8/2/2019 Portal Roles
Setting Up Portal Roles in SAP Enterprise Portal 6.0
Julia Levedag, Vera Gutbrod
RIG and Product Management
SAP AG
SAP AG 2003, TechED_Basel / Session PRTL-255, Levedag/Gutbrod / 02.10.03
Learning Objectives
As a result of this workshop, you will be able to:
Understand the Concept of Portal Roles
Administer Roles and other Portal Content
Define Portal Navigation
Learn about the Context of Roles and Permissions
Understand the Concept of Delegated Administration
Agenda
Introduction of Role Concept
Roles and Content Objects
Role Maintenance
Navigation and User Assignment
Permissions vs. Authorizations
Permissions and Delegated Administration
Role Concept: Why Create Roles?
[Diagram: users and groups (User 1, Group 1, Group 2), roles (Role 1, Role 2) and content (Content 1 to Content 5)]
Only by creating roles are you able to assign different pieces of content
to different groups of users.
Role Management: Examples
Customer Credit Manager
Project Leader
Market Analyst
One enterprise portal to cover different user roles
What are Portal Roles?
A role is a container for applications and information that can be assigned to a particular group of users.
The content of a role enables users to perform the tasks in their respective job description.
The content of a role is based on the company structure and on the information needs of the portal users in the company.
The portal navigation structure is defined by the sum of the roles assigned to the user.
Technically, a role is a hierarchy of folders containing other portal content objects.
Roles can be assigned to users or groups of users, i.e. the portal role connects users (or groups of users) to the portal content.
[Diagram "Role Assignment": Role A, User Group 1, User Group 2]
What are Worksets?
A role usually consists of one or more worksets that bundle applications and information.
A workset is a collection of applications and information that belong together from a semantic point of view because they are part of the same activity area (e.g. controlling or budgeting) of a user.
Whereas a role is based on global company structures, a workset is based on user-specific tasks or activities (for example, My Budget or My Staff are worksets in the Manager role).
Worksets are building blocks for roles: One workset can be used within several roles, and one role can consist of several worksets.
Technically, a workset is a hierarchy of folders that contains other portal content objects.
Worksets cannot be assigned to users (only roles can be assigned to users).
[Diagram "Workset Assignment": Workset A, Role 1, Role 2]
Relationship Between Roles and Worksets: Example
Role: Sales Manager
Worksets: Team Lead, Key Account Manager, Promotion Manager, Market Watch, Budget
Activities (grouped as on the slide):
- Monitoring, Planning, Approving, Forecasting
- Activity assignment, Hiring, Communication
- Sell products, Improve relationships, Send product information, Track order fulfillment, Negotiate
- Monitor/analyze key figures, Watch competitors, Create sales/promotion strategies, Explore market
- Create promotions, Run promotions, Track status, Analyze impact
Roles, Users and Content
[Diagram: User 1 and User 2 with role assignments; Role A, Role B, Role C, Role D, Role E]
Portal Roles and SAP Roles
Portal roles:
- Concept of roles and worksets
- Carrier of the navigation information for the portal user
- Classification of users according to information needs, competence and responsibility
- Based on the structure of the company and the information needed by the users
- Independent of application; contain all kinds of information (heterogeneous content): SAP and non-SAP applications, documents, Internet and Intranet information
SAP roles:
- Concept of single and composite roles
- Carrier of authorization profile information
- Classification of users according to task, authorization
- Based on user tasks in a SAP system; relevant for creation of the role-based SAP Easy Access Menu
- Depend on SAP component (FI, BC etc.); content of a SAP role always refers to a certain SAP system
Summary
Portal roles define
the content and tasks that a user can access in the portal
how the user can access the content (= navigation options in the portal)
Note: Portal roles have no effect on authorizations in the backend system.
Portal Content Directory (PCD)
The Portal Content Directory (PCD) is the central persistence store for all portal objects. This includes, for example, storage of the metadata for the content objects (roles, worksets, etc.) and the relationship between the objects.
[Diagram: Portal Content (Portal Content Directory) with roles, worksets, pages and iViews]
iViews and Pages on the Portal Desktop
A portal page is a container for different iViews.
Roles
Roles are the largest semantic units within content objects.
They include folder hierarchies consisting of folders, worksets, pages and iViews.
The role structure also defines the navigation structure of the portal.
Roles are assigned to users.
[Diagram: role hierarchy with Role, Workset, Folder, Page and iView nodes]
Portal Catalog and Portal Content Studio
All content objects (like roles, worksets, iViews, and pages) are available in the Portal Catalog and are maintained in the Portal Content Studio:
The Portal Content Studio provides a central environment for developing and managing portal content, including iViews, pages, layouts, worksets, roles and transport packages.
The Portal Catalog provides a central access point to all portal content objects stored in the PCD. It permits you to store, manage and organize content in a structured hierarchy.
Creating Roles (1)
In the content administration role, choose Content Administration -> Portal Content.
You create roles by clicking the right mouse button. The wizard for creating new roles is started.
Creating Roles (2): Role Wizard
Enter general properties for the new role.
Enter the folder for storing the new role in the Portal Catalog.
Check all properties. The new role is created and is now visible in the Role Editor.
Creating Roles (3): Role Editor
Create the role hierarchy and add content objects (roles, worksets, pages, iViews) to the role as delta link.
Change the properties in the Property Editor (optional).
You create worksets in the same way as roles. For worksets, use the Workset Editor.
Roles and Worksets as Containers of Other Objects
Roles and worksets are created by:
Building structural hierarchies
Adding content objects to these hierarchies
Objects that can be added to a role: roles, worksets, iViews, pages
Objects that can be added to a workset: worksets, iViews, pages
Objects are added to roles and worksets as delta links.
[Diagram: Role 1, Workset 1, Page 1 and iView 1, each added to Role A as a delta link]
Delta Links
All content objects can be related to each other using delta links.
A delta link is a relationship between two objects (source and target object) of the Portal Content Directory. The source object is the object that passes its property values to a target object that is derived from the source object (= principle of inheritance of properties).
Delta links allow you to change the target objects, that means additions, deletions and changes to property values and structure hierarchies. Thus delta links are valid for structural hierarchies (for example in roles and worksets) and property values (for example in iViews and pages).
Changes made to the source object are copied to the target object and are visible there. Changes made to the target object have no effect on the source object. Source objects are protected against modifications.
[Diagram: Workset 1 (source object) and Workset 2 (target object), each with structure and properties, connected by a delta link]
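The inheritance rules above can be made concrete with a small model. This is an added example, not SAP code and not part of the original deck; the class `ContentObject`, its methods and the sample workset are hypothetical, and the model assumes that a value changed on the target keeps precedence over later changes to the same property on the source.

```python
class ContentObject:
    """Hypothetical model of a PCD object that may be derived via a delta link."""

    def __init__(self, name, properties=None, children=None, source=None):
        self.name = name
        self.source = source                  # delta-link source, or None
        self._props = dict(properties or {})  # property values set on this object
        self._added = list(children or [])    # child entries added on this object
        self._removed = set()                 # inherited entries removed here

    def derive(self, name):
        """Create a target object that is linked to this object as its source."""
        return ContentObject(name, source=self)

    # All modifying methods touch only this object, never self.source:
    # the source object stays protected against changes made on the target.
    def set_property(self, key, value):
        self._props[key] = value

    def add_child(self, child):
        self._added.append(child)

    def remove_child(self, child):
        if child in self._added:
            self._added.remove(child)
        else:
            self._removed.add(child)

    def properties(self):
        """Effective properties: inherited values, overlaid by local changes."""
        inherited = self.source.properties() if self.source else {}
        return {**inherited, **self._props}

    def children(self):
        """Effective structure: inherited entries minus removals plus additions."""
        inherited = self.source.children() if self.source else []
        return [c for c in inherited if c not in self._removed] + self._added

    def delta(self):
        """What this object changes relative to its source (useful for review)."""
        if self.source is None:
            return {}
        base = self.source.properties()
        return {
            "changed": {k: v for k, v in self._props.items() if base.get(k) != v},
            "added": list(self._added),
            "removed": sorted(self._removed),
        }


def demo():
    # Constructed sample data: Workset 1 is the source, Workset 2 the target.
    w1 = ContentObject("Workset 1",
                       {"title": "My Budget", "visible": "true"},
                       ["Budget Overview", "Cost Centers"])
    w2 = w1.derive("Workset 2")
    w2.set_property("title", "My Staff Budget")  # change on the target only
    w2.remove_child("Cost Centers")
    w2.add_child("Headcount")
    # Later changes on the source become visible on the target.
    w1.set_property("visible", "false")
    w1.add_child("Forecast")
    return w1, w2


if __name__ == "__main__":
    source, target = demo()
    print(source.properties(), source.children())
    print(target.properties(), target.children())
    print(target.delta())
```

The `delta()` view is what a reviewer would inspect to see how far a derived role or workset has drifted from the object it was built on.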
Creation of Portal Roles: Summary
1. Log on as super administrator or content administrator.
2. Open Portal Catalog.
3. Create new role.
4. Specify storage of role.
5. Add objects to role.
6. Define entry points.
7. Save.
[Screenshots: Portal Catalog, Role Wizard, Role Editor]
Roles and Worksets Define the Navigational Structure of SAP Enterprise Portal
[Screenshot labels: Top-Level Navigation, Detailed Navigation]
Portal content (pages and iViews) can be navigated by clicking entries in the top-level navigation and/or detailed navigation. The navigation entries are derived from the structures of roles and worksets. The administrator defines which nodes of a role or workset should be visible as navigation entries for the user of the portal.
Top-Level Navigation and Entry Points
Entry points: these are the nodes in a role or workset structure that are defined as tabs (entry points) for top-level navigation.
Defining Entry Points
In the Role Editor: Click on a role node in the role structure and define it as the entry point.
Entry points are highlighted in the role structure.
Detailed Navigation
Everything in the role structure that is on the third level and lower appears in the detailed navigation.
First level (= entry point)
Second level of top-level navigation
Third level (inside detailed navigation)
Role Assignment to Users/User Groups
In the user administration role, choose User Administration -> Role Assignment.
1. Select the users and groups to which you want to assign a role. Search for the roles and add them to the selected user or group.
2. Select the roles to which you want to assign a user or group. Search for the users and groups and add them to the selected roles.
Portal Permissions
Portal permissions define the access rights of portal users to portal objects. Permissions in the portal are based on access control list (ACL) methodology.
By defining permissions, you enable the delegation of administrative tasks and content in the portal environment.
Objects in the Portal Content Directory (PCD) have two sets of permissions: administrator and end user. This distinction is necessary to control what an administrator sees in the portal administration environment (at design time) and what is seen in the end user environment (at runtime).
Note: Permissions in SAP Enterprise Portal are not authorizations in the backend system.
Portal Roles vs. Authorizations
[Diagram: Enterprise Portal, SAP Systems, Enterprise Apps, CM Systems, Others; labels: Role Definition, Authorizations]
No maintenance of authorizations for SAP systems in SAP Enterprise Portal. Authorizations are still maintained in the SAP system.
Portal Roles and Authorizations in SAP Systems
[Diagram: Portal Roles (portal role in SAP Enterprise Portal; contain transactions from different SAP systems), Export / Distribution, Authorization Roles (authorization role in the SAP system)]
Authorization roles are created in the SAP systems and assigned to users. Authorizations are still maintained with Transaction PFCG.
Roles & Permissions
A typical use case to understand the context of roles and permissions is to understand the principles of delegated administration.
Roles will provide the assigned users with content.
Permissions in the portal context will provide access to content objects stored in the Portal Content Directory:
Administrators: With ACLs, access to any object in the Portal Catalog is defined for administrators.
End users: With ACLs, access for end users is defined: content structures within the Portal Catalog are visible; iViews can be executed by end users or not.
Delegated Administration
Delegated Administration needs to be realised to distribute administration tasks within a complex organisation.
That means you have to distribute and control...
Administration and Maintenance of content like portal roles
Administration and Maintenance of system configuration like UM configuration, monitoring configuration, service configuration, etc.
Administration and Maintenance of user information (e.g. Users, Groups, User-Role Assignment, ...)
Delegated Administration is realised by different portal tools like
Predefined customizable administration roles
ACLs on folder hierarchies in the portal content catalog
User Admin permissions on the User Administration role
Delegated Administration: Business Scenario
I. Create a system ABC
II. Create iView for system ABC
III. Assign iView to page/role
IV. Assign role to users
Delegation of tasks (task: role):
- System ABC: System Administrator
- iView ABC: Content Administrator
- iView page/role assignment: Content Administrator
- User-role assignment: User Administrator
Definition of ACLs for the different administration views of portal content catalog necessary!
Concepts Delegated Administration
How to establish an administration process among different administrators?
Questions on the diagram:
- How to define access to PCD objects?
- Who is administrator?
- How to put PCD objects in the right order?
Steps on the diagram:
- Create organisational tree for administrators
- Define permissions on folders and objects
- Define folder structure for Portal Catalog
Preconfigured Administration Roles
Role and function:
User Administrator:
- access on all tools for user administration to create and maintain users, administrate the role-user assignment, user mapping administration, user replication, group administration, etc.
System Administrator:
- access on all tools for system administration such as system configuration, transports, permissions, monitoring, support, portal display
- access on all parts of tree hierarchy of Portal Content Catalogs if the right ACLs have been defined
Content Administrator:
- access on all Content Administration tools for creation of roles, worksets, pages, iViews, layouts
- access on all editors to maintain content e.g. Permission Editor, Property Editor
- access on all parts of tree hierarchy of Portal Content Catalog if the right ACLs have been defined
Super Administrator:
- assigned to initial SAP* User
- Full Control access on whole Portal Content Catalog Tree
- Access on all admin tools of Content Administrator Role, of System Administrator Role, of User Administration Role
Admin Roles and Portal Catalog Objects
Content administrators are responsible for content objects in the Portal Catalog. ACLs define the access and allowed action for content objects like folders, roles, worksets, pages, iViews and templates.
System administrators are responsible for system administration tasks and objects. ACLs define the access and allowed actions for objects like transport packages or systems.
User administrators are responsible for user-related tasks. Role-User Assignment can be controlled by permissions set for user management role.
[Diagram: Super admin; Content admin 1 to 3 and System admin 1 to 3, each marked "+ ACL"; User admin 1 to 3, each marked "Set Action"]
Designtime Permission (Administration)
Administrator Permissions
Check during creation process for objects
Check when accessing objects
ACL check on folder level and on object level (Portal Catalog: worksets, pages, systems)
Permission levels (edit objects, create/delete objects):
- OWNER: folder & objects visible; edit object properties; edit assigned delta links; edit permissions; delete objects; create from templates with READ permission
- FULL CONTROL: folder & objects visible; edit object properties; edit assigned delta links; delete objects; create from templates with READ permission
- READ/WRITE: folder & objects visible; edit object properties; edit assigned delta links; no delete; create from templates with READ permission
- READ: folder & objects visible; copy objects; no edit; create from templates with READ permission
- NONE: folder & objects not visible
Runtime Permissions (End User)
End User Permissions
Check for navigation
Check in Personalize Page component
Check if calling component via URL
ACL check on folder level and on object level (worksets, pages, systems)
USE permission:
- Navigation: Navigation iViews (TLN, detailed navigation, Drag&Relate targets, related links) only display roles and objects that have end-user permission. For display of objects in navigation the ACL is checked on the object level.
- Personalization (Personalize Page): User interfaces in the end user environment that display the portal content catalog (such as personalize page) only display objects that have end user permission.
- Direct access to an iView: USE permission is required.
- Direct URL access to a component: Users may access portal components through URL without an intermediate iView if they are granted USE permission in the appropriate security zone.
Example: Delegated Content Administration *
[Diagram: Portal Catalog tree with the entries Portal Content, Editing, Edit_1, iViews, Pages, Worksets, Roles, News, Knowledge, Portal, Personalization, Administrator Ressources, Public, Templates, annotated with ACLs]
Editor_A => includes all objects of area edit_1 such as iViews, pages, worksets and roles
Editor_B => includes all objects of area edit_1
ACL annotations in the diagram:
- A all = READ; B all = READ
- User A = FULL CONTROL; User B = READ
- User A = FULL CONTROL; User B = None; User C = WRITE
- User A = FULL CONTROL; User B = Read
* View of a Portal Administrator on the Portal Catalog!
Example: Delegated System Administration
System Administrators have access to different views of the Portal Catalog.
The role system administrator comprises several tools to access objects like
Transport Packages stored in the Portal Catalog
Permissions to be maintained through the Portal Catalog
System Landscape Objects - to be defined in the Portal Catalog.
Access to several portal objects is limited to the role system administrator.
Access to certain folders and objects for users with role system administrator will be defined via ACL.
Delegated System Administration: Transport
When creating transport packages to export content, READ/WRITE access is required on a particular folder.
Delegated System Administration: Export
When defining content to be included into a transport package, ACLs are checked as follows:
Objects can only be included if, as a minimum, READ permission for the object is given.
During export, dependent objects are only included if the request user has READ permission for them.
Delegated System Administration: Import
A user assigned to the system administrator role can import any packages stored in the import directory.
The import into the Portal Content Directory can only be done if the request user has READ/WRITE permission to any folder in which the transported object needs to be stored.
Delegated System Administration: Create Systems
For creating a new system the request user needs to have the following ACLs:
READ/WRITE for the folder in which the system object will be created
READ for the system template on which the object is based
Delegated System Administration: Create Systems
When creating a system object based on a template, at least READ permission is required for the request user. The permission needs to be defined for the template object.
A system administrator may only create systems but cannot define an iView pointing to that system. To do so the content administrator role is needed.
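The design-time permission levels and the ACL checks for transport packages and system creation described in the preceding slides can be modelled as follows. This is an added example, not SAP code and not part of the original deck; `CatalogObject`, the action names, the sample catalog and the assumption that permission levels are cumulative are all illustrative.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Perm(IntEnum):
    """Administrator (design-time) permission levels, lowest to highest."""
    NONE = 0
    READ = 1
    READ_WRITE = 2
    FULL_CONTROL = 3
    OWNER = 4


# Minimum level per action, read off the design-time permission slide.
# Assumption of this model: levels are cumulative (higher implies lower).
REQUIRED = {
    "view": Perm.READ,
    "copy": Perm.READ,
    "use_as_template": Perm.READ,
    "edit_properties": Perm.READ_WRITE,
    "edit_delta_links": Perm.READ_WRITE,
    "create_in_folder": Perm.READ_WRITE,
    "delete": Perm.FULL_CONTROL,
    "edit_permissions": Perm.OWNER,
}


@dataclass
class CatalogObject:
    """Hypothetical stand-in for a Portal Catalog folder or object."""
    name: str
    acl: dict = field(default_factory=dict)         # user name -> Perm
    depends_on: list = field(default_factory=list)  # objects this one needs

    def level(self, user):
        # No ACL entry means NONE: the object is not visible at all.
        return self.acl.get(user, Perm.NONE)


def allowed(user, obj, action):
    return obj.level(user) >= REQUIRED[action]


def create_system(user, folder, template):
    """System creation needs READ/WRITE on the folder and READ on the template."""
    missing = []
    if not allowed(user, folder, "create_in_folder"):
        missing.append(f"READ/WRITE on {folder.name}")
    if not allowed(user, template, "use_as_template"):
        missing.append(f"READ on {template.name}")
    return (not missing, missing)


def build_export(user, package_folder, selected):
    """Return (included, skipped) object names for a transport package."""
    if not allowed(user, package_folder, "create_in_folder"):
        raise PermissionError(f"READ/WRITE required on {package_folder.name}")
    included, skipped, seen = [], [], set()
    stack = list(reversed(selected))
    while stack:
        obj = stack.pop()
        if obj.name in seen:
            continue
        seen.add(obj.name)
        if allowed(user, obj, "view"):
            included.append(obj.name)
            stack.extend(reversed(obj.depends_on))  # follow dependent objects
        else:
            skipped.append(obj.name)  # no READ: left out of the package
    return included, skipped


# Constructed sample catalog; all names and ACL entries are hypothetical.
systems_folder = CatalogObject("Systems", {"sysadmin1": Perm.READ_WRITE,
                                           "sysadmin2": Perm.READ})
sap_template = CatalogObject("Templates/SAP system", {"sysadmin1": Perm.READ,
                                                      "sysadmin2": Perm.READ})
transport_folder = CatalogObject("Transport Packages", {"sysadmin1": Perm.READ_WRITE})
iview_abc = CatalogObject("iView ABC", {"sysadmin1": Perm.READ})
iview_hr = CatalogObject("iView HR")  # no ACL entry for sysadmin1
page_abc = CatalogObject("Page ABC", {"sysadmin1": Perm.READ},
                         depends_on=[iview_abc, iview_hr])
role_abc = CatalogObject("Role ABC", {"sysadmin1": Perm.FULL_CONTROL},
                         depends_on=[page_abc])

if __name__ == "__main__":
    print(create_system("sysadmin1", systems_folder, sap_template))
    print(create_system("sysadmin2", systems_folder, sap_template))
    print(build_export("sysadmin1", transport_folder, [role_abc]))
```

The skipped list is the part worth reviewing: a package built by an administrator without READ on a dependent object is exported without that object.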
Delegated Administration: Systems & iViews
To create an iView based on that system it is necessary to be assigned to the content administration role.
The content administrator therefore needs READ permission for the system to create a working iView based on the system object.
Example: Delegated User Administration
Delegated user administration allows you to distribute user administration between several administrators so that each administrator is responsible for a particular set of users.
For Delegated User Administration you have to distinguish between
Overall User Administrators can add, modify and delete users of all companies. They can create and administer delegated user administrators and assign them appropriate roles and permissions.
In addition the following tasks can only be performed by an overall user
Group Management
Role Management
User Mapping
Import and Export of user data
Replication of user data
Delegated User Administrators can add, modify and delete users that belong to the same company as the delegated user administrator.
Delegated User Administration: Company Concept
Delegated User Administration based on company concept:
A company is a set of users
User administration can be done per company, by a company administrator for all the users within that company
Permissions assigned to User Administration Role
Full User Administration, Full ACL Administration:
- A combination of the permissions of Full User Administration and Full ACL Administration.
- By default, this action is assigned to the Super Administration role only.
Full ACL Administration:
- Any role to which this action is assigned has Owner permissions on all objects in the Portal Content Catalog.
- It is not possible to remove this permission in the permission editor. This action is designed for super administrators that are not responsible for overall user administration.
Delegated User Administration:
- Contains permission required by a delegated user administrator:
- Administration of users belonging to the same company as the administrator
- Role assignment: Permissions to assign roles to users belonging to the same company as the administrator. No permissions to assign roles to groups.
Full user administration:
- Contains permissions required by an overall user admin:
- Administration of users belonging to any company and possibility of assigning users to companies
- Group management
- Role assignment
- User mapping
- Import and export of user data
- Manual replication of user data
Configuration of Delegated User Administration using Companies
1. Define the required companies
2. Create a role for delegated user administrators
3. Enable Check ACL for Role Assignment Component
4. Assign appropriate properties to delegated user administration role
5. Define one or more delegated user administrators for each company
6. Assign users to companies using options like
Overall user administrator uses administration console
User is registered via approval workflow
Overall user administrator uses user import function and uses the Org_ID attribute to assign a company to users
If the company concept is enabled, the list of users for role assignment is limited
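The scoping rules for overall and delegated user administrators, and the limited user list for role assignment, can be checked against a record of administration actions. This is an added example, not SAP code and not part of the original deck; the task names, the event tuples and all sample principals are constructed, and the model reads Full ACL Administration as carrying no user-administration rights.

```python
from dataclasses import dataclass
from enum import Enum


class AdminPermission(Enum):
    """Values of the User Admin Permission property named in the slides."""
    FULL_USER = "Full user administration"
    DELEGATED = "Delegated User Administration"
    FULL_ACL = "Full ACL Administration"
    FULL_USER_AND_ACL = "Full User Administration, Full ACL Administration"


# Tasks the slides list only under full user administration.
OVERALL_ONLY = {"group_management", "user_mapping", "import_export",
                "replication", "assign_company"}
# Tasks a delegated administrator may perform inside the own company only.
COMPANY_SCOPED = {"add_user", "modify_user", "delete_user", "assign_role"}


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str           # "user" or "group"
    company: str = ""   # company of a user, e.g. taken from Org_ID


@dataclass(frozen=True)
class Admin:
    name: str
    permission: AdminPermission
    company: str = ""


def decide(admin, task, target=None):
    """Return (allowed, reason) for one user-administration task."""
    perm = admin.permission
    if perm in (AdminPermission.FULL_USER, AdminPermission.FULL_USER_AND_ACL):
        return True, "overall user administrator"
    if perm is AdminPermission.FULL_ACL:
        return False, "Full ACL Administration carries no user administration"
    if task in OVERALL_ONLY:
        return False, f"{task} is reserved for overall user administrators"
    if task not in COMPANY_SCOPED or target is None:
        return False, "unknown task or missing target"
    if task == "assign_role" and target.kind == "group":
        return False, "delegated administrators cannot assign roles to groups"
    if target.company != admin.company:
        return False, f"{target.name} is outside company {admin.company}"
    return True, "same company"


def assignable_users(admin, directory):
    """Users offered for role assignment once the company concept is enabled."""
    return sorted(p.name for p in directory.values()
                  if p.kind == "user" and decide(admin, "assign_role", p)[0])


def audit(events, admins, directory):
    """Flag (admin, task, target) events that fall outside the admin's scope."""
    findings = []
    for admin_name, task, target_name in events:
        ok, reason = decide(admins[admin_name], task, directory.get(target_name))
        if not ok:
            findings.append((admin_name, task, target_name, reason))
    return findings


# Constructed sample data; companies, names and events are hypothetical.
ADMINS = {
    "overall": Admin("overall", AdminPermission.FULL_USER),
    "admin_acme": Admin("admin_acme", AdminPermission.DELEGATED, "ACME"),
    "acl_only": Admin("acl_only", AdminPermission.FULL_ACL),
}
DIRECTORY = {
    "alice": Principal("alice", "user", "ACME"),
    "bob": Principal("bob", "user", "GLOBEX"),
    "Sales": Principal("Sales", "group"),
}
EVENTS = [
    ("admin_acme", "modify_user", "alice"),
    ("admin_acme", "assign_role", "alice"),
    ("admin_acme", "assign_role", "bob"),
    ("admin_acme", "assign_role", "Sales"),
    ("admin_acme", "user_mapping", "alice"),
    ("overall", "assign_role", "Sales"),
]

if __name__ == "__main__":
    for finding in audit(EVENTS, ADMINS, DIRECTORY):
        print(finding)
```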
Create Delegated User Administrator Role
Create a different User Administrators UserAdmin_1
Add the original user administrator role per delta link to a new role
Assign the role user_admin
Enable Check ACLs for Role Assignment
For iView com.sap.portal.roleAssignment enable property CheckACL = true
Define Permission for delegated user admin role
The role for the Delegated User Administrators needs to be edited:
Change property User Admin Permission to Delegated Administration.
Summary
Roles define what content can be seen by the end user/administrator.
Roles are a standard portal feature for structuring content for user groups and/or single users.
Roles define how content is represented at the user's desktop.
Roles and navigation structures are closely interrelated.
Roles can be used as containers for portal content.
Portal content is provided by content objects such as worksets, pages and iViews. It becomes available to users by assignment to roles.
Roles connect the portal user with the content.
Roles can be assigned to users or user groups.
Roles and portal content need to be combined with permissions.
Access Control Lists (ACLs) define what content can be seen by which administrator.
ACLs define what content the end user can execute.
Portal roles do not contain authorizations for SAP systems.
Authorizations for SAP systems are maintained in the SAP system.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, WINDOWS, NT, EXCEL, Word, PowerPoint and SQL Server are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix and Informix Dynamic Server TM are trademarks of IBM Corporation in USA and/or other countries.
ORACLE is a registered trademark of ORACLE Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, the Citrix logo, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, MultiWin and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc.
HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.
JAVA is a registered trademark of Sun Microsystems, Inc.
JAVASCRIPT is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
MarketSet and Enterprise Buyer are jointly owned trademarks of SAP AG and Commerce One.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies.
Copyright 2003 SAP AG. All Rights Reserved