Implementation & Administration Guide 1.1
Definitions for users of the SAS Information Delivery Portal are stored in the enterprise directory. In order to run, the SAS Information Delivery Portal requires definitions for two specific users at a minimum: portaluser and portalguest. These user definitions are created automatically during the installation process. Three additional default users are also created: portaldemo, portaladmin, and dwadmin.
In addition to these users, individual person entries should be created for each portal user. Once the user's person entry has been created, the following capabilities become available:
The user can add and organize portal content to meet his or her unique needs. For details, see Personalizing Your Portal in the User's Guide.
The user can be added to a group, giving the user access to role-based content and other content that is restricted to particular groups. For details, see Defining Portal Groups.
The user's person DN can be used to give the user access to portal content other than that which is available publicly or to groups. For example, the person DN can be added to a SAS Login definition so that the user will have access to data sets and processes on a SAS server. For details, see Controlling Access to Portal Content.
The SAS Information Delivery Portal provides two methods for adding individual users: registration through the log-in screen, and registration by an administrator. If you do not have advance information about your users, registration through the log-in screen may be the best way to add users to the portal. If your potential users have differing information needs and differing rights to view content, then you should consider having an administrator register users. This section provides detailed information about both registration methods.
Definitions for users of the SAS Information Delivery Portal are stored in the enterprise directory in the ou=People organizational unit. When a user attempts to log on, the portal looks in that organizational unit to find the user's definition. It uses the definition information, along with associated group information and access information, to determine which portal content the user is allowed to see.
The LDAP directory contains three entries for each portal user:
Person. The person entry in ou=People holds information about the individual, including the user name and password which are used to authenticate the user.
Sassubscriber. The sassubscriber entry resides under cn=sassubscribers, sascomponent=sasPublishSubscribe, cn=SAS. This entry is used to store information about the user's subscriptions to SAS publication channels.
Sasportalprofile. The sasportalprofile entry resides under cn=sasPortalUsers, sascomponent=sasPortal, cn=SAS. This entry is used to store the user's portal application information, including information about the user's personal links, lists, and windows.
In order to run, the SAS Information Delivery Portal requires definitions for two specific users at a minimum: portaluser and portalguest. Three other generic users are also defined during the installation process: portaldemo, portaladmin, and dwadmin. Each of these users is described below:
portaluser. The user id portaluser is the portal's privileged identity. This identity allows the portal application to perform specific tasks on behalf of users who are logged on. These tasks include creating new profiles, subscribing and unsubscribing to publication and content channels, and accessing credentials for SAS servers. To perform these tasks, the portaluser must have the following permissions:
All access to the SAS application hierarchy (from cn=SAS, $SAS_CONTEXT).
All access to the areas where person entries and group entries are stored.
For SecureWay servers, the portaluser should also be defined as the entryOwner for entries under sascomponent=sasPortal. This will allow the portaluser to set access controls for new profiles and other content.
portalguest. The user id portalguest is the portal's guest account. It is used to display public content to users who have not logged on.
portaldemo. The user id portaldemo is provided for demonstration purposes. It allows you to test your portal implementation and learn about the portal's features. For a step-by-step guide to the demo, see Stepping Through the Demo Portal.
portaladmin. The user id portaladmin has the authority to administer the portal's public content. Public content is available to all users, whether or not they have logged on to the portal. The portaladmin user should not have any special permissions in the directory.
dwadmin. The user id dwadmin has the authority to administer data warehouse content in the portal.
For proper operation of the portal, appropriate access controls must be set for the portaluser, portalguest, portaldemo, portaladmin, and dwadmin user identities. Refer to Setting Proper Access Controls for User Identities for detailed information about the settings that are required.
In addition to the five initial users, individual person entries should be created for each portal user. The SAS Information Delivery Portal provides two methods for adding individual users: registration through the log-in screen, and registration by an administrator.
If you do not have advance information about your users, registration through the log-in screen may be the best way to add users to the portal. In this scenario, new visitors to the portal use the registration feature on the portal log-in screen to create a user name and password. The portal uses the entered information to create a person entry, a sassubscriber entry, and a sasportalprofile entry in the enterprise directory. These entries give the user access to a default set of content that is available publicly.
If the user needs access to role-based content or to content that is restricted to only certain users, the administrator will need to grant the necessary access after the user has registered. This could involve adding the user's identity to a SAS Login definition; or it could involve adding the user to the appropriate group or groups, as described in Defining Portal Groups.
Group assignment is not necessary for users who only need to view publicly available content. For example, you may decide to make a set of standard, non-restricted portal content available to anyone who visits your organization's internet site.
Alternatively, a user with administrative permissions can manually create person entries on the enterprise directory. The administrator only needs to create a person entry for the user. The first time the user logs into the portal, the portal automatically creates a sassubscriber entry and a sasportalprofile entry.
If your potential users have differing information needs and differing rights to view content, then you should consider using this registration method. This method allows you to plan user groups and security structures before users are added to the portal. For example, if you are implementing the portal on an organization's intranet or internal network, you may find it beneficial to analyze potential users, create groups based on users' roles and needs, and set up security controls before users begin logging on to the portal.
If you have a user base that includes specific groups of users as well as general users, you may decide to use a combination of user registration and administrator registration.
Each directory entry in the ou=People organizational unit should look like the following. The bold items are those that are different for each user.
    dn: cn=username,$PERSON_CONTEXT$
    cn: username
    description: user description
    mail: user email address
    objectclass: inetorgperson
    objectclass: person
    sn: short name of the user
    uid: user's portal login ID
    userpassword: login password
Creating an entry in the directory manually for each portal user can be time-consuming. Creating and importing an LDIF file simplifies the process and also provides a backup file of portal users.
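The following added example (not part of the SAS guide or its tooling) generates such an LDIF file from a list of user records, using the person attributes shown above. It goes beyond the template by escaping the cn value inside the DN (RFC 4514) and base64-encoding any value that is not LDIF-safe (RFC 2849), so a comma or line break in the input data cannot alter the DN or add an attribute line. The base DN standing in for $PERSON_CONTEXT$, the function names, and the sample users are assumptions.

```python
import base64
import re

# Assumption: placeholder base DN standing in for the page's $PERSON_CONTEXT$.
PERSON_CONTEXT = "ou=People,o=example"

# RFC 2849 SAFE-STRING: 7-bit, no NUL/CR/LF, not starting with space, ':' or '<'.
_SAFE = re.compile(r"[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f]"
                   r"[\x01-\x09\x0b\x0c\x0e-\x7f]*")

def ldif_line(attr, value):
    """Emit 'attr: value', or 'attr:: <base64>' when the value is not LDIF-safe."""
    if _SAFE.fullmatch(value) and not value.endswith(" "):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def escape_rdn(value):
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = re.sub(r'([,+"\\<>;])', r"\\\1", value).replace("\x00", "\\00")
    if out[:1] in ("#", " "):
        out = "\\" + out
    if len(value) > 1 and value.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def person_entry(username, description, mail, sn, uid, password):
    """Build one ou=People person entry with the attributes listed on this page."""
    pairs = [("dn", f"cn={escape_rdn(username)},{PERSON_CONTEXT}"),
             ("cn", username), ("description", description), ("mail", mail),
             ("objectclass", "inetorgperson"), ("objectclass", "person"),
             ("sn", sn), ("uid", uid), ("userpassword", password)]
    return "\n".join(ldif_line(a, v) for a, v in pairs) + "\n"

def build_ldif(users):
    """Join entries with the blank line LDIF requires between records."""
    return "\n".join(person_entry(**u) for u in users)

# Constructed sample input; the second record has a comma in the name and a
# line break in the description that must not become a separate LDIF line.
SAMPLE_USERS = [
    dict(username="jsmith", description="Sales analyst", mail="jsmith@example.com",
         sn="Smith", uid="jsmith", password="constructed-initial-pw-1"),
    dict(username="Doe, Jane", description="Finance\nuid: other",
         mail="jdoe@example.com", sn="Doe", uid="jdoe", password="constructed-initial-pw-2"),
]

if __name__ == "__main__":
    print(build_ldif(SAMPLE_USERS), end="")
```

Because the generated file contains each user's userpassword value, it should be stored with the same access restrictions as the directory itself.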