Initial Access Control Settings
When you install the portal server, the installation program asks you for an administrative user name. That user becomes the administrator of the portal. The installation program also creates an administrative group, usually wpsadmins, and that group gets the Administrative role on the portal.
This is the set of permissions that the portal installation program assigns:
- Administrative User: Gets unlimited access on all resources.
- Administrative Group (wpsadmins): Same as that of the administrative user.
- All Authenticated Portal Users: Gets User or Privileged User rights on preinstalled portlets and some of the pages that get created as part of the install process.
- Anonymous Portal User: Gets User rights on public pages such as login, selfcare, sitemap, ...
Take a look at Initial Access Control Settings for further information on which rights are assigned to the various users and groups during portal install.
Virtual Users and Groups
The portal supports predefined virtual users and groups that allow for access control configuration that applies to abstract sets of users. These virtual users and groups are not stored in the user registry. They only exist within the access control context. You cannot change group membership or other attributes of these virtual users and groups.
- Anonymous Portal User: This virtual user models a portal user who has not yet logged into the portal. Assigning roles to this user on a resource allows access to this resource prior to authentication to the portal server. This is useful for creating public welcome pages. The Anonymous Portal User is not considered to be a member of any group within the portal. On pages and their virtual resource parents CONTENT_NODES and PORTAL, you can only assign the Anonymous Portal User to the User role type.
- All Authenticated Portal Users: This virtual user group models the set of all users who are known by the portal. After successfully logging in to the portal, users lose the Anonymous Portal User identity and become authenticated members of the All Authenticated Portal Users virtual user group. Roles assigned to this user group allow establishment of permissions that will apply to all authenticated users and thus support setting up the default privileges for authenticated portal access.
- All Portal User Groups: This virtual user group contains all non-virtual user groups.
Delegated Administrative Policy
An administrator is a user who is authorized to modify the access control configuration by changing role assignments and creating or deleting role blocks. When you install the portal or create a new VP, you set an administrator user, who becomes the domain administrator and can administer all the resources in that domain.
WebSphere Portal also supports delegated administration, which means the portal admin can give certain access rights to another user, and that user can pass some of those rights on to another administrator. Take a look at this diagram.
wpsadmin is the portal administrator, so he can assign, say, the Editor or Privileged User role to Sunil for a particular page in the Asia Marketing team. He can also delegate administrative rights for the Marketing team to Mark, and then Mark would be able to assign rights to Sunil for a particular page, or he can pass the Admin rights for pages under Asia Marketing to James, and James would be able to assign the appropriate user rights to Sunil.
WebSphere Portal has a delegated administration policy that determines how users are permitted to delegate their privileges to other users or groups. The general policy for creating or deleting a role assignment is as follows. A user Mark/marketingadmin can assign an Editor role to Sunil only if one of the following cases is met:
- Mark has the Administrator@Portal or Security Administrator@Portal role. That means he is the super admin for the portal.
- Since Mark is not super admin, he can assign the Editor role to Sunil on one of the Marketing Portal pages only if all of the following conditions are met:
  - Mark has the Security Administrator@Marketing Page or Administrator@Marketing Page role.
  - Mark has at least the Editor@Marketing Page role.
  - Mark has the Delegator@Sunil, Security Administrator@Sunil or Administrator@Sunil role. It's better to create an asiamarketingusers/marketinguser group and assign admin rights to Mark on that group.
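The delegation rule above can be written as a small decision function, which is handy when auditing who is able to grant what. This is an added example, not WebSphere Portal code or its API: it is a simplified model that assumes roles are held directly on a resource (no inheritance), assumes a linear ordering of the role types named on this page for the "at least" check, and uses constructed sample assignments.

```python
# Added example: simplified model of the delegation rule, not WebSphere Portal code.
ADMIN_TYPES = {"Administrator", "Security Administrator"}
PRINCIPAL_TYPES = ADMIN_TYPES | {"Delegator"}
# Assumed ordering for the "at least" check, using only role types named on this page.
RANK = {"User": 1, "Privileged User": 2, "Editor": 3, "Administrator": 4}


def holds(assignments, user, role_types, resource):
    """True if `user` holds any of `role_types` directly on `resource` (no inheritance)."""
    return any((user, rt, resource) in assignments for rt in role_types)


def can_assign(assignments, delegator, role_type, resource, target):
    """Return (allowed, reason) for delegator granting role_type@resource to target."""
    if role_type not in RANK:
        return False, "unknown role type"
    # Case 1: super admin on the virtual PORTAL resource.
    if holds(assignments, delegator, ADMIN_TYPES, "PORTAL"):
        return True, "super admin"
    # Case 2, condition 1: administrative role on the resource itself.
    if not holds(assignments, delegator, ADMIN_TYPES, resource):
        return False, "no admin role on resource"
    # Case 2, condition 2: delegator holds at least the role type being granted.
    enough = {rt for rt, rank in RANK.items() if rank >= RANK[role_type]}
    if not holds(assignments, delegator, enough, resource):
        return False, "cannot grant more than own role"
    # Case 2, condition 3: delegation rights over the target user or group.
    if not holds(assignments, delegator, PRINCIPAL_TYPES, target):
        return False, "no delegation right on target"
    return True, "delegated"


# Constructed sample assignments: (principal, role type, resource).
SAMPLE = {
    ("wpsadmin", "Administrator", "PORTAL"),
    ("Mark", "Security Administrator", "Marketing Page"),
    ("Mark", "Editor", "Marketing Page"),
    ("Mark", "Delegator", "Sunil"),
    ("James", "Security Administrator", "Marketing Page"),
    ("James", "Delegator", "Sunil"),
}

if __name__ == "__main__":
    for who in ("wpsadmin", "Mark", "James"):
        print(who, can_assign(SAMPLE, who, "Editor", "Marketing Page", "Sunil"))
```

In the sample, James is refused even though he is Security Administrator on the page and Delegator on Sunil, because he holds no Editor-or-higher role on the page himself.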