Enportal/5.4/admin/user administration/enPortal provisioning: Difference between revisions
imported>Jonathan.Ho No edit summary |
imported>Jason.nicholls |
||
(22 intermediate revisions by 5 users not shown) | |||
Line 3: | Line 3: | ||
This topic details how the enPortal administrator can configure each element of User management. First, we present the concepts of establishing the basic User organization. Then we detail usage of the specific administration tools and interfaces. The primary elements of the User management are Domains, Users, and Roles. | This topic details how the enPortal administrator can configure each element of User management. First, we present the concepts of establishing the basic User organization. Then we detail usage of the specific administration tools and interfaces. The primary elements of the User management are Domains, Users, and Roles. | ||
== Basic Provisioning Concepts == | == Basic Provisioning Concepts - Understanding the User Organization == | ||
Provisioning is how you create Users and Roles in enPortal, and then provide the appropriate targeted information to them. This section provides guidelines on what to consider when planning the organization of the AppBoard/enPortal system. | |||
=== Domains === | |||
When users are created they must be grouped into one or more Domains. The primary purpose of a Domain is to provide an independent namespace of users. An unlimited set of Domains can be defined in a single system. | |||
A special Domain called <b>System</b> is reserved. This Domain is locked and can not be modified. It contains a single User named <b>administrator</b>. This User is always granted permission for all components in the system. You cannot add or remove Users from the System Domain. | |||
Within a Domain, the user IDs must be unique. However, identical User IDs can exist in different domains. | |||
The following diagram illustrates an example of domains and users: | |||
[[Image:Domain_Illustration.png|thumb|center|300px|Domains and Users Example]] | |||
As a first step in determining your User organization, determine if separate Domains need to be created so that users from one Domain would access the system independently from users in the other Domain. For example, a managed service provider may want to group customers into separate Domains if they will be completely independent from one another in how they use the system. | |||
After creating each Domain, you will then assign one or more Roles to each Domain. These Roles will dictate the system content that is available to Users in that Domain. When a Role is assigned to a Domain, then all Users belonging to that Domain inherit the Role. New Users added later to the Domain would then automatically inherit these assignments. | |||
=== Roles === | |||
Roles are a hierarchical mechanism used to organize Domains and Users. Roles are the primary basis by which | |||
capabilities are managed, preferences are stored, and content is secured. The following is an example of a Role hierarchy. Notice that the <b>NOC</b> role contains two subroles: <b>Managers</b> and <b>Operators</b>. | |||
[[Image:RoleHierarchy.png|thumb|center|300px|Role Hierarchy Example]] | |||
Individual Users or entire Domains can be assigned to a single Role or to many Roles. | |||
Allowing Users or Domains to be assigned to multiple Roles provides each User the ability to switch his | |||
or her interaction with the system. For example, Bob may need to access the system using the Role of | |||
<b>NOC Manager</b> in order to access the necessary tools to isolate and replicate a problem. After | |||
identifying the problem, he could switch to a Role of <b>Administrator</b> in order to access the rights | |||
necessary to correct the problem. | |||
When a Domain is assigned to a Role, all Users within the Domain are automatically assigned to the Role | |||
as well. This allows administrators to add new Users to a Domain and have Roles automatically | |||
assigned without having to take the time to assign individual security to the new User. | |||
When configuring the Roles to create in the system, first consider the Roles of an organization and decide which User(s) will be assigned to each Role. Each Role will control which tabs are displayed after a User successfully logs in. This is accomplished by the system administrator assigning content in the system to one or more Roles. | |||
