WebSphere Portal, Express Beta Version 6.1
Operating systems: i5/OS, Linux, Windows

Managing access control with external security managers

WebSphere Portal Express externalizes roles, and the external security manager then controls membership in those roles. From the perspective of the external security manager, an externalized role carries only one permission: membership in the role. WebSphere Portal Express always determines the permissions that each role grants.

For example, if you externalize the Editor@Market News Page role, you use the external security manager to edit the ACL for that role, but WebSphere Portal Express still determines the permissions that are associated with the Editor role type. Roles are always bound to a specific resource, so the Editor@Market News Page role grants permissions on the Market News Page only. Use the Resource Permissions portlet or the XML configuration interface to move resources between internal and external access control.

By default, externalized roles appear in the external security manager as Role Type@Resource Type/Name/Object ID, for example Administrator@PORTLET_APPLICATION/Welcome/1_0_1G.

You can change this format to Resource Type/Name/Object ID@Role Type, which groups the roles by resource name instead of by role type: for example, PORTLET_APPLICATION/Welcome/1_0_1G@Administrator. The change affects only the names of externalized roles as they appear in the external security manager; it does not change how roles are displayed in WebSphere Portal Express.

The Administrator@VIRTUAL/wps.EXTERNAL ACCESS CONTROL/1 role is never affected by this format change. This role always appears with the role type "Administrator" on the left.
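The following is an added example, not code from the product or from this documentation. It parses externalized role names in either of the two formats described above, renders them the way the external security manager will see them for a given reorderRoleNames setting, and keeps the Administrator@VIRTUAL/wps.EXTERNAL ACCESS CONTROL/1 exception. The only assumption it makes is that role type names never contain "/" while the resource part always does, which holds for every name on this page; the sample role list is constructed from the examples on this page.

```python
from typing import Dict, List, NamedTuple

# Resource path of the one role that is never reordered (taken from the page).
EXTERNAL_ACCESS_CONTROL_RESOURCE = "VIRTUAL/wps.EXTERNAL ACCESS CONTROL/1"


class ExternalizedRole(NamedTuple):
    role_type: str      # e.g. "Administrator", "Privileged User"
    resource_type: str  # e.g. "PORTLET_APPLICATION", "WEB_MODULE"
    resource_name: str  # e.g. "Welcome", "Tracing.war"
    object_id: str      # e.g. "1_0_1G"

    @property
    def resource(self) -> str:
        return f"{self.resource_type}/{self.resource_name}/{self.object_id}"


def parse_role_name(name: str) -> ExternalizedRole:
    """Parse an externalized role name written in either format.

    Detection assumption: role types (Administrator, Privileged User, ...)
    never contain "/", while the resource part always does
    (ResourceType/Name/ObjectID). So if the text before the first "@"
    contains "/", the name is in the reordered Resource@RoleType format.
    """
    if "@" not in name:
        raise ValueError(f"not an externalized role name: {name!r}")
    head, _, tail = name.partition("@")
    if "/" in head:
        # Resource Type/Name/Object ID@Role type: split on the LAST "@" so an
        # "@" inside a resource name does not truncate the resource path.
        resource, _, role_type = name.rpartition("@")
    else:
        role_type, resource = head, tail
    # Split the resource on its first and last "/" so a resource name that
    # contains "/" or spaces (as in "wps.EXTERNAL ACCESS CONTROL") survives.
    try:
        resource_type, rest = resource.split("/", 1)
        resource_name, object_id = rest.rsplit("/", 1)
    except ValueError:
        raise ValueError(f"resource part is not Type/Name/ObjectID: {resource!r}") from None
    if not (role_type and resource_type and resource_name and object_id):
        raise ValueError(f"empty component in role name: {name!r}")
    return ExternalizedRole(role_type, resource_type, resource_name, object_id)


def format_role_name(role: ExternalizedRole, reorder_role_names: bool) -> str:
    """Render a role the way the external security manager will see it.

    reorder_role_names mirrors accessControlDataManagement.reorderRoleNames.
    The Administrator role on the EXTERNAL ACCESS CONTROL virtual resource is
    exempt and always keeps the role type on the left.
    """
    if reorder_role_names and role.resource != EXTERNAL_ACCESS_CONTROL_RESOURCE:
        return f"{role.resource}@{role.role_type}"
    return f"{role.role_type}@{role.resource}"


def group_by_resource(names: List[str]) -> Dict[str, List[str]]:
    """Map each resource path to the sorted role types defined on it,
    whichever name format the input list uses."""
    grouped: Dict[str, List[str]] = {}
    for name in names:
        role = parse_role_name(name)
        grouped.setdefault(role.resource, []).append(role.role_type)
    return {res: sorted(types) for res, types in sorted(grouped.items())}


# Constructed sample: the role list this page shows for reorderRoleNames=false,
# plus the exempt Administrator role.
SAMPLE_ROLES = [
    "Administrator@WEB_MODULE/Tracing.war/1_0_3K",
    "Administrator@PORTLET_APPLICATION/Welcome/1_0_1G",
    "User@WEB_MODULE/Tracing.war/1_0_3K",
    "Privileged User@WEB_MODULE/Tracing.war/1_0_3K",
    "Privileged User@PORTLET_APPLICATION/Welcome/1_0_1G",
    "Administrator@VIRTUAL/wps.EXTERNAL ACCESS CONTROL/1",
]

if __name__ == "__main__":
    # Show the same roles as they would appear with reorderRoleNames=true.
    for name in sorted(format_role_name(parse_role_name(n), True) for n in SAMPLE_ROLES):
        print(name)
```

Feeding an export of the externalized role names from the external security manager through group_by_resource gives a per-resource view of which role types exist there, independent of which format the names were externalized under, which is useful when auditing an ACL after switching formats.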

Perform the following steps to manage access control with external security managers:

  1. On the WebSphere Portal Express machine, locate the PortalServer_root/config/properties/AccessControlDataManagementService.properties file and make a backup copy.
  2. Internalize the roles. The name format is applied when a role is externalized, so roles that are already externalized must be internalized first and externalized again after the change.
  3. Open the file in a text editor and set the accessControlDataManagement.reorderRoleNames parameter to true. If the property does not exist in the file, add it.
  4. Save your changes.
  5. Externalize the roles.

Example of the roles list with reorderRoleNames=false:

    Administrator@WEB_MODULE/Tracing.war/1_0_3K
    Administrator@PORTLET_APPLICATION/Welcome/1_0_1G
    User@WEB_MODULE/Tracing.war/1_0_3K
    Privileged User@WEB_MODULE/Tracing.war/1_0_3K
    Privileged User@PORTLET_APPLICATION/Welcome/1_0_1G

Example of the roles list with reorderRoleNames=true:

    PORTLET_APPLICATION/Welcome/1_0_1G@Administrator
    PORTLET_APPLICATION/Welcome/1_0_1G@Privileged User
    WEB_MODULE/Tracing.war/1_0_3K@Administrator
    WEB_MODULE/Tracing.war/1_0_3K@Privileged User
    WEB_MODULE/Tracing.war/1_0_3K@User

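The following is an added example of steps 1, 3 and 4 of the procedure above, not code from the product or from this documentation. It backs up the properties file, then sets accessControlDataManagement.reorderRoleNames to true, rewriting the existing definition if there is one and appending the property if it is absent, and it reads the effective value back so the change can be verified before the roles are externalized again. It assumes only the standard Java .properties syntax (key=value or key:value, last definition wins, ISO-8859-1 encoding); the sample file content is constructed and is not a real AccessControlDataManagementService.properties.

```python
import re
import shutil
from pathlib import Path
from typing import List, Optional

# Property named on this page; the file lives at
# PortalServer_root/config/properties/AccessControlDataManagementService.properties.
REORDER_KEY = "accessControlDataManagement.reorderRoleNames"


def _key_pattern(key: str):
    # A Java .properties definition is "key=value" or "key:value", optionally
    # with whitespace around the separator; comment lines start with "#" or "!".
    return re.compile(r"^\s*" + re.escape(key) + r"\s*[=:]")


def get_property(text: str, key: str) -> Optional[str]:
    """Return the effective value of key, or None if it is not set.
    As in java.util.Properties, the last definition in the file wins."""
    pattern = _key_pattern(key)
    value = None
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            value = line[m.end():].strip()
    return value


def set_property(text: str, key: str, value: str) -> str:
    """Return the properties text with key set to value.

    The first existing definition is rewritten in place, later duplicates are
    dropped so the file ends up with exactly one definition, and the key is
    appended when it was absent ("if this property does not exist, add it").
    """
    pattern = _key_pattern(key)
    out: List[str] = []
    done = False
    for line in text.splitlines():
        if pattern.match(line):
            if not done:
                out.append(f"{key}={value}")
                done = True
            continue  # drop duplicate definitions of the same key
        out.append(line)
    if not done:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def enable_reorder_role_names(path: Path) -> Path:
    """Back up the properties file (step 1), then set reorderRoleNames=true
    in it (steps 3 and 4). Returns the backup path."""
    backup = path.with_name(path.name + ".bak")
    shutil.copy2(path, backup)
    # java.util.Properties reads this file as ISO-8859-1, so write it back the same way.
    text = path.read_text(encoding="latin-1")
    path.write_text(set_property(text, REORDER_KEY, "true"), encoding="latin-1")
    return backup


# Constructed sample file content; "some.other.setting" is a placeholder key.
SAMPLE_PROPERTIES = """\
# constructed sample
some.other.setting = 42
accessControlDataManagement.reorderRoleNames=false
"""

if __name__ == "__main__":
    print("before:", get_property(SAMPLE_PROPERTIES, REORDER_KEY))
    updated = set_property(SAMPLE_PROPERTIES, REORDER_KEY, "true")
    print("after: ", get_property(updated, REORDER_KEY))
```

Run enable_reorder_role_names on the real file only after step 2 (the roles are internalized) and before step 5 (they are externalized again); check get_property on the file contents afterwards to confirm the value is "true", since a second, later definition of the same key in the file would otherwise silently override the edit.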
Parent topic: External security managers