Access rights

This section maps sensitive operations for a resource to the roles required to perform the operations. Sensitive operations include simple tasks like viewing a portlet on a specific page, and complex, high-risk tasks like running XML configuration interface scripts.

A role combines a set of permissions with a specific resource. This set of permissions is called a role type. Roles are denoted as RoleType@Resource.

Notes: These notes apply to the table that follows:

It lists minimum role assignments that are necessary to perform a sensitive operation.
Minimum role assignment refers to the fact that some role types imply other role types as described in the Roles section. An example is the sensitive operation Install Web Module which requires a role of type Editor on the virtual resource Web Modules. Because the role of type Manager implies the Editor role type, assigning a Manager role at the Web Modules virtual resource also allows for installing Web modules.
Role assignments that manage application templates and composite applications for business users are defined in Access to applications and components. While the roles can have any name, the role names listed here help indicate whether the task is editing the configuration of a certain application, or managing the membership of a certain application.
Note: The name of an application role does not indicate its application role type. To determine which application role type is associated with a specific application role, please refer to the roles portlet and check out the specific application role's additional management permissions.
When access rights are granted to any listed resource, it inherently requires access to the resource Access Control Administration.
Changing the owner of a resource can be done by using the Access Control Administration. Refer to the Access Control Administration, Modify the owner of a resource section of the table.
The resources listed could be different depending on other products that might be installed with the product. Some roles are required on virtual resources; other roles must be on resource instances.
Users might also have access rights for some operations through ownership of resources. For information about access rights of owners, refer to Roles.
Definition of terms:
private

