WebSphere Portal Security

Source: Internet | Editor: 程序博客网 | Time: 2024/05/22 00:08

Initial Access Control Settings

 

When you install the portal server, the installation program asks you for an administrative user name. That user becomes the administrator of the portal. In addition, the installation program creates an administrative group, usually wpsadmins, and that group gets the Administrative role on the portal.


This is the set of permissions that the portal installation program assigns:


  • Administrative User: Gets unlimited access to all resources

  • Administrative Group (wpsadmins): Same as the administrative user

  • All Authenticated Portal Users: Gets User or Privileged User rights on preinstalled portlets and some of the pages that are created as part of the install process

  • Anonymous Portal User: Gets User rights on public pages such as login, selfcare, sitemap, ...

See Initial Access Control Settings for further information on which rights are assigned to the various users and groups during portal install.

 

Virtual Users and Groups

 

The portal supports predefined virtual users and groups that allow for access control configuration that applies to abstract sets of users. These virtual users and groups are not stored in the user registry. They only exist within the access control context. You cannot change group membership or other attributes of these virtual users and groups.

 


  1. Anonymous Portal User: This virtual user models a portal user who has not yet logged into the portal. Assigning roles to this user on a resource allows access to this resource prior to authentication to the portal server. This is useful for creating public welcome pages. The Anonymous Portal User is not considered to be a member of any group within the portal. On pages and their virtual resource parents CONTENT_NODES and PORTAL, you can only assign the Anonymous Portal User to the User role type.

  2. All Authenticated Portal Users: This virtual user group models the set of all users who are known by the portal. After successfully logging in to the portal, users lose the Anonymous Portal User identity and become authenticated members of the All Authenticated Portal Users virtual user group. Roles assigned to this user group allow establishment of permissions that will apply to all authenticated users and thus support setting up the default privileges for authenticated portal access.

  3. All Portal User Groups: This virtual user group contains all non-virtual user groups.

Delegated Administrative Policy

 

An administrator is a user who is authorized to modify the access control configuration by changing role assignments and creating or deleting role blocks. When you install the portal or create a new VP, you set an administrator user, who becomes the domain administrator and can administer all the resources in that domain.


WebSphere Portal also supports delegated administration: the Portal Admin can give certain access rights to another user, and that user can pass some of his rights on to another administrator. Take a look at this diagram. The wpsadmin is the portal administrator, so he can assign, say, the Editor or Privileged User role to Sunil for a particular page in the Asia Marketing team. He can also delegate administrative rights for the Marketing team to Mark, and then Mark would be able to assign rights to Sunil for a particular page, or he can pass the Admin rights for pages under Asia Marketing to James, and James would be able to assign the appropriate user rights to Sunil.



WebSphere Portal has a delegated administration policy that determines how users are permitted to delegate their privileges to other users or groups. The general policy for creating or deleting a role assignment is as follows. A user Mark/marketingadmin can assign an Editor role to Sunil only if one of the following cases is met:


  1. Mark has the Administrator@Portal or Security Administrator@Portal role. That means he is the super admin for the portal.

  2. Since Mark is not super admin, he can assign the Editor role to Sunil on one of the Marketing Portal pages only if all of the following conditions are met:

    • Mark has the Security Administrator@Marketing Page or Administrator@Marketing Page role.

    • Mark has at least the Editor@Marketing Page role.

    • Mark has the Delegator@Sunil, Security Administrator@Sunil or Administrator@Sunil role. It's better to create an asiamarketingusers/marketinguser group and assign admin rights to Mark on that group.

    So if Mark wants to assign the Editor role to Sunil on the Asia Marketing Page, then he must have Delegator@Sunil + Security_Administrator@Asia Marketing Page + Editor@Asia Marketing Page.
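
The delegation rule above, modeled as an added example (not code from the original post and not the WebSphere Portal API). It assumes role assignments are plain (principal, role, resource) triples and a linear role ranking for "at least", and it ignores role inheritance and group membership; all function names and the sample data are hypothetical.

```python
# Simplified model of the delegation rule (illustrative; not the Portal API).
# Role@Resource assignments are stored as (principal, role, resource) triples.
PORTAL, ADMIN = "Portal", "Administrator"
SEC_ADMIN, DELEGATOR = "Security Administrator", "Delegator"

# Assumption: a linear ranking used only to evaluate "at least <role>".
RANK = {"User": 1, "Privileged User": 2, "Editor": 3, ADMIN: 4}


def has_any(assignments, principal, roles, resource):
    """True if principal holds any of the given roles on resource."""
    return any((principal, r, resource) in assignments for r in roles)


def has_at_least(assignments, principal, role, resource):
    """True if principal holds `role` itself or a higher-ranked role on resource."""
    need = RANK.get(role, float("inf"))  # unranked roles need an exact match
    return any(p == principal and res == resource
               and (r == role or RANK.get(r, 0) >= need)
               for p, r, res in assignments)


def can_assign(assignments, delegator, role, target, resource):
    """Return (allowed, reason) for delegator granting role@resource to target."""
    # Case 1: portal-wide super admin.
    if has_any(assignments, delegator, (ADMIN, SEC_ADMIN), PORTAL):
        return True, "super admin on Portal"
    # Case 2: all three conditions must hold.
    if not has_any(assignments, delegator, (ADMIN, SEC_ADMIN), resource):
        return False, f"needs Security Administrator or Administrator on {resource}"
    if not has_at_least(assignments, delegator, role, resource):
        return False, f"needs at least {role} on {resource}"
    if not has_any(assignments, delegator, (DELEGATOR, SEC_ADMIN, ADMIN), target):
        return False, f"needs Delegator, Security Administrator or Administrator on {target}"
    return True, "all delegation conditions met"


# Constructed sample data using the names from the example on this page.
PAGE = "Asia Marketing Page"
ASSIGNMENTS = {
    ("wpsadmin", ADMIN, PORTAL),
    ("Mark", SEC_ADMIN, PAGE), ("Mark", "Editor", PAGE), ("Mark", DELEGATOR, "Sunil"),
    ("James", SEC_ADMIN, PAGE), ("James", "Editor", PAGE),  # no role on Sunil
}

if __name__ == "__main__":
    for who in ("wpsadmin", "Mark", "James", "Sunil"):
        print(who, can_assign(ASSIGNMENTS, who, "Editor", "Sunil", PAGE))
```

In this model a delegator who holds only Security Administrator on the page is refused at the second condition, which is the property that keeps a delegated admin from granting a role he does not hold himself.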