Setting up and Securing the Publisher Folder Structure

One of the primary tasks of users in the Administrator role in Publisher is to set up and secure the folder structure of Publisher. Administrators can delegate ownership and maintenance of the content organizational structure, but only users in the Administrator role can set up and secure the top level of folders.

Defining a folder structure.
Securing access to the folders.
Configuring publishing targets and preview sites (where content items are published by Publisher and accessed by the portal)
Attaching workflow to top-level folders.

For a discussion of how to set up and attach workflow to Publisher folders, see Using Workflow.

Defining Your Folder Structure and Managing Folders

This section provides an overview of the Publisher folder structure. It also discusses how to create new folders.

Publisher Folder Structure

Users with the Administrator role are responsible for creating the top-level Publisher folders. The folder structure, along with the security attached to each folder, determines the extent to which content management responsibility is concentrated in a small group of administrators or distributed to a number of content managers.

You can set up your Publisher folder structure in any way that suits your organizational needs. You should, however, consider the following:

Every Publisher folder has security assigned to it or inherits the security of the next folder up in the hierarchy. This means that the Publisher folder structure represents a picture of how your organization administers and delegates the work of managing content. It makes sense, then, to organize your Publisher folders according to a security hierarchy.

For more information on security settings, see Setting Up Security.

Your Publisher folder structure should be closely related to your portal administration folder structure to the extent that content and community management responsibilities are shared by the same set of users and groups. This is especially true for portal administration folders that include portlets and portlet templates created in Publisher, since, when you create portlets and portlet templates in Publisher, you also create objects in the portal’s administrative hierarchy that are associated with the Publisher objects. You usually want users with access to the portlets and portlet templates in portal administration to have appropriate access to the associated Publisher objects.

For more information on mapping portal and Publisher security, see Mapping Portal Security to Publisher Security.

By default, the folder structure on the web server where you publish content items (the publishing target) follows the Publisher folder structure. That is, every time you publish a content item, Publisher places it in a folder structure on the target web server that, by default, exactly matches the folder structure in Publisher. Users in the Administrator and Folder Administrator roles can override this default mirroring of the Publisher and web server folder structures, but the closer your Publisher folder structure is to the web server folder structure you want, the less often you will have to specify the publishing targets for folders and content items. Therefore, you should consider your web server folder structure when you organize your Publisher folders.

For more information on publishing targets and how to override the default web server folder structure, see Configuring Publishing Targets and Preview Sites.

Publisher objects that work together as a single application—such as a group of portlets that function as an employee services or customer support application—should be grouped into the same folder or folders, when possible. This makes it easier to maintain them and to apply consistent security.

A high-level example of a folder structure based on departmental and administrative responsibilities would be the following:

COMMUNITIES

Engineering
Marketing
Support Center

IMAGES

Branding
Icons
Technical Publications

PORTAL ADMINISTRATION

Home Page

PORTLET TEMPLATES

Articles
Banners
Community

TESTING

New portlet templates
New portlets

In this example, the content administrator has organized the high-level folder structure according to security access and a function-based taxonomy.

The following table lists the security that the administrator in this example has provided for the contents of each top-level folder:

Table 4-1 Example of Security Assignments for Publisher Top-Level Folders
Folder	Groups with Access and their Roles	Comments
Communities	Portal Management Team: Folder Administrator Community Managers: Editor	Each community folder contains portlets for that community. For each community folder (such as Engineering and Marketing), the appropriate community manager has a Folder Administrator role.
Portal Administration	Portal Management Team: Folder Administrator	Contains portlets to be displayed on the portal home page, such as corporate announcement or holiday schedule.
Portlet Templates	Portal Management Team: Folder Administrator or Producer (depending on administrative versus web development roles) Community Managers: Editor	The portlet templates are organized into folders representing portlet template types. Since portlet templates are most likely to be created by web developers on the portal management team, they have greater access to the top-level folder than do community managers, who are the primary users of portlet templates.
Images	Portal Management Team: Folder Administrator Marketing Team: Producer Developer Team: Editor	Keeping images in a single folder with the Image Service as publishing target enables non-gatewayed access to images. Giving the marketing team Producer access enables them to control consistent imaging across portlets.
Testing	Portal Management Team: Folder Administrator Developer Team: Folder Administrator	A top-level testing folder is useful as sandbox for testing portlet applications before rolling them out.

