Administering Portal Authorization

Sharing Content in the Portal

After defining groups in SAS metadata and initializing their respective group permission trees, the portal administrator can log on to the SAS Information Delivery Portal and create group content administrators who can manage and share portal content with their groups.

In SAS 9.1.3, the portal created permission trees for identity groups that defined the roles. In SAS 9.2, the portal does not create the permission trees associated with the roles.

Group permission trees are created when the SAS administrator logs in to the portal, the Web application server is restarted, or by running the initPortalData.bat file. For details about permission trees, see Overview of Permission Tree Folders. The portal's share feature provides an easy and efficient way to control access to particular types of portal content.

The following content items can be shared from the portal:

pages
portlets
applications
links
syndication channels

When a content item is created, the group content administrator can share the item with a user group that is defined in SAS metadata. The group can be all portal users (PUBLIC) or a group that you define, such as "Sales Managers." When you share an item with a group, the item is owned by the group rather than by an individual. Portal users who belong to the group can access the shared item, but only a group content administrator should edit the content. Although, a portal administrator can also edit content, this practice is not recommended.

Note: The portal uses the authorization metadata of the SAS Metadata Server to determine who can view the content on a page and in a portlet. If a user is not authorized to view particular content on a page or portlet that has been shared with the user's group, then the content will not appear in that user's portal view. [cautionend]

A content item can be shared with only one group. If you want to share content with users who belong to multiple groups, there are ways to work around this limitation. See Suggestions for Sharing Content with Multiple Groups of Users.

The location of a content item indicates whether it has been shared. If a content item is not shared, then the content definition is located in the user's permission tree in SAS metadata. If a content item is shared, then the content definition is located in the group's permission tree.

You can specify the location when you create the content item. For example, the following display illustrates the creation of a new page in the portal. When you select a group in the Location (group) drop-down list, you share the page with that group:

[untitled graphic]

Note: The Location and Share type fields are displayed only if the user is a group content administrator. [cautionend]

Who Can Share Portal Content

You must log on to the portal with the appropriate permissions in order to share content. Here are the types of users that can share content:

Who Can Share Portal Content
User	Share Permissions
Portal Administrator	Can create and share portal content with any group that is defined in SAS metadata.
Group content administrator	Can create portal content and share it with the respective group. The SAS administrator must manually configure permissions for a group content administrator. A group content administrator can be configured for the PUBLIC group. See Configure a Group Content Administrator.

For more information about the permissions that are granted to these users in SAS metadata, see Who Can Administer the Portal.

Types of Changes That Can Be Made to Shared Content

After content has been shared with a group, group content administrators can do the following for their group:

Edit the shared content. When you edit shared content, the changes that you make appear in all of the users' portal views where that content is displayed.
Unshare the content, or change the group with which the content is shared. When content is unshared with a group (for example, a page that was shared with a group is now unshared), and it is shared with another group, only that particular content item is moved. The moved page is not removed from the page list of each user. The moved portlet is also not removed from the page with which it is associated. Because the moved content is not displayed to the users, it appears as if the content has been removed. If the same page is shared again with the original group, users will see that page again. An exception applies when a user unshares a page. When a user unshares a page, the portal prompts the user to respond and confirm if portlets, associated applications, links, and syndication channels should be moved. If the user selects to move all of this content, then the entire content is moved. However, the user's page is not removed from the page lists.
Remove the shared content from your portal view. When a shared item is displayed in your portal, you can remove it from your view without affecting the portal views of other users.

Note: All portal users can remove a shared page from their portal views under some conditions.
Permanently delete the shared content from all portal views. When you delete shared content, the content is removed from all of the portal views where that content is displayed. The content is also permanently deleted from the portal environment.
Change the scope (pages only). You can change the scope of a shared page (PERSISTENT, DEFAULT, AVAILABLE).

You can make these changes for all content that has been shared to the group for which you are an administrator, including content that others have created. In order to modify content that another user created, you might first need to search for the content.

About Shared Pages

After you share a page with a group, when users who belong to the group log on to the portal, the shared page is available to them. The share type (DEFAULT, AVAILABLE, or PERSISTENT) that you apply to the page determines how portal users access the page.

If you share a page that contains portlets, then you can specify whether you also want to share the portlets and their contents. For details, see Sharing Items That Contain Other Items.

When you log on to the portal as the portal administrator, a DEFAULT or PERSISTENT page is not added automatically to your page list. You can add the page manually. The reason is that a portal administrator has access to all user and group content. When users log on, the pages for every group that they have access to are initialized. This can have a large performance impact when a portal administrator logs on.

Sharing Items That Contain Other Items

When you share portal content, a list of contained content items is displayed. This list contains any created content that is owned by the same identity as the content being shared (page or collection portlet). In the displayed list, you can select the content that you want to share. For example, displaying only the content that is owned by the current identity helps prevent a shared PUBLIC item from being moved accidentally.

If you share a page that contains portlets, then you can specify whether you also want to share those portlets. The portal displays a list of all the portlets that are on the page and that you are authorized to share, and you choose whether to share them. Collection portlets, which display content created in the SAS Information Delivery Portal, are shared. Collection portlets can contain links, applications, or syndication channels. When you share a collection portlet, you can specify whether you also want to share the applications, links, and syndication channels that are contained in the portlet.

Note: When you share a page that contains a Bookmarks portlet, or a Publication Channel Subscriptions portlet, these portlets will not be shared. If you want to provide these portlets to users, consider creating a page template instead. [cautionend]

The following is a list of portlets that cannot be shared:

Bookmarks
Stored Process Alerts
Personal Repository Navigator
Results Navigator
Stored Process Navigator
Tree Navigator
Information Map Navigator
Report Navigator
Publication Channel Subscriptions

Within the shared pages and portlets, individual users will see only the content that they are authorized to view. Content that was created outside the portal environment, such as SAS Stored Processes, SAS Publication Channels, SAS Packages, SAS Information Maps, SAS Reports, and files that are on a SAS Content Server, all retain the permissions that have been assigned to them in SAS metadata. Only authorized users can view the content. For example, suppose a page that you share contains two portlets, one with salary information and one with company news items. If a user who is not authorized to view salary information accesses the page, only the news items will be visible to that user.

When Can You Share Content?

Group permission trees must exist in SAS metadata before you can share content with the groups. To verify that a permission tree folder exists, or to create one, see Managing Portal Permission Trees in Metadata.

In the SAS Information Delivery Portal, you can share content with a group in the following situations:

when you create a new page, portlet, application, link, or syndication channel
when you edit the properties of a page or a portlet
when you edit an application, link, or syndication channel

For complete instructions, see the online Help that is provided with the portal.

Suggestions for Sharing Content with Multiple Groups of Users

The SAS Information Delivery Portal enables you to share a content item with only one group at a time (though you can later switch to a different group). If you want to share content with multiple types of users simultaneously, then there are ways to work around this limitation and accomplish your goal.

Recall that the target group can be either all portal users (PUBLIC) or a group that you define in metadata, such as "Sales Managers." The group can be of any size, and it can contain other groups. If you want to share content with multiple groups, you might combine the groups into a new group that you define (for example, "All Sales"). You can then create a group content administrator for that new group to share content with the group.

Recall also that, within the shared portlets on a shared page, users are shown only the content that they are authorized to see. It is recommended that instead of providing individual access controls to portal content, you share portlets with different groups and not with specific users.

Top of Page