only accessible by the owner of the resource

non-private

accessible by those people having been granted access to the resource

public

accessible without authentication

Resource	Sensitive Operation and Description	Required role assignment
Access Control Administration	Viewing the access control configuration of a resource `R`	If `R` is under internal PORTAL protection: Security Administrator@`R` or Security Administrator@`PORTAL` (PORTAL is a virtual resource) If `R` is under external protection: Security Administrator@`R` or Security Administrator@`PORTAL` + Security Administrator@`EXTERNAL_ACCESS_CONTROL` Notes: `Portal` and `EXTERNAL_ACCESS_CONTROL` are virtual resources The Security Administrator@`EXTERNAL_ACCESS_CONTROL` role is created and managed in the External Security Manager (ESM). It must be modified using the ESM management tools. For example, use the IBM^® Tivoli^® Access Manager for e-business `pdadmin>` command line or the Computer Associates eTrust SiteMinder administrative console.
	Creating a new role of role type `RT` on resource `R`	If `R` is under PORTAL protection: Security Administrator@`R` + `RT`@`R` or Security Administrator@`PORTAL` If `R` is under external protection: Security Administrator@`R` + `RT`@`R` or Security Administrator@`PORTAL` + Security Administrator@`EXTERNAL_ACCESS_CONTROL` Notes: `Portal` and `EXTERNAL_ACCESS_CONTROL` are virtual resources The Security Administrator@`EXTERNAL_ACCESS_CONTROL` role is created and managed in the External Security Manager (ESM). It must be modified using the ESM management tools. For example, use the Tivoli Access Manager `pdadmin>` command line or the eTrust SiteMinder administrative console.
	Deleting a role created from role type `RT` on resource `R`. All corresponding role mappings are also deleted.	If `R` is under internal PORTAL protection: Security Administrator@`R` + `RT`@`R` + Delegator role on all assigned principals or `Security Administrator@PORTAL` If `R` is under external protection: Security Administrator@`R` + `RT`@`R` + Delegator role on all assigned principals or `Security Administrator@PORTAL` + Security Administrator@`EXTERNAL_ACCESS_CONTROL` Notes: `Portal` and `EXTERNAL_ACCESS_CONTROL` are virtual resources The Security Administrator@`EXTERNAL_ACCESS_CONTROL` role is created and managed in the External Security Manager (ESM). It must be modified using the ESM management tools. For example, use the Tivoli Access Manager `pdadmin>` command line or the eTrust SiteMinder administrative console.
	Creating/deleting a role assignment for user or group `U` created from Role Type `RT` on resource `R`	If `R` is under internal PORTAL protection: Security Administrator@`R` + `RT`@`R` + Delegator@`U` or `Security Administrator@PORTAL` If `R` is under external protection: Security Administrator@`R` + `RT`@`R` + Delegator@`U` or `Security Administrator@PORTAL` + Security Administrator@`EXTERNAL_ACCESS_CONTROL` Notes: `Portal` and `EXTERNAL_ACCESS_CONTROL` are virtual resources The Security Administrator@`EXTERNAL_ACCESS_CONTROL` role is created and managed in the External Security Manager (ESM). It must be modified using the ESM management tools. For example, use the Tivoli Access Manager `pdadmin>` command line or the eTrust SiteMinder administrative console.
	Creating/deleting a role block for all roles created from role type `RT` on resource `R`	If `R` is under internal PORTAL protection: Security Administrator@`R` + `RT`@`R` or `Security Administrator@PORTAL` If `R` is under external protection: Security Administrator@`R` + `RT`@`R` or `Security Administrator@PORTAL` + Security Administrator@`EXTERNAL_ACCESS_CONTROL` Note: A Security Administrator on this resource is always implicitly a Delegator on this resource. For all other role types, the Security Administrator@`R` plus the assignments listed above are required. Notes: `Portal` and `EXTERNAL_ACCESS_CONTROL` are virtual resources The Security Administrator@`EXTERNAL_ACCESS_CONTROL` role is created and managed in the External Security Manager (ESM). It must be modified using the ESM management tools. For example, use the Tivoli Access Manager `pdadmin>` command line or the eTrust SiteMinder administrative console.
	Externalize/internalize resources: Moving a resource `R` back and forth from internal to external control. All non-private child resources of `R` move with it. Private resources cannot be externalized.	Security Administrator@`R` + Security Administrator@`EXTERNAL_ACCESS_CONTROL` or `Security Administrator@Portal` + Security Administrator@`EXTERNAL_ACCESS_CONTROL` Notes: `Portal` and `EXTERNAL_ACCESS_CONTROL` are virtual resources The Security Administrator@`EXTERNAL_ACCESS_CONTROL` role is created and managed in the External Security Manager (ESM). It must be modified using the ESM management tools. For example, use the Tivoli Access Manager `pdadmin>` command line or the eTrust SiteMinder administrative console.
	Modify the owner of a resource: Setting a user or group `U1` as new owner of the non-private resource `R`, where the old owner was `U2`	Delegator@`U1`, Delegator@`U2`, Manager@`R`, and Security_Administrator@`R`
Applications	Creating an Application based on an existing Template `T` in Template Category `TC`	User@`TC`
	Creating/editing/deleting application roles of Application `A`	Application manager