For detailed descriptions of the access provided by each Publisher role, see Publisher Roles.

Creating New Folders

You can create folders using Publisher Explorer or by creating a published content portlet using the Configure Portlet Wizard.

Publisher Explorer

Navigate to the folder in which you want to create the new folder.

To create new top-level folders, navigate to the root folder.

Click New | Folder in the menu bar or right-click in the table pane and choose New | Folder.
Enter a name for the folder and click OK.

Note:

If you use the Map a Web Folder feature to view the Publisher folder structure using Windows Explorer, you should avoid using folder names that include the following characters: \ / : * ? " < >. Windows Explorer does not allow file or folder names that include these characters, and any such folders will not appear in the Publisher folder structure when viewed with Windows Explorer.

Published Content Portlet Folders

When you create published content portlets using the Configure Portlet Wizard, Publisher creates the corresponding portlet folder automatically in the folder specified as the save-to location.

You can also use Publisher Explorer to create portlet folders, just as you do with any lower-level folder.

Portlet folders have some particular requirements and functions that differentiate them from other folders in the Publisher folder structure.

Setting Up Security

Assign the Administer Publisher and Configure Workflow activity rights.
Assign users and roles to Publisher folders.
Map portal security to Publisher folder security.

Publisher Security Overview

Security in Publisher is role-based and is set at the folder level. Each Publisher role has a defined level of access to Publisher functions. For each folder you create in Publisher, you can specify which AquaLogic Interaction users and groups are assigned to which Publisher roles, or you can choose to have the folder inherit its security from the next folder up in the hierarchy. Administrators can assign security to all Publisher folders, including top-level folders. Folder Administrators can assign security to lower-level folders.

For example, let us say you, as Administrator, have created a Marketing folder for all marketing community portlets and content. You want the Marketing community manager to have the ability to edit, delete, rename, reassign security, override workflow, and publish the portlets in the folder, so you assign the community manager the Folder Administrator role, which gives him access to these functions for the folder. You want the web master to be able to modify the Presentation Templates and Data Entry Templates for the Marketing community portlets, so you assign her the Producer role, which gives her access to those functions, but without the ability to change security settings, delete, or rename the folder. And you want certain community members to be able to view version history and publishing information for the portlets in the folder, so you give them the Contributor role. By default, the Administrator role always has full access to all Publisher folders and functions.

Publisher Roles

Access to content and features in Publisher is controlled through the following roles:

Reader: enables you to view content and—if you have been assigned an item in workflow—approve or reject the item, or transfer your workflow assignment to another user.
Submitter: enables you to create, preview, edit and submit articles to workflow, as well as approve or reject an item you have been assigned in workflow.
Contributor: provides the same permissions as Submitter, but also allows you to view content item notes, workflow, version history, publishing information, and publishing schedule.
Editor: provides the same permissions as Contributor, but also allows you to publish items to the web server and to the portal Knowledge Directory.
Producer: provides the same permissions as Editor, but also allows you to create and edit folders, Data Entry Templates, selection lists, and Presentation Templates; preview and publish content items both individually and by folder; edit content items assigned to others; and configure folders to publish and preview.
Folder Administrator: provides the same permissions as Producer, but also allows you to undo other users' check-outs, manage published content portlets, attach workflow to folders, and set Publisher security on folders. In short, Folder Administrators can perform all Publisher functions on the folders for which they have the role.
Administrator: provides access to every folder and every feature in Publisher, including top-level folders. Administrators do not automatically have access to Workflow administration, however. That access is granted by the Configure Workflow activity right. The Administrator role is granted automatically to users in the portal Administrators group and can also be assigned to other users through the Administer Publisher activity right.

The following table provides a detailed list of Publisher functions and the roles that have access to them.

