Configuring Security Access Manager for authorization
You can configure IBM® Security Access Manager for both authentication and authorization for IBM WebSphere® Portal Express®. If you configure these functions at different times as independent tasks, configure Security Access Manager for authentication first. Using Security Access Manager only for authorization is not supported.
Before you begin
About this task
You can configure WebSphere Portal to delegate the decisions about what users or groups are granted access to Portal resources, to IBM Security Access Manager. This action is also called externalizing the access control for Portal resources. Normally these decisions are made by consulting the principal-to-role mappings that are stored in the Portal database. The following task configures the Portal code that is used to obtain access control decisions for Portal resources from Security Access Manager instead of from the Portal database. It includes configuration of properties that determine how the Portal resources are represented in the Security Access Manager protected object namespace. It also configures how permissions are represented in the Security Access Manager access control lists. After this task is run, you can use the Resource Permissions portlet or XMLAccess to place portal resources such as pages and portlets under Security Access Manager control.
When Portal resources are moved to Security Access Manager access control, WebSphere Portal creates entries corresponding to individual roles on the externalized resources in the Security Access Manager protected object space. The roles in this case are the Portal roles on Portal resources; for example, in simplified form, User@Welcome page or Administrator@Some Portlet.
Access Control Lists (ACLs) are attached to these Security Access Manager objects. The ACLs use the PDAction and PDActionGroup property values to determine what users are granted the various roles. WebSphere Portal security code queries Security Access Manager for the users that have the <PDAction> within <PDActionGroup> permission on entries in the Security Access Manager object space, and interprets that as granting the user the corresponding Portal role on the resource.
Any subset of Portal resources can be placed under external access control. WebSphere Portal can maintain internal control of other resources.
There are multiple entries in the Security Access Manager object space for every externalized resource, one entry per existing Portal role on that resource. Recall that in WebSphere Portal there are multiple different role types; for example, User, Privileged User, Editor, Manager, Administrator. Not every Portal role might be instantiated for every resource instance, and entries in Security Access Manager exist only if the corresponding actual role on that Portal resource exists.
Format of the entries in Security Access Manager
<PDRoot_Value>/<Portal Rolename-on-resource>[/<EACappname_value>/<EACserverName_value>/<EACcellName_value>]
By
default, the Portal Rolename-on-resource is in the form of <Portal_RoleType>@<Portal_Resource_Identifier>. For example: Administrator@VIRTUAL_EXTERNAL_ACCESS_CONTROL. - If the reorderRoles property is set to true, the Portal Rolename-on-resource displays as Portal_Resource_Identifier@Portal_Roletype. For example, VIRTUAL_EXTERNAL_ACCESS_CONTROL@Administrator.
- Set all three of the EACserverName, EACcellName, and EACappname properties; otherwise, they are not included in the object space entries.
Procedure
Results
After you complete the authorization procedure, you can then use the WebSphere Portal administration tools (the Resource Permission portlet or XMLAccess scripting) to externalize the access control decisions for Portal resources. For any resources placed under IBM Security Manager access control, the Security Access Manager protected object space contains entries for roles in the following format
PortalServer_root/role_name/application_name/server_name/cell_name
For example: If the wp.ac.impl.PDRoot value was Portal_Instance_1 and wp.ac.impl.EACcellName was Cell_A, Wp.ac.impl.EACserverName was Server_B, and wp.ac.impl.EACappName was Application_C, then an object space entry corresponding to a Portal role name approximately looks like
Portal_Instance_1/Administrator@VIRTUAL_EXTERNAL_ACCESS_CONTROL/Application_C/Server_B/Cell_A.