The hierarchical nature of Roles allows for subroles to be nested under Roles. If a subrole is assigned to a Domain or User, then the Domain or User inherits the assignments and permissions of the parent Role. However, the User(s) is only permitted to log in to the system in the subrole but not in the parent Role. | |||
=== Putting It All Together === | |||
As you prepare to design your organizational structure, you should consider: | |||
* How content should be organized | |||
* Who should have access to different content | |||
Once you understand the content that will be available, you can set up the User organization to properly deliver that content to the appropriate Users. Complete the following steps to configure the system: | |||
# Create Domains and Users | |||
# Create Roles | |||
# Create Content | |||
# Assign Roles to Domains and Users | |||
# Assign Content to Roles | |||
# Create Look and Feel | |||
# Assign Look and Feel | |||
# Configure Login Page | |||
The following steps provide a guideline in setting up a User organization: | |||
* Use a company organization chart to help determine the users, domains, and roles | |||
* Develop a series of questions to gather pertinent information | |||
* Develop a matrix, form, or table that would help capture information you have gathered | |||
With the aid of a company organization chart, the following questions will assist in ensuring a smooth and sensible implementation for your organization: | |||
# What web-based information and resources are you delivering and to whom? | |||
# Are you delivering to an internal or external location? | |||
# How do you want this information displayed? | |||
# Who can access what information? | |||
# How will the information be used? | |||
== Provisioning in the enPortal Administration User Interface == | == Provisioning in the enPortal Administration User Interface == | ||
Line 52: | Line 137: | ||
### <b>Dedicated to other Domains</b> - The number of sessions currently dedicated to all other Domains. This number cannot be modified. | ### <b>Dedicated to other Domains</b> - The number of sessions currently dedicated to all other Domains. This number cannot be modified. | ||
### <b>Licensed</b> - The total number of sessions that can be allocated, as permitted by the system license file. A value of -1 indicates unlimited licenses. The number of sessions you allocate for this Domain plus the number already allocated to other Domains should not exceed the number in the Licensed field. | ### <b>Licensed</b> - The total number of sessions that can be allocated, as permitted by the system license file. A value of -1 indicates unlimited licenses. The number of sessions you allocate for this Domain plus the number already allocated to other Domains should not exceed the number in the Licensed field. | ||
# Click the <b>Roles</b> sub-tab to assign or unassign Roles to the Domain. | # Click the <b>Roles</b> sub-tab to assign or unassign Roles to the Domain. For any role listed in the <b>Roles</b> sub-tab, the role can be edited either by double-clicking the role or by selecting the role in the list and clicking the '''Edit''' button. | ||
# Click the <b>LAF</b> sub-tab to assign or un-assign a Look and Feel to the Domain. | # Click the <b>LAF</b> sub-tab to assign or un-assign a Look and Feel to the Domain. To edit an LAF, either double-click the LAF or select the LAF in the list, click the small arrow next to '''Action''', and choose ''Edit'' (the other option in the '''Action''' menu is ''Preview''). | ||
Line 82: | Line 167: | ||
# Confirm that the correct policy is applied by changing a test user's password. | # Confirm that the correct policy is applied by changing a test user's password. | ||
{{Note|In order to change password for users that are managed by ldap, you must specified a [[ | {{Note|In order to change password for users that are managed by ldap, you must specified a [[enportal/5.4/admin/user_administration/enPortal_LDAP_configuration#Configuring_LDAP_Managed_Domains|Pluggable Authenticator]] in the domains managed by this ldap and with [[enportal/5.4/admin/user_administration/enPortal_LDAP_configuration#Configuring_LDAP_Repositories|Repository URL]] starts with <tt>ldaps://</tt> and <tt>secured port #</tt> (default 636).<br/><br/>Additionally some ldaps like MS Active Directory and OpenLDAP requires ldap server's SSL certificate to be imported into java cert library running portal. Please read this [[enportal/5.4/admin/user_administration/enPortal_LDAP_configuration#LDAP_With_SSL|LDAP with SSL]] section of the [[enportal/5.4/admin/user_administration/enPortal_LDAP_configuration|LDAP Configuration]] page on how to set it up. Additional example for importing MS Active Directory SSL certificate into java cert lib can be found [https://confluence.atlassian.com/display/CROWD/Configuring+an+SSL+Certificate+for+Microsoft+Active+Directory here].<br/><br/>Currently portal is delivered with two authenticators that allowed for ldap user password changes: '''Microsoft Active Directory''' and '''OpenDS'''.}} | ||
