The portal security descriptor (ibm-portal-security.xml) declares the application roles for
a portal application and maps those roles to users and groups of the
console. The page layout sample in the console module samples includes an ibm-portal-security.xml
that illustrates the elements described here.
Description of the portal security elements
- <ibm-portal-security/>
- Root element of the portal security descriptor. This element contains
the following element.
- <application-role/>
- Optional and multiple allowed. Specifies an application role for the portal
application. An application role maps a set of permissions, or role type,
to a specific resource defined in the application's topology descriptor. The
following attribute is used with this element.
- uniqueName
- Required. Specifies the administrative role for this application. The
role can be one of the existing roles that are provided by the application
server or you can specify a new role for the application that is created during
deployment.
- When you specify one of the application server roles, write it in
all lowercase (administrator, operator, monitor or configurator) rather than
with the initial capital that appears in the console interface (Administrator, Operator,
Monitor or Configurator). The name is matched case-sensitively: a mismatch in
upper or lower case (MOnitor instead of monitor) means the role cannot be created.
- When you specify a new role for an application, also use lowercase characters,
as a guideline.
- The administrative console also provides the all authenticated portal
users virtual role. Resources with all authenticated portal users permission
are available to all authenticated users.
- When you specify a new role, it inherits the access rights of the monitor role
when it is created. A user with the new administrative role has access to
the same resources as a user with the monitor role.
- When a resource in the topology descriptor is not protected by an
administrative role or by the virtual role, it is unavailable to every role: no
user can access it.
To guarantee uniqueness, see Console module elements - guidelines for unique identifiers.
The following element makes up the content of the application
role.
- <portal-role/>
- Optional and multiple allowed. Associates a resource with a role type.
The role type determines what actions a user can perform on that resource.
The following attributes can be used with this element.
- object-ref
- Specifies the unique name of a resource in the topology descriptor. For
this release, only portlet entities and navigation elements are supported.
- role-type
- Specifies the set of actions the user with this role type can perform
on the resource. The following values are allowed (case-sensitive):
- User
A user with this role type is allowed to view the resource
and access help.
- Privileged User
A user with this role type is allowed to view
the resource, edit preferences, and access help.
For this release, role-type has meaning only for portlet entities. It is nevertheless
required on every portal-role element, including those for navigation elements, so
specify role-type="User" for navigation elements.
These role mappings cannot be changed through the
console. Instead, update the descriptor in its extracted location
on the server, then delete and redeploy the application for the changes
to take effect.
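Because the descriptor is only read at deployment time and a mistake costs a delete-and-redeploy cycle, it is worth checking the rules above before deploying. The following is an added example, not IBM code and not the page layout sample: it parses a constructed ibm-portal-security.xml and flags the problems the text describes (a server role not written in lowercase, an invalid role-type value, an object-ref that does not exist in the topology descriptor, and a topology resource no role protects). The resource names, the reviewer role name and the topology set are assumptions made up for the demo, and the root element is written without any schema or namespace declarations because the page does not show them.

```python
"""Lint an ibm-portal-security.xml descriptor against the rules described above.

Added example, not IBM code. The descriptor and topology resource names are
constructed for the demo; real object-ref values must match unique names in
the application's own topology descriptor.
"""
import xml.etree.ElementTree as ET

# Roles provided by the application server, spelled the way the descriptor
# expects them (all lowercase).
SERVER_ROLES = {"administrator", "operator", "monitor", "configurator"}

# Allowed role-type values; the comparison is case-sensitive.
ROLE_TYPES = {"User", "Privileged User"}

# Constructed descriptor. Two mistakes are planted deliberately:
# "Monitor" instead of "monitor", and an object-ref that is not in the topology.
SAMPLE_DESCRIPTOR = """<ibm-portal-security>
  <application-role uniqueName="administrator">
    <portal-role object-ref="com.example.layout.portlet.hello" role-type="Privileged User"/>
    <portal-role object-ref="com.example.layout.nav.hello" role-type="User"/>
  </application-role>
  <application-role uniqueName="Monitor">
    <portal-role object-ref="com.example.layout.portlet.hello" role-type="User"/>
  </application-role>
  <application-role uniqueName="com.example.layout.reviewer">
    <portal-role object-ref="com.example.layout.portlet.hello" role-type="User"/>
    <portal-role object-ref="com.example.layout.portlet.missing" role-type="User"/>
  </application-role>
</ibm-portal-security>
"""

# Constructed set of resource unique names taken from the topology descriptor.
# "portlet.orphan" is protected by no role, so it will be unavailable to everyone.
SAMPLE_TOPOLOGY = {
    "com.example.layout.portlet.hello",
    "com.example.layout.nav.hello",
    "com.example.layout.portlet.orphan",
}


def lint_descriptor(xml_text, topology_names):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "ibm-portal-security":
        findings.append(("error", f"root element is <{root.tag}>, expected <ibm-portal-security>"))
        return findings

    protected = set()
    for app_role in root.findall("application-role"):
        name = app_role.get("uniqueName")
        if not name:
            findings.append(("error", "application-role without a uniqueName attribute"))
            continue
        if name.lower() in SERVER_ROLES and name != name.lower():
            # A server role in the wrong case cannot be created at deployment.
            findings.append(("error", f"role '{name}' must be written '{name.lower()}'"))
        elif name != name.lower():
            findings.append(("warning", f"new role '{name}' should use lowercase characters"))

        for portal_role in app_role.findall("portal-role"):
            ref = portal_role.get("object-ref")
            role_type = portal_role.get("role-type")
            if ref not in topology_names:
                findings.append(("error", f"role '{name}': object-ref '{ref}' is not in the topology descriptor"))
            else:
                protected.add(ref)
            if role_type not in ROLE_TYPES:
                # Covers a missing attribute as well as a wrong value such as "user".
                findings.append(("error", f"role '{name}': role-type {role_type!r} is not one of {sorted(ROLE_TYPES)}"))

    # Every topology resource that no role covers is unavailable to any user.
    for ref in sorted(topology_names - protected):
        findings.append(("warning", f"resource '{ref}' is protected by no role and will be unavailable"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_descriptor(SAMPLE_DESCRIPTOR, SAMPLE_TOPOLOGY):
        print(f"{severity}: {message}")
```

Run it before packaging the application; a clean run returns no findings, and each error corresponds to a case the text says the deployment will reject or the console will silently leave inaccessible.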
The console module samples provide examples of how to develop
the elements of the portal security descriptor.