_1_1G.

We can change this format to Resource Type/Name/Object ID@Role type. This format change groups the roles by resource name instead of by role type. For example, PORTLET_APPLICATION/Welcome/1_0_1G@Administrator. This format change is visible only when the roles are externalized. This change does not affect the way roles are displayed in WebSphere Portal.

The Administrator@VIRTUAL/wps.EXTERNAL ACCESS CONTROL/1 role is never affected by this format change. This role always appears with the role type Administrator.

To manage access control with external security managers:

  1. Use the Resource Permissions portlet to internalize any external roles.

  2. Log on to the WAS admin console.

  3. Modify the WP AccessControlDataManagementService Resource Environment Provider; change the accessControlDataManagement.reorderRoleNames parameter to true.

    Add the accessControlDataManagement.reorderRoleNames parameter if it does not exist.

  4. Save the changes and restart the WebSphere_Portal server.

  5. Use the Resource Permissions portlet to externalize the resources you internalized in the first step.


Example

Example of roles list with reorderRoleNames=false:

Administrator@WEB_MODULE/Tracing.war/1_0_3K
Administrator@PORTLET_APPLICATION/Welcome/1_0_1G
User@WEB_MODULE/Tracing.war/1_0_3K
Privileged User@WEB_MODULE/Tracing.war/1_0_3K
Privileged User@PORTLET_APPLICATION/Welcome/1_0_1G

Example of roles list with reorderRoleNames=true:

PORTLET_APPLICATION/Welcome/1_0_1G@Administrator
PORTLET_APPLICATION/Welcome/1_0_1G@Privileged User WEB_MODULE/Tracing.war/1_0_3K@Administrator
WEB_MODULE/Tracing.war/1_0_3K@Privileged User WEB_MODULE/Tracing.war/1_0_3K@User


Parent External security managers