=== Users === | === Users === | ||
Line 111: | Line 196: | ||
## <b>Password</b> - As an administrator, you can reset a User's password. | ## <b>Password</b> - As an administrator, you can reset a User's password. | ||
## <b>Lock Account</b> - If you would like to lock the User’s account, select the <b>Lock Account</b> check box and, optionally, enter a reason in the <b>Lock Reason</b> field. | ## <b>Lock Account</b> - If you would like to lock the User’s account, select the <b>Lock Account</b> check box and, optionally, enter a reason in the <b>Lock Reason</b> field. | ||
# Click the <b>Roles</b> sub-tab to assign or unassign Roles to the User. Note: it is typically recommended that you assign Roles to Domains, and not to individual Users. | # Click the <b>Roles</b> sub-tab to assign or unassign Roles to the User. Note: it is typically recommended that you assign Roles to Domains, and not to individual Users. For any role listed in the '''Roles''' sub-tab, the role can be edited either by double-clicking the role or by selecting the role in the list and clicking the '''Edit''' button. | ||
# Click the <b>LAF</b> sub-tab to assign or un-assign a Look and Feel to the User. Note: it is typically recommended that you assign LAFs to Domains or Roles, and not to individual Users. | # Click the <b>LAF</b> sub-tab to assign or un-assign a Look and Feel to the User. Note: it is typically recommended that you assign LAFs to Domains or Roles, and not to individual Users. To edit an LAF, either double-click the LAF or select the LAF in the list, click the small arrow next to '''Action''', and choose ''Edit'' (the other option in the '''Action''' menu is ''Preview''). | ||
Line 155: | Line 240: | ||
Once you have created a Role, you must assign content to the Role. This will provide information to any User who logs in to enPortal under that Role. To create content please follow the instruction specified in this [[ | Once you have created a Role, you must assign content to the Role. This will provide information to any User who logs in to enPortal under that Role. To create content please follow the instruction specified in this [[enportal/5.4/admin/user_administration/content_creation|Content Creation]] page. | ||
Line 188: | Line 273: | ||
{{Tip|The above procedure selects a Role and assigns a User or Domain to that Role. You can also select a User or Domain by mousing over the '''Provisioning''' tab and selecting '''Domains & Users''', and assign the Role to that Domain or User. Either procedure creates the same result.}} | {{Tip|The above procedure selects a Role and assigns a User or Domain to that Role. You can also select a User or Domain by mousing over the '''Provisioning''' tab and selecting '''Domains & Users''', and assign the Role to that Domain or User. Either procedure creates the same result.}} | ||
{{Note|To edit a domain or user that is assigned to a role, either double-click the domain or user name for which you wish to make changes, or select the domain/user entry in the list, click the small arrow next to '''Edit''', and choose either ''Edit Domain'' or ''Edit User''. Similar steps can be taken on the '''LAF''' sub-tab to edit assigned Look-and-Feel settings.}} | |||
=== Direct vs. Inherited Role Assignments === | === Direct vs. Inherited Role Assignments === | ||
Line 208: | Line 295: | ||
== Tutorial == | == Tutorial == | ||
A tutorial walk-through of the the basic enPortal provisioning screens is available at [[ | A tutorial walk-through of the the basic enPortal provisioning screens is available at [[enportal/5.4/admin/user_administration/enPortal_provisioning_quick_start|Provisioning Quick Start]]. | ||
== LDAP Provisioning == | == LDAP Provisioning == | ||
