
Portal Roles

Date post: 05-Apr-2018
Upload: andro666

Transcript
  • 8/2/2019 Portal Roles


    Setting Up Portal Roles in SAP Enterprise Portal 6.0

    Julia Levedag, Vera Gutbrod

    RIG and Product Management

    SAP AG

    SAP AG 2003, TechED_Basel / Session PRTL-255, Levedag/Gutbrod / 02.10.03

    Learning Objectives

    As a result of this workshop, you will be able to:

    Understand the Concept of Portal Roles

    Administer Roles and other Portal Content

    Define Portal Navigation

    Learn about the Context of Roles and Permissions

    Understand the Concept of Delegated Administration

    Agenda

    Introduction of Role Concept

    Roles and Content Objects

    Role Maintenance

    Navigation and User Assignment

    Permissions vs. Authorizations

    Permissions and Delegated Administration

    Role Concept: Why Create Roles?

    [Diagram labels: Role 1, Role 2; User 1, Group 1, Group 2; Content 1 to Content 5]

    Only by creating roles are you able to assign different pieces of content to different groups of users.

    Role Management: Examples

    Customer Credit Manager

    Project Leader

    Market Analyst

    One enterprise portal to cover different user roles


    What are Portal Roles?

    A role is a container for applications and information that can be assigned to a particular group of users.

    The content of a role enables users to perform the tasks in their respective job description.

    The content of a role is based on the company structure and on the information needs of the portal users in the company.

    The portal navigation structure is defined by the sum of the roles assigned to the user.

    Technically, a role is a hierarchy of folders containing other portal content objects.

    Roles can be assigned to users or groups of users, i.e. the portal role connects users (or groups of users) to the portal content.

    [Diagram "Role Assignment": Role A, User Group 1, User Group 2]

    What are Worksets?

    A role usually consists of one or more worksets that bundle applications and information.

    A workset is a collection of applications and information that belong together from a semantic point of view because they are part of the same activity area (e.g. controlling or budgeting) of a user.

    Whereas a role is based on global company structures, a workset is based on user-specific tasks or activities (for example, My Budget or My Staff are worksets in the Manager role).

    Worksets are building blocks for roles: One workset can be used within several roles, and one role can consist of several worksets.

    Technically, a workset is a hierarchy of folders that contains other portal content objects.

    Worksets cannot be assigned to users (only roles can be assigned to users).

    [Diagram "Workset Assignment": Workset A, Role 1, Role 2]

    Relationship Between Roles and Worksets: Example

    Role: Sales Manager

    Worksets: Team Lead, Key Account Manager, Promotion Manager, Market Watch, Budget

    Activities:

    Monitoring, Planning, Approving, Forecasting

    Activity assignment, Hiring, Communication

    Sell products, Improve relationships, Send product information, Track order fulfillment, Negotiate

    Monitor/analyze key figures, Watch competitors

    Create sales/promotion strategies, Explore market

    Create promotions, Run promotions, Track status, Analyze impact

    Roles, Users and Content

    [Diagram labels: User 1, User 2; Assignment; Role A, Role B, Role C, Role D, Role E]

    Portal Roles and SAP Roles

    Portal roles: Concept of roles and worksets
    SAP roles: Concept of single and composite roles

    Portal roles: Carrier of the navigation information for the portal user
    SAP roles: Carrier of authorization profile information

    Portal roles: Classification of users according to information needs, competence and responsibility
    SAP roles: Classification of users according to task, authorization

    Portal roles: Based on the structure of the company and the information needed by the users
    SAP roles: Based on user tasks in a SAP system; relevant for creation of the role-based SAP Easy Access Menu

    Portal roles: Independent of application; contain all kinds of information (heterogeneous content): SAP and non-SAP applications, documents, Internet and Intranet information
    SAP roles: Depend on SAP component (FI, BC etc.); content of a SAP role always refers to a certain SAP system

    Summary

    Portal roles define

    the content and tasks that a user can access in the portal

    how the user can access the content (= navigation options in the portal)

    Note: Portal roles have no effect on authorizations in the backend system.

    Agenda

    Introduction of Role Concept

    Roles and Content Objects

    Role Maintenance

    Navigation and User Assignment

    Permissions vs. Authorizations

    Permissions and Delegated Administration

    Portal Content Directory (PCD)

    The Portal Content Directory (PCD) is the central persistence store for all portal objects. This includes, for example, storage of the metadata for the content objects (roles, worksets, etc.) and the relationship between the objects.

    [Diagram: Portal Content (Portal Content Directory) with Roles, Pages, iViews and Worksets]

    iViews and Pages on the Portal Desktop

    A portal page is a container for different iViews.

    Roles

    Roles are the largest semantic units within content objects.

    They include folder hierarchies consisting of folders, worksets, pages and iViews.

    The role structure also defines the navigation structure of the portal.

    Roles are assigned to users.

    [Diagram labels: iViews and Pages; Workset; Role; Folder; Page; iView]

    Agenda

    Introduction of Role Concept

    Roles and Content Objects

    Role Maintenance

    Navigation and User Assignment

    Permissions vs. Authorizations

    Permissions and Delegated Administration

    Portal Catalog and Portal Content Studio

    All content objects (like roles, worksets, iViews, and pages) are available in the Portal Catalog and are maintained in the Portal Content Studio:

    The Portal Content Studio provides a central environment for developing and managing portal content, including iViews, pages, layouts, worksets, roles and transport packages.

    The Portal Catalog provides a central access point to all portal content objects stored in the PCD. It permits you to store, manage and organize content in a structured hierarchy.

    Creating Roles (1)

    In the content administration role, choose Content Administration -> Portal Content.

    You create roles by clicking the right mouse button. The wizard for creating new roles is started.

    Creating Roles (2): Role Wizard

    Enter general properties for the new role.

    Enter the folder for storing the new role in the Portal Catalog.

    Check all properties. The new role is created and is now visible in the Role Editor.

    Creating Roles (3): Role Editor

    Create the role hierarchy and add content objects (roles, worksets, pages, iViews) to the role as delta link.

    Change the properties in the Property Editor (optional).

    You create worksets in the same way as roles. For worksets, use the Workset Editor.

    Roles and Worksets as Containers of Other Objects

    Roles and worksets are created by:

    Building structural hierarchies

    Adding content objects to these hierarchies

    Objects that can be added to a role: roles, worksets, iViews, pages

    Objects that can be added to a workset: worksets, iViews, pages

    [Diagram: Role 1, Workset 1, Page 1 and iView 1 are each added to Role A as a delta link]

    Objects are added to roles and worksets as delta links.

    Delta Links

    All content objects can be related to each other using delta links.

    A delta link is a relationship between two objects (source and target object) of the Portal Content Directory. The source object is the object that passes its property values to a target object that is derived from the source object (= principle of inheritance of properties).

    Delta links allow you to change the target objects, that means additions, deletions and changes to property values and structure hierarchies. Thus delta links are valid for structural hierarchies (for example in roles and worksets) and property values (for example in iViews and pages).

    Changes made to the source object are copied to the target object and are visible there. Changes made to the target object have no effect on the source object. Source objects are protected against modifications.

    [Diagram: Workset 1 (source object) and Workset 2 (target object), each with structure and properties, connected by a delta link]
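
    The inheritance rules on this slide, as a small Python model added here for illustration. It is not SAP code or the PCD API; the class, the property names and the values are constructed.

```python
"""Illustrative model of delta-link inheritance (assumption: not the PCD API)."""

_DELETED = object()  # marker: the target removed an inherited property


class ContentObject:
    """A PCD-like object; 'source' is the object it is delta-linked from."""

    def __init__(self, name, source=None, **own):
        self.name = name
        self.source = source
        self._delta = dict(own)  # only local additions, changes and deletions

    def set(self, key, value):
        # A change on the target is stored in the target's delta only,
        # so the source object is never modified through the link.
        self._delta[key] = value

    def delete(self, key):
        # A deletion on the target hides the inherited value locally.
        self._delta[key] = _DELETED

    def effective(self):
        """Resolve properties: inherited values first, then the local delta."""
        props = self.source.effective() if self.source else {}
        for key, value in self._delta.items():
            if value is _DELETED:
                props.pop(key, None)
            else:
                props[key] = value
        return props

    def overridden(self):
        """Keys where this object deviates from its source (review helper)."""
        inherited = self.source.effective() if self.source else {}
        return sorted(
            key for key, value in self._delta.items()
            if value is _DELETED or inherited.get(key, _DELETED) != value
        )


def demo():
    # Constructed sample: Workset 2 is derived from Workset 1 by delta link.
    ws1 = ContentObject("Workset 1", title="Budget", visible=True, layout="wide")
    ws2 = ContentObject("Workset 2", source=ws1)
    ws2.set("title", "My Budget")   # change on the target
    ws2.delete("layout")            # deletion on the target
    ws1.set("visible", False)       # later change on the source
    return ws1.effective(), ws2.effective(), ws2.overridden()


if __name__ == "__main__":
    source, target, deviations = demo()
    print("source:", source)
    print("target:", target)
    print("target deviates on:", deviations)
```

    The list returned by overridden() is what a reviewer would compare against the source object when checking where a derived role or workset no longer follows its template.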

    Creation of Portal Roles: Summary

    1. Log on as super administrator or content administrator.

    2. Open Portal Catalog.

    3. Create new role.

    4. Specify storage of role.

    5. Add objects to role.

    6. Define entry points.

    7. Save.

    [Diagram labels: Portal Catalog, Role Wizard, Role Editor]

    Agenda

    Introduction of Role Concept

    Roles and Content Objects

    Role Maintenance

    Navigation and User Assignment

    Permissions vs. Authorizations

    Permissions and Delegated Administration

    Roles and Worksets Define the Navigational Structure of SAP Enterprise Portal

    [Screenshot labels: Top-Level Navigation, Detailed Navigation]

    Portal content (pages and iViews) can be navigated by clicking entries in the top-level navigation and/or detailed navigation. The navigation entries are derived from the structures of roles and worksets. The administrator defines which nodes of a role or workset should be visible as navigation entries for the user of the portal.

    Top-Level Navigation and Entry Points

    Entry points: these are the nodes in a role or workset structure that are defined as tabs (entry points) for top-level navigation.

    Defining Entry Points

    In the Role Editor: Click on a role node in the role structure and define it as the entry point. Entry points are highlighted in the role structure.

    Detailed Navigation

    Everything in the role structure that is on the third level and lower appears in the detailed navigation.

    First level (= entry point)

    Second level of top-level navigation

    Third level (inside detailed navigation)

    Role Assignment to Users/User Groups

    In the user administration role, choose User Administration -> Role Assignment.

    1. Select the users and groups to which you want to assign a role. Search for the roles and add them to the selected user or group:

    2. Select the roles to which you want to assign a user or group. Search for the users and groups and add them to the selected roles:

    Agenda

    Introduction of Role Concept

    Roles and Content Objects

    Role Maintenance

    Navigation and User Assignment

    Permissions vs. Authorizations

    Permissions and Delegated Administration

    Portal Permissions

    Portal permissions define the access rights of portal users to portal objects. Permissions in the portal are based on access control list (ACL) methodology.

    By defining permissions, you enable the delegation of administrative tasks and content in the portal environment.

    Objects in the Portal Content Directory (PCD) have two sets of permissions: administrator and end user. This distinction is necessary to control what an administrator sees in the portal administration environment (at design time) and what is seen in the end user environment (at runtime).

    Note: Permissions in SAP Enterprise Portal are not authorizations in the backend system.

    Portal Roles vs. Authorizations

    [Diagram labels: Enterprise Portal; SAP Systems; Enterprise Apps; CM Systems; Others; Role Definition; Authorizations]

    No maintenance of authorizations for SAP systems in SAP Enterprise Portal. Authorizations are still maintained in the SAP system.

    Portal Roles and Authorizations in SAP Systems

    Portal Roles: Portal role in SAP Enterprise Portal

    Contain transactions from different SAP systems

    Export / Distribution

    Authorization Roles: Authorization role in the SAP system

    Authorization roles are created in the SAP systems and assigned to users. Authorizations are still maintained with Transaction PFCG.

    Agenda

    Introduction of Role Concept

    Roles and Content Objects

    Role Maintenance

    Navigation and User Assignment

    Permissions vs. Authorizations

    Permissions and Delegated Administration

    Roles & Permissions

    A typical use case to understand the context of roles and permissions is to understand the principles of delegated administration.

    Roles will provide the assigned users with content.

    Permissions in the portal context will provide access to content objects stored in the Portal Content Directory:

    Administrators: With ACLs, access to any object in the Portal Catalog is defined for administrators.

    End Users: With ACLs, access for end users is defined: content structures within the Portal Catalog are visible; iViews can be executed by end users or not.

    Delegated Administration

    Delegated Administration needs to be realised to distribute administration tasks within a complex organisation.

    That means you have to distribute and control...

    Administration and Maintenance of content like portal roles

    Administration and Maintenance of system configuration like UM configuration, monitoring configuration, service configuration, etc.

    Administration and Maintenance of user information (e.g. Users, Groups, User-Role Assignment, ...)

    Delegated Administration is realised by different portal tools like

    Predefined customizable administration roles

    ACLs on folder hierarchies in the portal content catalog

    User Admin permissions on the User Administration role

    Delegated Administration: Business Scenario

    Delegation of tasks (task; object; role):

    I. Create a system ABC; System ABC; System Administrator

    II. Create iView for system ABC; iView ABC; Content Administrator

    III. Assign iView to page/role; iView page/role assignment; Content Administrator

    IV. Assign role to users; user-role assignment; User Administrator

    Definition of ACLs for the different administration views of portal content catalog necessary!

    Concepts: Delegated Administration

    Delegated Administration

    How to define access to PCD objects?

    Who is administrator?

    How to put PCD objects in the right order?

    Create organisational tree for administrators

    Define permissions on folders and objects

    Define folder structure for Portal Catalog

    How to establish an administration process among different administrators?

    Preconfigured Administration Roles

    Role: User Administrator
    Function:
    access on all tools for user administration to create and maintain users, administrate the role-user assignment, user mapping administration, user replication, group administration, etc.

    Role: System Administrator
    Function:
    access on all tools for system administration such as system configuration, transports, permissions, monitoring, support, portal display
    access on all parts of tree hierarchy of Portal Content Catalogs if the right ACLs have been defined

    Role: Content Administrator
    Function:
    access on all Content Administration tools for creation of roles, worksets, pages, iViews, layouts
    access on all editors to maintain content e.g. Permission Editor, Property Editor
    access on all parts of tree hierarchy of Portal Content Catalog if the right ACLs have been defined

    Role: Super Administrator
    Function:
    assigned to initial SAP* User
    Full Control access on whole Portal Content Catalog Tree
    Access on all admin tools of Content Administrator Role, of System Administrator Role, of User Administration Role

    Admin Roles and Portal Catalog Objects

    Content administrators are responsible for content objects in the Portal Catalog. ACLs define the access and allowed action for content objects like folders, roles, worksets, pages, iViews and templates.

    System administrators are responsible for system administration tasks and objects. ACLs define the access and allowed actions for objects like transport packages or systems.

    User administrators are responsible for user-related tasks. Role-User Assignment can be controlled by permissions set for user management role.

    [Diagram: Super admin; Content admin 1 to 3 and System admin 1 to 3, each labelled "+ ACL"; User admin 1 to 3, each labelled "Set Action"]

    Designtime Permission (Administration)

    [Diagram: Administrator Permissions in the Portal Catalog (Worksets, Pages, Systems); check during creation process for objects; check when accessing objects; ACL check on folder level and on object level]

    Permission levels (table columns on the slide: Edit Objects; Create/Delete Objects):

    OWNER: Folder & objects visible; Edit object properties; Edit assigned delta links; Edit permissions; Delete objects; Create from templates with READ permission

    FULL CONTROL: Folder & objects visible; Edit object properties; Edit assigned delta links; Delete objects; Create from templates with READ permission

    READ/WRITE: Folder & objects visible; Edit object properties; Edit assigned delta links; No delete!; Create from templates with READ permission

    READ: Folder & objects visible; Copy objects; No edit; Create from templates with READ permission

    NONE: Folder & objects not visible

    Runtime Permissions (End User)

    [Diagram: End User Permissions (Worksets, Pages, Systems); check for navigation; check in Personalize Page component; check if calling component via URL; ACL check on folder level and on object level]

    USE permission:

    Direct access to an iView: USE permission is required.

    Direct URL access to a component: Users may access portal components through URL without an intermediate iView if they are granted USE permission in the appropriate security zone.

    Personalization (Personalize Page): User interfaces in the end user environment that display the portal content catalog (such as personalize page) only display objects that have end user permission.

    Navigation: Navigation iViews (TLN, detailed navigation, Drag&Relate targets, related links) only display roles and objects that have end-user permission.

    For display of objects in navigation the ACL is checked on the object level.

    Example: Delegated Content Administration *

    [Screenshot of the Portal Catalog tree with ACL annotations; recoverable labels follow]

    Folders: Portal Content; Editing; Edit_1; iViews; Pages; Worksets; Roles; News; Knowledge; Portal; Personalization; Administrator Resources; Public; Templates

    Editor_A => includes all objects of area edit_1 such as iViews, pages, worksets and roles

    Editor_B => includes all objects of area edit_1

    A all = READ; B all = READ

    User A = FULL CONTROL; User B = READ

    User A = FULL CONTROL; User B = None; User C = WRITE

    User A = FULL CONTROL; User B = Read

    * View of a Portal Administrator on the Portal Catalog!

    Example: Delegated System Administration

    System Administrators have access to different views of the Portal Catalog.

    The role system administrator comprises several tools to access objects like

    Transport Packages stored in the Portal Catalog

    Permissions to be maintained through the Portal Catalog

    System Landscape Objects - to be defined in the Portal Catalog.

    Access to several portal objects is limited to the role system administrator.

    Access to certain folders and objects for users with role system administrator will be defined via ACL.

    Delegated System Administration: Transport

    When creating transport packages to export content READ/WRITE access is required on a particular folder.

    Delegated System Administration: Export

    When defining content to be included into a transport package, ACLs are checked as follows:

    Objects can only be included if at least READ permission for the object is given.

    During export, dependent objects are only included if the request user has READ permission for them.

    Delegated System Administration: Import

    A user assigned to the system administrator role can import any packages stored in the import directory.

    The import into the Portal Content Directory can only be done if the request user has READ/WRITE permission to any folder in which the transported object needs to be stored.

    Delegated System Administration: Create Systems

    For creating a new system the request user needs to have the following ACLs:

    READ/WRITE for the folder in which the system object will be created

    READ for the system template on which the object is based

    Delegated System Administration: Create Systems

    When creating a system object based on a template at least READ permission is required for the request user.

    The permission needs to be defined for the template object.

    A system administrator may only create systems but cannot define an iView pointing to that system. To do so the content administrator role is needed.

    Delegated Administration: Systems & iViews

    To create an iView based on that system it is necessary to be assigned to the content administration role.

    The content administrator therefore needs READ permission for the system to create a working iView based on the system object.
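
    The ACL requirements from the transport, export, import, create-systems and iView slides, collected into one Python model that reports what a given administrator is missing for each task. This is an added example, not SAP code or a portal API; the ordering of the permission levels is assumed from the design-time permission table, and all paths, user names and role names are constructed.

```python
"""Model of the delegated system administration ACL checks (illustrative)."""
from enum import IntEnum


class Perm(IntEnum):
    # Assumption: levels are cumulative, as the design-time table suggests.
    NONE = 0
    READ = 1
    READ_WRITE = 2
    FULL_CONTROL = 3
    OWNER = 4


class Catalog:
    """Explicit ACL entries per Portal Catalog path, plus admin roles."""

    def __init__(self, acls, roles):
        self.acls = acls      # {path: {user: Perm}}
        self.roles = roles    # {user: set of admin role names}

    def perm(self, user, path):
        # No ACL entry means NONE: the object is not visible to the user.
        return self.acls.get(path, {}).get(user, Perm.NONE)

    def _need(self, user, path, level, unmet):
        have = self.perm(user, path)
        if have < level:
            unmet.append(f"{level.name} on {path} (has {have.name})")

    def _need_role(self, user, role, unmet):
        if role not in self.roles.get(user, set()):
            unmet.append(f"role {role}")

    def create_system(self, user, folder, template):
        """READ/WRITE on the target folder, READ on the system template."""
        unmet = []
        self._need_role(user, "system_admin", unmet)
        self._need(user, folder, Perm.READ_WRITE, unmet)
        self._need(user, template, Perm.READ, unmet)
        return unmet

    def create_iview(self, user, system):
        """Content administrator role plus READ on the system object."""
        unmet = []
        self._need_role(user, "content_admin", unmet)
        self._need(user, system, Perm.READ, unmet)
        return unmet

    def export(self, user, package_folder, objects, dependents):
        """Return (included, skipped) paths for a transport package."""
        candidates = list(objects) + list(dependents)
        # Creating the package needs READ/WRITE on the package folder.
        if self.perm(user, package_folder) < Perm.READ_WRITE:
            return [], candidates
        # Objects and dependent objects are included only with READ or more.
        included = [p for p in candidates if self.perm(user, p) >= Perm.READ]
        skipped = [p for p in candidates if p not in included]
        return included, skipped

    def import_package(self, user, target_folders):
        """System administrator role plus READ/WRITE on each target folder."""
        unmet = []
        self._need_role(user, "system_admin", unmet)
        for folder in target_folders:
            self._need(user, folder, Perm.READ_WRITE, unmet)
        return unmet


# Constructed sample data (hypothetical paths, users and role names).
CATALOG = Catalog(
    acls={
        "/systems": {"sysadmin1": Perm.READ_WRITE},
        "/templates/sap_r3": {"sysadmin1": Perm.READ},
        "/systems/ABC": {"sysadmin1": Perm.OWNER, "content1": Perm.READ},
        "/content/edit_1": {"content1": Perm.FULL_CONTROL,
                            "sysadmin1": Perm.READ_WRITE},
        "/content/edit_1/iview_abc": {"content1": Perm.FULL_CONTROL,
                                      "sysadmin1": Perm.READ},
        "/content/edit_1/page_1": {"content1": Perm.FULL_CONTROL},
    },
    roles={"sysadmin1": {"system_admin"}, "content1": {"content_admin"}},
)

if __name__ == "__main__":
    print(CATALOG.create_system("sysadmin1", "/systems", "/templates/sap_r3"))
    print(CATALOG.create_iview("sysadmin1", "/systems/ABC"))
    print(CATALOG.export("sysadmin1", "/content/edit_1",
                         ["/content/edit_1/iview_abc"],
                         ["/content/edit_1/page_1"]))
```

    An empty list means the task is allowed; the skipped list from export() shows dependent objects that would silently be left out of a package because the exporting administrator cannot read them.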

    Example: Delegated User Administration

    Delegated user administration allows you to distribute user administration between several administrators so that each administrator is responsible for a particular set of users.

    For Delegated User Administration you have to distinguish between

    Overall User Administrators can add, modify and delete users of all companies. They can create and administer delegated user administrators and assign them appropriate roles and permissions.

    In addition the following tasks can only be performed by an overall user

    Group Management

    Role Management

    User Mapping

    Import and Export of user data

    Replication of user data

    Delegated User Administrators can add, modify and delete users that belong to the same company as the delegated user administrator.

    Delegated User Administration: Company Concept

    Delegated User Administration based on company concept:

    A company is a set of users

    User administration can be done per company, by a company administrator for all the users within that company

    Permissions assigned to User Administration Role

    Full User Administration, Full ACL Administration:
    A combination of the permissions of Full User Administration and Full ACL Administration.
    By default, this action is assigned to the Super Administration role only.

    Full ACL Administration:
    Any role to which this action is assigned has Owner permissions on all objects in the Portal Content Catalog.
    It is not possible to remove this permission in the permission editor. This action is designed for super administrators that are not responsible for overall user administration.

    Delegated User Administration:
    Contains permission required by a delegated user administrator:
    Administration of users belonging to the same company as the administrator
    Role assignment: Permissions to assign roles to users belonging to the same company as the administrator. No permissions to assign roles to groups.

    Full user administration:
    Contains permissions by an overall user admin:
    Administration of users belonging to any company and possibility of assigning users to companies
    Group management
    Role assignment
    User mapping
    Import and export of user data
    Manual replication of user data

    Configuration of Delegated User Administration using Companies

    1. Define the required companies

    2. Create a role for delegated user administrators

    3. Enable Check ACL for Role Assignment Component

    4. Assign appropriate properties to delegated user administration role

    5. Define one or more delegated user administrators for each company

    6. Assign users to companies using options like

    Overall user administrator uses administration console

    User is registered via approval workflow

    Overall user administrator uses user import function and uses the Org_ID attribute to assign a company to users

    If the company concept is enabled, the list of users for role assignment is limited


    Create Delegated User Administrator Role

    Create a different User Administrators role (UserAdmin_1)

    Add the original user administrator role via delta link to a new role

    Assign the role user_admin


    Enable Check ACLs for Role Assignment

    For the iView com.sap.portal.roleAssignment, enable property CheckACL = true


    Define Permission for delegated user admin role

    The role for the Delegated User Administrators needs to be edited:

    Change property User Admin Permission to Delegated Administration.
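The boundaries that this configuration is meant to enforce can be checked after the fact. The following is an added example, not SAP code and not part of the original slides: it audits a log of role assignments against the rules stated for Delegated User Administration and Full User Administration. The log layout, all IDs and the rule that an administrator without either permission is reported are assumptions made for illustration.

```python
from dataclasses import dataclass

FULL = "Full User Administration"
DELEGATED = "Delegated User Administration"

@dataclass(frozen=True)
class Assignment:
    admin: str        # administrator who made the assignment
    target: str       # user or group ID that received the role
    target_type: str  # "user" or "group"
    role: str

def audit(admins, user_company, assignments):
    """Return (assignment, reason) for each assignment that breaks the rules.

    admins: admin ID -> (permission, company); user_company: user ID -> company.
    """
    findings = []
    for a in assignments:
        permission, company = admins.get(a.admin, (None, None))
        if permission == FULL:
            continue  # overall administrator: any company, groups included
        if permission != DELEGATED:
            # Assumption of this model: no recorded permission is a finding.
            findings.append((a, "no user administration permission"))
        elif a.target_type == "group":
            findings.append((a, "delegated admin assigned a role to a group"))
        elif company is None or user_company.get(a.target) != company:
            # Also catches users that have no company assigned at all.
            findings.append((a, "target user is outside the admin's company"))
    return findings

# Constructed sample data (hypothetical IDs, not a portal export format).
ADMINS = {"admin_all": (FULL, None), "ua_acme": (DELEGATED, "ACME")}
USER_COMPANY = {"alice": "ACME", "bob": "GLOBEX"}
LOG = [
    Assignment("ua_acme", "alice", "user", "sales_rep"),
    Assignment("ua_acme", "bob", "user", "sales_rep"),
    Assignment("ua_acme", "Sales", "group", "sales_rep"),
    Assignment("admin_all", "Sales", "group", "sales_rep"),
    Assignment("ua_acme", "carol", "user", "sales_rep"),
    Assignment("helpdesk", "alice", "user", "sales_rep"),
]

if __name__ == "__main__":
    for a, reason in audit(ADMINS, USER_COMPANY, LOG):
        print(f"{a.admin} -> {a.target} ({a.role}): {reason}")
```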


    Summary

    Roles define what content can be seen by the end user/administrator.

    Roles are a standard portal feature for structuring content for user groups and/or single users.

    Roles define how content is represented at the user's desktop.

    Roles and navigation structures are closely interrelated.

    Roles can be used as containers for portal content.

    Portal content is provided by content objects such as worksets, pages and iViews. It becomes available to users by assignment to roles.

    Roles connect the portal user with the content.

    Roles can be assigned to users or user groups.

    Roles and portal content need to be combined with permissions.

    Access Control Lists (ACLs) define what content can be seen by which administrator.

    ACLs define what content the end user can execute.

    Portal roles do not contain authorizations for SAP systems.

    Authorizations for SAP systems are maintained in the SAP system.


    Copyright 2003 SAP AG. All Rights Reserved