	Adding/removing/reassigning members to application roles	Application membership manager + Delegator@ManagedMember
	Saving Application `A` as a Template `T` in Template Category `TC`	Application manager + Contributor@`TC` Note: Contributor@`TC` is the minimum required access right to save an Application as a Template in a Template Category, though it is not recommended. Editor@`TC` is recommended to save an Application as a Template in a Template Category and use the Portal administration utilities.
	Editing layout of Application `A`	Application manager
	Changing owner of Application `A`	Application owner + Application manager + Delegator@NewOwner + Delegator@OldOwner Note: Only the application owner or an administrator is allowed to set a new owner The new owner must be a member of the application
	Deleting an Application `A`	Application manager
Application Template Categories	Creating a Template Category `TC`	Contributor@Template Application Document Library Notes: Template Application Document Library is a single protected resource of the type Application Template Root Contributor@Template Application Document Library is the minimum required access right to create a Template Category, though it is not recommended. Editor@Template Application Document Library is recommended to create and maintain Template Categories and use the Portal administration utilities.
Application Template Categories	Viewing a Template Category `TC`	User@`TC`
Application Templates	Creating a Template from an existing Application: Serializing an existing Application `A` and creating a new Template `T` under Template Category `TC`	Application manager + Contributor@`TC` Note: Contributor@`TC` is the minimum required access right to create a Template from an existing Application, though it is not recommended. Editor@`TC` is recommended to create a Template from an existing Application and use the Portal administration utilities.
	Deploying or importing a new Template `T` in Template Category `TC`	Contributor@`TC` + Editor@Template_Deployment Notes: Template_Deployment is a virtual resource Contributor@`TC` is the minimum required access right to deploy or import a new Template in a Template Category, though it is not recommended. Editor@`TC` is recommended to deploy or import a new Template in a Template Category and use the Portal administration utilities.
	Creating a new Template `T` in Template Category `TC`	Contributor@`TC` Note: Contributor@`TC` is the minimum required access right to create a new Template in a Template Category, though it is not recommended. Editor@`TC` is recommended to create a new Template in a Template Category and use the Portal administration utilities.
	Exporting a Template `T` in Template Category `TC`	User@`T` + User@`TC`
	Editing a Template `T` in Template Category `TC`	Editor@`T` + User@`TC`
	Changing owner of Template `A`	For U1 to change owner to U2, you need: Delegator@U1 Delegator@U2 User@U2 Delegator@Template Note: Only the template owner or an administrator is allowed to set a new owner
	Deleting a Template `T` in Template Category `TC`	Manager@`T` + Editor@`TC`
Viewing a Template `T` in Template Category `TC`	User@`T` + User@`TC` Note: In most cases User@`T` will be inherited by the permission on the Template Category (`TC`) because the `TC` is the parent of the Template resource, but setting a propagation block for the `TC` could prevent a user from getting the permission User@`T`. In this case the access right for `T` would be an additional setting.
Business Rules (Personalization)	Viewing a Business Rule	User@Business Rules Workspace Set this permission on the Business Rules Workspace in the Personalization navigator by selecting the root node and then choosing Extra Action > Edit Access from the menu.
	Creating a Business Rule	Contributor@Business Rules Workspace Note: Contributor@Business Rules Workspace is the minimum required access right to create a Business Rule, though it is not recommended. Editor@Business Rules Workspace is recommended to create and maintain business rules and use the Portal administration facilities.
	Deleting a Business Rule	Manager@Business Rules Workspace
	Assigning a Business rule to a page `P`	For non-private pages: Editor@`P` and User@Business Rules Workspace For private pages: Priviliged User@`P` and User@Business Rules Workspace
	Assigning a Business rule to a portlet `PO` on page `P`	For non-private pages: Editor@`P`, User@`PO` and User@Business Rules Workspace For private pages: Privileged User@`P`, User@`PO` and User@Business Rules Workspace
	Extra Actions	When you use the Set Access button in Personalization to add a user or a group to a role on the root of the workspace, this automatically gives the same role to that user or group for all Document Manager and Web Content Management libraries, policies and templates. To prevent the propagation of the role into Document Manager, click Administration, then under Portal Content, click Document Libraries. In Document Libraries, click Set Access on Root. Click to deselect the Allow Inheritance check box next to the role that was added in Personalization, then click Apply. It is recommended that you deselect Allow Inheritance for all roles. Note: The Administrator and Security Administrator role cannot be blocked. Those two roles will always be inherited.
