h3. Role Assigner

Administrators can now assign role-assigner permission to a role by assigning role-assigner permission on the folder that contains the role. The role inherits the permissions set for the folder (assuming the role’s permission inheritance hasn’t been broken).

This feature is particularly helpful when you have several roles in a folder for which you want to set the same role-assigning permissions. Before, you had to open the Permission Editor for each role, assign permissions and then save the changes individually.

In the example below, the folder +Roles+ contains three roles. You can set the role-assigning permission on all three roles by opening the Permissions Editor for the +Roles+ folder.

A quick review of permissions: The Permission Editor enables you to set three kinds of permissions for any user, group or role for an object in the Portal Catalog:

* End-User: Determines if the user has access to the object in runtime (for example, to view an iView), or whether the object is displayed to the user in the Portal Catalog (for example, in the page personalization iView).
* Administrator: Determines if the user has access to the object in design time, such as to modify or delete an existing object, or create an object in a specific folder.
* Role Assigner: Determines if the user can assign another user to the role.

The Permission Editor displays a column for role-assigning permissions only for role objects and, now in SP9, folder objects, as shown below.

+The following is one in a series of weblogs on new features in SAP Enterprise Portal 6.0 SP9.+

h3. Security Zones

To view existing security zones, open the Permissions Editor by selecting +System Administrator+ -> +Permissions+. The security zones are listed under the +Security Zones+ folder in the Portal Catalog.

The security zones are organized in a tree in the Portal Catalog. A folder is created for each vendor. In this folder, folders are created for each security area for this vendor. Finally, in each of these security area folders, folders are created for each safety level for that security area. Portal components are placed in the safety level folder to which they were assigned in the portalapp.xml file.

The following displays the safety levels for the security area +NetWeaver.Portal+ for the +sap.com+ vendor.

You can assign permissions to each safety level just as you would to any PCD object. Each portal component inherits permissions from its folder. Administrators can, if necessary, assign permissions directly to a component.

h4. Changes in SP9

Previously, a single property for each component was used to define the vendor, security area and safety level, with each property separated by a slash (/). But developers often mixed up the order of the properties, or failed to include one of them, causing a mess in the +Security Zones+ folder. In addition, the vendor and security area had to be written for each component, even though they were generally the same for all components in the PAR, raising the chances for coding mistakes.

Any component that does not have a proper vendor, security area or safety level property is listed under an +UndefinedVendor+, +UndefinedSecurityArea+ or +UndefinedSafetyLevel+ folder in the appropriate spot in the +Security Zones+ tree. This way, administrators can more easily locate components whose PAR was deployed without the proper security zone properties.

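A pre-deployment check for the placement rule described above, as an added example that is not SAP's code or part of the original weblog: it computes the +Security Zones+ folder each component in a portalapp.xml would land in and reports those headed for an +Undefined...+ folder. The property names @Vendor@, @SecurityArea@ and @SafetyLevel@, their placement in the descriptor, the component names and the @low_safety@ value are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor. The property names Vendor, SecurityArea and
# SafetyLevel, and where they sit in the file, are assumptions for this example.
SAMPLE_PORTALAPP = """
<application>
  <application-config>
    <property name="Vendor" value="sap.com"/>
    <property name="SecurityArea" value="NetWeaver.Portal"/>
  </application-config>
  <components>
    <component name="ReportViewer"><component-config>
      <property name="SafetyLevel" value="low_safety"/>
    </component-config></component>
    <component name="AdminTool"><component-config/></component>
  </components>
</application>
"""

def props(node):
    """Return {name: value} for <property> children, dropping blank values."""
    if node is None:
        return {}
    return {p.get("name"): p.get("value").strip()
            for p in node.findall("property") if (p.get("value") or "").strip()}

def zone_paths(xml_text):
    """Map each component name to (Security Zones path, all three values set)."""
    root = ET.fromstring(xml_text)
    app = props(root.find("application-config"))
    result = {}
    for comp in root.iter("component"):
        cfg = props(comp.find("component-config"))
        values = [app.get("Vendor"), app.get("SecurityArea"), cfg.get("SafetyLevel")]
        fallbacks = ["UndefinedVendor", "UndefinedSecurityArea", "UndefinedSafetyLevel"]
        # A missing or blank value puts the component in the matching Undefined folder.
        parts = [v or f for v, f in zip(values, fallbacks)]
        path = "/".join(["Security Zones", *parts, comp.get("name")])
        result[comp.get("name")] = (path, all(values))
    return result

def undefined_components(xml_text):
    """Names of components that would be listed under an Undefined* folder."""
    return sorted(n for n, (_, ok) in zone_paths(xml_text).items() if not ok)
```
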
By default, the portal does not double-check permissions when a user accesses an iView. That is, the portal checks if the user has appropriate permissions to the iView, but does not check if the user has permission to the security zone that contains the iView’s portal component.

You can activate this feature by setting the +Dcom.sap.nw.sz+ JVM parameter with the help of the J2EE Config Tool. In the tool, click on the instance node, and then add or modify the parameter in the +Servers General+ tab.

For more information on security zones, see +How to Use Security Zones in NW04 SPS09+ (http://service.sap.com/~form/sapnet?_SHORTKEY=01100035870000578807&_OBJECT=011000358700000282182005E&), located at SAP Service Marketplace at http://service.sap.com/nw04 -> +SAP NetWeaver+ -> +SAP NetWeaver ’04 – Release-Specific Information+ -> +Documentation+ -> +How-to Guides+ -> +Portal+.

h3. Initial Permissions

The initial permissions for the objects in the Portal Content are now as minimal as possible. Essentially, the default super admin user is given complete control over the entire portal. Any user who is not a super admin cannot see any portal content. After installation, you must create users and then grant them the required permissions.

Service Marketplace contains a good How-To guide that explains the ins and outs of setting permissions immediately after installing the portal. The guide is called +How To Configure Permissions for Initial Content in SAP Enterprise Portal 6.0 SP9 and Higher+ (http://service.sap.com/~form/sapnet?_SHORTKEY=01100035870000578807&_OBJECT=011000358700000439092005E&) and is located at SAP Service Marketplace at http://service.sap.com/nw04 -> +SAP NetWeaver+ -> +SAP NetWeaver ’04 – Release-Specific Information+ -> +Documentation+ -> +How-to Guides+ -> +Portal+.

Before SP9, the portal was delivered with open permissions and it was up to you to lock down the permissions as required.
For pre-SP9 portal users, there is a good guide on how to lock down portal permissions. The guide is called +Securing Permissions for Initial Content in SAP EP 6.0 SP2+ (http://service.sap.com/~form/sapnet?_SHORTKEY=01200252310000061538&_SCENARIO=01100035870000000112&_OBJECT=011000358700005823922004E) and is located at SAP Service Marketplace at http://service.sap.com/ep60 -> +SAP NetWeaver+ -> +SAP NetWeaver in Detail+ -> +People Integration+ -> +Portal+ -> +Media Library+ -> +Documentation & More+ -> +EP 6.0 (SP2 and before)+ -> +How-to Guides+.