Portal Roles

Setting Up Portal Roles in SAP Enterprise Portal 6.
0
Julia Levedag, Vera Gutbrod RIG and Product Management
SAP AG
Learning Objectives
As a result of this workshop, you will be able to:

Understand the Concept of Portal Roles Administer Roles and other Portal Content Define Portal Navigation Learn about the Context of Roles and Permissions Understand the Concept of Delegated Administration
SAP AG 2003, TechED_Basel / Session PRTL-255, Levedag/Gutbrod / 02.10.03
Agenda
Introduction of Role Concept Roles and Content Objects Role Maintenance Navigation and User Assignment Permissions vs. Authorizations Permissions and Delegated Administration
Role Concept: Why Create Roles?

Only by creating roles are you able to assign different pieces of content to different groups of users.
Role 1
Group 1 User 1
Role 2
Group 2
Content 1
Content 2
Content 3
Content 4
Content 5
Role Management: Examples
Project Leader
Market Analyst
Customer Credit Manager
One enterprise portal to cover different user roles One enterprise portal to cover different user roles
What are Portal Roles?

A role is a container for applications and information that can be assigned to a particular group of users. The content of a role enables users to perform the tasks in their respective job description. The content of a role is based on the company structure and on the information needs of the portal users in the company. The portal navigation structure is defined by the sum of the roles assigned to the user. Technically, a role is a hierarchy of folders containing other portal content objects. Roles can be assigned to users or groups of users, i.e. the portal role connects users (or groups of users) to the portal content. User Group 1 User Group 2
Role A
Role Assignment
What are Worksets?

A role usually consists of one or more worksets that bundle applications and information. A workset is a collection of applications and information that belong together from a semantic point of view because they are part of the same activity area (e.g. controlling or budgeting) of a user. Whereas a role is based on global company structures, a workset is based on user-specific tasks or activities (for example, My Budget or My Staff are worksets in the Manager role). Worksets are building blocks for roles: One workset can be used within several roles, and one role can consist of several worksets. Technically, a workset is a hierarchy of folders that contains other portal content objects. Worksets cannot be assigned to users (only roles can be assigned to users).
Workset A
Workset Assignment
Role 1
Role 2
Relationship Between Roles and Worksets: Example
Role
Sales Manager
Team Lead Key Account Manager
Sell products Improve relationships Send product information Track order fulfillment Negotiate
Worksets Activities
Budget
Promotion Manager
Market Watch
Monitoring Planning Approving Forecasting Activity assignment Hiring Communication Create promotions Run promotions Track status Analyze impact Monitor/analyze key figures Watch competitors Create sales/ promotion strategies Explore market
Roles, Users and Content
User 1
User 2
Assignment
Assignment
Role E Role A Role B Role C Role D
Portal Roles and SAP Roles

SAP Roles Depend on SAP component (FI, BC etc.); content of a SAP role always refers to a certain SAP system Portal Roles Independent of application; contain all kinds of information (heterogeneous content): SAP and non-SAP applications, documents, Internet and Intranet information Based on the structure of the company and the information needed by the users Classification of users according to information needs competence and responsibility Carrier of the navigation information for the portal user Concept of roles and worksets
Based on user tasks in a SAP system; relevant for creation of the role-based SAP Easy Access Menu Classification of users according to task authorization Carrier of authorization profile information Concept of single and composite roles
Summary
Portal roles define the content and tasks that a user can access in the portal how the user can access the content (=navigation options in the portal)
Note: Portal roles have no effect on authorizations in the backend system.
Agenda
Portal Content Directory (PCD)

The Portal Content Directory (PCD) is the central persistence store for all portal objects. This includes, for example, storage of the metadata for the content objects (roles, worksets, etc.) and the relationship between the objects.
Portal Content (Portal Content Directory) Roles Worksets Pages iViews
iViews and Pages on the Portal Desktop
A portal page is a container for different iViews.
Roles
Role Roles are the largest semantic units within content objects. They include folder hierarchies consisting of folders, worksets, pages and iViews. The role structure also defines the navigation structure of the portal. Roles are assigned to users.
Workset
iViews and Pages
Folder
Page
iView
Agenda
Portal Catalog and Portal Content Studio