The sections above detail how to use enPortal's provisioning tools to manage Domains, Users, and Roles inside of enPortal. Some organizations already have an LDAP server in place to manage Users and Roles. In this case, enPortal can map to the existing LDAP configuration and rely on LDAP for externally managing this information. For instructions on configuring LDAP with enPortal, see [[enportal/5.4/admin/user_administration/enPortal_LDAP_configuration|enPortal LDAP Configuration]]. | The sections above detail how to use enPortal's provisioning tools to manage Domains, Users, and Roles inside of enPortal. Some organizations already have an LDAP server in place to manage Users and Roles. In this case, enPortal can map to the existing LDAP configuration and rely on LDAP for externally managing this information. For instructions on configuring LDAP with enPortal, see [[enportal/5.4/admin/user_administration/enPortal_LDAP_configuration|enPortal LDAP Configuration]]. | ||
== Provisioning Web Service == | |||
enPortal provides a simple REST web service to facilitate the provisioning of existent content to existent roles. Three basic operations are supported: | |||
* '''add''': Assign content to a role. | |||
* '''delete''': Remove content from a role. | |||
* '''clear''': Remove all content from a role. | |||
To assign or remove multiple content paths to a role the service must be called multiple times. | |||
The general form of the Web Service URL is: | |||
<tt>[http://localhost:8080/enportal/servlet/pd/vdir/home/role/portalAdministration/Menu/Admin/Provisioning/Manage+Roles?requestType=update&operation=OP&role=ROLE&content=CONTENT /enportal/servlet/pd/vdir/home/role/portalAdministration/Menu/Admin/Provisioning/Manage+Roles?requestType=update&operation=OP&role=ROLE&content=CONTENT]</tt> | |||
Where: | |||
* <tt>OP</tt>: add | delete | clear (described above) | |||
* <tt>ROLE</tt>: the role path for this operation | |||
* <tt>CONTENT</tt>: content path to be added/removed, not needed for clear operations. | |||
Examples: | |||
# assign <tt>/Admin/Advanced</tt> (part of the standard enPortal content) to the <tt>dev</tt> role:<br><tt>[http://localhost:8080/enportal/servlet/pd/vdir/home/role/portalAdministration/Menu/Admin/Provisioning/Manage+Roles?requestType=update&operation=add&role=/dev&content=/Admin/Advanced /enportal/servlet/pd/vdir/home/role/portalAdministration/Menu/Admin/Provisioning/Manage+Roles?requestType=update&operation=add&role=/dev&content=/Admin/Advanced]</tt> | |||
# remove <tt>/Admin/Advanced</tt> from the <tt>dev</tt> role:<br><tt>[http://localhost:8080/enportal/servlet/pd/vdir/home/role/portalAdministration/Menu/Admin/Provisioning/Manage+Roles?requestType=update&operation=delete&role=/dev&content=/Admin/Advanced /enportal/servlet/pd/vdir/home/role/portalAdministration/Menu/Admin/Provisioning/Manage+Roles?requestType=update&operation=delete&role=/dev&content=/Admin/Advanced]</tt> | |||
# clear all content from the <tt>dev</tt> role:<br><tt>[http://localhost:8080/enportal/servlet/pd/vdir/home/role/portalAdministration/Menu/Admin/Provisioning/Manage+Roles?requestType=update&operation=clear&role=/dev /enportal/servlet/pd/vdir/home/role/portalAdministration/Menu/Admin/Provisioning/Manage+Roles?requestType=update&operation=clear&role=/dev]</tt> | |||
Exception cases: | |||
# The web service does not currently check for existence of either the role or the path. | |||
# If the add operation is attempted and the path to be added is either already provisioned or a sub-path of a path already provisioned, it will do nothing and report success. | |||
# If the add operation is attempted and the path to be added is an ancestor path of one or more paths already provisioned, the new, higher path will replace all existing sub-paths under that path. | |||
# If the delete operation is attempted on any path that is not already provisioned, even if a parent or child path is provisioned, it will fail with an error. | |||
{{Note|A valid enPortal session with a user that has the <tt>portalAdministration</tt> role is required to access the web service. Via script this can be accomplished by passing in access credentials, saving the <tt>enPortal_sessionid</tt> cookie, and passing this with the web service calls. Refer to [[enportal/5.4/admin/accessing_enportal|Accessing enPortal]] for more information on passing in access credentials.}} |
Latest revision as of 06:47, 17 July 2014
This topic details how the enPortal administrator can configure each element of User management. First, we present the concepts of establishing the basic User organization. Then we detail usage of the specific administration tools and interfaces. The primary elements of the User management are Domains, Users, and Roles.
Basic Provisioning Concepts - Understanding the User Organization
Provisioning is how you create Users and Roles in enPortal, and then provide the appropriate targeted information to them. This section provides guidelines on what to consider when planning the organization of the AppBoard/enPortal system.
