IBM BS029ML - WebSphere Portal Server Self Help Manual page 108

Understanding the hierarchy of protected resources is the key to having a clear picture of the
permissions assigned to the nodes on the tree. Permission inheritance plays a crucial
role in the runtime decision making of Portal Access Control (PAC). Figure 4-3 shows the tree of
protected resources within WebSphere Portal.
[Figure: tree diagram; legend: Virtual Resource, Protected Resource, Implicitly Protected Resource]
Figure 4-3 The tree of WebSphere Portal protected resources
PAC is the single decision point within WebSphere Portal. It controls access to all
protected portal resources. Figure 4-4 on page 95 shows the basic components of PAC. The
central piece of PAC is the Access Control Engine, which implements the PAC API and provides
the core support functions to different components:

- Dynamic permission configuration is accomplished in one of three ways: the
  admin portlets (the Resource Permission Portlet and the User and Group Permissions Portlet), the
  configuration utility called XMLaccess, or the Portal Scripting Interface (wpscript). They
  directly call a set of Access Control commands that in turn call the
  AccessControlConfigService.
- The portal runtime decision module is triggered when a resource is accessed by a user.
  Most of the permission configurations should be assigned to groups, which is more
  efficient than assigning them to individual users. Thus, one should carefully design the
  LDAP group structure and user membership assignment. WebSphere Member Manager
  Portal supports different group structures: static, dynamic, mixed, and nested groups.
  Portal runtime access decisions are made by calling AccessControlService.
- When WebSphere Portal is configured to use an external authorization engine, such as
  the Tivoli Access Control authorization server, portal provides a set of Service Provider
  Interfaces (SPIs) that can directly interact with the Portal Access Control Engine by calling
  ExternalAccessControlService.
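
The interplay of tree inheritance and group-based assignment described above can be pictured with a small model. This is an added example, not IBM code and not the PAC API: the page names below Content Nodes, the users, groups and permission names are constructed, and the model assumes grants simply accumulate from a node's ancestors.

```python
# Simplified model (added example): not IBM's PAC implementation or API.
# Resources below "Content Nodes", users, groups and permissions are constructed.

# child -> parent edges of the protected-resource tree
PARENT = {
    "Content Nodes": "Portal",
    "Content Root": "Content Nodes",
    "HR Page": "Content Root",
    "Payroll Page": "HR Page",
}

# group -> groups it is a direct member of (nested groups)
GROUP_MEMBER_OF = {"payroll-staff": {"hr-staff"}, "hr-staff": {"employees"}}
# user -> groups the user is a direct member of
USER_GROUPS = {"alice": {"payroll-staff"}, "bob": {"employees"}}

# (resource, principal) -> permissions granted at that node
GRANTS = {
    ("Content Root", "employees"): {"view"},
    ("HR Page", "hr-staff"): {"view", "edit"},
}


def principals(user):
    """The user plus every group reached through direct or nested membership."""
    seen, todo = {user}, list(USER_GROUPS.get(user, ()))
    while todo:
        group = todo.pop()
        if group not in seen:  # guards against cyclic group nesting
            seen.add(group)
            todo.extend(GROUP_MEMBER_OF.get(group, ()))
    return seen


def effective_permissions(user, resource):
    """Union of grants on the resource and on each ancestor up to the root."""
    who, perms, node = principals(user), set(), resource
    while node is not None:
        for principal in who:
            perms |= GRANTS.get((node, principal), set())
        node = PARENT.get(node)
    return perms


def is_allowed(user, action, resource):
    """Runtime decision: is the action in the user's effective permissions?"""
    return action in effective_permissions(user, resource)
```

Neither user holds a grant directly: alice can edit Payroll Page only through nested membership in hr-staff and the grant on the parent HR Page, which is why the group structure and the position of each grant in the tree both need review when auditing access.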
IBM WebSphere Portal V6 Self Help Guide