All content objects (like roles, worksets, iViews, and pages) are available in the Portal Catalog and are maintained in the Portal Content Studio:
The Portal Catalog provides a central access point to all portal content objects stored in the PCD. It permits you to store, manage and organize content in a structured hierarchy.
The Portal Content Studio provides a central environment for developing and managing portal content, including iViews, pages, layouts, worksets, roles and transport packages.
Creating Roles (1)

In the content administration role, choose Content Administration -> Portal Content.
You create roles by clicking the right mouse button. The wizard for creating new roles is started.
Creating Roles (2): Role Wizard
Enter general properties for the new role.
Enter the folder for storing the new role in the Portal Catalog.
Check all properties. The new role is created and is now visible in the Role Editor.
Creating Roles (3): Role Editor
Create the role hierarchy and add content objects (roles, worksets, pages, iViews) to the role as delta link. You create worksets in the same way as roles. For worksets, use the Workset Editor.
Change the properties in the Property Editor (optional)
Roles and Worksets as Containers of Other Objects

Roles and worksets are created by:
Building structural hierarchies Adding content objects to these hierarchies
Objects that can be added to a role: roles, worksets, iViews, pages Objects that can be added to a workset: worksets, iViews, pages
Objects are added to roles and worksets as delta links.
Role A Role 1 Workset 1 Page 1 iView 1

add as add as add as add as
Delta link Delta link Delta link Delta link
Role 1 Workset 1 Page 1 iView 1
Delta Links
All content objects can be related to each other using delta links. A delta link is a relationship between two objects (source and target object) of the Portal Content Directory. The source object is the object that passes its property values to a target object that is derived from the source object (=principle of inheritance of properties). Delta links allow you to change the target objects, that means additions, deletions and changes to property values and structure hierarchies. Thus delta links are valid for structural hierarchies (for example in roles and worksets) and properties values (for example in iViews and pages). Changes made to the source object are copied to the target object and are visible there. Changes made to the target object have no effect on the source object. Source objects are protected against modifications.
Workset 1 Structure Properties Source object
Delta link
Workset 2 Structure Properties Target object
Creation of Portal Roles: Summary
1. Log on as super administrator or content administator. 2. Open Portal Catalog. 3. Create new role. 4. Specify storage of role. 5. Add objects to role. 6. Define entry points. 7. Save.
Portal Catalog Role Wizard
Role Editor
Agenda
Roles and Worksets Define the Navigational Structure of SAP Enterprise Portal
Top-Level Navigation Detailed Navigation
Portal content (pages and iViews) can be navigated by clicking entries in the top-level navigation and/or detailed navigation. The navigation entries are derived from the structures of roles and worksets. The administrator defines which nodes of a role or workset should be visible as navigation entries for the user of the portal.
Top-Level Navigation and Entry Points
Entry points: these are the nodes in a role or workset structure that are defined as tabs (entry points) for top-level navigation.
Defining Entry Points
In the Role Editor: Click on a role node in the role structure and define it as the entry point. Entry points are highlighted in the role structure.
Detailed Navigation
First level (= entry point) Second level of top-level navigation Third level (inside detailed navigation)
Everything in the role structure that is on the third level and lower appears in the detailed navigation.
Role Assignment to Users/User Groups

