Access rights
A role combines a set of permissions with a specific resource. This set of permissions is called a role type. Roles are denoted as RoleType@Resource.
The table below...
- Lists minimum role assignments that are necessary to perform a sensitive operation.
Minimum role assignment refers to the fact that some role types imply other role types. An example is the sensitive operation Install Web Module which requires a role of type Editor on the virtual resource Web Modules. Because the role of type Manager implies the Editor role type, assigning a Manager role at the Web Modules virtual resource also allows for installing Web modules.
- When access rights are granted to any listed resource, it inherently requires access to the resource Access Control Administration.
- Changing the owner of a resource can be done by using the Access Control Administration.
- The resources listed could be different depending on other products that might be installed with the product. Some roles are required on virtual resources; other roles must be on resource instances.
- Users might also have access rights for some operations through ownership of resources.
- Definition of terms:
- private
- only accessible by the owner of the resource
- non-private
- accessible by those people having been granted access to the resource
- public
- accessible without authentication
Resource Sensitive Operation and Description Required role assignment Access Control Administration View the access control configuration of a resource R If R is under internal PORTAL protection: Security Administrator@R or Security Administrator@PORTAL (PORTAL is a virtual resource) If R is under external protection: Security Administrator@R or Security Administrator@PORTAL + Security Administrator@EXTERNAL_ACCESS_CONTROL
PORTAL and EXTERNAL_ACCESS_CONTROL are virtual resources
The Security Administrator@EXTERNAL_ACCESS_CONTROL role is created and managed in the External Security Manager (ESM). It must be modified using the ESM management tools.
For example, use the IBM Tivoli Access Manager pdadmin> command line or the eTrust SiteMinder administrative console.
Create a new role of role type RT on resource R If R is under PORTAL protection: Security Administrator@R + RT@R or Security Administrator@PORTAL If R is under external protection: Security Administrator@R + RT@R or Security Administrator@PORTAL + Security Administrator@EXTERNAL_ACCESS_CONTROL
PORTAL and EXTERNAL_ACCESS_CONTROL are virtual resources
The Security Administrator@EXTERNAL_ACCESS_CONTROL role is created and managed in the External Security Manager (ESM). It must be modified using the ESM management tools.
For example, use the Tivoli Access Manager pdadmin> command line or the eTrust SiteMinder administrative console.
Delete a role created from role type RT on resource R. All corresponding role mappings are also deleted. If R is under internal PORTAL protection: Security Administrator@R + RT@R + Delegator role on all assigned principals or Security Administrator@PORTAL If R is under external protection: Security Administrator@R + RT@R + Delegator role on all assigned principals or Security Administrator@PORTAL + Security Administrator@EXTERNAL_ACCESS_CONTROL
PORTAL and EXTERNAL_ACCESS_CONTROL are virtual resources
The Security Administrator@EXTERNAL_ACCESS_CONTROL role is created and managed in the External Security Manager (ESM). It must be modified using the ESM management tools.
For example, use the Tivoli Access Manager pdadmin> command line or the eTrust SiteMinder administrative console.
Create/delete a role assignment for user or group U created from Role Type RT on resource R If R is under internal PORTAL protection: Security Administrator@R + RT@R + Delegator@U or Security Administrator@PORTAL If R is under external protection: Security Administrator@R + RT@R + Delegator@U or Security Administrator@PORTAL + Security Administrator@EXTERNAL_ACCESS_CONTROL
PORTAL and EXTERNAL_ACCESS_CONTROL are virtual resources
The Security Administrator@EXTERNAL_ACCESS_CONTROL role is created and managed in the External Security Manager (ESM). It must be modified using the ESM management tools.
For example, use the Tivoli Access Manager pdadmin> command line or the eTrust SiteMinder administrative console.
Create/delete a role block for all roles created from role type RT on resource R If R is under internal PORTAL protection: Security Administrator@R + RT@R or Security Administrator@PORTAL If R is under external protection: Security Administrator@R + RT@R or Security Administrator@PORTAL + Security Administrator@EXTERNAL_ACCESS_CONTROL
A Security Administrator on this resource is always implicitly a Delegator on this resource. For all other role types, the Security Administrator@R plus the assignments listed above are required.
