
Setting Up Portal Roles in SAP Enterprise Portal 6.0
Julia Levedag, Vera Gutbrod
RIG and Product Management
SAP AG

Learning Objectives

As a result of this workshop, you will be able to:
Understand the Concept of Portal Roles
Administer Roles and other Portal Content
Define Portal Navigation
Learn about the Context of Roles and Permissions
Understand the Concept of Delegated Administration

SAP AG 2003, TechED_Basel / Session PRTL-255, Levedag/Gutbrod / 02.10.03

Agenda

Introduction of Role Concept


Roles and Content Objects
Role Maintenance
Navigation and User Assignment
Permissions vs. Authorizations
Permissions and Delegated Administration

Role Concept: Why Create Roles?


Only by creating roles are you able to assign different pieces of content
to different groups of users.

[Diagram: Role 1 and Role 2; Group 1, Group 2 and User 1; Content 1 to Content 5]

Role Management: Examples

Project Leader
Market Analyst
Customer Credit Manager

One enterprise portal to cover different user roles

What are Portal Roles?


A role is a container for applications and
information that can be assigned to a
particular group of users.
The content of a role enables users to perform
the tasks in their respective job description.
The content of a role is based on the company
structure and on the information needs of the
portal users in the company.
The portal navigation structure is defined by
the sum of the roles assigned to the user.

Technically, a role is a hierarchy of folders containing other portal content objects.
Roles can be assigned to users or groups of users, i.e. the portal role connects users (or groups of users) to the portal content.

[Diagram: Role A, with role assignment to User Group 1 and User Group 2]

What are Worksets?


A role usually consists of one or more
worksets that bundle applications and
information.
A workset is a collection of applications
and information that belong together from
a semantic point of view because they are
part of the same activity area (e.g.
controlling or budgeting) of a user.
Whereas a role is based on global
company structures, a workset is based on
user-specific tasks or activities (for
example, My Budget or My Staff are
worksets in the Manager role).
Worksets are building blocks for roles:
One workset can be used within several
roles, and one role can consist of several
worksets.
Technically, a workset is a hierarchy of
folders that contains other portal content
objects.
Worksets cannot be assigned to users
(only roles can be assigned to users).

[Diagram: Workset A, with workset assignment to Role 1 and Role 2]

Relationship Between Roles and Worksets: Example

Role: Sales Manager

Worksets and their activities:
Budget: Monitoring, Planning, Approving
Team Lead: Activity assignment, Hiring, Communication
Forecasting
Key Account Manager: Sell products, Improve relationships, Send product information, Track order fulfillment, Negotiate
Promotion Manager: Create promotions, Run promotions, Track status, Analyze impact
Market Watch: Monitor/analyze key figures, Watch competitors, Create sales/promotion strategies, Explore market

Roles, Users and Content

[Diagram: assignment of User 1 and User 2 to roles (Role A to Role E)]

Portal Roles and SAP Roles


SAP Roles
Depend on SAP component (FI, BC etc.); content of a SAP role always refers to a certain SAP system
Based on user tasks in a SAP system; relevant for creation of the role-based SAP Easy Access Menu
Classification of users according to task and authorization
Carrier of authorization profile information
Concept of single and composite roles

Portal Roles
Independent of application; contain all kinds of information (heterogeneous content): SAP and non-SAP applications, documents, Internet and Intranet information
Based on the structure of the company and the information needed by the users
Classification of users according to information needs, competence and responsibility
Carrier of the navigation information for the portal user
Concept of roles and worksets

Summary

Portal roles define
the content and tasks that a user can access in the portal
how the user can access the content (= navigation options in the portal)

Note: Portal roles have no effect on authorizations in the backend system.


Portal Content Directory (PCD)


The Portal Content Directory (PCD) is the central persistence store for all portal
objects. This includes, for example, storage of the metadata for the content
objects (roles, worksets, etc.) and the relationship between the objects.

Portal Content (Portal Content Directory): Roles, Worksets, Pages, iViews

iViews and Pages on the Portal Desktop

A portal page is a container for different iViews.

Roles

Role
Roles are the largest
semantic units within
content objects.
They include folder
hierarchies consisting
of folders, worksets,
pages and iViews.
The role structure also
defines the navigation
structure of the portal.
Roles are assigned to
users.

[Diagram: a role containing a folder, a workset, pages and iViews]


Portal Catalog and Portal Content Studio


All content objects (like roles, worksets, iViews, and pages) are available
in the Portal Catalog and are maintained in the Portal Content Studio:

The Portal Catalog provides a central access point to all portal content objects stored in the PCD. It permits you to store, manage and organize content in a structured hierarchy.

The Portal Content Studio provides a central environment for developing and managing portal content, including iViews, pages, layouts, worksets, roles and transport packages.

Creating Roles (1)


In the content administration role, choose Content Administration -> Portal Content.

You create roles by clicking the right mouse button. The wizard for creating new roles is started.

Creating Roles (2): Role Wizard

Enter general properties for the new role.
Enter the folder for storing the new role in the Portal Catalog.
Check all properties. The new role is created and is now visible in the Role Editor.

Creating Roles (3): Role Editor

Create the role hierarchy and add content objects (roles, worksets, pages, iViews) to the role as delta link.
Change the properties in the Property Editor (optional).
You create worksets in the same way as roles.
For worksets, use the Workset Editor.

Roles and Worksets as Containers of Other Objects


Roles and worksets are created by:
Building structural hierarchies
Adding content objects to these hierarchies
Objects that can be added to a role: roles, worksets, iViews, pages
Objects that can be added to a workset: worksets, iViews, pages

Objects are added to roles and worksets as delta links.

[Diagram: Role 1, Workset 1, Page 1 and iView 1 are each added to Role A as a delta link]

Delta Links
All content objects can be related to each other using delta links.
A delta link is a relationship between two objects (source and target
object) of the Portal Content Directory. The source object is the
object that passes its property values to a target object that is
derived from the source object (=principle of inheritance of
properties).
Delta links allow you to change the target objects, that means
additions, deletions and changes to property values and structure
hierarchies. Thus delta links are valid for structural hierarchies (for
example in roles and worksets) and properties values (for example in
iViews and pages).
Changes made to the source object are copied to the target object
and are visible there. Changes made to the target object have no
effect on the source object. Source objects are protected against
modifications.
[Diagram: Workset 1 (source object: structure, properties) is connected by a delta link to Workset 2 (target object: structure, properties)]
Creation of Portal Roles: Summary

1. Log on as super administrator or content administrator.
2. Open Portal Catalog.
3. Create new role.
4. Specify storage of role.
5. Add objects to role.
6. Define entry points.
7. Save.

[Side labels: Portal Catalog, Role Wizard, Role Editor]


Roles and Worksets Define the Navigational Structure of SAP Enterprise Portal

[Screenshot labels: Top-Level Navigation, Detailed Navigation]

Portal content (pages and iViews) can be navigated by clicking entries in the top-level navigation and/or detailed navigation.
The navigation entries are derived from the structures of roles and worksets. The administrator defines which nodes of a role or workset should be visible as navigation entries for the user of the portal.

Top-Level Navigation and Entry Points

Entry points: these are the nodes in a role or workset structure that are defined as tabs (entry points) for top-level navigation.

Defining Entry Points

In the Role Editor: Click on a role node in the role structure and define it as the entry point.
Entry points are highlighted in the role structure.

Detailed Navigation

First level (= entry point)
Second level of top-level navigation
Third level (inside detailed navigation)

Everything in the role structure that is on the third level and lower appears in the detailed navigation.

Role Assignment to Users/User Groups


In the user administration role, choose User Administration -> Role Assignment.
1. Select the users and groups to which you want to assign a role. Search for the roles and add them to the selected user or group.
2. Select the roles to which you want to assign a user or group. Search for the users and groups and add them to the selected roles.


Portal Permissions
Portal permissions define the access rights of portal users to portal
objects. Permissions in the portal are based on access control list
(ACL) methodology.
By defining permissions, you enable the delegation of administrative
tasks and content in the portal environment.
Objects in the Portal Content Directory (PCD) have two sets of
permissions: administrator and end user. This distinction is
necessary to control what an administrator sees in the portal
administration environment (at design time) and what is seen in the
end user environment (at runtime).

Note: Permissions in SAP Enterprise Portal are not authorizations in the backend system.

Portal Roles vs. Authorizations

[Diagram: role definition in the Enterprise Portal; authorizations in SAP systems, enterprise apps, CM systems and others]

No maintenance of authorizations for SAP systems in SAP Enterprise Portal.
Authorizations are still maintained in the SAP system.

Portal Roles and Authorizations in SAP Systems


Portal Roles (portal role in SAP Enterprise Portal)
Contain transactions from different SAP systems

Authorization Roles (authorization role in the SAP system)
Authorization roles are created in the SAP systems and assigned to users.
Authorizations are still maintained with Transaction PFCG

[Diagram: portal roles and authorization roles connected by Export / Distribution]


Roles & Permissions


A typical use case to understand the context of roles and
permissions is to understand the principles of delegated
administration.
Roles will provide the assigned users with content.
Permissions in the portal context will provide access to content
objects stored in the Portal Content Directory:
Administrators:
With ACLs, access to any object in the Portal Catalog is defined for administrators.
End Users:
With ACLs, access for end users is defined: whether content structures within the Portal Catalog are visible, and whether iViews can be executed by end users or not.

Delegated Administration
Delegated Administration needs to be realised to distribute administration tasks within a complex organisation.
That means you have to distribute and control...
Administration and Maintenance of content like portal roles
Administration and Maintenance of system configuration like UM configuration, monitoring configuration, service configuration, etc.
Administration and Maintenance of user information (e.g. Users, Groups, User-Role Assignment, ...)

Delegated Administration is realised by different portal tools like
Predefined customizable administration roles
ACLs on folder hierarchies in the portal content catalog
User Admin permissions on the User Administration role

Delegated Administration: Business Scenario


Delegation of tasks
I. Create a system ABC (System Administrator)
II. Create iView for system ABC (Content Administrator)
III. Assign iView to page/role (Content Administrator)
IV. Assign role to users (User Administrator)

[Diagram: Roles; System ABC, iView ABCiview, page/role assignment, user-role assignment]

Definition of ACLs for the different administration views of portal content catalog necessary!

Concepts Delegated Administration


Delegated Administration

Who is administrator? Create organisational tree for administrators
How to put PCD objects in the right order? Define folder structure for Portal Catalog
How to define access to PCD objects? Define permissions on folders and objects
How to establish an administration process among different administrators?

Preconfigured Administration Roles


Role: Super Administrator
Function:
Assigned to initial SAP* User
Full Control access on whole Portal Content Catalog Tree
Access on all admin tools of Content Administrator Role, of System Administrator Role, of User Administration Role

Role: Content Administrator
Function:
Access on all Content Administration tools for creation of roles, worksets, pages, iViews, layouts
Access on all editors to maintain content, e.g. Permission Editor, Property Editor
Access on all parts of tree hierarchy of Portal Content Catalog if the right ACLs have been defined

Role: System Administrator
Function:
Access on all tools for system administration such as system configuration, transports, permissions, monitoring, support, portal display
Access on all parts of tree hierarchy of Portal Content Catalogs if the right ACLs have been defined

Role: User Administrator
Function:
Access on all tools for user administration to create and maintain users, administrate the role-user assignment, user mapping administration, user replication, group administration, etc.

Admin Roles and Portal Catalog Objects


Content administrators are responsible for content objects in the Portal Catalog.
ACLs define the access and allowed action for content objects like folders, roles, worksets, pages, iViews and templates.

System administrators are responsible for system administration tasks and objects.
ACLs define the access and allowed actions for objects like transport packages or systems.

User administrators are responsible for users related tasks.
Role-User Assignment can be controlled by permissions set for user management role.

[Diagram: Super admin; Content admin 1 to 3 and System admin 1 to 3, each marked "+ ACL"; User admin 1 to 3, each marked "Set Action"]

Designtime Permission (Administration)


Permissions in the Portal Catalog, by column (Create/Delete Objects; Edit Objects):

NONE
Create/Delete Objects: Folder & objects not visible
Edit Objects: Folder & objects not visible

READ
Create/Delete Objects: Create from Templates with READ permission
Edit Objects: Folder & objects visible; Copy objects; No Edit

READ/WRITE
Create/Delete Objects: No delete! Create from Templates with READ permission
Edit Objects: Folder & objects visible; Edit object properties; Edit assigned delta links

FULL CONTROL
Create/Delete Objects: Delete objects; Create from Templates with READ permission
Edit Objects: Folder & objects visible; Edit object properties; Edit assigned delta links

OWNER
Create/Delete Objects: Delete objects; Create from Templates with READ permission
Edit Objects: Folder & objects visible; Edit object properties; Edit assigned delta links; Edit permissions

ACL Check on Folder Level and on Object Level (Worksets, Pages, Systems)

Administrator Permissions
Check during creation process for objects
Check when accessing objects

Runtime Permissions (End User)


[Table: USE permission, with columns Navigation and Personalize Page]

ACL Check on Folder Level and on Object Level (Worksets, Pages, Systems)

End User Permissions
Check for Navigation
Check for in Personalize Page Component
Check if calling component via URL

Navigation
Navigation iViews (TLN, detailed navigation, Drag&Relate targets, related links) only display roles and objects that have end-user permission.
For display of objects in navigation the ACL is checked on the object level.
Direct URL access to a component: Users may access portal components through URL without an intermediate iView if they are granted USE permission in the appropriate security zone.
Direct access to an iView: USE permission is required

Personalization
User Interfaces in the end user environment that display the portal content catalog (such as personalize page) only display objects that have end user permission.

Example: Delegated Content Administration *


Portal Content
Editing
A all = READ
B all = READ

Edit_1
User A = FULL CONTROL
User B = READ

Editor_A => includes all objects of area edit_1 such as iViews, pages, worksets and roles
iViews
Pages
Worksets

User A = FULL CONTROL
User B = None
User C = WRITE

Roles
Editor_B => includes all objects of area edit_1
Public
Templates
News

User A = FULL CONTROL
User B = Read

Knowledge
Portal
Personalization
Administrator Resources

* View of a Portal Administrator on the Portal Catalog!

Example: Delegated System Administration


System Administrators have access to different views of the
Portal Catalog.
The role system administrator comprises several tools to
access objects like
Transport Packages stored in the Portal Catalog
Permissions to be maintained through the Portal Catalog
System Landscape Objects - to be defined in the Portal Catalog.
Access to several portal objects is limited to the role system
administrator.
Access to certain folders and objects for users with role system
administrator will be defined via ACL.


Delegated System Administration Transport


When creating transport packages to export content, READ/WRITE access is required on a particular folder.

Delegated System Administration Export


When defining content to be included into a transport package, ACLs are checked as follows:
Objects can only be included if, as a minimum, READ permission for the object is given.
During export, depending objects are only included if the request user has READ permission for them.

Delegated System Administration Import

A user assigned to the system administrator role can import any packages stored in the import directory.
The import into the Portal Content Directory can only be done if the request user has READ/WRITE permission to any folder in which the transported object needs to be stored.

Delegated System Administration Create Systems


For creating a new system the request user needs to have the following ACLs:
READ/WRITE for the folder in which the system object will be created
READ for the system template on which the object is based

Delegated System Administration Create Systems


When creating a system object based on a template, at least READ permission is required for the request user.
The permission needs to be defined for the template object.
A system administrator may only create systems but cannot define an iView pointing to that system. To do so the content administrator role is needed.

Delegated Administration Systems & iViews


To create an iView based on that system it is necessary to be assigned to the content administration role.
The content administrator therefore needs READ permission for the system to create a working iView based on the system object.
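
The design-time checks from the preceding slides (permission levels, creating a system from a template, export and import of transport packages) are modeled below as an added Python example; it is not part of the original slides and not a portal API. Paths, user names, function names and the one-level dependency map are constructed, and it assumes each folder or object carries its own ACL entry (no inheritance is modeled).

```python
"""Added illustration of the design-time ACL checks described on the slides.
Paths, users and function names are constructed; this is not a portal API."""
from enum import IntEnum


class Perm(IntEnum):
    NONE = 0
    READ = 1
    READ_WRITE = 2
    FULL_CONTROL = 3
    OWNER = 4


# Actions unlocked at each level, following the design-time permission table.
ACTIONS = {
    Perm.NONE: set(),
    Perm.READ: {"view", "copy", "use_as_template"},
    Perm.READ_WRITE: {"create_in_folder", "edit_properties", "edit_delta_links"},
    Perm.FULL_CONTROL: {"delete"},
    Perm.OWNER: {"edit_permissions"},
}

# Constructed sample ACLs: PCD path -> {user: permission}.
ACLS = {
    "systems/abc_folder": {"sysadmin1": Perm.READ_WRITE, "sysadmin2": Perm.READ},
    "templates/r3_system": {"sysadmin1": Perm.READ, "sysadmin2": Perm.READ},
    "content/roles/sales": {"sysadmin1": Perm.READ},
    "content/worksets/budget": {"sysadmin1": Perm.READ},
    "content/iviews/credit": {},            # no entry for sysadmin1 -> NONE
    "content/import_target": {"sysadmin1": Perm.READ},
}

# Constructed dependency map (one level only): object -> objects it depends on.
DEPENDS = {"content/roles/sales": ["content/worksets/budget", "content/iviews/credit"]}


def perm(user, path):
    return ACLS.get(path, {}).get(user, Perm.NONE)


def allowed_actions(level):
    """Cumulative action set for a permission level."""
    out = set()
    for lvl in Perm:
        if lvl <= level:
            out |= ACTIONS[lvl]
    return out


def can_create_system(user, folder, template):
    """READ/WRITE on the target folder and READ on the system template."""
    return perm(user, folder) >= Perm.READ_WRITE and perm(user, template) >= Perm.READ


def plan_export(user, selected):
    """Return (included, skipped) for a transport package built by `user`.
    Objects and dependents without READ are left out of the package."""
    included, skipped = [], []
    for obj in selected:
        if perm(user, obj) < Perm.READ:
            skipped.append(obj)
            continue
        included.append(obj)
        for dep in DEPENDS.get(obj, []):
            (included if perm(user, dep) >= Perm.READ else skipped).append(dep)
    return included, skipped


def can_import(user, target_folders):
    """READ/WRITE is needed on the target folders (read here as: every one).
    Returns (ok, folders_missing_permission)."""
    missing = [f for f in target_folders if perm(user, f) < Perm.READ_WRITE]
    return (not missing), missing


if __name__ == "__main__":
    print(can_create_system("sysadmin1", "systems/abc_folder", "templates/r3_system"))
    print(plan_export("sysadmin1", ["content/roles/sales"]))
    print(can_import("sysadmin1", ["systems/abc_folder", "content/import_target"]))
```

The skipped list from plan_export is the practical point: a transport built by an administrator who lacks READ on a dependent object is incomplete, so it should be checked before the package is imported elsewhere.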


Example: Delegated User Administration


Delegated user administration allows you to distribute user
administration between several administrators so that each
administrator is responsible for a particular set of users.
For Delegated User Administration you have to distinguish
between
Overall User Administrators can add, modify and delete users of all
companies. They can create and administer delegated user
administrators and assign them appropriate roles and permissions.
In addition the following tasks can only be performed by an overall
user
Group Management
Role Management
User Mapping
Import and Export of user data
Replication of user data

Delegated User Administrators can add, modify and delete users that
belong to the same company as the delegated user administrator.


Delegated User Administration Company Concept


Delegated User Administration based on company concept:
A company is a set of users
User administration can be done per company, by a company
administrator for all the users within that company


Permissions assigned to User Administration Role

Full user administration
Contains permissions by an overall user admin:
Administration of users belonging to any company and possibility of assigning users to companies
Group management
Role assignment
User mapping
Import and export of user data
Manual replication of user data

Delegated User Administration
Contains permission required by a delegated user administrator:
Administration of users belonging to the same company as the administrator
Role assignment: Permissions to assign roles to users belonging to the same company as the administrator. No permissions to assign roles to groups.

Full ACL Administration
Any role to which this action is assigned has Owner permissions on all objects in the Portal Content Catalog.
It is not possible to remove this permission in the permission editor. This action is designed for super administrators that are not responsible for overall user administration.

Full User Administration, Full ACL Administration
A combination of the permissions of Full User Administration and Full ACL Administration.
By default, this action is assigned to the Super Administration role only.

Configuration of Delegated User Administration using Companies

1. Define the required companies
2. Create a role for delegated user administrators
3. Enable Check ACL for Role Assignment Component
4. Assign appropriate properties to delegated user administration role
5. Define one or more delegated user administrators for each company
6. Assign users to companies using options like
   Overall user administrator uses administration console
   User is registered via approval workflow
   Overall user administrator uses user import function and uses the Org_ID attribute to assign a company to users

If the company concept is enabled, the list of users for role assignment is limited

Create Delegated User Administrator Role


Create a different User Administrators UserAdmin_1
Add the original user administrator role per delta link to a new role
Assign the role user_admin

Enable Check ACLs for Role Assignment

For iView com.sap.portal.roleAssignment enable property CheckACL = true

Define Permission for delegated user admin role


The role for the Delegated User Administrators needs to be edited:
Change property User Admin Permission to Delegated Administration.
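
The company-scoped rules that this configuration produces can be expressed as a check and run over a record of administrative actions. The Python below is an added example, not part of the original slides and not a portal API; the Admin and Principal classes, task names, companies and events are constructed, and the two permission labels are taken from the slides.

```python
"""Added illustration of the company-scoped rules for delegated user admins.
Class names, task names and sample data are constructed, not a portal API."""
from dataclasses import dataclass
from typing import Optional

# Labels as used on the slides for the User Admin Permission property.
FULL = "Full user administration"
DELEGATED = "Delegated User Administration"

# Tasks the slides reserve for the overall user administrator.
OVERALL_ONLY = {"group_management", "user_mapping", "import_export", "replication"}


@dataclass(frozen=True)
class Principal:
    name: str
    company: Optional[str] = None
    is_group: bool = False


@dataclass(frozen=True)
class Admin:
    name: str
    company: Optional[str]
    permission: str


def may_perform(admin, task, target=None):
    """True if the admin's permission covers `task` on `target`."""
    if admin.permission == FULL:
        return True
    if admin.permission != DELEGATED or task in OVERALL_ONLY:
        return False
    if task in ("administer_user", "assign_role"):
        # Delegated admins: users of their own company only, never groups.
        return (target is not None and not target.is_group
                and target.company is not None
                and target.company == admin.company)
    return False


def visible_users(admin, users):
    """Users offered for role assignment when the company concept is enabled."""
    return [u.name for u in users
            if not u.is_group and may_perform(admin, "assign_role", u)]


def audit(events, admins):
    """Return (admin, task, target) for every recorded action out of scope."""
    return [(e["by"], e["task"], e["target"].name) for e in events
            if not may_perform(admins[e["by"]], e["task"], e["target"])]


# Constructed sample data.
ALICE = Principal("alice", "ACME")
BOB = Principal("bob", "GLOBEX")
SALES = Principal("sales_group", "ACME", is_group=True)
ADMINS = {
    "overall": Admin("overall", None, FULL),
    "acme_admin": Admin("acme_admin", "ACME", DELEGATED),
}
EVENTS = [
    {"by": "acme_admin", "task": "assign_role", "target": ALICE},
    {"by": "acme_admin", "task": "assign_role", "target": BOB},     # other company
    {"by": "acme_admin", "task": "assign_role", "target": SALES},   # group
    {"by": "acme_admin", "task": "user_mapping", "target": ALICE},  # overall-only
    {"by": "overall", "task": "assign_role", "target": SALES},
]

if __name__ == "__main__":
    print(visible_users(ADMINS["acme_admin"], [ALICE, BOB, SALES]))
    for finding in audit(EVENTS, ADMINS):
        print("out of scope:", finding)
```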


Summary
Roles define what content can be seen by the end user/administrator.
Roles are a standard portal feature for structuring content for user groups and/or single users.

Roles define how content is represented at the user's desktop.
Roles and navigation structures are closely interrelated.

Roles can be used as containers for portal content.
Portal content is provided by content objects such as worksets, pages and iViews. It becomes available to users by assignment to roles.

Roles connect the portal user with the content.
Roles can be assigned to users or user groups.

Roles and portal content need to be combined with permissions.
Access Control Lists (ACLs) define what content can be seen by which administrator.
ACLs define what content the end user can execute.

Portal roles do not contain authorizations for SAP systems.
Authorizations for SAP systems are maintained in the SAP system.

Copyright 2003 SAP AG. All Rights Reserved


No part of this publication may be reproduced or transmitted in any form or for any purpose without the express
permission of SAP AG. The information contained herein may be changed without prior notice.