In the user administration role, choose User Administration -> Role Assignment. 1. Select the users and groups to which you want to assign a role. Search for the roles and add them to the selected user or group:
2.
Select the roles to which you want to assign a user or group. Search for the users and groups and add them to the selected roles:
Agenda
Portal Permissions
Portal permissions define the access rights of portal users to portal objects. Permissions in the portal are based on access control list (ACL) methodology. By defining permissions, you enable the delegation of administrative tasks and content in the portal environment. Objects in the Portal Content Directory (PCD) have two sets of permissions: administrator and end user. This distinction is necessary to control what an administrator sees in the portal administration environment (at design time) and what is seen in the end user environment (at runtime).
Note: Permissions in SAP Enterprise Portal are not authorizations in the backend system.
Portal Roles vs. Authorizations
Enterprise Portal
Role Definition
SAP Systems
Enterprise Apps
CM Systems
Others
Authorizations
No maintenance of authorizations for SAP systems in SAP Enterprise Portal. Authorizations are still maintained in the SAP system.
Portal Roles and Authorizations in SAP Systems

Portal role in SAP Enterprise Portal
Portal Roles
Authorization role in the SAP system

Authorization Roles
Export / Distribution
Contain transactions Contain transactions from different SAP systems from different SAP systems
Authorization roles are created in the Authorization roles are created in the SAP systems and assigned to users. SAP systems and assigned to users. Authorizations are still maintained with Authorizations are still with Transaction PFCG Transaction PFCG
Agenda
Roles & Permissions

A typical use case to understand the context of roles and permissions is to understand the principles of delegated administration.
Roles will provide the assigned users with content. Permissions in the portal context will provide access to content objects stored in the Portal Content Directory:
Administrators: With ACLs access to any object in the Portal Catalog is defined for administrators. End Users: With ACLs access for end-users is defined content structures within the Portal Catalog are visible; iViews can be executed by end users or not.
Delegated Administration
Delegated Administration needs to be realised to distribute administration tasks within a complex organisation. That means you have to distribute and controle...
Administration and Maintenance of content like portal roles Administration and Maintenance of system configuration like UM configuration, monitoring configuration, service configuration, etc. Administration and Maintenance of user information (e.g. Users, Groups, User-Role Assignment, ...)
Delegated Administration is realised by different portal tools like

Predefined customizable administration roles ACLs on folder hierarchies in the portal content catalog User Admin permissions on the User Administration role
Delegated Administration: Business Scenario

Delegation of tasks
I. Create a system ABC II. Create iView for system ABC III. Assign iView to page/ role IV. Assign Role to users
System Administrator Content Administrator Content Administrator
User Administrator
Roles
System ABC iView ABCiview page/role assignment user-role assignment
Definition of ACLs for the different administration views of portal content catalog necessary!
Concepts Delegated Administration

Delegated Administration
Who is administrator?
How to put PCD objects in the right order?
Create organisational tree for administrators
How to define access to PCD objects?
Define folder structure for Portal Catalog
Define permissions on folders and objects How to establish an administration process among different administrators?
Preconfigured Administration Roles

Role
Super Administrator assigned to initial SAP* User Full Control access on whole Portal Content Catalog Tree Access on all admin tools of Content Administrator Role of System Administrator Role of User Administration Role Content Administrator access on all Content Administration tools for creation of roles, worksets, pages, iViews, layouts access on all editors to maintain content e.g. Permission Editor, Property Editor access on all parts of tree hierarchy of Portal Content Catalog if the right ACLs have been defined System Administrator access on all tools for system administration such as system configuration, transports, permissions, monitoring, support, portal display access on all parts of tree hierarchy of Portal Content Catalogs if the right Acls have been defined User Administrator access on all tools for user administration to create and maintain users, administrate the role-user assignment, user mapping administration, user Replication, Group administration, etc.
Function
Admin Roles and Portal Catalog Objects

Super admin Content admin 1 Content admin 2 Content admin 3 System admin 1 System admin 2 System admin 3 + ACL + ACL + ACL + ACL + ACL + ACL
Content administrators are responsible for content objects in the Portal Catalog.
ACLs define the access and allowed action for content objects like folders, roles, worksets, pages, iViews and templates.
System administrators are responsible for system administration tasks and objects.
ACLs define the access and allowed actions for objects like transport packages or systems.
User admin 1 User admin 2 User admin 3
Set Action Set Action Set Action
User administrators are responsible for users related tasks.

