+The following is one in a series of weblogs on new features in SAP Enterprise Portal 6.0 SP9.+

h3. Security Zones

To view existing security zones, open the Permissions Editor by selecting +System Administrator+ -> +Permissions+. The security zones are listed under the +Security Zones+ folder in the Portal Catalog.

[image]

The security zones are organized in a tree in the Portal Catalog. A folder is created for each vendor. In this folder, folders are created for each security area for this vendor. Finally, in each of these security area folders, folders are created for each safety level for that security area. Portal components are placed in the safety level folder to which they were assigned in the portalapp.xml file.

The following displays the safety levels for the security area +NetWeaver.Portal+ for the +sap.com+ vendor.

[image]

You can assign permissions to each safety level just as you would to any PCD object. Each portal component inherits permissions from its folder. Administrators can, if necessary, assign permissions directly to a component.

h4. Changes in SP9

Previously, a single property for each component was used to define the vendor, security area and safety level, with each property separated by a slash (/). But developers often mixed up the order of the properties, or failed to include one of them, causing a mess in the +Security Zones+ folder. In addition, the vendor and security area had to be written for each component, even though they were generally the same for all components in the PAR, raising the chances for coding mistakes.

Any component that does not have a proper vendor, security area or safety level property is listed under an +UndefinedVendor+, +UndefinedSecurityArea+ or +UndefinedSafetyLevel+ folder in the appropriate spot in the +Security Zones+ tree. This way, administrators can more easily locate components whose PAR was deployed without the proper security zone properties.

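
The tree layout described above, applied to object IDs: this added example (not SAP code and not part of the original post) splits a security zone ID into vendor, security area and safety level, and flags components that ended up in an +Undefined...+ folder. The ID prefix and the `components` segment follow the object ID quoted in the comments below; the `example.com` IDs and the position of the Undefined folders inside an ID are assumptions.

```python
import re
from collections import namedtuple

# Prefix and layout taken from the object ID quoted in the comments on this page.
ZONE_PREFIX = "com.sap.portal.system/security/"
UNDEFINED = ("UndefinedVendor", "UndefinedSecurityArea", "UndefinedSafetyLevel")
Zone = namedtuple("Zone", "vendor security_area safety_level application component")

def parse_zone_id(object_id):
    """Split an ID into vendor / security area / safety level / application / component."""
    if not object_id.startswith(ZONE_PREFIX):
        raise ValueError("not a security zone ID: " + object_id)
    parts = object_id[len(ZONE_PREFIX):].split("/")
    if len(parts) < 3 or not all(parts):
        raise ValueError("incomplete security zone ID: " + object_id)
    application = parts[3] if len(parts) > 3 else None
    # Assumption: components sit under <application>/components/<name>, as in the quoted ID.
    component = parts[5] if len(parts) > 5 and parts[4] == "components" else None
    return Zone(parts[0], parts[1], parts[2], application, component)

def zone_folder(zone):
    """Safety level folder whose permissions the component inherits."""
    return "/".join(("Security Zones", zone.vendor, zone.security_area, zone.safety_level))

def denied_objects(message):
    """Pull zone IDs out of an 'Access denied (Object(s): ...)' portal message."""
    return re.findall(re.escape(ZONE_PREFIX) + r"[^\s),]+", message)

def audit(object_ids):
    """Return {id: [Undefined* folders]} for components deployed without proper zone properties."""
    findings = {}
    for oid in object_ids:
        zone = parse_zone_id(oid)
        missing = [name for name in zone[:3] if name in UNDEFINED]
        if missing:
            findings[oid] = missing
    return findings

# Constructed sample: the first ID is the one quoted in the comments; the other two are
# hypothetical (example.com, com.example.*) and assume where the Undefined* folders appear.
SAMPLE_IDS = [
    ZONE_PREFIX + "sap.com/NetWeaver.Portal/high_safety/com.sap.portal.util.serverfilebrowser/components/download",
    ZONE_PREFIX + "example.com/UndefinedSecurityArea/UndefinedSafetyLevel/com.example.reports/components/list",
    ZONE_PREFIX + "UndefinedVendor/UndefinedSecurityArea/high_safety/com.example.legacy/components/main",
]

if __name__ == "__main__":
    for oid, missing in audit(SAMPLE_IDS).items():
        print(parse_zone_id(oid).application, "->", ", ".join(missing))
```

`zone_folder()` names the safety level folder to open in the Permissions Editor when an access-denied message names a component, and `audit()` lists the components whose PAR needs corrected security zone properties.
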
By default, the portal does not double-check permissions when a user accesses an iView. That is, the portal checks if the user has appropriate permissions to the iView, but does not check if the user has permission to the security zone that contains the iView’s portal component. You can activate this feature by setting the +Dcom.sap.nw.sz+ JVM parameter with the help of the J2EE Config Tool. In the tool, click on the instance node, and then add or modify the parameter in the +Servers General+ tab.

For more information on security zones, see How to Use Security Zones in NW04 SPS09 (http://service.sap.com/~form/sapnet?_SHORTKEY=01100035870000578807&_OBJECT=011000358700000282182005E&) located at SAP Service Marketplace at http://service.sap.com/nw04 -> +SAP NetWeaver+ -> +SAP NetWeaver ’04 – Release-Specific Information+ -> +Documentation+ -> +How-to Guides+ -> +Portal+.

h3. Initial Permissions

The initial permissions for the objects in the Portal Content are now as minimal as possible. Essentially, the default super admin user is given complete control over the entire portal. Any user who is not a super admin cannot see any portal content. After installation, you must create users and then grant them the required permissions.

Service Marketplace contains a good How-To guide that explains the ins and outs of setting permissions immediately after installing the portal. The guide is called +How To Configure Permissions for Initial Content in SAP Enterprise Portal 6.0 SP9 and Higher+ (http://service.sap.com/~form/sapnet?_SHORTKEY=01100035870000578807&_OBJECT=011000358700000439092005E&) and is located at SAP Service Marketplace at http://service.sap.com/nw04 -> +SAP NetWeaver+ -> +SAP NetWeaver ’04 – Release-Specific Information+ -> +Documentation+ -> +How-to Guides+ -> +Portal+.

Before SP9, the portal was delivered with open permissions and it was up to you to lock down the permissions as required.
For pre-SP9 portal users, there is a good guide on how to lock down portal permissions. The guide is called +Securing Permissions for Initial Content in SAP EP 6.0 SP2+ (http://service.sap.com/~form/sapnet?_SHORTKEY=01200252310000061538&_SCENARIO=01100035870000000112&_OBJECT=011000358700005823922004E) and is located at SAP Service Marketplace at http://service.sap.com/ep60 -> +SAP NetWeaver+ -> +SAP NetWeaver in Detail+ -> +People Integration+ -> +Portal+ -> +Media Library+ -> +Documentation & More+ -> +EP 6.0 (SP2 and before)+ -> +How-to Guides+.

h3. Role Assigner

Administrators can now assign role-assigner permission to a role by assigning role-assigner permission on the folder that contains the role. The role inherits the permissions set for the folder (assuming the role’s permission inheritance hasn’t been broken).

This feature is particularly helpful when you have several roles in a folder for which you want to set the same role-assigning permissions. Before, you had to open the Permission Editor for each role, assign permissions and then save the changes individually.

In the example below, the folder +Roles+ contains three roles. You can set the role-assigning permission on all three roles by opening the Permissions Editor for the +Roles+ folder.

[image]

A quick review of permissions: The Permission Editor enables you to set three kinds of permissions for any user, group or role for an object in the Portal Catalog:

* End-User: Determines if the user has access to the object in runtime (for example, to view an iView), or whether the object is displayed to the user in the Portal Catalog (for example, in the page personalization iView).
* Administrator: Determines if the user has access to the object in design time, such as to modify or delete an existing object, or create an object in a specific folder.
* Role Assigner: Determines if the user can assign another user to the role.

The Permission Editor displays a column for role-assigning permissions only for role objects and, now in SP9, folder objects, as shown below.

[image]


9 Comments


  1. Jurijs Lugbans
    Hi.

    I have one question:
    If I can’t see some components in security zone, does it mean that I have to edit portalapp.xml file?

    I have a super_admin_role, but I can’t find in security zone component called:
    com.sap.portal.system/security/sap.com/NetWeaver.Portal/high_safety/com.sap.portal.util.serverfilebrowser/components/download

    I will be glad if somebody comments on my message.

    Best regards
    Jury

    (0) 
    1. Daniel Wroblewski Post author
      I am able to find the com.sap.portal.util.serverfilebrowser application in the security zones under sap.com –> NetWeaver.Portal –> high_safety.

      If I misunderstood the question, feel free to email me directly.

      Daniel

      (0) 
      1. Jurijs Lugbans
        Hi Daniel.

        You correctly understand the question.

        But if I’m not able to see this component, what may be the reason for it? Is it connected to settings in portalapp.xml file?

        Jury

        (0) 
          1. Daniel Gallardo
            Hello Daniel

            Did you find this entry in NW2004s sp11??

            com.sap.portal.system/security/sap.com/NetWeaver.Portal/high_safety/com.sap.portal.util.serverfilebrowser/components/download

            (0) 
            1. Daniel Wroblewski Post author
              Hi Daniel,

              Thanks for your note. I am no longer in the portal group and I am not up to date on this issue. But I have asked someone in development to answer, and hopefully they will get back to you this week.

              Daniel

              (0) 
            2. Shani Limor
              Hi Daniel,

              If there are missing objects in the System Administration -> Permissions folders, it can be caused by the following:
              In the portal catalog studio, you can limit the number of items displayed per folder (The default is set to 150). If a folder contains more entries than the maximum number allowed per group, Previous and Next buttons are placed at the top and bottom of the displayed group in the selected folder, respectively. (See more: http://help.sap.com/saphelp_nw70/helpdata/en/c5/8efa419d5b6324e10000000a1550b0/frameset.htm).
              In the portal catalog studio of the permissions, these Previous and Next buttons are invisible.

              In order to see all objects in the permissions folder, go to: Portal Content -> Content Provided by SAP -> Admin Interfaces -> Admin iView Templates -> Portal Catalog – Portal Content Studio. Change the property “Maximum Number of Objects Displayed Per Folder” from 150 to a higher number.

              You can also see note 1075951.
              Since the component you’ve mentioned is an SAP component, you cannot change its portalapp.xml, thus it is not related.

              hope this helps you.
              Shani

              (0) 
              1. Daniel Gallardo
                Hello Shani,

                I am a little confused. Here is the case:

                I create a portal role (copy of system admin role) and edit it to only display the Transport-> Export Menu, this is because it is for a software factory and I do not want to let them upload any, if need ask for help.

                So it is working fine, they are able to create the export package but, when they try to download the generated file the portal shows this error:

                Access denied (Object(s):
                com.sap.portal.system/security/sap.com/NetWeaver.Portal/high_safety/com.sap.portal.util.serverfilebrowser/components/download).
                Exception id:04:40_14/02/08_0007_42654750
                See the details for the exception IN in the log file

                So I open the Permission editor and look for this entry: com.sap.portal.system/security/sap.com/NetWeaver.Portal/high_safety/com.sap.portal.util.serverfilebrowser/components/download

                But I do not find it. Besides this, I find that the IDs in the PCD of everything under Security Zones/sap.com/NetWeaver.Portal start with this prefix “ara:/security/sap.com/NetWeaver.Portal/”

                I search for the ID *serverfilebrowser* but I only find a folder under “Resource Bundles” folder with this ID “pcd:com.sap.portal.system/resource_bundles/com.sap.portal.util.serverfilebrowser”

                I do not see the previous and next buttons, the last item I see under sap.com/Netweaver.Portal/high_safety is com.sap.portal.systems.EP5.

                I have nw2004s (7.0) SP11

                Is this a bug in this patch? Do I need to modify the properties of the iView to display more than 150 entries?

                (0) 
