Portal Administration and Security

 

Managing WebLogic Portal effectively requires an understanding of J2EE security concepts as well as a grasp of security features unique to the WebLogic Portal platform. Portal administration requires the ability to manage access on a many-to-many basis. In other words, access to many different groupings of resources must be provided to many different groupings of users. For this reason, the WebLogic Portal platform goes beyond the J2EE security standard as currently written, and also encompasses existing WebLogic Server security schemes.

This topic provides additional detail about the three levels of administration that WebLogic Portal supports, and includes information about how the access granted to these administrator users is scoped. This topic also includes information about how administrative users are managed, and how administration tasks may be delegated. Finally, some information about visitor entitlements for WebLogic Portal is provided.

This topic includes the following sections:

• Three Levels of Administrator Permissions

  • SA- System Administrators

  • PA - Portal Administrators

  • GA - Group Administrators

  • Application Assembler/Deployer

  • Scoping Privileges

• Managing Administrator Users

  • User Groups

  • Delegated Administration

• Visitor Entitlements

  • Rule-Based Entitlements Versus Rule-Based Personalization

Note: For more information about how to manage the WebLogic Portal platform effectively by performing specific administration tasks, see Overview of Portal Administration in the Getting Started with Portals and Portlets documentation.

 

---

Three Levels of Administrator Permissions

The WebLogic Portal platform recognizes three basic subdivisions of Administrators: the System Administrator (Portal SA), Portal Administrator (Portal PA), and Group Administrator (Portal GA). Individual Portal PAs and Portal SAs can be assigned fine-grained privileges, enabling the creation of a very complex administrator hierarchy customized to fit very specific security models.

Note: A list of out-of-the-box users can be found in Overview of Portal Administration.

It is important to note the distinction between these Administrators and system, the default account used to control the WebLogic Server Administration Console. The Portal SAs, PAs and GAs use the browser-based WebLogic Portal Administration Tools, whereas system is the sole member of a special, unchangeable user group called Administrator used to start and stop WebLogic Server.

Note: For instructions on creating, editing, and deleting Portal SA, PA, and GA users, see Portal Administration Tools in the Getting Started with Portals and Portlets documentation.

SA- System Administrators

Out of the box, WebLogic Portal includes a Portal SA user called administrator, which has unlimited access to administrative tasks anywhere within the enterprise portal application.

When a Portal SA logs into portalTools Web application, (by navigating to http://<hostname>:<port>/portalTools/index.jsp), the WebLogic Portal Administration Tools page appears, as shown in Figure 6-1.

Figure 6-1 WebLogic Portal Administration Tools Home Page

 

Within the WebLogic Portal, the System Administrator (Portal SA) may perform any of the following administrative actions:

• Deploy portal applications using the E-Business Control Center

• Create a new user group

• Create and entitle Portal Administrators (PAs)

• Create/Edit a group portal

• Create and entitle Group Administrators (GAs)

• Delegate administrative tasks

Because the Portal SA has access to all possible administrative tasks available within the WebLogic Portal Administration Tools, it is recommended that you observe the following guidelines:

• Only use system to create new users, place new users in the SystemAdministrator user group (thereby making them Portal SAs), adding users to user groups such as AdminEligible, or to create a new user group. Limit the use of this powerful user, and remember to log off when necessary tasks have been completed. This will lessen the chance of its credential being compromised.

• Limit the number of users you place in the SystemAdministrator user group. Fewer Portal SA users on your instance of WebLogic Portal will reduce the effort required to keep the passwords fresh, and lessen the probability that one of these user accounts may be compromised.

PA - Portal Administrators

Out of the box, WebLogic Portal includes a pair of test users called demopa1 and demopa2. These users have access to administrative tasks on a portal-wide basis, and as such, they can be be granted administrative priveleges to any group portal within the portal Web application.

When a Portal PA logs into portalTools Web application, (by navigating to http://<hostname>:<port>/portalTools/index.jsp), the WebLogic Portal Management home page appears, as shown in Figure 6-2.

Figure 6-2 WebLogic Portal Management Home Page

 

Within one or more portal Web applications, the Portal Administrator (PA) may be granted the ability to perform any of the following administrative actions:

• Create and entitle Portal Administrators (PAs)

• Create/Edit a group portal

• Create and entitle Group Administrators (GAs)

• Delegate administrative tasks

GA - Group Administrators

Out of the box, WebLogic Portal includes a pair of test users called demoga1 and demoga2. These users have access to administrative tasks at the group portal level. These users can be granted administrative priveleges to any group portal within the portal Web application. Also, Portal GAs can be promoted by Portal SA or Portal PA users.

