Managing Portal Permission Trees in Metadata
Overview of Permission Tree Folders
All portal users must have appropriate permissions in
order to view, create, or edit portal content. Permissions are granted
to users for particular content and resources. For example, you must
give a group content administrator permission to edit the content
that is associated with the respective group. All portal users are
automatically granted permissions to view and edit content that they
create in their personal portal views.
The SAS Information Delivery Portal stores
all permissions in SAS metadata and displays the permissions in Authorization
Manager in the SAS Management Console. The resources for which a portal
user or group has permissions are grouped under a folder that is designated
for the user or group. These folders are called permission tree. Permission
trees can be created only in the Foundation repository.
For example, suppose
that you have created a Finance group in metadata. In the Authorization
Manager, a folder named Finance Permission Tree appears
in the Tree list. To view the Tree list
on the SAS Management Console Plug-ins tab,
navigate to Environment Management
Authorization ManagerResource ManagementBy TypeTree. If you inspect the properties for the Finance permissions
tree folder, you will find the permissions that are defined for the
contents of the folder. (If a folder does not appear in the list,
then you can create the folder by using one of the options described
in the section How Permission Tree Folders Are Created.)
Authorization ManagerResource ManagementBy TypeTree. If you inspect the properties for the Finance permissions
tree folder, you will find the permissions that are defined for the
contents of the folder. (If a folder does not appear in the list,
then you can create the folder by using one of the options described
in the section How Permission Tree Folders Are Created.)
When you add new users
or groups to the metadata server, the portal must add permission trees
to the metadata before you can administer those users or groups. For
example, if you create a new group in metadata, then the portal must
create a permission tree folder for that group before you can share
content with the group or configure a content administrator for the
group. User permission trees are never modified by the portal administrator.
How Permission Tree Folders Are Created
Every
user and group that is defined in metadata has its own permission
tree folder. The methods that the SAS Information Delivery Portal
uses to create permission tree folders depend on whether the metadata
identity is a user or a group:
-
Group permission trees: The portal creates a permission tree for one or more groups that are defined in metadata when you do any one of the following:
-
Create permission tree folders manually by running the
initPortalData.batutility on Windows or theinitPortalData.shutility on UNIX and z/OS. TheinitPortalData.batand theinitPortalData.shutilities are located in the SAS-configuration-directory\Levn\Web\Applications\SASPortal4.2\InitializePortaldirectory. This option is recommended when you have a large number of new groups that require permission tree folders.
How Permission Tree Folders Are Removed
Verify Permission Tree Folders and Permissions
You can verify that a permission
tree folder has been created for a particular user or group. You can
also verify the permissions that have been granted for the resources
that are associated with the user or group.
-
In the Permissions Tree Properties dialog box, select the Authorization tab. The permissions for the group appear in the Permissions list box. These permissions apply to all the resource items that are listed under the permission tree folder. (You can manually override the permissions for any of these items.)