Content Node (pages, labels, and URLs) Note: The table column detailing sensitive operations and descriptions for this resource refers to pages only, but those operations and descriptions, when applicable, also apply to labels and URLs.	Traverse a page: Viewing the navigation of a page `P`	User@`P` or @ some child resource of `P`
	Viewing the content of a page `P`, including page decoration and potentially the portlets on that page. The portlets on a page are protected separately. See the portlets on pages row of this table for more information.	User@`P`
	Modifying page properties includes: Adding/removing a markup Adding/removing a locale Adding/removing parameters to/from a page `P`	Editor@`P`
	Changing the theme of a page `P`	Editor@`P`
	Modifying the layout of a page `P` includes: Adding/removing wires manage actions	For non-private pages: Editor@`P` For private pages: Privileged User@`P` For managing receiving actions of a portlet on a target page: Editor@`P` and Editor@`PO`
	Customizing the layout of a non-private page: Creating a private, implicitly derived copy of a non-private page `P`	Privileged User@`P`
	Adding a root page: Creating and adding a new top level page `P`	For non-private pages: `Editor@Pages` For private pages: `Privileged User@Pages` (`Pages` is a virtual resource)
	Adding a page: Creating a new page under a given Page `P`	For non-private pages: Editor@`P` For private pages: Privileged User@`P`
	Creating a derived page: Creating a new page underneath `P1` that is explicitly derived from page `P2`	New page is private: Privileged User@`P1` + Editor@`P2` New page is non-private: Editor@`P1` + Editor@`P2`
	Deleting a page `P` and all descendant pages, including further subpages and the portlets on those pages	Manager@`P`
	Moving page `P1` to a new parent page `P2`	For non-private pages: Manager@`P1` + Editor@`P2` For private pages: Manager@`P1` + Privileged User@`P2`
	Locking or unlocking the contents of a non-private page `P`	Editor@`P` + User@portlet (Page Locks) + User@page (Locks)
Credential Vault Portlet	Adding, viewing, or deleting a vault segment	Management of the Credential Vault via the Credential Vault Portlet requires access to an instance of the Credential Vault Portlet
Credential Vault Portlet	Adding, viewing, deleting, or editing a vault slot	Management of the Credential Vault via the Credential Vault Portlet requires access to an instance of the Credential Vault Portlet
Document Libraries	Creating a Document Library	Editor@Content Root Note: Contributor@Content Root is the minimum required access right to create a Document Library, although it is not recommended. Editor@Content Root is recommended to create and maintain Document Libraries and use the Portal administration facilities.
	Viewing the Document Library	User@Document Library
	Deleting the Document Library	Manager@Document Library
	Importing documents into the Document Library	Editor@parent (Document Library/Folder)
	Moving the Copy Document Library	Editor@ Content Root
	Editing the Document Library	Editor@Document Library
	Creating a New Document	Editor@parent (Folder)
	Viewing a Document	User@Document
	Deleting a Document	Manager@Document
	Importing a Document	Editor@parent (Folder)
	Moving a Document	Manager@Document and Editor@target Folder
	Editing a Document	Editor@Document
	Locking a Document	Editor@Document
	Unlocking a Document	Editor@Document and User@UserVR
	Creating a New Folder	Editor@parent (Folder)
	Viewing a Folder	User@Folder
	Deleting a Folder	Manager@Folder
	Moving a Folder	Manager@Folder and Editor@target Folder
	Editing a Folder	Editor@Folder
Enable Tracing Portlet	Adding or deleting a portal trace setting	Adding or deleting portal trace setting via the Enable Tracing Portlet requires access to an instance of the Enable Tracing Portlet
Event Handlers	Managing event handlers: Creating, modifying, and deleting event handlers	Security Administrator@Event Handlers Note: Event Handlers is a virtual resource
Manage Clients portlet	Managing clients: Viewing the portlet; deleting, modifying, and adding clients in the `Manage Clients` portlet	`User@Manage Clients`
Manage Search	Creating a new search index	`Editor@PSE_Sources` Note: `PSE_Sources` is a virtual resource
Manage Virtual Portal	Creating the New Virtual Portal	Security Administrator@Portal Note: Portal is a virtual resource
	Viewing the Virtual Portal	Security Administrator@Portal Note: Portal is a virtual resource
	Deleting the Virtual Portal	Security Administrator@Portal Note: Portal is a virtual resource
	Editing the Virtual Portal	Security Administrator@Portal Note: Portal is a virtual resource
Markups	Managing Markups: Creating, deleting, or modifying a Markup	`Editor@Markups` Note: `Markups` is a virtual resource
Policies	Creating a new Policy under a given Policy	Editor@Policy and User@Business Rules Workspace Notes: Contributor@Policy is the minimum required access right to create a new Policy under a given Policy, though it is not recommended. Editor@Policy is recommended to create and maintain policies and use the Portal administration utilities. If a rule has to be created or edited during the creation of a Policy, then Editor@Business Rules Workspace and Editor@Policy is also required. Business Rules Workspace is the root node in the Personalization navigator for Business Rules resources. Set permissions on this node by selecting the workspace node and then choosing Extra Action > Edit Access from the menu.