Table 4-2 Publisher Functions and Roles
Key: R = Reader; S = Submitter; C = Contributor; E = Editor; P = Producer; FA = Folder Administrator; A = Administrator.
Function	Roles with Access
Create top-level folders	A
Copy, rename, move, and delete top-level folders	A, FA
Security: assign users, groups, and roles to folders	A, FA
Detach portlet from folder	A, FA
Attach workflow to a folder in Publisher Explorer	A, FA
Override workflow	A, FA
Undo checkout (by other user)	A, FA
Create, delete, copy, move, and rename lower-level folders (move requires permission on both the move from and move to folders)	A, FA, P
Create new Data Entry Templates, Presentation Templates, and selection lists	A, FA, P
Edit content items assigned to another user in workflow	A, FA, P
Set publishing targets	A, FA, P
Publish to directory	A, FA, P, E
Publish content item or folder	A, FA, P, E
View and edit publishing information in Content Item Editor	A, FA, P, E
Schedule publishing and expiration	A, FA, P, E
View and restore versions in Content Item Editor	A, FA, P, E, C
Create, edit, copy, delete, and rename content items	A, FA, P, E, C, S
Preview content items	A, FA, P, E, C, S
Check content items in and out	A, FA, P, E, C, S
Use WebEdit when creating and editing content items	A, FA, P, E, C, S
Access WebDAV and set up a Web folder for Publisher	A, FA, P, E, C, S
Set user Quicklinks and preferences in Publisher Explorer	A, FA, P, E, C, S
Use the Copy to function in Publisher Explorer (security applies to the folder copied to)	A, FA, P, E, C, S
Use the Move to function in Publisher Explorer (security applies to the folder moved to)	A, FA, P, E, C, S
Create a new folder in a Community Directory portlet	A, FA, P, E, C, S
Browse, search, and view published content portlets	A, FA, P, E, C, S, R
Browse, search, and view intrinsic Publisher portlets	A, FA, P, E, C, S, R
Be assigned to workflow activities	A, FA, P, E, C, S, R
Approve or reject a work item	A, FA, P, E, C, S, R

Publisher and Workflow Activity Rights

Users are given the Administrator role by being granted the Administer Publisher activity right. An activity right is a security function that assigns access to a set of administrative activities. By giving access to the Administrator role, the Administer Publisher activity right provides complete access to all Publisher functions except workflow administration.

The Configure Workflow activity right is required to give access to all Workflow Administration features, and we recommend that it be granted to all users in the Administrator role.

Users in the Administrators group in portal security have the Administer Publisher and Configure Workflow activity rights by default, and users in this group can delegate their authority by assigning it to any other portal group. Most organizations assign the Administer Publisher and Configure Workflow rights to their information technology manager, portal manager, or web master.

Assigning the Administer Publisher and Configure Workflow Activity Rights

For information on assigning activity rights in the portal, see the Administrator Guide for AquaLogic Interaction.

Assigning Users and Roles to Publisher Folders

Once a user has been assigned the Administrator role through the Administer Publisher activity right (which is granted by default through membership in the portal Administrators group), that user can set up security for the top-level Publisher folders. Once an Administrator has set up security for the top-level folders, users in the Folder Administrator role can assign security for any folders for which they have that role, including top-level folders. By default, security settings cascade down from folders higher in the hierarchy to all lower-level folders, unless an Administrator or Folder Administrator overrides the security inheritance for the lower-level folder.

Before you can assign Publisher security, the users and groups must already be defined in portal administration.

Access the Content Security page. You can access this page the following ways:

From Publisher Explorer, right-click on the folder for which you want to assign security and click Content Security.
From the Configure Portlet Wizard, click the Security button. You can set security for any portlet folder for which you have the Folder Administrator role.
From the Configure Portlet Template Wizard, navigate to the Template Security page and click the Edit button. You can set security for any portlet template folder for which you have the Folder Administrator role.

On the Content Security page:

If you want the folder to inherit the Publisher security of the Publisher folder it resides in and you do not want to map a portal administration object’s portal security to the folder’s Publisher security, check the Inherit Security checkbox. This option is checked by default when you create a folder.
If you want to specify the Publisher security for the folder or you want to map a portal administration object’s portal security to the folder’s Publisher security, clear the Inherit Security check box. This activates the Add Users and Groups and Add Portlet Security Map buttons.

Note:

The Content Security page works slightly differently for Portlet Templates. For more information, see Accessing the Configure Portlet Template Wizard.

Use the Add Users and Groups button to select and add users and groups that should have access to the folder. Use the Role column to assign a Publisher role to each user and group.
If you want to map the folder’s Publisher security to a portal object’s portal security, click the Add Portlet Security Map button to activate the mapping fields.

For more information about mapping portlet security to Publisher security, see Mapping Portal Security to Publisher Security.

Click Finish to save the security settings.