Role-User Assignment can be controlled by permissions set for user management role.
Designtime Permission (Administration)

Portal Catalog
NONE READ
Create/ Delete Objects

Folder & objects not visible Create from Templates with READ permission
Edit Objects
Folder & objects not visible Folder & objects visible Copy objects No Edit Folder & objects visible Edit object properties Edit assigned delta links Folder & objects visible Edit object properties Edit assigned delta links Folder & objects visible Edit object properties Edit assigned delta links Edit permissions
Worksets Pages Systems

ACL Check on Folder Level and on Object Level READ/ WRITE
No delete! Create from Templates with READ permission Delete objects Create from Templates with READ permission Delete objects Create from Templates with READ permission
FULL CONTROL
Administrator Permissions Check during creation process for objects Check when accessing objects
OWNER
Runtime Permissions (End User)

Personalize Page
USE
Navigation
Navigation iViews (TLN, detailed navigation, Drag&Relate targets, related links) only display roles and objects that have end-user permission. For display of objects in navigation the ACL is checked on the object level. Direct URL access to a component: Users may access portal components through URL without an intermediate iView if they are granted USE permission in the appropriate security zone. Direct access to an iView USE permission is required
Personalization
User Interfaces in the end user environment that display the portal content catalog (such as personalize page) only display objects that have end user permission.
Worksets Pages Systems

ACL Check on Folder Level and on Object Level
End User Permissions Check for Navigation Check for in Personalize Page Component Check if calling component via URL
Example: Delegated Content Administration *

Portal Content
Editing
A all = READ B all = READ
Edit_1 Editor_A => includes all objects of area edit_1 such as iViews, pages, worksets and roles iViews Pages Worksets
User A = FULL CONTROL User B = READ
User A = FULL CONTROL User B = None User C = WRITE
Roles Editor_B => includes all objects of area edit_1 Public Templates News
User A = FULL CONTROL User B = Read
Knowledge Portal Personalization Administrator Ressources
* View of a Portal Administrator on the Portal Catalog!

Example: Delegated System Administration

System Administrators have access to different views of the Portal Catalog. The role system administrator comprises several tools to access objects like
Transport Packages stored in the Portal Catalog Permissions to be maintained through the Portal Catalog System Landscape Objects - to be defined in the Portal Catalog. Access to several portal objects is limited to the role system administrator. Access to certain folders and objects for users with role system administrator will be defined via ACL.
Delegated System Administration Transport

When creating transport packages to export content READ/WRITE access is required on a particular folder.
Delegated System Administration Export

When defining content to be included into a transport package ACLs are checked as follows:
Only objects can be included if as a minimum READ permission for the object is given. During export depending objects are only included if the request user has READ permission for them.
Delegated System Administration Import
A user assigned to the system administrator role can import any packages stored in the import directory. The import into the Portal Content Directory can only be done if the reuqest user has READ/WRITE permission to any folder in which the transported object needs to be stored.
Delegated System Administration Create Systems

For creating a new system the request user needs to have the following ACLs:
READ/WRITE for the folder in which the system object will be created READ for the system template on which the object is based
Delegated System Administration Create Systems

When creating a system object based on a template at least READ permission is required for the request user. The permission needs to be defined for the template object. A system administrator may only create systems but cannot define an iView pointing to that system. To do so the content administrator role is needed.
Delegated Administration Systems & iViews

To create an iView based on that system it is necessary to be assigned to the content administration role. The content administrator therefore needs READ permission for the system to create a working iView based on the system object.
Example: Delegated User Administration

