IBM BS029ML Self Help Guide - Page 108
Understanding the hierarchy of protected resources is the key to having a clear picture of the permissions assigned to the nodes of the tree. Permission inheritance plays a crucial role in the runtime decision making of Portal Access Control (PAC): a role assigned on a node is also effective on the nodes beneath it, so a permission granted high in the tree reaches every descendant that does not carry its own configuration. Figure 4-3 shows the tree of protected resources within WebSphere Portal.

Figure 4-3 The tree of WebSphere Portal protected resources (figure not reproduced; nodes shown: Portal; Web Modules, Web Module; Portlet Applications, Portlet Application Definition, Portlet; Content Nodes, Content Root, Content Node; User Groups, User Group; Users, User, SelfEnrollment User; PSE Sources, PSE Source; External Access Control; Markups; WSRP, WSRP Export, WSRP Producer; URL Mapping Contexts, URL Mapping Context; XML Access; Event Handlers; Portal Settings; Virtual Portal; URL Mappings; Template Deployment. Legend: Virtual Resource, Protected Resource, Implicitly Protected Resource, Propagates permissions on WMM/S Membership.)

PAC is the single decision point within WebSphere Portal. It controls access to all protected portal resources. Figure 4-4 on page 95 showed the basic components of PAC. The central piece of PAC is the Access Control Engine, which implements the PAC API and provides the core support functions to the following components:

- Dynamic permission configuration is done in one of three ways: the administration portlets (the Resource Permissions portlet and the User and Group Permissions portlet), the XMLaccess configuration utility, or the Portal Scripting Interface (wpscript). All three call a set of Access Control commands, which in turn call the AccessControlConfigService.
- The portal runtime decision module is triggered when a user accesses a resource. Runtime access decisions are made by calling the AccessControlService.
- When WebSphere Portal is configured to use an external authorization engine, such as the Tivoli Access Manager authorization server, the portal provides a set of Service Provider Interfaces (SPIs) that interact directly with the Access Control Engine by calling the ExternalAccessControlService.

Most permission configuration should be assigned to groups rather than to individual users, which is more efficient to manage and to evaluate. Design the LDAP group structure and the user membership assignments carefully with this in mind. WebSphere Member Manager (WMM) supports static, dynamic, mixed, and nested groups.
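To make the interaction between the resource hierarchy, inheritance and group-based assignment concrete, the following Python model walks a small protected-resource tree and resolves nested group membership the way the text describes. It is an added illustration written for this page, not PAC's own code or API: the node names, role names, group DNs and users are constructed, the tree is reduced to a parent chain, and features the page does not cover (private resources, role blocks, external authorization) are left out.

```python
"""Simplified model of how hierarchical permission inheritance and group
membership combine into an access decision in a WebSphere Portal-style
protected-resource tree. Added illustration, not PAC's own code: node names,
role names, group DNs and users below are constructed."""

from dataclasses import dataclass, field
from typing import Dict, Iterator, Optional, Set


@dataclass
class Resource:
    """One node of the protected-resource tree. A node with no mappings of
    its own (an implicitly protected resource) still inherits from its parent."""
    name: str
    parent: Optional["Resource"] = None
    # role name -> subjects (user or group identifiers) mapped directly on this node
    roles: Dict[str, Set[str]] = field(default_factory=dict)

    def ancestors_and_self(self) -> Iterator["Resource"]:
        node = self
        while node is not None:
            yield node
            node = node.parent


class Directory:
    """Constructed stand-in for WMM group membership. Membership is resolved
    transitively so nested groups work (a group that is a member of a group)."""

    def __init__(self, members: Dict[str, Set[str]]):
        self.members = members  # group -> direct members (users or groups)

    def groups_of(self, user: str) -> Set[str]:
        found: Set[str] = set()
        pending = [user]
        while pending:
            subject = pending.pop()
            for group, direct in self.members.items():
                if subject in direct and group not in found:
                    found.add(group)
                    pending.append(group)  # follow nesting one level up
        return found


def effective_subjects(resource: Resource, role: str) -> Set[str]:
    """Subjects holding `role` on `resource`, either mapped on the node itself
    or inherited from any ancestor up to the root of the tree."""
    subjects: Set[str] = set()
    for node in resource.ancestors_and_self():
        subjects |= node.roles.get(role, set())
    return subjects


def has_role(directory: Directory, user: str, resource: Resource, role: str) -> bool:
    """Runtime decision: the user holds the role directly, or through any
    (possibly nested) group that holds it on the node or on an ancestor."""
    subjects = effective_subjects(resource, role)
    return user in subjects or bool(directory.groups_of(user) & subjects)


# Constructed sample tree: Content Root -> Home page -> Finance page.
CONTENT_ROOT = Resource("Content Root", roles={"User": {"cn=Employees,o=default"}})
HOME = Resource("wps.Home", CONTENT_ROOT, roles={"Editor": {"cn=ContentEditors,o=default"}})
FINANCE = Resource("wps.Home.Finance", HOME)  # implicitly protected: no mappings of its own

# Constructed group membership: FinanceEditors is nested inside ContentEditors.
DIRECTORY = Directory({
    "cn=Employees,o=default": {"uid=alice", "uid=bob"},
    "cn=ContentEditors,o=default": {"cn=FinanceEditors,o=default"},
    "cn=FinanceEditors,o=default": {"uid=alice"},
})

if __name__ == "__main__":
    for user in ("uid=alice", "uid=bob"):
        for role in ("User", "Editor"):
            print(f"{user} {role} on {FINANCE.name}: {has_role(DIRECTORY, user, FINANCE, role)}")
```

Nothing is mapped on the Finance page itself, yet alice is an Editor there: the Editor role is inherited from the Home page, and she reaches the ContentEditors group only through the nested FinanceEditors group. Both users get the User role on every page from a single group mapping at the Content Root, which is the point of assigning to groups high in the tree rather than to individual users on individual nodes.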