Mapping Portal Security to Publisher Security

ALI portal security is maintained separately from Publisher security. For example, access to a portlet in the portal is maintained in portal administration and controls such things as the ability to add a portlet to a user My Page or view a portlet in a community. Security for the Publisher objects that make up the portlet (the portlet folder, subfolders, content items, Data Entry Templates, selection lists, and Presentation Templates) is defined entirely within Publisher. In general, users with access to a portlet in the portal should have the same level of access to the portlet in Publisher. Without this mapping of portal security to Publisher security, the following might occur:

Users who attempt to submit content through a portlet might be denied access to the underlying Publisher portlet folder and be unable to create the content item.
Users who attempt to create a portlet from a portlet template might be denied permission to copy the portlet template’s Publisher folder and objects and be unable to create the portlet.

You can use the Content Security page to map a portal object’s security to the Publisher security for a Publisher folder. When you do so, Publisher automatically adds all of the users on the portal object’s Access Control List (ACL) to the Publisher security list for the folder, with Publisher roles that you specify on the Content Security page. The following table provides an example:

Table 4-3 Portal to Publisher Security Mapping
Portal Object Security	Publisher Folder Security
Read	Submitter
Select	Submitter
Edit	Producer
Admin	Folder Admin

In this example, all of the users with Read access to the portlet in the portal will have Submitter access to the Publisher portlet folder, and so forth.

If a user’s access to a Publisher folder as defined by portal security mapping is not the same as the user’s explicit Publisher folder security (as defined in the Users/Groups and Role columns on the Content Security page), the higher access level applies. For example, if a user has the Submitter role for the Publisher folder by virtue of his or her portal security access level and the Contributor role by virtue of his or her explicit Publisher security for the folder, the user will have the Contributor role for the folder.

To map a portal object’s security to Publisher security for a Publisher folder:

Access the Content Security page for the folder (or portlet or portlet template).

See Assigning Users and Roles to Publisher Folders.

Click Add Portal Security Map to access the Portal Object dialog box, where you can select the portal objects from which you want to apply the security on the Publisher folder.

Note:

When you open the Content Security page from within the Configure Portlet Template Wizard, a shortcut button appears, labelled with the portlet template’s name. Click it to add the portlet template to the Portal Object column without opening the Portal Object dialog box.

When you have selected the portal object whose security you want to map, the portal object appears in the Portal Object column on the Content Security page.
In the Access Level to Role column, select the appropriate Publisher role for each portal security access level.

Figure 4-1 Content Security Page Displaying Portlet Mapping Fields

Content Security Page Displaying Portlet Mapping Fields

For example, let us say you are assigning security to a Technical Publications News portlet folder, and the portal object whose security you are mapping is the community. If you map the Select portal access level to the Submitter role, all users with Select portal access to the community will have Submitter access to the portlet folder in Publisher, and will be able to create, edit, and review content items for the portlet.

Click Finish to save the security settings.

Configuring Publishing Targets and Preview Sites

This section provides an overview of publishing targets and preview sites and discusses how to:

Configure the publishing target and preview site for the root folder.
Configure publishing targets and preview sites for all other folders.

Publishing Targets and Preview Sites

After you set up your folder structure in Publisher, you must designate where the content items in your Publisher folders will be previewed and published.

The Preview Site is the file location where the formatted, web-ready content item is staged for viewing during content item editing and workflow, prior to publishing.
The Publishing Target is the file location where the formatted, web-ready content item is published to the portal or other web server.

Publisher must have access to these locations either over the network or FTP, and must have write access to the folder. To configure a Publisher publishing target, determine the location of the server and how it is accessed over the network and Internet:

Transfer Path: Publisher uses the transfer path to save content items to the publishing target. You can use standard file transfer or FTP:

If the publishing target is located on the same server or on a mapped network drive, you can upload content items using standard file transfer, over a path that includes the drive letter and folders. For example: file://localhost/w:/website/wwwroot/. Or you can use UNC paths if your publishing target is located on a different server. For example, file:////machinename/wwwroot.
To use FTP, you must know the name of the FTP server and its security requirements. You might be allowed to upload to the server anonymously, or you might be required to provide a valid user name and password. FTP transfer paths take the form ftp://host:port/path/. For example: ftp://ftp.mycompany.com/wwwroot/

Browser Path: No matter how you upload files to a site, you must also determine the browser path (URL or web address) so that Internet browsers can display the content. Links to published content use this path to access items from the publishing target through a web browser.
Publish images to a separate location: If you find that performance is slower when published images are gatewayed, you can specify a different publishing target for images and publish them to a server outside the gateway space. If you click the Publish images to a separate location check box, you can configure the image’s publishing target the same way you would configure the other content types. The following image publishing options display: Transfer using, Transfer Path, Browser Path, and Test Images Publish Target.

