Implementation & Administration Guide 1.1
Each implementation of the SAS Information Delivery Portal will have different security requirements. In determining how to implement portal security, you should consider your organization's internal security policies, the security mechanisms that are in place in your environment, the types of users who will need to access the portal, and the types of content that will be made available. You can then implement your security requirements using the following mechanisms:
User definitions. The SAS Information Delivery Portal provides two methods for adding individual users: registration through the portal log-in screen, and registration by an administrator. Definitions of registered users are stored in the portal's enterprise directory. A user who has been registered on the system can personalize the portal by adding or modifying his or her own windows, lists, and content items. In addition, registered users can be granted access to specific portal content. See Defining Portal Users for details on setting up users.
Group definitions. For efficient management of portal security, it is recommended that you organize registered users into groups on the enterprise directory. You can then grant access to portal content to the appropriate groups based on the sensitivity of the data and the users' needs for information. See Defining Portal Groups (Roles) for details on setting up groups.
User authentication. To authenticate users, the SAS Information Delivery Portal can either require users to log on using the portal's own log-on procedure, or it can perform authentication based on Web server log-on information.
Authentication using portal log-on. By default, the portal uses its own log-on procedure to authenticate users. When a user first brings up the SAS Information Delivery Portal, the public areas of the portal application become available for searching and viewing. To establish a specific user identity, the user chooses the Log On task from the toolbar. On the log-on page, the user enters a user name and password, which the portal uses to perform a bind operation to authenticate the user. During authentication, the portal searches the enterprise directory for a person entry whose "uid" and password attributes match the user name and password that were entered.
Authentication via Web server sign-on. Enhancements provided with Version 1.1.1 allow you to implement user authentication based on the user's identity as it was provided to the Web server. When the user brings up the SAS Information Delivery Portal, the portal uses the request.getRemoteUser() method to obtain the user's identity from the Web server. The portal then searches the enterprise directory for a person entry whose "uid" attribute matches the user ID provided by the Web server.
To implement this method, enter the following setting in the Portal.properties file:
Servlet.Security.TrustWebServerLogin=true
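The following is an added sketch, not SAS code and not part of the original guide, of how a servlet application might act on this setting: the value of request.getRemoteUser() is used only when the property is true and the Web server supplied a non-empty identity, and it is escaped per RFC 4515 before being placed in the directory search filter. The class and method names, the filter shape (objectClass=person), and the sample values are assumptions.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;

// Added illustration; class and method names are hypothetical, not portal APIs.
public class TrustedLoginExample {

    // Escape a value for use inside an LDAP search filter (RFC 4515).
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // remoteUser stands for the result of request.getRemoteUser(), which is
    // null when the Web server did not authenticate the request.
    // Returns the filter for the person entry, or null when no identity may be
    // taken from the Web server (trust disabled or no authenticated user).
    static String personFilter(Properties portalProps, String remoteUser) {
        boolean trust = Boolean.parseBoolean(portalProps
            .getProperty("Servlet.Security.TrustWebServerLogin", "false").trim());
        if (!trust || remoteUser == null || remoteUser.isEmpty()) {
            return null;
        }
        // Assumed filter shape: a person entry matched on its uid attribute.
        return "(&(objectClass=person)(uid=" + escapeFilterValue(remoteUser) + "))";
    }

    public static void main(String[] args) throws IOException {
        Properties props = new Properties();
        props.load(new StringReader("Servlet.Security.TrustWebServerLogin=true\n"));
        // Constructed sample identities: plain, unauthenticated, metacharacters.
        String[] samples = { "jsmith", null, "j*smith(test)" };
        for (String s : samples) {
            System.out.println(s + " -> " + personFilter(props, s));
        }
    }
}
```

With the property set to true, a null or empty identity yields no filter, so the request stays limited to the public areas instead of matching an arbitrary directory entry.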
Access control. You can use several different methods to allow or restrict access to portal content. The methods are as follows:
SAS Login definitions. SAS Login definitions on the enterprise directory ensure that only authorized portal users obtain access to SAS data and processes. Each SAS server that you define to the portal must have a login definition that specifies which users or groups of users can access the server.
Personal and role-based content. Through the portal's Personalization feature, you can create role-based or personal webEIS documents, links, applications, widgets, content channels, windows, and lists. Role-based content is available only to a particular group of users, and personal content is available only to the user who adds it to the portal. The portal uses ACI rules (described in the next bullet) to impose these restrictions.
Access Control Information (ACI) rules. The portal also uses Access Control Information (ACI) rules in the enterprise directory to determine which portal components or content can be accessed by the user. For a given object or group of objects, an ACI rule can explicitly allow or disallow specific types of access to individual registered users or groups of users. An authorized administrator can manually update the enterprise directory with ACI rules to control access to any object on the directory. Use of these rules provides virtually unlimited flexibility in controlling access to portal content.
See Controlling Access to Portal Content for details on setting up access controls.
The installation process for the SAS Information Delivery Portal creates a default security structure in your enterprise directory that controls security on both the Web server (middle tier) and SAS server (back tier). The structure includes a default set of permissions that enable the portal to operate on a demonstration basis. For a description of this structure, see Security Concepts and Policies.