Domains
When users are created they must be grouped into one or more Domains. The primary purpose of a Domain is to provide an independent namespace of users. An unlimited set of Domains can be defined in a single system.
A special Domain called System is reserved. This Domain is locked and can not be modified. It contains a single User named administrator. This User is always granted permission for all components in the system. You cannot add or remove Users from the System Domain.
Within a Domain, the user IDs must be unique. However, identical User IDs can exist in different domains.
The following diagram illustrates an example of domains and users:
As a first step in determining your User organization, determine if separate Domains need to be created so that users from one Domain would access the system independently from users in the other Domain. For example, a managed service provider may want to group customers into separate Domains if they will be completely independent from one another in how they use the system.
After creating each Domain, you will then assign one or more Roles to each Domain. These Roles will dictate the system content that is available to Users in that Domain. When a Role is assigned to a Domain, then all Users belonging to that Domain inherit the Role. New Users added later to the Domain would then automatically inherit these assignments.
Roles
Roles are a hierarchical mechanism used to organize Domains and Users. Roles are the primary basis by which capabilities are managed, preferences are stored, and content is secured. The following is an example of a Role hierarchy. Notice that the NOC role contains two subroles: Managers and Operators.
Individual Users or entire Domains can be assigned to a single Role or to many Roles.
Allowing Users or Domains to be assigned to multiple Roles provides each User the ability to switch his
or her interaction with the system. For example, Bob may need to access the system using the Role of
NOC Manager in order to access the necessary tools to isolate and replicate a problem. After
identifying the problem, he could switch to a Role of Administrator in order to access the rights
necessary to correct the problem.
When a Domain is assigned to a Role, all Users within the Domain are automatically assigned to the Role
as well. This allows administrators to add new Users to a Domain and have Roles automatically
assigned without having to take the time to assign individual security to the new User.
When configuring the Roles to create in the system, first consider the Roles of an organization and decide which User(s) will be assigned to each Role. Each Role will control which tabs are displayed after a User successfully logs in. This is accomplished by the system administrator assigning content in the system to one or more Roles.
The hierarchical nature of Roles allows for subroles to be nested under Roles. If a subrole is assigned to a Domain or User, then the Domain or User inherits the assignments and permissions of the parent Role. However, the User(s) is only permitted to log in to the system in the subrole but not in the parent Role.
Putting It All Together
As you prepare to design your organizational structure, you should consider:
- How content should be organized
- Who should have access to different content
Once you understand the content that will be available, you can set up the User organization to properly deliver that content to the appropriate Users. Complete the following steps to configure the system:
- Create Domains and Users
- Create Roles
- Create Content
- Assign Roles to Domains and Users
- Assign Content to Roles
- Create Look and Feel
- Assign Look and Feel
- Configure Login Page
The following steps provide a guideline in setting up a User organization:
- Use a company organization chart to help determine the users, domains, and roles
- Develop a series of questions to gather pertinent information
- Develop a matrix, form, or table that would help capture information you have gathered
With the aid of a company organization chart, the following questions will assist in ensuring a smooth and sensible implementation for your organization:
- What web-based information and resources are you delivering and to whom?
- Are you delivering to an internal or external location?
- How do you want this information displayed?
- Who can access what information?
- How will the information be used?
Provisioning in the enPortal Administration User Interface
User management is made up of three elements: Domains, Users, and Roles. Used together, these elements provide a flexible means of organizing Users and provisioning the appropriate content to those Users. This User organization is the foundation upon which content management and other system features are built. In enPortal, provisioning is achieved by assigning Roles to Users and/or Domains.
Provisioning in enPortal is accomplished by performing the following steps:
- Create a Domain
- Create a User in the Domain
- Create a Role
- Assign Content to the Role
- Assign the Role to the User
- Assign a Look and Feel (LAF)
Domains
A Domain is a grouping of Users.
Perform the following steps to create an enPortal Domain:
- Log in to enPortal as an administrator.
- Mouse over the Provisioning tab and click on Domains & Users. The Domain Explorer panel is displayed.