Note:

If you want folders that do not have a proper entry point (such as index.html or default.html) to display a listing of their contents, you must enable directory browsing for your web server.

Users in the Administrator role configure the publishing target and preview site for the root folder. Users in the Producer role and above can configure publishing and preview targets for all other folders.

By default, each folder inherits publishing and preview locations from its parent folder in the hierarchy. For example, let us say that the root folder’s publishing target is the following:

And let us say that there is a content item in the following folder within the Publisher folder structure: Root/Communities/Marketing/Marketing News. The default publishing target for that content item would be:

file://localhost/C:/Program Files/mycompany/ptcs/publishedcontent/publish/communities/marketing/marketing news/<content item>

The publishing target directory structure, by default, mirrors the Publisher folder structure. You can break this default web server directory structure by overriding the publishing target inherited from the parent folder at any folder level by configuring a different publishing target for the folder. All subfolders of that folder then inherit the new publishing target.

Taking the above example, let us say that you want the content items in the Marketing folder to be published to the following folder on the web server:

file://localhost/C:/Program Files/mycompany/ptcs/publishedcontent/publish/communities/sales_and_marketing

You would change the publishing target for the Marketing folder to that new file path. All folders below the Marketing folder level would inherit this publishing target (unless you in turn change their publishing targets). And the content item in the above example would now be published to the following target:

file://localhost/C:/Program Files/mycompany/ptcs/publishedcontent/publish/communities/sales_and_marketing/marketing news/<content item>

Configuring the Publishing Target and Preview Site for the Root Folder

A user in the Administrator role must configure the publishing target and preview site for the root folder before configuring any other folders. To configure the root folder for publication and preview:

Open Publisher Explorer.
Right-click the root folder and select Publishing Target.
Click the Publish tab.
Choose the method of transfer: FTP or File path.

Note:

Use File path only if the server is accessible through a local drive or a mapped network drive.

In Transfer Path, type the path to the location that you have selected as the publishing target. Transfer Path accepts UNC (Uniform Naming Convention) paths.
If you chose FTP in step 4, select one of the following:

Use anonymous FTP: The target system has a guest account that requires no password.
Log in: The target system requires a password. You must enter a valid User Name and Password.

In Browser Path, type the URL (web path) to the location you have selected as the publishing target.
If you want the folder structure of the publishing location to match the Publisher folder structure for this folder and its subfolders, leave the Mirror Site Hierarchy checkbox selected. Clear the checkbox if you want all content items in this folder to reside in a flat structure within this folder, with no lower-level folder hierarchy. The system adds a unique ID to each published item in this case to avoid interference between any items in the folder that share the same name.

Note:

While most users do not choose to publish content items into a flat web server directory structure, it can be useful in some situations. For example, you may have several Publisher folder trees, each containing an image folder, and all of the images are published to the same folder on the web server. If you clear the Mirror Site Hierarchy checkbox, each item name in the folder and its subfolders will be given a unique ID, thus preventing any image files that share the same name from interfering with the others.

Click the Preview tab and follow steps 4 - 8 for the Preview Site.
If you want to test whether the transfer path and browser path point to the same location, click Test Publish Target. Any error messages appear at the bottom of the page.
Click Finish to save your changes and close the window.

Configuring the Publishing Target and Preview Site for All Other Folders

By default, all folders inherit publishing and preview locations from the folder above them in the Publisher folder hierarchy. Administrators, Folder Administrators, and Producers can override this inheritance and configure a new publishing target or preview site for a folder other than the root folder. When you configure a folder, all of its subfolders inherit the new configuration.

To modify the publishing and preview settings for any folder, right-click the folder and choose Publishing Target. Follow steps 3 - 11 under "Configuring the Publishing Target and Preview Site for the Root Folder," after first clearing the Inherit parent folder settings to enable the reconfiguration.

If you configure a folder and later want to reset it to inherit the parent’s settings, select the Inherit parent folder settings checkbox on the Publishing Targets page. This resets both the publishing targets and preview site to that of the parent folder.