PORTAL and EXTERNAL_ACCESS_CONTROL are virtual resources
The Security Administrator@EXTERNAL_ACCESS_CONTROL role is created and managed in the External Security Manager (ESM). It must be modified using the ESM management tools.
For example, use the Tivoli Access Manager pdadmin> command line or the eTrust SiteMinder administrative console.
Externalize/internalize resources: Moving a resource R back and forth from internal to external control. All non-private child resources of R move with it. Private resources cannot be externalized. Security Administrator@R + Security Administrator@EXTERNAL_ACCESS_CONTROL or Security Administrator@Portal + Security Administrator@EXTERNAL_ACCESS_CONTROL PORTAL and EXTERNAL_ACCESS_CONTROL are virtual resources
The Security Administrator@EXTERNAL_ACCESS_CONTROL role is created and managed in the External Security Manager (ESM). It must be modified using the ESM management tools.
For example, use the Tivoli Access Manager pdadmin> command line or the eTrust SiteMinder administrative console.
Modify the owner of a resource: Setting a user or group U1 as new owner of the non-private resource R, where the old owner was U2 Delegator@U1, Delegator@U2, Manager@R, and Security_Administrator@R Applications Create an Application based on an existing Template T in Template Category TC User@TC
Create, edit, delete application roles of Application A Application manager
Adding/removing/reassigning members to application roles Application membership manager
Save Application A as a Template T in Template Category TC Application manager + Contributor@TC
Edit layout of Application A Application manager
Changing owner of Application A Application owner –OR–
Application manager
Only the application owner or an administrator is allowed to set a new owner
Delete an Application A Application manager Application Template Categories Create a Template Category TC New in Template Category TC_Parent Contributor@TC_Parent
View a Template Category TC User@TC Application Templates Create a Template from an existing Application: Serializing an existing Application A and creating a new Template T under Template Category TC
Application manager + Contributor@TC
Deploy or importing a new Template T in Template Category TC Contributor@TC + Editor@TEMPLATE DEPLOYMENT
TEMPLATE DEPLOYMENT is a virtual resource
Create a new Template T in Template Category TC Contributor@TC
Export a Template T in Template Category TC User@T + User@TC
Edit a Template T in Template Category TC Editor@T + User@TC
Changing owner of Template A Delegator@Template
Only the template owner or an administrator is allowed to set a new owner
Delete a Template T in Template Category TC Manager@T + Editor@TC
View a Template T in Template Category TC User@T + User@TC
In most cases User@T will be inherited by the permission on the Template Category (TC) because the TC is the parent of the Template resource, but setting a propagation block for the TC could prevent a user from getting the permission User@T. In this case the access right for T would be an additional setting.
Business Rules (Personalization) View a Business Rule User@Business Rules Workspace Set this permission on the Business Rules Workspace in the Personalization navigator by selecting the root node and then choosing Extra Action > Edit Access from the menu.
Create a Business Rule Contributor@Business Rules Workspace Contributor@Business Rules Workspace is the minimum required access right to create a Business Rule, though it is not recommended. Editor@Business Rules Workspace is recommended to create and maintain business rules and use the Portal administration facilities.
Delete a Business Rule Manager@Business Rules Workspace
Assigning a Business rule to a page P For non-private pages: Editor@P and User@Business Rules Workspace For private pages: Priviliged User@P and User@Business Rules Workspace
Assigning a Business rule to a portlet PO on page P For non-private pages: Editor@P, User@PO and User@Business Rules Workspace For private pages: Privileged User@P, User@PO and User@Business Rules Workspace
Extra Actions When you use the Set Access button in Personalization to add a user or a group to a role on the root of the workspace, this automatically gives the same role to that user or group for all Web Content Management libraries, policies and templates. Content Node (pages, labels, and URLs) The table column detailing sensitive operations and descriptions for this resource refers to pages only, but those operations and descriptions, when applicable, also apply to labels and URLs.