- In the Domain Explorer panel, right-click on the Domains folder and select New Domain.
- Enter a name for the Domain and click Save.
- Confirm that the new Domain is displayed as a folder in the Domain Explorer panel.
Perform the following steps to modify an enPortal Domain:
- Log in to enPortal as an administrator.
- Mouse over the Provisioning tab and click on Domains & Users. The Domain Explorer panel is displayed.
- In the Domain Explorer panel, click on the Domain that you wish to modify.
- Click the General sub-tab to modify the general properties of the Domain.
- Default Login Page - You can assign a custom login page to a domain. To do so, perform the following:
- Create a custom login page JSP file and place it on the enPortal server in /server/webapps/enportal/login_pages/custom/customerName/loginPageName.jsp
- Enter the path and file name in the Default Login Page box. In the above example, you would enter "custom/customerName/loginPageName.jsp"
- Log in and log out of enPortal as a User in the Domain and confirm that the default login page for that Domain is displayed.
- Session Limit - You can specify a limit to how many licensed User sessions can be active simultaneously by the Users in a Domain. The following fields are displayed:
- Dedicated - The number of sessions currently dedicated to this domain. Modify the number of sessions, if desired. A value of -1 indicates that the selected domain can use unlimited sessions.
- Dedicated to other Domains - The number of sessions currently dedicated to all other Domains. This number cannot be modified.
- Licensed - The total number of sessions that can be allocated, as permitted by the system license file. A value of -1 indicates unlimited licenses. The number of sessions you allocate for this Domain plus the number already allocated to other Domains should not exceed the number in the Licensed field.
- Default Login Page - You can assign a custom login page to a domain. To do so, perform the following:
- Click the Roles sub-tab to assign or unassign Roles to the Domain. For any role listed in the Roles sub-tab, the role can be edited either by double-clicking the role or by selecting the role in the list and clicking the Edit button.
- Click the LAF sub-tab to assign or un-assign a Look and Feel to the Domain. To edit an LAF, either double-click the LAF or select the LAF in the list, click the small arrow next to Action, and choose Edit (the other option in the Action menu is Preview).
Perform the following steps to delete an enPortal Domain:
- Log in to enPortal as an administrator.
- Mouse over the Provisioning tab and click on Domains & Users. The Domain Explorer panel is displayed.
- In the Domain Explorer panel, right-click on the Domains folder and select Delete.
- Click Ok to confirm deletion.
- Confirm that the Domain is no longer displayed as a folder in the Domain Explorer panel.
Password Policy For A Domain
The password policy can be set for individual domain by specifying a custom password policy for the domain. The password policy specified for a domain takes precedence over the system policy.
The setting in the domain password policy will affect only the users in the domain. If domain's users are managed by external ldap and you allow for passwords to be changed (subject to limitation in the note below), it is strongly recommended that the domain policy matches that of LDAP because most of the LDAPs do not give good error messages when user's password failed its policy.
Assigning a Domain Password Policy
Perform the following steps to assign a domain password policy.
- Log in to enPortal as an administrator.
- Mouse over the Provisioning tab and click on Domains & Users. The Domain Explorer panel is displayed.
- In the Domain Explorer panel, right click on the Domain that you wish to set password policy on.
- Click the Password Policy context menu.
- Make the desired changes in the three sections: Password, Syntax, and Lockout
- Click the Save button.
- Confirm that the correct policy is applied by changing a test user's password.
Users
Once you have created a Domain, you must create a User in the Domain.
A User is a named member of a Domain who has unique credentials for logging in to enPortal.
Perform the following steps to create an enPortal User:
- Log in to enPortal as an administrator.
- Mouse over the Provisioning tab and click on Domains & Users. The Domain Explorer panel is displayed.
- In the Domain Explorer panel, right-click on the folder for the Domain into which you are adding the User and select New User.
- Enter a User name and password for the User and click Save.
- Confirm that the new User is displayed under the Domain folder in the Domain Explorer panel.
Perform the following steps to modify an enPortal User:
- Log in to enPortal as an administrator.
