Implementation & Administration Guide 1.1 |
When implementing or administering the SAS Information Delivery Portal, you can use several different methods to allow or restrict access to the portal content. The level of security you apply will depend on your user base and on the sensitivity of the content that you make available through the portal.
The methods for controlling access vary depending on the type of content. The following table summarizes the available methods and their applicability to each content type:
| Content Category | Content Type | Specify User or Group DN in SAS Login Definition | Use Personalization to Create Personal, Role-based, or Public Content | Specify ACI Rule |
|---|---|:-:|:-:|:-:|
| SAS | Publication Channel | | | x |
| SAS | Package Published from Publication Channel | x | | x |
| SAS | Report (Stored Process) | x | | x |
| SAS | Warehouse View | x | | |
| SAS | Table | x | | x |
| SAS | Table Column | x | | x |
| SAS | MDDB | x | | x |
| SAS | webEIS Document | x | x | x |
| Non-SAS | Link | | x | x |
| Non-SAS | Application | | x | x |
| Non-SAS | Widget | | x | x |
| Non-SAS | Content Channel | | x | x |
| Non-SAS | Document | | | x |
| Portal Component | Window | | x | x |
| Portal Component | List | | x | x |
Before using any of these methods, it is generally helpful to first organize the potential users of the portal into groups. Each group should contain users who have similar job functions and/or similar information needs. A user can be assigned to more than one group. For details on creating groups, see Defining Portal Groups (Roles).
For SAS data and processes, SAS Login definitions are the most efficient way to ensure that only authorized users obtain access through the portal. An added benefit of SAS Login definitions is that they also prevent unauthorized access from outside of the SAS Information Delivery Portal.
When a user attempts to view SAS content via the portal, the portal first attempts to create a workspace on the SAS server that contains the content. The workspace is created only if the SAS Login definition associated with the server contains the Distinguished Name (DN) of either the individual user or a group to which the user belongs. If the user's name or group is not specified in the SAS Login definition, an error message appears.
For information about creating a SAS Login, see Adding a SAS Login on the SAS Integration Technologies Web site.
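The workspace check described above, modelled as an added example (this is not code from the SAS Information Delivery Portal or SAS Integration Technologies). The SAS Login definition, the user DN and the group DNs are constructed sample values, and the DN normalization (trimming whitespace around RDN separators, case-insensitive comparison) is an assumption about how DNs are matched; the guide does not spell it out.

```python
"""Added example: models the decision the portal makes before creating a
workspace on a SAS server. A workspace is created only if the SAS Login
definition for that server lists the DN of the user or of one of the
user's groups; otherwise the portal reports an error."""
from dataclasses import dataclass, field


def normalize_dn(dn: str) -> str:
    """Canonicalize a DN for comparison (assumed matching rule: strip
    whitespace around the RDN separators and compare case-insensitively)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


@dataclass
class SasLogin:
    """A SAS Login definition: the server it applies to and the user or
    group DNs that are allowed to obtain a workspace through it."""
    server: str
    allowed_dns: set


@dataclass
class PortalUser:
    dn: str
    group_dns: set = field(default_factory=set)


def workspace_allowed(login: SasLogin, user: PortalUser):
    """Return (allowed, reason). Access is granted when the user's own DN or
    any of the user's group DNs appears in the SAS Login definition."""
    allowed = {normalize_dn(d) for d in login.allowed_dns}
    if normalize_dn(user.dn) in allowed:
        return True, "user DN listed in SAS Login for %s" % login.server
    for group in user.group_dns:
        if normalize_dn(group) in allowed:
            return True, "group %s listed in SAS Login for %s" % (group, login.server)
    return False, ("workspace not created: neither the user DN nor a group DN "
                   "is listed in the SAS Login for %s" % login.server)


# Constructed sample data (not from any real directory)
SALES_LOGIN = SasLogin(
    server="Sales warehouse server",
    allowed_dns={"cn=Sales, ou=Groups, o=Example",
                 "cn=janed,ou=People,o=Example"},
)
SALES_ANALYST = PortalUser("cn=bobr,ou=People,o=Example",
                           {"CN=sales,OU=groups,O=example"})   # group match
JANE = PortalUser("cn=janed,ou=People,o=Example")              # user match
OUTSIDER = PortalUser("cn=guest,ou=People,o=Example",
                      {"cn=Marketing,ou=Groups,o=Example"})    # no match

if __name__ == "__main__":
    for user in (SALES_ANALYST, JANE, OUTSIDER):
        print(user.dn, workspace_allowed(SALES_LOGIN, user))
```

Because the SAS Login is enforced when the workspace is created, the same definition also blocks a client that bypasses the portal and connects to the server directly, which is the point made above about preventing access from outside the portal.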
For SAS webEIS documents and MDDBs, SAS login definitions can also be used to provide credentials to the EIS access control system. Alternatively, you can prompt the user to enter EIS credentials. For implementation details, refer to the access control instructions in the topic Adding SAS webEIS Documents to the Portal.
For Portal content other than SAS data and processes, the most efficient way to control access is to use the portal's Personalization feature to create personal, role-based, or public content.
Personal content is content that can be accessed only by the user who added it to the portal. Through the portal's Personalization feature, any user can add personal webEIS documents, links, applications, widgets, content channels, windows, and lists to the portal.
Role-based content is content that can be accessed only by users who belong to a specific group. Role-based content can be added only by the user who is authorized as the owner of the group. Through the portal's Personalization feature, the group owner can add role-based webEIS documents, links, applications, widgets, content channels, windows, and lists to the portal.
Public content is content that can be accessed by any user, even a user who has not registered. In the default installation of the portal, public content can be added only by the public content administrator. In the default portal installation, the Portal.properties file assigns the public content administrator the user ID "portaladmin." Through the portal's Personalization feature, the public content administrator can add public webEIS documents, links, applications, widgets, content channels, windows, and lists to the portal.
For details on creating personal and role-based content, see Personalizing Your Portal in the SAS Information Delivery Portal User's Guide.
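The three content scopes above, expressed as an added example of the visibility and ownership rules the text describes (this is not the portal's own code). The group, content items and user IDs are constructed; the only value taken from the guide is the default public content administrator ID "portaladmin" from Portal.properties.

```python
"""Added example: who can view and who can add personal, role-based and
public content under the portal's Personalization feature, as described
in the guide. Data structures and sample values are constructed."""
from dataclasses import dataclass
from typing import Optional

# Default public content administrator ID from Portal.properties (from the guide)
PUBLIC_CONTENT_ADMIN = "portaladmin"


@dataclass
class Group:
    dn: str
    owner: str      # user ID authorized as the owner of the group
    members: set    # user IDs belonging to the group


@dataclass
class Content:
    name: str
    scope: str                       # "personal", "role-based" or "public"
    owner: Optional[str] = None      # personal content: the user who added it
    group_dn: Optional[str] = None   # role-based content: the group it belongs to


def can_view(item: Content, user_id: Optional[str], groups: dict) -> bool:
    """user_id is None for a visitor who has not registered."""
    if item.scope == "public":
        return True                                  # anyone, registered or not
    if user_id is None:
        return False
    if item.scope == "personal":
        return user_id == item.owner                 # only the user who added it
    if item.scope == "role-based":
        group = groups.get(item.group_dn)
        return group is not None and user_id in group.members
    raise ValueError("unknown scope %r" % item.scope)


def can_add(item: Content, user_id: Optional[str], groups: dict) -> bool:
    """Who may add content of each scope in the default installation."""
    if user_id is None:
        return False                                 # unregistered users add nothing
    if item.scope == "personal":
        return user_id == item.owner                 # any user, for themselves only
    if item.scope == "role-based":
        group = groups.get(item.group_dn)
        return group is not None and user_id == group.owner
    if item.scope == "public":
        return user_id == PUBLIC_CONTENT_ADMIN
    raise ValueError("unknown scope %r" % item.scope)


# Constructed sample data
GROUPS = {
    "cn=Sales,ou=Groups,o=Example": Group(
        dn="cn=Sales,ou=Groups,o=Example", owner="janed",
        members={"janed", "bobr"}),
}
MY_LINKS = Content("My bookmarks", "personal", owner="bobr")
SALES_WINDOW = Content("Sales dashboard window", "role-based",
                       group_dn="cn=Sales,ou=Groups,o=Example")
HOME_PAGE_LIST = Content("Company news list", "public")

if __name__ == "__main__":
    for who in ("bobr", "janed", "guest", None):
        print(who, [can_view(i, who, GROUPS) for i in (MY_LINKS, SALES_WINDOW, HOME_PAGE_LIST)])
```

The useful check here is the negative cases: a group member who is not the group owner can view role-based content but cannot add it, and a registered user who is not the public content administrator cannot add public content even though everyone can read it.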
The SAS Login and the portal's Personalization feature will provide adequate security for many implementations of the SAS Information Delivery Portal. However, in some cases security may need to be implemented at a greater level of detail. By entering Access Control Information (ACI) rules into the metadata on the portal's enterprise directory, you can control security at virtually any level of granularity.
ACI rules are statements that apply to specific objects on an LDAP server. Any number of rules can be entered for a given object. Each rule specifies:
If you are using the Sun ONE Directory Server or the Netscape Directory Server, you can refer to Netscape Directory Server Access Control Overview on the SAS Integration Technologies Web site for more information about ACI rules. If you are using the IBM SecureWay server, you can refer to SecureWay Directory Server Access Control Overview.
To enter ACI rules for SAS processes and data, you can use either the SAS Integration Technologies (IT) Administrator or the enterprise directory console. To enter ACI rules for other types of content, you must use the enterprise directory console.
To enter ACI rules in IT Administrator:
IT Administrator allows you to enter ACI rules for any of the following objects:
To enter ACI rules for other types of portal content, you must use the enterprise directory console.