Traverse a page: View the navigation of a page P User@P or @ some child resource of P
View the content of a page P, including page decoration and potentially the portlets on that page. The portlets on a page are protected separately. See the portlets on pages row of this table for more information. User@P
Modify page properties includes:
- Adding/removing a markup
- Adding/removing a locale
- Adding/removing parameters
to/from a page P
Editor@P
Changing the theme of a page P Editor@P
Modify the layout of a page P includes:
- Adding/removing wires
- manage actions
For non-private pages: Editor@P For private pages: Privileged User@P
For managing receiving actions of a portlet on a target page: Editor@P and Editor@PO
Customize the layout of a non-private page: Create a private, implicitly derived copy of a non-private page P
Privileged User@P
Adding a root page: Create and adding a new top level page P For non-private pages: Editor@Pages For private pages: Privileged User@Pages
(Pages is a virtual resource)
Adding a page: Create a new page under a given Page P For non-private pages: Editor@P For private pages: Privileged User@P
Create a derived page: Create a new page underneath P1 that is explicitly derived from page P2
New page is private: Privileged User@P1 + Editor@P2 New page is non-private: Editor@P1 + Editor@P2
Delete a page P and all descendant pages, including further subpages and the portlets on those pages Manager@P
Move page P1 to a new parent page P2 For non-private pages: Manager@P1 + Editor@P2 For private pages: Manager@P1 + Privileged User@P2
Locking or unlocking the contents of a non-private page P Editor@P + User@portlet (Page Locks) + User@page (Locks) Credential Vault Portlet Add, view, or delete a vault segment Management of the Credential Vault via the Credential Vault Portlet requires access to an instance of the Credential Vault Portlet
Add,view, delete, or edit a vault slot Management of the Credential Vault via the Credential Vault Portlet requires access to an instance of the Credential Vault Portlet Enable Tracing Portlet Add or delete a portal trace setting Add or delete portal trace setting via the Enable Tracing Portlet requires access to an instance of the Enable Tracing Portlet Event Handlers Manage event handlers: Create, modify, and delete event handlers Security Administrator@Event Handlers Event Handlers is a virtual resource
Manage Clients portlet Manage clients: View the portlet; deleting, modifying, and adding clients in the Manage Clients portlet User@Manage Clients Manage Search Create a new search index Editor@PSE_Sources PSE_Sources is a virtual resource
Manage Virtual Portal Create the New Virtual Portal Security Administrator@Portal Portal is a virtual resource
View the Virtual Portal Security Administrator@Portal Portal is a virtual resource
Delete the Virtual Portal Security Administrator@Portal Portal is a virtual resource
Edit the Virtual Portal Security Administrator@Portal Portal is a virtual resource
Markups Manage Markups: Create, deleting, or modifying a Markup
Editor@Markups Markups is a virtual resource
Policies Create a new Policy under a given Policy Editor@Policy and User@Business Rules Workspace Contributor@Policy is the minimum required access right to create a new Policy under a given Policy, though it is not recommended. Editor@Policy is recommended to create and maintain policies and use the Portal administration utilities.
If a rule has to be created or edited during the creation of a Policy, then Editor@Business Rules Workspace and Editor@Policy is also required.
Business Rules Workspace is the root node in the Personalization navigator for Business Rules resources. Set permissions on this node by selecting the workspace node and then choosing Extra Action > Edit Access from the menu.
Assigning a Business rule to a Policy User@Business Rules and Editor@Policy
Edit a Policy Editor@Policy and User@Business Rules If a rule has to be created or edited during the creation of a Policy, then Editor@Business Rules is also required.
View a Policy User@Policy + User@Business Rules
Import a new Policy Editor@Policy_Root Contributor@Policy_Root is the minimum required access right to import a new Policy, though it is not recommended. Editor@Policy_Root is recommended to import and maintain policies and use the Portal administration utilities.
Delete a Policy Manager@Policy + User@Business Rules When deleting a policy the associated rule is not deleted.