- Mouse over the Provisioning tab and click on Domains & Users. The Domain Explorer panel is displayed.
- In the Domain Explorer panel, expand the folder for the Domain of the User.
- Click on the User that you wish to modify.
- Click the General sub-tab to modify the general properties of the User.
- Password - As an administrator, you can reset a User's password.
- Lock Account - If you would like to lock the User’s account, select the Lock Account check box and, optionally, enter a reason in the Lock Reason field.
- Click the Roles sub-tab to assign or unassign Roles to the User. Note: it is typically recommended that you assign Roles to Domains, and not to individual Users. For any role listed in the Roles sub-tab, the role can be edited either by double-clicking the role or by selecting the role in the list and clicking the Edit button.
- Click the LAF sub-tab to assign or un-assign a Look and Feel to the User. Note: it is typically recommended that you assign LAFs to Domains or Roles, and not to individual Users. To edit an LAF, either double-click the LAF or select the LAF in the list, click the small arrow next to Action, and choose Edit (the other option in the Action menu is Preview).
Perform the following steps to delete an enPortal User:
- Log in to enPortal as an administrator.
- Mouse over the Provisioning tab and click on Domains & Users. The Domain Explorer panel is displayed.
- In the Domain Explorer panel, expand the folder for the Domain of the User.
- Right-click on the User and select Delete.
Roles
Roles are the mechanism through which content in enPortal is assigned to Users.
Perform the following steps to create an enPortal Role:
- Log in to enPortal as an administrator.
- Mouse over the Provisioning tab and click on Roles & Content Assignment. The Role Provisioning panel is displayed.
- In the Role Provisioning panel, right-click on the top-level Roles folder and select New Role.
- Enter a name for the Role and click Save.
- Confirm that the new Role is displayed under the Roles folder in the Role Provisioning panel.
Sub-roles
Roles are hierarchical in enPortal. In addition to creating Roles, you can also create sub-roles. The terms parent and child are used when referring to the relationship between roles. All Roles with sub-roles are parent Roles. Sub-roles are considered child Roles of their parent Role(s). If a sub-role is assigned to a Domain or User, the Domain or User will inherit the assignments and security of the parent Roles. However, the User(s) is only permitted to log in to the system in his/her sub-role -- a User is not permitted to log in to the system in the parent Role(s).
The portalAdministration Role
The portalAdministration Role is the only Role in enPortal that provides full administrative privileges. When you install enPortal, a User called administrator in domain System is the only User assigned to this Role. This Role can be assigned to one or more additional Users by any member of the portalAdministration Role. All members of the portalAdministration Role are granted full permissions for all components and actions in enPortal. Any Users who are assigned sub-roles under the portalAdministration Role also have full administrative privileges.
Content
Once you have created a Role, you must assign content to the Role. This will provide information to any User who logs in to enPortal under that Role. To create content please follow the instruction specified in this Content Creation page.
Folders present tabs of information to Users when they log in to enPortal. The enPortal administrator provides Folders to Users by provisioning them to Roles. Perform the following steps to assign one or more Folders to a Role:
- Log in to enPortal as an administrator.
- Mouse over the Provisioning tab and click on Roles & Content Assignment. The Role Provisioning panel is displayed.
- In the Role Provisioning panel, click on the Role name to which you would like to assign content. The Content label is selected in the panel on the right. A directory tree of all content in the system is displayed, with a check box next to each item.
- Check the box next to each item to be assigned to the selected Role. If you select a folder, all current and future items in that folder will be visible to that Role, and any changes to the content in that folder will also be seen by that Role. If you select an individual item, and not the entire folder, new content added to that folder will not be seen by the Role.
- Click Save.
- Log in to enPortal as a User with the selected Role. Confirm that the assigned content is presented to the User.
Assigning Roles to Users
Once you have created a User and a Role, and assigned content to the Role, the final step is to assign the Role to the User. The User will then be presented the appropriate folders when logging in to the system under that Role. You can assign Roles to either Users or Domains, using the same process. The only difference is that assigning the Role to the Domain will assign it to all current and future Users in the Domain.