Delegated user administration allows you to distribute user administration between several administrators so that each administrator is responsible for a particular set of users. For Delegated User Administration you have to distinguish between
Overall User Administrators can add, modify and delete users of all companies. They can create and administer delegated user administrators and assign them appropriate roles and permissions. In addition the following tasks can only be performed by an overall user
Group Management Role Management User Mapping Import and Export of user data Replication of user data
Delegated User Administrators can add, modify and delete users that belong to the same company as the delegated user administrator.
Delegated User Administration Company Concept

Delegated User Administration based on company concept:
A company is a set of users User administration can be done per company, by a company administrator for all the users within that company
2.
1. 3.
Permissions assigned to User Administration Role

Contains permissions by an overall user admin: Administration of users belonging to any company and possibility of assigning users to companies Group management Role assignment User mapping Import and export of user data Manual replication of user data Contains permission required by an delegated user administrator: Administration of users belonging to the same company as the administrator Role assignment: Permissions to assign roles to users belonging to the same company as the administrator. No permissions to assign roles to groups. Any role to which this action is assigned has Owner permissions on all objects in the Portal Content Catalog. It is not possible to remove this permission in the permission editor. This action is designed for super administrators that are not responsible for overall user administration. A combination of the permissions of Full User Administration and Full ACL Administration. By default, this action is assigned to the Super Administration role only.
Full user administration
Delegated User Administration
Full ACL Administration Full User Administration, Full ACL Administration
Configuration of Delegated User Administration using Companies

1. 2. 3. 4. 5. 6.
Define the required companies Create a role for delegated user administrators Enable Check ACL for Role Assignment Component Assign appropriate properties to delegated user administration role Define one or more delegated user administrators for each company Assign users to companies using options like
Overall user administrator uses administration console User is registered via approval workflow Overall user administrator uses user import function and use the Org_ID attribute to assign a company to users
If the company concept is enabled, the list of users for role assignment is limited
Create Delegated User Administrator Role

Create a different User Administrators
UserAdmin_1
Add the original user administrator role per delta link to a new role Assign the role user_admin
Enable Check ACLs for Role Assignment
For iView com.sap.portal.roleAssignment enable property CheckACL = true
Define Permission for delegated user admin role

The role for the Delegated User Administrators needs to be edited: Change property User Admin Permission to Delegated Administration.
Summary
Roles define what content can be seen by the end user/administator.
Roles are a standard portal feature for structuring content for user groups and/ or single users.
Roles define how content is represented at the users desktop.

Roles and navigation structures are closely interrelated.
Roles can be used as containers for portal content.

Portal content is provided by content objects such as worksets, pages and iViews. It becomes available to users by assignment to roles.
Roles connect the portal user with the content.

Roles can be assigned to users or user groups.
Roles and portal content need to be combined with permissions.

Access Control Lists (ACLs) define what content can be seen by which administrator. ACLs define what content the end user can execute.
Portal roles do not contain authorizations for SAP systems.

Authorizations for SAP systems are maintained in the SAP system.
Copyright 2003 SAP AG. All Rights Reserved

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, WINDOWS, NT, EXCEL, Word, PowerPoint and SQL Server are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix and Informix Dynamic ServerTM are trademarks of IBM Corporation in USA and/or other countries. ORACLE is a registered trademark of ORACLE Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, the Citrix logo, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, MultiWin and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc. HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. JAVA is a registered trademark of Sun Microsystems, Inc. JAVASCRIPT is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MarketSet and Enterprise Buyer are jointly owned trademarks of SAP AG and Commerce One. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies.

Portal Roles

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Portal Roles

Uploaded by

Copyright:

Available Formats

Setting Up Portal Roles in SAP Enterprise Portal 6.

As a result of this workshop, you will be able to:

SAP AG 2003, TechED_Basel / Session PRTL-255, Levedag/Gutbrod / 02.10.03

SAP AG 2003, TechED_Basel / Session PRTL-255, Levedag/Gutbrod / 02.10.03

Role Concept: Why Create Roles?