	Assigning a Business rule to a Policy	User@Business Rules and Editor@Policy
	Editing a Policy	Editor@Policy and User@Business Rules Note: If a rule has to be created or edited during the creation of a Policy, then Editor@Business Rules is also required.
	Viewing a Policy	User@Policy + User@Business Rules
	Importing a new Policy	Editor@Policy_Root Note: Contributor@Policy_Root is the minimum required access right to import a new Policy, though it is not recommended. Editor@Policy_Root is recommended to import and maintain policies and use the Portal administration utilities.
	Deleting a Policy	Manager@Policy + User@Business Rules Note: When deleting a policy the associated rule is not deleted.
Portal Settings	Viewing current portal settings	User@Portal Settings Note: Portal Settings is a virtual resource
Portal Settings	Modifying current portal settings	Editor@Portal Settings Note: Portal Settings is a virtual resource
Portlet Applications	Viewing the portlet application definition information for a portlet application `PA`	User@`PA`
	Modifying a portlet application includes: Adding/removing a locale Setting default locale Modifying settings to/from/of the portlet application `PA`	Editor@`PA`
	Duplicating a portlet application: Creating a new portlet application based on an existing portlet application `PA`	`Editor@Portlet Applications` + User@`PA` Note: `Portlet Applications` is a virtual resource
	Deleting a portlet application and removing all corresponding portlets and portlet entities from all pages within the portal	Manager@`PA`
	Enabling/disabling a portlet application: Temporarily enabling or disabling the portlet application `PA`	Manager@`PA`
Portlets	Viewing an installed portlet: Viewing the portlet definition information of a portlet `PO`	User@`PO`
	Modifying an installed portlet includes: Adding/removing a locale Setting default locale Modifying settings to/from/of the portlet `PO`	For adding/removing locales and setting default locale: Editor@`PO` For modifying settings: Manager@`PO`
	Duplicating an installed portlet: Creating a new installed portlet based on an existing portlet `PO` that is part of a portlet application `PA`.	`Editor@Portlet Applications` + User@`PO`+ User@`PA` Note: `Portlet Applications` is a virtual resource
	Deleting an installed portlet `PO` and removing all corresponding portlet entities from all pages within the portal	Manager@`PO`
	Enabling/disabling an installed portlet: Temporarily enabling or disabling a portlet `PO`	Manager@`PO`
	Providing portlet `PO` as a WSRP service	`Editor@WSRP Export` and Editor@`PO` Note: `WSRP Export` is a virtual resource
	Withdrawing portlet `PO` from WSRP service	`Manager@WSRP Export` and Editor@`PO` Note: `WSRP Export` is a virtual resource
	Integrating the portlet of a WSRP Producer `PR` into the portal	If no portlet application exists for the group of portlets: Editor@`Portlet Applications` and User@`PR` Note: `Portlet Applications` is a virtual resource If a `Portlet Applications` `PA` already exists for the group of portlets: Editor@`PA` and User@`PR`
	Deleting an integrated WSRP portlet `PO` contained in the portlet application `PA` from the portal	If this is the last portlet in Portlet Applications: Manager@`PA` If more than one portlet resides in Portlet Applications: Manager@`PO`
Portlets on pages	Viewing a portlet `PO` on page `P`	User@`P` + User@`PO`
	Configuring an installed portlet: Entering the configure mode of a portlet `PO` and modifying its configuration	Manager@`PO`
	Modifying a portlet on a page: Entering the edit mode of a portlet `PO` on page `P` and modifying its configuration Note: If `P` is a non-private page and the user has no Editor role for this page, then modifying the configuration of the portlet results in the creation of an implicitly derived copy of page `P`.	Editor@`P` + Editor@`PO` Or Privileged User@`P` + Privileged User@`PO`
	Modifying page content: Adding/removing a portlet `PO` to/from a page `P` Note: If `P` is a non-private page and the user has no Editor role for this page, then modifying the content of `P` results in the creation of an implicitly derived copy of page `P`.	For non-private pages: Editor@`P` + User@`PO` Or For private pages: Privileged User@`P` + User@`PO`
	Restricting the content of a page: Adding/removing a portlet from the Allowed Portlet List of a page	Editor@`P` + User@`PO`
Property Broker	Operating with ActionSets/PropertySets for a portlet `PO`	User@`PO`
	Creating/Updating/Deleting a wire from a portlet `PO1` on Page `P1` to a portlet `PO2` on Page `P2`	Global wire: Editor@`P1`, User@`PO1`, Editor@`P2`, User@`PO2` Personal wire: Privileged User@`P1`, User@`PO1`, Privileged User@`P2`, User@`PO2` Note: In order to update or delete a personal wire, the user must have the above role assignments and created the wire they are updating or deleting.
	Executing a wire from a portlet PO1 on Page P1 to a portlet PO2 on Page P2	Global wire: User`@P1`, User@`PO1`, User@`P2`, User@`PO2` Personal wire: Privileged User@`P1`, User@`PO1`, Privileged User@`P2`, User@`PO2` Note: In order to execute a personal wire, the user must have the above role assignments and created the wire they are executing