A User can have more than one Role assigned in enPortal. If a User has multiple Roles, the default Role will be assigned to the User after login. A Role chooser will be presented in the upper banner. The User can use the Role chooser to switch to a different Role. This effectively logs the User out of enPortal and logs the User back in under the new Role. A User can only have one Role selected at any current time, and will see only the content provisioned to that current Role.
Perform the following steps to assign Roles to a User or Domain:
- Log in to enPortal as an administrator.
- Mouse over the Provisioning tab and click on Roles & Content Assignment. The Role Provisioning panel is displayed.
- In the Role Provisioning panel, click on the Role name that you would like to assign.
- Select the Users label in the panel on the right. The list of Users and Domains assigned to the selected Role is displayed.
- Click Assign... in the sub-nav bar. A pop-up window is displayed.
- In the pop-up window, select the User or Domain to which you want to assign the selected Role.
- In the pop-up window, click Ok. Observe that the selected User or Domain is now listed in the right panel.
Direct vs. Inherited Role Assignments
When you assign a Role to a Domain, the Role is inherited by all Users in that Domain. When you assign a Role to a User, the Role is assigned directly to only that User.
Perform the following steps to see if a Role assignment is direct or inherited:
- Log in to enPortal as an administrator.
- Assign a Role to a Domain or User as outlined under "Assigning Roles to Users".
- Mouse over the Provisioning tab and click on Domains & Users. The Domain Explorer panel is displayed.
- In the Domain Explorer panel, expand the folder for the Domain of the User.
- Click on the User for which you wish to examine the Role assignment.
- Select the Roles label in the panel on the right. The list of Roles assigned to the selected User is displayed.
- Observe the Inherited column.
- Yes - This means that the Role is assigned to the User's Domain, and inherited by the User. Observe that you cannot click the Unassign button for this Role. It can only be unassigned by selecting the Domain.
- No - This means that the Role is assigned directly to the User. Observe that you can click the Unassign button for this Role and it will be removed from the list.
Tutorial
A tutorial walk-through of the the basic enPortal provisioning screens is available at Provisioning Quick Start.
LDAP Provisioning
The sections above detail how to use enPortal's provisioning tools to manage Domains, Users, and Roles inside of enPortal. Some organizations already have an LDAP server in place to manage Users and Roles. In this case, enPortal can map to the existing LDAP configuration and rely on LDAP for externally managing this information. For instructions on configuring LDAP with enPortal, see enPortal LDAP Configuration.
Provisioning Web Service
enPortal provides a simple REST web service to facilitate the provisioning of existent content to existent roles. Three basic operations are supported:
- add: Assign content to a role.
- delete: Remove content from a role.
- clear: Remove all content from a role.
To assign or remove multiple content paths to a role the service must be called multiple times.
The general form of the Web Service URL is:
Where:
- OP: add | delete | clear (described above)
- ROLE: the role path for this operation
- CONTENT: content path to be added/removed, not needed for clear operations.
Examples:
- assign /Admin/Advanced (part of the standard enPortal content) to the dev role:
/enportal/servlet/pd/vdir/home/role/portalAdministration/Menu/Admin/Provisioning/Manage+Roles?requestType=update&operation=add&role=/dev&content=/Admin/Advanced - remove /Admin/Advanced from the dev role:
/enportal/servlet/pd/vdir/home/role/portalAdministration/Menu/Admin/Provisioning/Manage+Roles?requestType=update&operation=delete&role=/dev&content=/Admin/Advanced - clear all content from the dev role:
/enportal/servlet/pd/vdir/home/role/portalAdministration/Menu/Admin/Provisioning/Manage+Roles?requestType=update&operation=clear&role=/dev
Exception cases:
- The web service does not currently check for existence of either the role or the path.
- If the add operation is attempted and the path to be added is either already provisioned or a sub-path of a path already provisioned, it will do nothing and report success.
- If the add operation is attempted and the path to be added is an ancestor path of one or more paths already provisioned, the new, higher path will replace all existing sub-paths under that path.
- If the delete operation is attempted on any path that is not already provisioned, even if a parent or child path is provisioned, it will fail with an error.