SAP AG 2003, TechED_Basel / Session PRTL-255, Levedag/Gutbrod / 02.10.03

Role Management: Examples

Customer Credit Manager

What are Portal Roles?

SAP AG 2003, TechED_Basel / Session PRTL-255, Levedag/Gutbrod / 02.10.03

What are Worksets?

SAP AG 2003, TechED_Basel / Session PRTL-255, Levedag/Gutbrod / 02.10.03

Relationship Between Roles and Worksets: Example

SAP AG 2003, TechED_Basel / Session PRTL-255, Levedag/Gutbrod / 02.10.03

Roles, Users and Content

Role E Role A Role B Role C Role D

SAP AG 2003, TechED_Basel / Session PRTL-255, Levedag/Gutbrod / 02.10.03

Portal Roles and SAP Roles

Note: Portal roles have no effect on authorizations in the backend system.

SAP AG 2003, TechED_Basel / Session PRTL-255, Levedag/Gutbrod / 02.10.03

SAP AG 2003, TechED_Basel / Session PRTL-255, Levedag/Gutbrod / 02.10.03

Portal Content Directory (PCD)

Portal Content (Portal Content Directory) Roles Worksets Pages iViews

SAP AG 2003, TechED_Basel / Session PRTL-255, Levedag/Gutbrod / 02.10.03

iViews and Pages on the Portal Desktop

A portal page is a container for different iViews.

SAP AG 2003, TechED_Basel / Session PRTL-255, Levedag/Gutbrod / 02.10.03

iViews and Pages

SAP AG 2003, TechED_Basel / Session PRTL-255, Levedag/Gutbrod / 02.10.03

SAP AG 2003, TechED_Basel / Session PRTL-255, Levedag/Gutbrod / 02.10.03

Portal Catalog and Portal Content Studio

Creating Roles (1)

SAP AG 2003, TechED_Basel / Session PRTL-255, Levedag/Gutbrod / 02.10.03

Creating Roles (2): Role Wizard

Enter general properties for the new role.

SAP AG 2003, TechED_Basel / Session PRTL-255, Levedag/Gutbrod / 02.10.03

Creating Roles (3): Role Editor

Change the properties in the Property Editor (optional)

Roles and Worksets as Containers of Other Objects

Objects are added to roles and worksets as delta links.

Role A Role 1 Workset 1 Page 1 iView 1

Delta link Delta link Delta link Delta link

Role 1 Workset 1 Page 1 iView 1

SAP AG 2003, TechED_Basel / Session PRTL-255, Levedag/Gutbrod / 02.10.03

Workset 2 Structure Properties Target object

Creation of Portal Roles: Summary

Portal Catalog Role Wizard

SAP AG 2003, TechED_Basel / Session PRTL-255, Levedag/Gutbrod / 02.10.03

SAP AG 2003, TechED_Basel / Session PRTL-255, Levedag/Gutbrod / 02.10.03

Top-Level Navigation Detailed Navigation

SAP AG 2003, TechED_Basel / Session PRTL-255, Levedag/Gutbrod / 02.10.03

Top-Level Navigation and Entry Points

SAP AG 2003, TechED_Basel / Session PRTL-255, Levedag/Gutbrod / 02.10.03

Defining Entry Points

SAP AG 2003, TechED_Basel / Session PRTL-255, Levedag/Gutbrod / 02.10.03

SAP AG 2003, TechED_Basel / Session PRTL-255, Levedag/Gutbrod / 02.10.03

Role Assignment to Users/User Groups

SAP AG 2003, TechED_Basel / Session PRTL-255, Levedag/Gutbrod / 02.10.03

SAP AG 2003, TechED_Basel / Session PRTL-255, Levedag/Gutbrod / 02.10.03

SAP AG 2003, TechED_Basel / Session PRTL-255, Levedag/Gutbrod / 02.10.03

Portal Roles vs. Authorizations

Portal Roles and Authorizations in SAP Systems

Authorization role in the SAP system