When a Portal GA logs into portalTools Web application, (by navigating to http://<hostname>:<port>/portalTools/index.jsp), the WebLogic Group Portal Management home page appears, as shown in Figure 6-3.

Figure 6-3 WebLogic Group Portal Management Home Page

 

Note: Portal GA users may manage more than one group portal. In these cases, the page shown in Figure 6-3 would include the name of another group portal.

Within one or more group portals, the Portal Administrator (Portal PA) may be granted the ability to perform any of the following administrative actions:

• Create and entitle Group Administrators (GAs)

• Edit a group portal

• Delegate administrative tasks

Application Assembler/Deployer

Though not given a specific role within the administrative workflow of WebLogic Portal, the Application Assembler/Deployer is distinct in that it is most closely associated with the use of the Portal Module of the E-Business Control Center.

The Application Deployer/Assembler also performs the synchronize task using the E-Business Control Center, which requires Portal SA privileges. (In other words, the Application Deployer/Assembler must be a member of the SystemAdministrator user group.)

Scoping Privileges

J2EE application scoping is the basis for the three levels of administration in WebLogic Portal. The scope of each of these administrators can be explained in terms of the application scoping shown in Figure 6-4.

Figure 6-4 Scoping of Administrators

 
 

• A Portal SA created within the enterprise application called Portal could perform all administrative tasks within any of the applications shown in Figure 6-4.

• A Portal PA created within Portal Web Application #1 could be granted privileges within that application only. (Portal PAs can be granted different sets of privileges within more than one portal Web application.)

• A Portal GA created within Group Portal C could be granted privileges within that group portal only. (Portal GAs can be granted different sets of privileges within more than one group portal.)

 

---

Managing Administrator Users

The User Management home page allows Portal SA users to add or remove specific users from pre-defined user groups. After the user belongs to the appropriate user group, a mechanism called Delegated Administration is used to bestow specific privileges upon a single user. Therefore, this section includes information about:

• User Groups

• Delegated Administration

User Groups

The relationship between WebLogic Portal user groups and what membership in these user groups grants to the user is as follows.

• When any user is added to WebLogic Portal, the user is automatically a member of a user group called everyone.

• When a company creates user accounts for administrators, all these users should be added to the AdminEligible user group.

• Any user can be turned into an all-powerful system administrator— regardless of membership in other user groups: simply add the user to the SystemAdministrator user group from the User Management home page. Adding or removing a user from this group does not affect any other user group memberships.

• Importantly, promoting a user to GA or PA within the Portal Management or Group Portal Management home pages does eliminate other group memberships for that user. For example, if a GA user is promoted to PA, that user's membership as a GA is eliminated.

Delegated Administration

Delegated administration means assigning specific administrative privileges to individual administrators within a specified domain.

To manage the content of your portal applications at a centralized corporate office while delegating localization and design to regional offices, an elegant solution would be to create some administrative user accounts and then assign different sets of permissions to each user, based on the tasks you needed to hand out. WebLogic Portal now includes advanced delegated administration functionality to enable the creation of administrator roles with fine-grained administrative privileges.

 

---

Visitor Entitlements

Administrators are not the only kind of "user" that must be managed in a portal Web application; WebLogic Portal allows content to be customized for customers and business partners, called portal visitors. Visitor entitlements are associations between portal resources, such as portlets or pages, and specific authenticated visitors. This is a powerful mechanism for content personalization.

The entitlement segments are created in the E-Business Control Center, and are explained in detail in the Guide to Using the E-Business Control Center documentation. The process of associating entitlement segments with portal resources is explained in Portal Administration Tools in the Getting Started with Portals and Portlets documentation.

Rule-Based Entitlements Versus Rule-Based Personalization

WebLogic Portal enables rule-based personalization. Generally, with rule-based personalization, a rules engine is used to dynamically determine whether a user is part of a segment based on profile attributes, request or session attributes, or a time element. Based on this decision, specific content may be shown to the user. A developer uses JSP tags provided with WebLogic Portal, such as a placeholder or the content selector tag, to specify where on the site the personalized content should be displayed.

On the other hand, rule-based entitlements represent a specific usage of rule-based personalization at the system level. Entitlements are applied to specific portal resources: portlets and portal pages, rather than arbitrary content and areas on the site. The entitlements are controlled completely from administration tools, and no HTML/JSP developer involvement is required.

In addition, rule-based entitlements are typically used to control access to portal content, whereas rule-based personalization is used to serve targeted content. Inevitably, there will be scenarios where the line between rule-based entitlements and rule-based personalization will be blurred. For example, rule-based entitlements may be used to show a portal page with recommended content to a segment of users.

Both rule-based personalization and rule-based entitlements rely on the same set of infrastructure components—the BEA rules engine, the user profile, and property sets.