Authorizations

Authorizations define which objects users can access and which actions they can perform. The portal has an authorization concept that is implemented using permissions, security zones, UME actions, and the AuthRequirement property. These are described in more detail below.

We recommend that before you deploy a production portal, you check that the authorizations assigned in the portal do not allow unauthorized users to access sensitive content such as administrative tools or confidential data.

·        Permissions: permissions for all Portal Content Directory (PCD) objects. Portal permissions define portal user access rights to portal objects in the PCD and are based on access control list (ACL) methodology. Essentially, every portal object can be assigned directly to an individual user or collectively to groups of users through user groups and roles. Portal content objects for which you can set permissions are folders (Portal Catalog folders, not role folders), iViews, pages, layouts, roles, worksets, packages, and systems. When any portal user accesses a portal tool that displays portal objects stored in the PCD, those objects are filtered according to the user’s access permissions. If a user is permitted to access a portal object, the permission level set for the user defines which actions and operations the user can perform on that object. Permissions also define which objects are available to end users in a runtime portal environment.

In EP 6.0 SP9 and higher, the default permissions assigned to portal objects after installation are set in a manner that permits only the Super Admin role full access to the entire portal and its initial content. The remaining pre-configured administration and business user roles shipped with the portal are permitted access to the out-of-the-box tools and user interfaces relevant to each role; however, access to objects within these tools is not permitted.

After installation, you can configure the permissions to enable the preconfigured portal roles to access initial content objects relevant to their role. To help you with this task, see the guide Configuring Permissions for Initial Content in SAP EP 6.0 which you can find on SAP Service Marketplace at service.sap.com/nw-howtoguides → Portal, KM and Collaboration → Portal → Configuring Permissions for Initial Content in SAP EP 6.0.

We recommend that if you change the permissions, you provide users with the minimum set of permissions that they require to fulfill their tasks. You should check the permissions carefully before deploying a test or production portal.

For more information on permissions, see Portal Permissions and Default Permissions.

·        Security Zones: control which portal components and portal services users can launch. Security zones are defined in the development phase. If a portal component or service is not assigned a complete security zone in its descriptor file, the portal runtime assigns it to a predefined security zone folder for unspecified components or services. The portal provides default permissions for the standard security zone folders in which the portal applications shipped with the portal’s initial content reside. These permissions provide a high level of security for a freshly installed portal. We recommend that you become familiar with the standard security zones created by SAP and also the default permissions assigned to them. If necessary, adjust the default permissions to suit your environment. We highly recommend that you use the security zones structure of SAP for your own content. For your own content, you should make sure that the permissions on the security zones provide appropriate protection against unauthorized access and adjust them if required.

Security zones control access to portal components whether they are accessed by a direct URL or through a role-assigned iView based on that portal component.

For more information on security zones, see Security Zones.

·        UME Actions: the User Management Engine (UME) equivalent of portal permissions. The UME verifies that users have the appropriate UME actions assigned to them before granting them access to UME iViews and functions. All other portal services do not use UME actions.

For more information on UME actions, see UME Actions in the Portal.

Pay particular attention to the UME action UME.AclSuperUser. This action provides Owner permissions on all objects in the Portal Content Catalog and should be used very restrictively. It should only be assigned to the Super Administration role in the portal. It should not be assigned to any other roles.

Also be careful to whom you assign the UME.Manage_Roles action. Users with this action can assign themselves the Administrator role in the UME Web-based administration tool and thus gain full administrator rights on the J2EE Engine. In particular, DO NOT assign this action to delegated user administrators.

·        AuthRequirement property: This is a master iView property used in EP 5.0 that defines which users are authorized to access a master iView or Java iViews derived from a master iView. For backward compatibility with iViews developed for EP 5.0, EP 6.0 supports this property.

For details on the AuthRequirement property, see SAP Enterprise Portal 5.0 Administration Guide → iViews → Master iViews → Master iView Properties → Portal Component Properties.
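
The two UME action warnings above (UME.AclSuperUser and UME.Manage_Roles) can be checked mechanically once role contents and role assignments are available as data. The following Python code is an added example, not SAP code and not a portal API: the data layout, the role, group and user names, and EXAMPLE.Other_Action are constructed assumptions; only the two UME action names come from the text above.

```python
# Added example: audit which roles (and, through nested groups, which users)
# hold the two sensitive UME actions. All data below is constructed.
SUPER_ADMIN_ROLE = "super_admin_role"   # assumed name of the Super Administration role
SEVERITY = {
    "UME.AclSuperUser": "violation",    # belongs only in the Super Administration role
    "UME.Manage_Roles": "review",       # holders can give themselves the Administrator role
}
ROLE_ACTIONS = {                        # role -> UME actions it contains (constructed)
    "super_admin_role": {"UME.AclSuperUser", "UME.Manage_Roles"},
    "delegated_user_admin": {"EXAMPLE.Other_Action", "UME.Manage_Roles"},
    "content_admin": {"UME.AclSuperUser"},
    "employee": set(),
}
ROLE_MEMBERS = {                        # role -> directly assigned users and groups
    "super_admin_role": {"grp:portal_admins"},
    "delegated_user_admin": {"grp:helpdesk"},
    "content_admin": {"usr:carol"},
}
GROUP_MEMBERS = {                       # group -> members; nesting and a cycle included
    "grp:portal_admins": {"usr:alice"},
    "grp:helpdesk": {"usr:bob", "grp:helpdesk_leads"},
    "grp:helpdesk_leads": {"usr:dave", "grp:helpdesk"},
}

def expand_users(principal, groups, seen=None):
    """Resolve a user or a (possibly nested, possibly cyclic) group to users."""
    seen = set() if seen is None else seen
    if principal in seen:
        return set()
    seen.add(principal)
    if principal.startswith("usr:"):
        return {principal}
    users = set()
    for member in groups.get(principal, ()):
        users |= expand_users(member, groups, seen)
    return users

def audit(role_actions, role_members, groups):
    """Return (severity, role, action, users) for every sensitive assignment
    outside the Super Administration role."""
    findings = []
    for role, actions in sorted(role_actions.items()):
        if role == SUPER_ADMIN_ROLE:
            continue
        users = set()
        for principal in role_members.get(role, ()):
            users |= expand_users(principal, groups)
        for action in sorted(actions & set(SEVERITY)):
            findings.append((SEVERITY[action], role, action, sorted(users)))
    return findings
```

A "violation" row means UME.AclSuperUser sits in a role other than the Super Administration role; a "review" row lists who effectively holds UME.Manage_Roles so that delegated user administrators can be removed from that set.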