Administering Portal Authorization
Overview of Planning for Portal Users and Groups
When you define users to access the SAS Information Delivery Portal, it is recommended that you organize the users into groups. You can then grant these groups access to content based on the sensitivity of the data and the group's need for information. The use of groups is particularly important if the users have different information needs and different rights to view content.
The use of groups simplifies the process of administering and maintaining portal security, and reduces the chance for errors. Here are some guidelines to follow when creating users and groups, and administering portal content.
Portal content includes users' personal content and group-based content. As new content is added to the portal, you can make it available to the appropriate groups based on the type of information and its level of sensitivity. This process is much simpler than giving access to a long list of individual users.
As new users are added, you can assign them to the appropriate groups and they will automatically have access to the appropriate content.
Users who are authorized as group content administrators can share their pages with members of the groups for which they are a group content administrator.
The Portal ACT is used to set permissions on the Permissions trees.
The SAS Trusted User, who is also the portal administrator, is responsible for administering the portal, and is a member of the Portal ACT. Additional portal administrators can be created by adding users to the Portal ACT and giving them ReadMetadata and WriteMetadata permissions.
The SAS Trusted User can share any user's content with any group. However, it is highly recommended that content administration for each group is performed by the group content administrator.
Group content administrators are responsible for administering content for specific groups. Although the SAS Trusted User, who is the portal administrator, can share any user's content with any group, this is strongly discouraged.
The following steps outline basic tasks for planning your user groups.
Step 1: Analyze and Upload Content
The SAS Information Delivery Portal contains both group content that is displayed to group members, and personal content that belongs to users. Personal content is accessed individually by each user who is granted access to the portal. For each category of content, determine the authorization restrictions, if any, that apply to the content. If restrictions are needed to view the content, then identify the types of users and groups that should and should not be authorized to access the content.
Groups can be defined for a variety of portal content, including pages, portlets, Web applications, links, and syndication channels. Some of the groups that were already created for SAS Reports, SAS Information Maps, or SAS Stored Processes can be used for the portal content. For general access to the portal, users belong to the PUBLIC group, the SASUSERS group, or both.
If you are storing file content on the SAS Content Server's WebDAV repository, then you must set up groups for access to the appropriate group folders.
If you are publishing packages to the SAS Content Server, then it is recommended that you set up a group that contains all of the users who need the ability to publish to the server.
In addition, you should plan for the personal and group folders in which you will publish and access the packages.
If you are publishing packages to a SAS publication channel on the SAS Content Server, then it is recommended that you set up a group that contains all the users who need the ability to publish to the server.
In addition, you should plan for the WebDAV personal and group folders in which you will publish and access the packages.
Groups can be defined based on users' need to access data on particular Integrated Object Model (IOM) servers. IOM servers include SAS Workspace Servers, SAS Stored Process Servers, and SAS OLAP Servers. In addition, if an IOM server's authentication domain is different from the authentication domain associated with the SAS Metadata Server or the Web application server, then you should set up a group definition for users to access the IOM server.
Step 2: Analyze and Group Users
After analyzing the content, you can identify groups of users. These user groups might be based on your organization's structure. However, it is more important to group users who have similar data access needs.
You might start by identifying large groups of users. You can then subdivide those large groups into smaller groups if necessary. For example, you might create an Accounting user group that needs access to financial files through the SAS Information Delivery Portal. Within that group, you can identify a subgroup of users who need access to salary information files that should not be accessed by the rest of the group. Make a list of the groups that you need to create, and identify the users to belong to the various groups.
The goal is to organize the user base in a way that reduces the number of cases in which specific users must be granted access to specific data. By keeping exception situations to a minimum, you simplify maintenance tasks and reduce the chance for errors.
Step 3: Assign Group Content Administrators
It is strongly recommended that each group be assigned a group content administrator who is responsible for managing the content for that group. Identify a user in each group who can function as the group content administrator. The SAS Trusted User, who functions as the portal administrator, can also perform content administration. Group content administrators can create personal pages and share their personal pages with all members of their respective group. For instructions about configuring a group content administrator, see Configure a Group Content Administrator.
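The three planning steps above can be rehearsed on paper before any groups are created. The following is an added example, not SAS code and not part of the SAS documentation: it derives candidate groups from a content-needs worksheet, flags subgroups and per-user exceptions, and checks that each group has an administrator who is a member. All user names, content names, and the min_size threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed planning input (hypothetical users and content categories).
NEEDS = {
    "alice": {"financial_files"},
    "bob":   {"financial_files"},
    "carol": {"financial_files", "salary_files"},
    "dave":  {"financial_files", "salary_files"},
    "erin":  {"sales_reports"},
    "frank": {"sales_reports"},
    "grace": {"audit_log"},
}
# Proposed group content administrators, keyed by group name (constructed).
ADMINS = {"financial_files": "alice", "salary_files": "bob"}


def plan_groups(needs, min_size=2):
    """Steps 1-2: derive groups from content audiences; list leftovers."""
    audience = defaultdict(set)                 # content -> users needing it
    for user, items in needs.items():
        for item in items:
            audience[item].add(user)
    merged = defaultdict(set)                   # same audience -> one group
    for item, users in audience.items():
        merged[frozenset(users)].add(item)
    groups, exceptions = {}, []
    for members, items in merged.items():
        if len(members) >= min_size:
            groups["+".join(sorted(items))] = set(members)
        else:                                   # too small: per-user grant
            exceptions += [(u, i) for u in members for i in items]
    # A group whose members all belong to a larger group is a subgroup.
    nesting = sorted((a, b) for a in groups for b in groups
                     if groups[a] < groups[b])
    return groups, sorted(exceptions), nesting


def admin_gaps(groups, admins):
    """Step 3: groups with no administrator, or one who is not a member."""
    return sorted(g for g, members in groups.items()
                  if admins.get(g) not in members)


if __name__ == "__main__":
    groups, exceptions, nesting = plan_groups(NEEDS)
    print("groups:", {g: sorted(m) for g, m in groups.items()})
    print("subgroups:", nesting)
    print("per-user exceptions:", exceptions)
    print("admin gaps:", admin_gaps(groups, ADMINS))
```

On the sample worksheet, the salary group surfaces as a subgroup of the financial group, one user remains a per-user exception, and two groups lack a valid administrator.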
Copyright © 2010 by SAS Institute Inc., Cary, NC, USA. All rights reserved.