Managing Portal Permission Trees in Metadata

Overview of Permission Tree Folders

All portal users must have appropriate permissions in order to view, create, or edit portal content. Permissions are granted to users for particular content and resources. For example, you must give a group content administrator permission to edit the content that is associated with the respective group. All portal users are automatically granted permissions to view and edit content that they create in their personal portal views.
The SAS Information Delivery Portal stores all permissions in SAS metadata and displays the permissions in Authorization Manager in the SAS Management Console. The resources for which a portal user or group has permissions are grouped under a folder that is designated for the user or group. These folders are called permission trees. Permission trees can be created only in the Foundation repository.
For example, suppose that you have created a Finance group in metadata. In the Authorization Manager, a folder named Finance Permission Tree appears in the Tree list. To view the Tree list on the SAS Management Console Plug-ins tab, navigate to Environment Management, then select Authorization Manager, then select Resource Management, then select By Type, then select Tree. If you inspect the properties for the Finance permission tree folder, you will find the permissions that are defined for the contents of the folder. (If a folder does not appear in the list, then you can create the folder by using one of the options described in the section How Permission Tree Folders Are Created.)
When you add new users or groups to the metadata server, the portal must add permission trees to the metadata before you can administer those users or groups. For example, if you create a new group in metadata, then the portal must create a permission tree folder for that group before you can share content with the group or configure a content administrator for the group. User permission trees are never modified by the portal administrator.

How Permission Tree Folders Are Created

Every user and group that is defined in metadata has its own permission tree folder. The methods that the SAS Information Delivery Portal uses to create permission tree folders depend on whether the metadata identity is a user or a group:
  • User permission trees: The portal creates a permission tree for a user entity that is defined in metadata when you log on to the portal as that user.
  • Group permission trees: The portal creates a permission tree for one or more groups that are defined in metadata when you do any one of the following:
    • Restart the Web application server. The portal software creates permission tree folders for new groups each time the Web application server is started.
    • Log on to the portal as a portal administrator (for example, sastrust).
    • Create permission tree folders manually by running the initPortalData.bat utility on Windows or the initPortalData.sh utility on UNIX and z/OS. The initPortalData.bat and the initPortalData.sh utilities are located in the SAS-configuration-directory\Levn\Web\Applications\SASPortal4.2\InitializePortal directory. This option is recommended when you have a large number of new groups that require permission tree folders.

How Permission Tree Folders Are Removed

After you delete a user or group identity from SAS metadata, the SAS Information Delivery Portal removes the corresponding permission tree when you do any one of the following:
  • Restart the Web application server.
  • Log on to the portal as the SAS administrator (sasadm).
  • Run the initPortalData.bat utility on Windows or the initPortalData.sh utility on UNIX and z/OS.
Once you remove a permission tree from the metadata, that tree is permanently gone. The tree will not be restored if you later create a user or group with the same name.

Verify Permission Tree Folders and Permissions

You can verify that a permission tree folder has been created for a particular user or group. You can also verify the permissions that have been granted for the resources that are associated with the user or group.
To verify that a permission tree folder has been created for a group, follow these steps:
  1. Log on to SAS Management Console as the SAS Trusted User or as the SAS Administrator.
  2. Navigate to Authorization Manager, then select Resource Management, then select By Type, then select Tree. Select the group, right-click, and select Properties.
  3. In the Permissions Tree Properties dialog box, select the Authorization tab. The permissions for the group appear in the Permissions list box. These permissions apply to all the resource items that are listed under the permission tree folder. (You can manually override the permissions for any of these items.)
  4. Click OK to exit the dialog box for the Permission Tree Properties.