Skip to Content

In my Portal navigation explained I described how the portal is executing the navigation. As the roles are loaded from the PCD, the user needs to have end-user access to the PCD. With this access, he can read the content of the roles and create his navigation. To show you what this means for your PCD and security structure, consider this scenario:

 User A  User B
image image
The content is an KM document iView (image). There is no content under the B-Sub 1 navigation.

Applying our knowledge about portal navigation, we know that we can construct an URL and pass the parameter of the navigation target. Combined with the fact that the user needs end-user access to the PCD to read the content inside a role, user B can construct an URL that points to a navigation point outside of his own role.

User B can use the short URL for “A – Sub 1” (navurlurl://8397ca2e7d7ed7076dcb81c7632072bf): http://www.sdn.sap.com/irj/portal?navigationtarget=navurl://8397ca2e7d7ed7076dcb81c7632072bf

image

User B can access the navigation of user A (Role A Document) and see the iView assigned solely to Role A. Why is this possible? Take a look at the default permissions for the portal:

     SAP Help: Default Permissions: [link  
     pcd:portal_content/every_user  Everyone group: 
      

 – Administrator: read

      

 – End user: enabled

When applying a similar permission scheme to your PCD, the users can access the navigation and the iViews of a different navigation. The navigation uses a navigation target to resolve the PCD location of the navigation target. When the user has the permission “Administrator: read” the user can access the PCD:

http://server:port/irj/servlet/prt/portal/prtroot/pcd!3aportal_content!2fpath!2fcom.blog.roles.role_a!2frole_a_1st_level!2fa_sub_1!2fcom.iview.doc

image

There is an article on SDN on how to change the permissions:

     SDN Article: [link]

When you change the PCD permissions to be stricter, you can take away the Administrator permissions. Doing so, direct access to the PCD is no longer possible for the user.

image

Result for user B when accessing the iView via role or when accessed directly:

    

Portal runtime error.

An exception occurred while processing your request. Send the exception ID to your portal administrator. 

In the NWA log viewer this error resolves to:

    

[EXCEPTION]

 com.sapportals.portal.pcd.gl.PermissionControlException: Access denied (Object(s): portal_content/tobias/com.tobias.blog/com.tobias.doc)

at com.sapportals.portal.pcd.gl.PcdFilterContext.filterLookup(PcdFilterContext.java:422)

at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1248)

at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254)

As you can see, assigning users to roles doesn`t mean that they are unable to access content from other roles. To make sure that users won`t be able to retrieve information, check the PCD permissions. Organize your PCD content in such a way that only the users of the role can access the content.

The PCD permissions and the related error messages are not only interesting for security issues. A common error is to redirect users to a PCD location where they don`t have access to. May it by a forwarded link or a Web Dynpro application using portal navigation. When a user gets this error message in the portal:

Page not found or not available error

The user hasn`t the permissions to access the content. Find out to what object (role, workset, page, iView) the user doesn`t have access and give him the permissions. To continue the above example:

 Short URL  navurl://8397ca2e7d7ed7076dcb81c7632072bf
 PCD  ROLES://portal_content/path/ com.tobias.roles.role_a/role_a_1st_level/a_sub_1

In the PCD:

image

The permissions for user B to access the iView:

   Administrator  End User
 Role  None  Yes
 iView  Read  No
To report this post you need to login first.

2 Comments

You must be Logged on to comment or reply to a post.

Leave a Reply