Portal Settings View current portal settings User@Portal Settings Portal Settings is a virtual resource
Modify current portal settings Editor@Portal Settings Portal Settings is a virtual resource
Portlet Applications View the portlet application definition information for a portlet application PA User@PA
Modify a portlet application includes:
- Adding/removing a locale
- Setting default locale
- Modify settings
to/from/of the portlet application PA
Editor@PA
Duplicating a portlet application: Create a new portlet application based on an existing portlet application PA Editor@Portlet Applications + User@PA Portlet Applications is a virtual resource
Delete a portlet application and removing all corresponding portlets and portlet entities from all pages within the portal Manager@PA
Enable/disabler a portlet application: Temporarily enabling or disabling the portlet application PA Manager@PA Portlets View an installed portlet: View the portlet definition information of a portlet PO User@PO
Modify an installed portlet includes:
- Adding/removing a locale
- Setting default locale
- Modify settings
to/from/of the portlet PO
For adding/removing locales and setting default locale: Editor@PO For modifying settings: Manager@PO
Duplicating an installed portlet: Create a new installed portlet based on an existing portlet PO that is part of a portlet application PA.
Editor@Portlet Applications + User@PO+ User@PA Portlet Applications is a virtual resource
Delete an installed portlet PO and removing all corresponding portlet entities from all pages within the portal Manager@PO
Enabling/disabling an installed portlet: Temporarily enabling or disabling a portlet PO Manager@PO
Providing portlet PO as a WSRP service Editor@WSRP Export and Editor@PO WSRP Export is a virtual resource
Withdrawing portlet PO from WSRP service Manager@WSRP Export and Editor@PO WSRP Export is a virtual resource
Integrate the portlet of a WSRP Producer PR into the portal If no portlet application exists for the group of portlets: Editor@Portlet Applications and User@PR Portlet Applications is a virtual resource
If a Portlet Applications PA already exists for the group of portlets:
Editor@PA and User@PR
Delete an integrated WSRP portlet PO contained in the portlet application PA from the portal If this is the last portlet in Portlet Applications: Manager@PA If more than one portlet resides in Portlet Applications: Manager@PO
Portlets on pages View a portlet PO on page P User@P + User@PO
Configure an installed portlet: Entering the configure mode of a portlet PO and modifying its configuration Manager@PO
Modify a portlet on a page: Entering the edit mode of a portlet PO on page P and modifying its configuration If P is a non-private page and the user has no Editor role for this page, then modifying the configuration of the portlet results in the creation of an implicitly derived copy of page P.
Editor@P + Editor@PO Or
Privileged User@P + Privileged User@PO
Modify page content: Adding/removing a portlet PO to/from a page P If P is a non-private page and the user has no Editor role for this page, then modifying the content of P results in the creation of an implicitly derived copy of page P.
For non-private pages: Editor@P + User@PO Or
For private pages: Privileged User@P + User@PO
Restricting the content of a page: Adding/removing a portlet from the Allowed Portlet List of a page Editor@P + User@PO Property Broker Operating with ActionSets/PropertySets for a portlet PO User@PO
Create/Updating/Delete a wire from a portlet PO1 on Page P1 to a portlet PO2 on Page P2 Global wire: Editor@P1, User@PO1, Editor@P2, User@PO2 Personal wire: Privileged User@P1, User@PO1, Privileged User@P2, User@PO2 In order to update or delete a personal wire, the user must have the above role assignments and created the wire they are updating or deleting.
