Implementation & Administration Guide 1.1 |
When setting up user entries for the SAS Information Delivery Portal, it is recommended that you organize the portal users into groups. You can then grant access to portal content to the appropriate groups based on the sensitivity of the data and the users' needs for information. The use of groups is particularly important if the users have differing information needs and differing rights to view content.
The use of groups simplifies the process of administering and maintaining portal security and reduces the chance for errors. For example:
As new users are added, you can assign them to the appropriate groups and they will automatically have access to the appropriate content. For details about adding users, see Defining Portal Users.
The first step in setting up groups is to analyze the content that is planned for the SAS Information Delivery Portal. For each category of content, determine whether access restrictions are needed. If restrictions are needed, identify the types of users that should and should not have access.
After analyzing the content, you can identify groups of users. These user groups may be based on your organization's structure; however, it is more important to group users that have similar data access needs. Start by identifying large groups of users. You can then subdivide those large groups into smaller groups if necessary. For example, you could create an Accounting user group that needs access to financial data through the portal. Within that group, you could identify a subgroup of users who need access to salary information that should not be accessed by the rest of the group.
You may find that the access needs of a group of users are not necessarily identical. In these cases, you can assign a user to more than one group to accommodate unique needs.
The goal is to organize the user base in a way that reduces the number of cases in which specific users must be granted access to specific data. By keeping exception situations to a minimum, you will simplify maintenance tasks and reduce the chance for errors.
When you set up a group, you should identify one user in each group as the group owner. The portal gives the group owner authorization to create role-based windows, lists, and links that can be accessed by all members of the group. In addition, the group owner can add role-based content including applications, widgets, content channels, and documents to the portal. This content can then be accessed by all members of the group.
Group entries are typically stored in the enterprise directory under the ou=Groups container. The format of a sample LDAP entry is as follows. The items that differ for each group are the group name, the group owner, and the uniqueMember entries (these appear highlighted in the original guide).

    dn: cn=group name, $GROUP_CONTEXT$
    objectclass: groupofUniqueNames
    cn: group name
    owner: cn=group administrator, $PERSON_CONTEXT$
    uniqueMember: username1, $PERSON_CONTEXT$
    uniqueMember: username2, $PERSON_CONTEXT$
    . . (add as many uniqueMember entries as needed)
Notes:
Depending on the size of your organization and the number of groups required, creating group definitions can be time consuming. In some cases, you may be able to reduce the time required for this task:
Another method is to use definitions in /etc/passwd and /etc/group to create an LDIF file. This file can then be imported into the directory using command-line tools, a directory console utility, or a custom application.
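The following script is an added example, not code from the SAS guide, showing how the /etc/passwd and /etc/group method above can produce LDIF entries in the sample groupofUniqueNames layout. It assumes placeholder values for $GROUP_CONTEXT$ and $PERSON_CONTEXT$, assumes that person entries are named cn=<login> under $PERSON_CONTEXT$, and, absent an explicit owner, makes the first valid member the group owner; the passwd and group lines are constructed sample data. It also applies the checks a directory administrator would want before importing: members that do not exist in passwd are dropped, names that would need DN escaping are rejected rather than written raw into the LDIF, groups with no valid member are not emitted (the groupOfUniqueNames object class requires at least one uniqueMember), and the owner must be a member of the group.

```python
import re

# Placeholders standing in for the guide's $GROUP_CONTEXT$ / $PERSON_CONTEXT$ (assumption)
GROUP_CONTEXT = "ou=Groups,o=example"
PERSON_CONTEXT = "ou=People,o=example"

# Only plain account names are accepted as RDN values. Commas, '+', '#', newlines
# and similar would need RFC 4514 escaping; unescaped, they could smuggle extra
# attributes or DN components into the generated LDIF, so such names are skipped.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")

# Constructed sample input in /etc/passwd and /etc/group format.
SAMPLE_PASSWD = """\
jsmith:x:1001:100:Jane Smith:/home/jsmith:/bin/bash
rjones:x:1002:100:Rob Jones:/home/rjones:/bin/bash
mlee:x:1003:100:Mia Lee:/home/mlee:/bin/bash
"""
SAMPLE_GROUP = """\
accounting:x:2001:jsmith,rjones,mlee
payroll:x:2002:jsmith,ghost
emptygrp:x:2003:
"""


def parse_passwd(text):
    """Map login name -> GECOS field from /etc/passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        users[fields[0]] = fields[4]
    return users


def parse_group(text):
    """Map group name -> list of member logins from /etc/group-format text."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"malformed group line: {line!r}")
        groups[fields[0]] = [m for m in fields[3].split(",") if m]
    return groups


def person_dn(login):
    # Assumption: person entries are cn=<login> directly under PERSON_CONTEXT.
    return f"cn={login},{PERSON_CONTEXT}"


def group_entry(name, members, known_users, owner=None):
    """Build one groupOfUniqueNames entry; returns (ldif_text or None, warnings)."""
    warnings = []
    if not SAFE_NAME.match(name):
        return None, [f"group {name!r}: unsafe name, skipped"]
    valid = []
    for m in members:
        if not SAFE_NAME.match(m):
            warnings.append(f"group {name}: unsafe member name {m!r}, skipped")
        elif m not in known_users:
            warnings.append(f"group {name}: member {m} not in passwd, skipped")
        elif m not in valid:          # silently drop duplicates
            valid.append(m)
    if not valid:
        warnings.append(f"group {name}: no valid members, entry not generated")
        return None, warnings
    owner = owner or valid[0]
    if owner not in valid:
        warnings.append(f"group {name}: owner {owner} is not a member, entry not generated")
        return None, warnings
    lines = [f"dn: cn={name},{GROUP_CONTEXT}",
             "objectclass: groupOfUniqueNames",
             f"cn: {name}",
             f"owner: {person_dn(owner)}"]
    lines += [f"uniqueMember: {person_dn(m)}" for m in valid]
    return "\n".join(lines) + "\n", warnings


def build_ldif(passwd_text, group_text, owners=None):
    """Convert passwd/group text into LDIF; returns (ldif, warnings).

    owners maps group name -> login of the designated group owner.
    """
    owners = owners or {}
    users = parse_passwd(passwd_text)
    entries, warnings = [], []
    for name, members in parse_group(group_text).items():
        entry, w = group_entry(name, members, users, owners.get(name))
        warnings.extend(w)
        if entry:
            entries.append(entry)
    return "\n".join(entries), warnings


if __name__ == "__main__":
    ldif, warns = build_ldif(SAMPLE_PASSWD, SAMPLE_GROUP, owners={"accounting": "mlee"})
    print(ldif)
    for w in warns:
        print("WARNING:", w)
```

Review the printed warnings before importing the output with your directory's command-line tools; the entries that are emitted are the ones the checks above accepted, and the owner map is where you record the one user per group who will be trusted to publish role-based content for the group.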
If these methods are not feasible, it will be necessary to create each group definition manually. However, the time you invest in creating the groups will be repaid in lower directory maintenance time.
Once your user groups have been defined, you can use various methods to give the groups access to portal content. For details, see Controlling Access to Portal Content.