	Viewing a wire from a portlet PO1 on Page P1 to a portlet PO2 on Page P2	Global wire: User`@P1`, User@`PO1`, User@`P2`, User@`PO2` Personal wire: Privileged User@`P1`, User@`PO1`, Privileged User@`P2`, User@`PO2` Note: In order to view a personal wire, the user must have the above role assignments and created the wire they are viewing
PSE Sources	Creating a PSE Source: Creating a search collection	Editor@PSE Sources Note: PSE Sources is a virtual resource
	Viewing a PSE Source: Viewing a search collection `SC`	User@`SC`
	Facilitating a PSE Source: Using a search collection `SC`	User@`SC`
	Editing a PSE Source: Editing a search collection `SC`	Editor@`SC`
	Deleting a PSE Source: Deleting a search collection `SC`	Manager@`SC`
Themes and Skins portlet	Managing themes and skins: Viewing the portlet; deleting, modifying, and adding themes and skins in the Themes and Skins portlet	`User@Themes` and `Skins`
Unique Names portlet	Managing unique names: Viewing the portlet; deleting, modifying, and adding unique names in the Unique Names portlet	Editor@`R` + User@Unique Names
URL Mapping Contexts	Creating a new URL mapping context `UMC`	`Editor@URL Mapping Contexts` Note: URL Mapping Contexts is a virtual resource
	Traversing a URL mapping context: The ability to traverse a URL mapping context due to a role assignment to some child context of `UMC`	User@`UMC` or @ some child context of `UMC`
	Viewing the definition of a URL mapping context `UMC`	User@`UMC`
	Assigning a URL: Creating or editing a mapping between a URL mapping context `UMC` and a portal resource `R`	Editor@`UMC` + User@`R`
	Modifying a URL mapping context: Changing the properties of an existing URL mapping context `UMC`; for example editing the label	Editor@`UMC` If Virtual Portal Mapping: Editor@VP URL Mappings Note: VP URL Mappings is a virtual resource
	Deleting a URL mapping context `UMC` and all of its child contexts	Manager@`UMC`
User Groups	Creating a new User group within the user registry	`Editor@User Groups` Note: `User Groups` is a virtual resource
	Viewing the User group profile information of a user group `UG`	User@`UG`
	Modifying the profile information of a User group `UG`	Editor@`UG`
	Adding/removing an existing User `U` or a User group `UG2` to or from an existing User group `UG1`	`Security Administrator@Users` + Editor@`UG1` Note: `Users` is a virtual resource
	Deleting a user group `UG`	Manager@`UG` Note: The owner of the user group can also delete it.
Users	Creating a new user in the user registry	`Editor@User Self Enrollment` Note: `User Self Enrollment` is a virtual resource
	Viewing the user profile information of a user `U`	User@`UG` and U is a member of user group `UG` or `User@Users` Note: `Users` is a virtual resource
	Modifying the profile information of a user `U`	Editor@`UG` and U is a member of user group UG or `Editor@Users` Note: `Users` is a virtual resource
	Deleting a user from the user registry and deleting all private pages created by this user	`Manager@Users` Note: `Users` is a virtual resource
Web Clipping	Creating new clippings	`Editor@Portlet Applications` Note: `Portlet Applications` is a virtual resource
Web modules	Installing a new portlet application WAR file	`Editor@Web Modules` Note: `Web Modules` is a virtual resource
	Updating a Web module `WM` by installing a corresponding WAR file	`Editor@Web Modules` + Manager@`WM`
	Uninstalling a Web module and removing all corresponding portlet applications and portlets from all pages within the portal	Manager@`WM` + Manager @ all portlet applications contained in `WM`
WSRP Producers (on the Consumer side)	Adding a remote WSRP Producer `PR` to the Portal	`Editor@WSRP Producers` Note: `WSRP Producers` is a virtual resource
	Editing the settings of a remote Producer `PR`	Editor@`PR`
	Viewing the settings or display the list of portlets that are provided by a remote WSRP Producer `PR`	`User@PR`
	Delete a remote WSRP Producer from the portal	`Manager@PR`
XML Access	Running commands using the XML configuration interface	Security Administrator@`Portal` + Editor@`XML Access` Note: `Portal` and `XML Access` are virtual resources

Role Mappings and WSRP services

On the WSRP producer side, the enforcement of the access control decision for provided portlets can be enabled or suppressed by setting the configuration property wsrp.security.enabled, in Configuration Service. If this property value is set to true, as described in Setting configuration properties, then all access control decisions in the producing portal are based on the authenticated principal. If wsrp.security.enabled is set to false, then the producing portal does not enforce any access control on incoming client portal WSRP requests.

When using identity propagation, the user authenticated on the client portal needs to have the required role assignments. If no identity propagation is configured, but SSL client certificate authentication is enabled, then the ID of the certificate needs to have the required role assignments. If none of the previously mentioned authentication methods is used, then the request is treated as if coming from the Anonymous Portal Users. In the latter case, the required roles need to be assigned to the Anonymous Portal User, which implies allowing unauthenticated access to the corresponding resources for all users who can access the producer portal.