Executing a wire from a portlet PO1 on Page P1 to a portlet PO2 on Page P2 Global wire: User@P1, User@PO1, User@P2, User@PO2 Personal wire: Privileged User@P1, User@PO1, Privileged User@P2, User@PO2
In order to execute a personal wire, the user must have the above role assignments and created the wire they are executing
View a wire from a portlet PO1 on Page P1 to a portlet PO2 on Page P2 Global wire: User@P1, User@PO1, User@P2, User@PO2 Personal wire: Privileged User@P1, User@PO1, Privileged User@P2, User@PO2
In order to view a personal wire, the user must have the above role assignments and created the wire they are viewing
PSE Sources Create a PSE Source: Create a search collection Editor@PSE Sources PSE Sources is a virtual resource
View a PSE Source: View a search collection SC User@SC
Facilitating a PSE Source: Using a search collection SC User@SC
Edit a PSE Source: Editing a search collection SC Editor@SC
Delete a PSE Source: Delete a search collection SC Manager@SC Themes and Skins portlet Manage themes and skins: View the portlet; deleting, modifying, and adding themes and skins in the Themes and Skins portlet User@Themes and Skins Unique Names portlet Manage unique names: View the portlet; deleting, modifying, and adding unique names in the Unique Names portlet Editor@R + User@Unique Names URL Mapping Contexts Create a new URL mapping context UMC Editor@URL Mapping Contexts URL Mapping Contexts is a virtual resource
Traversing a URL mapping context: The ability to traverse a URL mapping context due to a role assignment to some child context of UMC
User@UMC or @ some child context of UMC
View the definition of a URL mapping context UMC User@UMC
Assigning a URL: Create a mapping between a URL mapping context UMC and a portal resource R Editor@UMC + User@R
Modify a URL mapping context: Changing the properties of an existing URL mapping context UMC; for example editing the label Editor@UMCIf Virtual Portal Mapping:
Editor@VP URL Mappings
VP URL Mappings is a virtual resource
Delete a URL mapping context UMC and all of its child contexts Manager@UMC User Groups Create a new User group within the user registry Editor@User Groups User Groups is a virtual resource
View the User group profile information of a user group UG User@UG
Modify the profile information of a User group UG Editor@UG
Adding/removing an existing User U or a User group UG2 to or from an existing User group UG1 Security Administrator@Users + Editor@UG1 Users is a virtual resource
Delete a user group UG Manager@UG The owner of the user group can also delete it.
Users Create a new user in the user registry Editor@User Self Enrollment User Self Enrollment is a virtual resource
View the user profile information of a user U User@UG and U is a member of user group UG or User@Users Users is a virtual resource
Modify the profile information of a user U Editor@UG and U is a member of user group UG or Editor@Users Users is a virtual resource
Delete a user from the user registry and deleting all private pages created by this user Manager@Users Users is a virtual resource
Web Clipping Create new clippings Editor@Portlet Applications Portlet Applications is a virtual resource
Web modules Installing a new portlet application WAR file Editor@Web Modules Web Modules is a virtual resource
Updating a Web module WM by installing a corresponding WAR file Editor@Web Modules + Manager@WM
Uninstalling a Web module and removing all corresponding portlet applications and portlets from all pages within the portal Manager@WM + Manager @ all portlet applications contained in WM WSRP Producers (on the Consumer side) Adding a remote WSRP Producer PR to the Portal Editor@WSRP Producers WSRP Producers is a virtual resource
Edit the settings of a remote Producer PR Editor@PR
View the settings or display the list of portlets that are provided by a remote WSRP Producer PR User@PR
Delete a remote WSRP Producer from the portal Manager@PR XML Access Running commands using the XML configuration interface Security Administrator@Portal + Editor@XML Access Portal and XML Access are virtual resources
Role Mappings and WSRP services
On the WSRP producer side, you can set the configuration property wsrp.security.enabled to enforce the access control decision for the provided portlets. If this property value is set to true, then all access control decisions in the producing portal are based on the authenticated principal. If wsrp.security.enabled is set to false, then the producing portal does not enforce any access control on incoming client portal WSRP requests.
When using identity propagation, the user authenticated on the client portal needs to have the required role assignments. If no identity propagation is configured, but SSL client certificate authentication is enabled, then the ID of the certificate needs to have the required role assignments. If none of the previously mentioned authentication methods is used, then the request is treated as if coming from the Anonymous Portal Users. In the latter case, the required roles need to be assigned to the Anonymous Portal User, which implies allowing unauthenticated access to the corresponding resources for all users who can access the producer portal.
Parent topic:
Resources, roles, and policies
Related tasks
Assigning access to policies
Prepare security for a WSRP Producer portal
Prepare security for a WSRP Consumer portal
Disable and enabling Portal Access Control for a WSRP Producer portal
Assigning access to policies