+

Search Tips   |   Advanced Search

Access control scenarios


These scenarios provide helpful illustrations on how access control can be set up.

This section describes basic tasks for administering access control. The following examples use a hypothetical portal user called Mary and a hypothetical group called the Sales group. The following graphic helps illustrate the examples described in this topic.

The tasks described here can be performed using either the administrative portlets or xmlaccess.sh. For instructions about using the portlets mentioned here, refer to the portlet helps. For instructions about using xmlaccess.sh, see xmlaccess.sh section of the information center.


Give a user full access to the portal

Give the user the Administrator@Portal role. The Administrator@Portal role permits unrestricted access to all portal resources except the private pages of other users.

Give users this role in one of two ways:


Allow a user to manage portlet applications with the Manage Applications portlet

Suppose that Mary needs to manage certain portlet applications. She must use the Manage Applications portlet to do this. Give Mary the following roles:

There are two ways to give Mary these roles:


Allow users to access a page and some subset of its child pages

Create an inheritance block on the appropriate page.

For example, give the Sales group the Editor@Market News Page role. This allows members of the Sales group to edit the Market News page and all of its current and future child pages, including the Europe Market News page and the USA Market News page. To allow the Sales group to edit the USA Market News page, but not the Europe Market News page, insert an inheritance role block for the Editor role type on the Europe Market News Page. Use the Resource Permissions portlet or xmlaccess.sh to insert this role block. This role block prevents members of the Sales group (and all other users and groups with an inherited or implicit Editor role on any parent pages of the Europe Market News page) from editing the Europe Market News page and all of its current and future child pages.


Allow users to access a portlet on a page

Give the group a role assignment on both the page and the portlet. Role assignments on a page do not contain access rights for portlets that appear on the page. Use the Resource Permissions portlet, the User and Group Permissions portlet, or xmlaccess.sh to assign these roles.

For example, suppose there is a Market Targets portlet on the Market News Page. Give the Sales group (or a user group containing the Sales group) the Editor@Market Targets Portlet role and the Editor@Market News Page role.


Allow users to access a page, but not its child pages

Use the Resource permissions portlet to create a propagation block on the appropriate page.

For example, give the Sales group Editor access to the Market News page. To prevent this group from editing the USA Market News page and the Europe Market News page, create a propagation block for the Editor role type on the Market News page. It is not necessary to create a propagation block on the Market News child pages. This Market News page role block prevents the Sales group (and all other users and groups with an inherited or implicit Editor@Market News Page role) from editing all current and future child pages of the Market News Page.


Allow users to view and personalize a page and all of its child pages

Give the group the Privileged User role on the page and any portlets that appear on the page or its child pages.

For example, give the Sales group to the Privileged User@Market News Page role. This allows all members of this group to view and personalize the Market News page and all of its current and future child pages. Then give the Sales group the Privileged User role on all portlets and portlet applications that appear on the Market News page and any of its child pages.

Giving the Sales group the Privileged User role instead of the Editor role allows members to create new private pages that are children of the Market News Page, but prevents members from creating new non-private pages.

The Editor role blocks created in the previous examples do not affect Privileged User roles in any way.


Allow a user to assign roles on a specific resource to members of a specific group

For example, to allow Mary to assign the Sales group to the role Privileged User@Market News Page, do either of the following steps:

To administer access control through the administrative portlets, Mary must have role assignmento that allow her to view the User Group Permissions or the Resource Permissions portlets and the pages containing these portlets. To administer access control through xmlaccess.sh, Mary must have a role assignment that allows her to access the XmlAccess virtual resource.


Parent: Controlling access