Portal Roles
Julia Levedag, Vera Gutbrod RIG and Product Management
SAP AG
Learning Objectives
Agenda
Introduction of Role Concept
Roles and Content Objects
Role Maintenance
Navigation and User Assignment
Permissions vs. Authorizations
Permissions and Delegated Administration
[Diagram labels: Role 1, Role 2; Group 1, Group 2, User 1; Content 1 to Content 5; Project Leader, Market Analyst]
One enterprise portal to cover different user roles
SAP AG 2003, TechED_Basel / Session PRTL-255, Levedag/Gutbrod / 02.10.03
[Diagram labels: Role A, Role Assignment; Workset A, Workset Assignment; Role 1, Role 2]
Role
Sales Manager
Team Lead Key Account Manager
Sell products; Improve relationships; Send product information; Track order fulfillment; Negotiate
Worksets Activities
Budget
Promotion Manager
Market Watch
Monitoring; Planning; Approving; Forecasting; Activity assignment; Hiring; Communication; Create promotions; Run promotions; Track status; Analyze impact; Monitor/analyze key figures; Watch competitors; Create sales/promotion strategies; Explore market
[Diagram labels: User 1, User 2; Assignment]
Based on user tasks in a SAP system; relevant for creation of the role-based SAP Easy Access Menu
Classification of users according to task authorization
Carrier of authorization profile information
Concept of single and composite roles
Summary
Portal roles define:
the content and tasks that a user can access in the portal
how the user can access the content (= navigation options in the portal)
Roles
Role
Roles are the largest semantic units within content objects. They include folder hierarchies consisting of folders, worksets, pages and iViews. The role structure also defines the navigation structure of the portal. Roles are assigned to users.
Workset
Folder
Page
iView
The Portal Catalog provides a central access point to all portal content objects stored in the PCD. It permits you to store, manage and organize content in a structured hierarchy.
The Portal Content Studio provides a central environment for developing and managing portal content, including iViews, pages, layouts, worksets, roles and transport packages.
You create roles by clicking the right mouse button. The wizard for creating new roles is started.
Enter the folder for storing the new role in the Portal Catalog.
Check all properties. The new role is created and is now visible in the Role Editor.
Create the role hierarchy and add content objects (roles, worksets, pages, iViews) to the role as delta links. You create worksets in the same way as roles. For worksets, use the Workset Editor.
Delta Links
All content objects can be related to each other using delta links.
A delta link is a relationship between two objects (source and target object) of the Portal Content Directory.
The source object is the object that passes its property values to a target object that is derived from the source object (= principle of inheritance of properties).
Delta links allow you to change the target objects, that is, to make additions, deletions and changes to property values and structure hierarchies. Thus delta links are valid for structural hierarchies (for example in roles and worksets) and property values (for example in iViews and pages).
Changes made to the source object are copied to the target object and are visible there.
Changes made to the target object have no effect on the source object. Source objects are protected against modifications.
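The inheritance rules above can be modelled in a few lines. This is an added example, not code from the original slides or from SAP; the class names, method names and sample properties are hypothetical, and it assumes that a property changed or deleted on the target keeps the target's value when the source changes later.

```python
# Conceptual model of delta-link inheritance; class and method names are
# hypothetical and are not SAP Enterprise Portal APIs.
_DELETED = object()  # marker for a property removed on the target only


class PcdObject:
    """A content object holding its own property values."""

    def __init__(self, name, **props):
        self.name = name
        self.props = dict(props)

    def effective(self):
        return dict(self.props)

    def set(self, key, value):
        self.props[key] = value


class DeltaLinkTarget(PcdObject):
    """Target object derived from a source; stores only its own changes."""

    def __init__(self, name, source):
        super().__init__(name)
        self.source = source  # never written to: the source stays protected

    def delete(self, key):
        self.props[key] = _DELETED

    def effective(self):
        merged = self.source.effective()       # inherited values, read live
        for key, value in self.props.items():  # then the target's own delta
            if value is _DELETED:
                merged.pop(key, None)
            else:
                merged[key] = value
        return merged

    def delta(self):
        """What differs from the source: useful when reviewing a derived object."""
        return {k: ("<deleted>" if v is _DELETED else v) for k, v in self.props.items()}


# Constructed sample objects
src = PcdObject("iview_sales_report", title="Sales Report", height=300, personalizable=True)
tgt = DeltaLinkTarget("iview_sales_report_emea", src)
tgt.set("title", "Sales Report EMEA")  # change on the target
tgt.delete("personalizable")           # deletion on the target
tgt.set("region", "EMEA")              # addition on the target
src.set("height", 450)                 # later change on the source, visible on the target
```

Reviewing `delta()` on a derived object shows exactly where it departs from its source, which is the part an administrator has to check after the source is changed.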
[Diagram labels: Workset 1; Structure; Properties; Source object; Delta link]
1. Log on as super administrator or content administrator.
2. Open Portal Catalog.
3. Create new role.
4. Specify storage of role.
5. Add objects to role.
6. Define entry points.
7. Save.
Role Editor
Roles and Worksets Define the Navigational Structure of SAP Enterprise Portal
Portal content (pages and iViews) can be navigated by clicking entries in the top-level navigation and/or detailed navigation. The navigation entries are derived from the structures of roles and worksets. The administrator defines which nodes of a role or workset should be visible as navigation entries for the user of the portal.
Entry points: these are the nodes in a role or workset structure that are defined as tabs (entry points) for top-level navigation.
In the Role Editor: Click on a role node in the role structure and define it as the entry point. Entry points are highlighted in the role structure.
Detailed Navigation
First level (= entry point)
Second level of top-level navigation
Third level (inside detailed navigation)
Everything in the role structure that is on the third level and lower appears in the detailed navigation.
2.
Select the roles to which you want to assign a user or group. Search for the users and groups and add them to the selected roles:
Portal Permissions
Portal permissions define the access rights of portal users to portal objects. Permissions in the portal are based on access control list (ACL) methodology. By defining permissions, you enable the delegation of administrative tasks and content in the portal environment. Objects in the Portal Content Directory (PCD) have two sets of permissions: administrator and end user. This distinction is necessary to control what an administrator sees in the portal administration environment (at design time) and what is seen in the end user environment (at runtime).
Note: Permissions in SAP Enterprise Portal are not authorizations in the backend system.
[Diagram labels: Enterprise Portal; Role Definition; SAP Systems; Enterprise Apps; CM Systems; Others]
Authorizations
No maintenance of authorizations for SAP systems in SAP Enterprise Portal. Authorizations are still maintained in the SAP system.
Export / Distribution
Contain transactions from different SAP systems
Authorization roles are created in the SAP systems and assigned to users. Authorizations are still maintained with Transaction PFCG
Delegated Administration
Delegated administration is needed to distribute administration tasks within a complex organisation. That means you have to distribute and control:
Administration and maintenance of content like portal roles
Administration and maintenance of system configuration like UM configuration, monitoring configuration, service configuration, etc.
Administration and maintenance of user information (e.g. users, groups, user-role assignment, ...)
[Diagram labels: User Administrator; Roles; System ABC; iView ABCiview; page/role assignment; user-role assignment]
ACLs must be defined for the different administration views of the portal content catalog.
Who is administrator?
Define permissions on folders and objects
How to establish an administration process among different administrators?
Function
Content administrators are responsible for content objects in the Portal Catalog.
ACLs define the access and allowed actions for content objects like folders, roles, worksets, pages, iViews and templates.
System administrators are responsible for system administration tasks and objects.
ACLs define the access and allowed actions for objects like transport packages or systems.
Edit Objects
Folder & objects not visible
Folder & objects visible; Copy objects; No Edit
Folder & objects visible; Edit object properties; Edit assigned delta links
Folder & objects visible; Edit object properties; Edit assigned delta links
Folder & objects visible; Edit object properties; Edit assigned delta links; Edit permissions
No delete!; Create from Templates with READ permission
Delete objects; Create from Templates with READ permission
Delete objects; Create from Templates with READ permission
FULL CONTROL
Administrator Permissions
Check during creation process for objects
Check when accessing objects
OWNER
Navigation
Navigation iViews (TLN, detailed navigation, Drag&Relate targets, related links) only display roles and objects that have end-user permission. To display objects in navigation, the ACL is checked at the object level.
Direct URL access to a component: Users may access portal components through a URL without an intermediate iView if they are granted USE permission in the appropriate security zone.
Direct access to an iView: USE permission is required.
Personalization
User interfaces in the end user environment that display the portal content catalog (such as Personalize Page) only display objects that have end user permission.
End User Permissions
Check for navigation
Check in Personalize Page component
Check when calling a component via URL
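The navigation levels described under "Detailed Navigation" and the object-level end-user ACL check can be combined in one small model. This is an added example, not code from the original slides or from SAP; the node names, group names and the `build_navigation` function are hypothetical, and it assumes that a node without end-user permission also hides everything below it in navigation.

```python
# Conceptual model of navigation filtering; all names are hypothetical, not SAP APIs.
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    end_user_acl: set = field(default_factory=set)  # principals with end-user permission
    entry_point: bool = False
    children: list = field(default_factory=list)


def build_navigation(role, principals):
    """Return (top_level, detailed) entries visible to a user's principals."""
    top_level, detailed = [], []

    def walk(node, level):
        # level 0 = above any entry point, 1 = entry point, 2 = second level, 3+ = detailed
        if level == 0 and node.entry_point:
            level = 1
        if level >= 1:
            # ACL is checked on the object itself, not inherited from the role
            if not (node.end_user_acl & principals):
                return  # assumption: a hidden node also hides its subtree
            (top_level if level <= 2 else detailed).append(node.name)
        for child in node.children:
            walk(child, level + 1 if level else 0)

    walk(role, 0)
    return top_level, detailed


# Constructed sample role structure and groups
ALL = {"grp_sales", "grp_managers"}
ROLE = Node("sales_manager_role", children=[
    Node("Sales", ALL, entry_point=True, children=[
        Node("Promotions", ALL, children=[
            Node("Run promotions", {"grp_sales"}),
            Node("Analyze impact", {"grp_managers"}),
        ]),
        Node("Budget", {"grp_managers"}, children=[
            Node("Approving", ALL),  # reachable in navigation only via Budget
        ]),
    ]),
])

SALES_NAV = build_navigation(ROLE, {"user1", "grp_sales"})
MANAGER_NAV = build_navigation(ROLE, {"user2", "grp_managers"})
```

The model only decides what is displayed in navigation. As the slide states, direct URL access to a component is governed separately by USE permission in the security zone, so an entry missing from navigation is not by itself an access restriction.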
Edit_1
Editor_A => includes all objects of area edit_1 such as iViews, pages, worksets and roles
iViews Pages Worksets Roles
Editor_B => includes all objects of area edit_1
Public Templates News
A user assigned to the system administrator role can import any packages stored in the import directory. The import into the Portal Content Directory can only be done if the requesting user has READ/WRITE permission to any folder in which the transported object needs to be stored.
Delegated User Administrators can add, modify and delete users that belong to the same company as the delegated user administrator.
Define the required companies
Create a role for delegated user administrators
Enable Check ACL for Role Assignment Component
Assign appropriate properties to delegated user administration role
Define one or more delegated user administrators for each company
Assign users to companies using options like:
Overall user administrator uses administration console
User is registered via approval workflow
Overall user administrator uses user import function and uses the Org_ID attribute to assign a company to users
If the company concept is enabled, the list of users for role assignment is limited.
Add the original user administrator role per delta link to a new role
Assign the role user_admin
Summary
Roles define what content can be seen by the end user/administrator.
Roles are a standard portal feature for structuring content for user groups and/or single users.