akash_smart

Pinned topic handling users with multiple roles.

‏2009-04-16T17:15:18Z |
Hi. We are building a portal in which LDAP is being used as the user registry. Microsoft AD is being used. The scenario is such that a user in the LDAP can have multiple roles. Example: a user can be an Area Executive and also an Area Manager. These are two separate roles in the organisation. Area Executives report to Area Member.
The requirement is that once the user logs in to the portal, he can be presented with an option to choose which role he wants to log in to the portal with. Can anybody suggest how to handle this in WebSphere Portal Server 6.0?
  • Spykar

    Re: handling users with multiple roles.

    ‏2013-10-08T22:34:51Z  

    Hi All,

    I know it's been a while (4 years :S) since the original post. I have a similar problem and am yet to find a solution to this. Has anyone else come up with anything or know if as a user, choosing a portal role on login and being restricted to that role is even possible in Websphere Server 7?

    Thanks

  • ExtremePortal

    Re: handling users with multiple roles.

    ‏2013-10-09T07:30:59Z  

    One solution I can think of is a combination of a custom login portlet & authentication filter.

    Here is how this could work:

    The user logs in using your custom login portlet with his userid & password.

    Once the user submits, control goes to the authentication filter, and there you connect to your user repository to fetch the user's roles and present a screen (the next screen of the login portlet) to select his roles.

    When the user selects his roles and clicks Login, control again goes to the authentication filter, and there you authenticate the user and redirect the user to the portal landing page.

    I hope that helps. Let me know if you have any queries.

     

    <Neeraj Sidhaye/>

    http://ExtremePortal.blogspot.com

     

  • Spykar

    Re: handling users with multiple roles.

    ‏2013-10-10T00:06:15Z  

    Hi Neeraj,
     
    Thanks for your reply. Your solution is what I've been thinking of as well, however I believe it only solves part of the problem. The hard part of the problem is restricting a user who has multiple roles to fewer or just a single role after they have been authenticated. The only way to do this that I can think of at the moment is to create a temporary user and grant them access to the selected role(s). From there that user should be able to traverse portlets in the manner which we require. I don't really like this solution but I can't think of anything else.
     
    Does anyone agree with this or have any other ideas or see problems with what I've proposed?
     
    Thanks
  • ExtremePortal

    Re: handling users with multiple roles.

    ‏2013-10-10T04:50:32Z  

    Sorry, but I didn't understand the hard part you explained. I could not understand the part in red below.

     a user who has multiple roles to fewer or just a single role after they have been authenticated.

    Could you please elaborate on this use case and on what you are looking for during authentication and post authentication?

    We can then evolve this solution to meet your requirement.

    Cheers!

     

    <Neeraj Sidhaye/>

    http://ExtremePortal.blogspot.com

  • Spykar

    Re: handling users with multiple roles.

    ‏2013-10-11T04:25:17Z  

    Ok. I'll explain this using an example. Suppose in a school's Active Directory setup there are security groups for students and teachers named "sec_students" and "sec_teachers" respectively.

    In the school's portal, the admin has mapped the "sec_students" and "sec_teachers" security groups to roles "students" and "teachers" respectively via the administration console. 

    The school has a school portlet containing the following web.xml code

    ...
    <security-role>
      <role-name>students</role-name>
    </security-role>
    <security-role>
      <role-name>teachers</role-name>
    </security-role>
    ...

    Now suppose this school portlet has a generic portlet file containing the following simple (pseudo) code

    ...
    public void processAction(ActionRequest request ...
    if (request.isUserInRole("students")) {
       // show some student related info
    } else if (request.isUserInRole("teachers")) {
       // show some teacher related info
    }
    ...

    If a user was a tutor they could be in both "sec_students" and "sec_teachers" Active Directory security groups and if they viewed the school portlet they would only see student related information due to the limitation of the code.

    I would like to know if it is possible to have this tutor user select the role they use (either student or teacher in this case) and have portlets throughout the portal, using the isUserInRole() method, only return true for the role chosen, false otherwise.

    Thanks

    Updated on 2013-10-11T04:28:00Z by Spykar
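
One way to get the behaviour asked for in the post above, as an added example that is not code from this thread or from WebSphere Portal: a Portlet 2.0 (JSR 286) render filter wraps the request so that isUserInRole() is true only for the selected role, and only while the container still grants that role, so a stored selection can narrow privileges but never add them. The class name, the session attribute key, and the premise that a role-selection step stores the choice in the portlet application's session are assumptions.

```java
import java.io.IOException;
import javax.portlet.PortletException;
import javax.portlet.PortletSession;
import javax.portlet.RenderRequest;
import javax.portlet.RenderResponse;
import javax.portlet.filter.FilterChain;
import javax.portlet.filter.FilterConfig;
import javax.portlet.filter.RenderFilter;
import javax.portlet.filter.RenderRequestWrapper;

/** Hypothetical filter: narrows isUserInRole() to the one role the user selected. */
public class ActiveRoleFilter implements RenderFilter {

    // Assumed session key; a role-selection portlet would set it after login.
    static final String ACTIVE_ROLE_ATTR = "example.activeRole";

    public void init(FilterConfig config) throws PortletException { }

    public void destroy() { }

    public void doFilter(RenderRequest request, RenderResponse response, FilterChain chain)
            throws IOException, PortletException {
        PortletSession session = request.getPortletSession(false);
        Object chosen = (session == null) ? null
                : session.getAttribute(ACTIVE_ROLE_ATTR, PortletSession.APPLICATION_SCOPE);
        if (chosen instanceof String) {
            chain.doFilter(new ActiveRoleRequest(request, (String) chosen), response);
        } else {
            // No selection stored: the container's role checks apply unchanged.
            chain.doFilter(request, response);
        }
    }

    /** Request view in which only the selected role can ever test true. */
    static final class ActiveRoleRequest extends RenderRequestWrapper {
        private final String activeRole;

        ActiveRoleRequest(RenderRequest request, String activeRole) {
            super(request);
            this.activeRole = activeRole;
        }

        @Override
        public boolean isUserInRole(String role) {
            // Narrow only: the role must be the selected one AND still be granted
            // by the container, so a tampered selection cannot add a role.
            return activeRole.equals(role) && super.isUserInRole(role);
        }
    }
}
```

The filter has to be declared in portlet.xml of every portlet application it should cover, and the action phase needs the same wrapper through an ActionFilter; otherwise processAction() still sees all of the user's roles.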
  • ExtremePortal

    Re: handling users with multiple roles.

    ‏2013-10-11T05:48:53Z  

    Ok. Got it, thanks.

    Make use of portlet modes, EDIT mode in this case.

    So here is the logic.

    First, identify what information you want a tutor to see by default (student or teacher related information), and change your if conditions accordingly, or you can even make this configurable.

    Second, you can allow the tutor to select the role for which he wishes to see information, student or teacher, by making use of portlet preferences.

    In portlet Edit mode, give an option to select the role (student or teacher); this option should only be visible to a tutor (when a tutor belongs to two roles). When this is saved in edit mode/preferences, the change would be applied to that tutor and for that portlet instance only.

    This way, the tutor can change roles from edit mode and can see student or teacher related information.

    I hope that helps.

    Shout back if you have any queries.

    Cheers!

     

    <Neeraj Sidhaye/>

    http://ExtremePortal.blogspot.com

  • Spykar

    Re: handling users with multiple roles.

    ‏2013-10-14T22:54:15Z  

    Hi Neeraj,

    Thanks for your suggestion. I was looking for a solution that was portal wide instead of per portlet.

    Thanks for your help anyway :)

  • ExtremePortal

    Re: handling users with multiple roles.

    ‏2013-10-15T09:35:53Z  

    I don't think that the solution is per portlet instance; it is just that, since it is EDIT mode, the preference will be saved for that user and for that instance.

    You could even use a wider scope, either CONFIG or EDIT_DEFAULTS, which will make this portal wide (for all users and for all instances of that portlet).

    <Neeraj Sidhaye/>

     

    http://ExtremePortal.blogspot.com

  • mikepren

    Re: handling users with multiple roles.

    ‏2013-10-15T19:35:54Z  

    An alternative approach is to do this before you hit portal, in the SSO TAI/EAI layer.

    Pass the results as cookies, perhaps in the iv-creds, and then use that to look at the capabilities you want.