When resources are created, their access control is administered internally by Lotus® Quickr™. Alternatively, you can configure an external security manager to control access to resources. Currently, Lotus Quickr supports IBM® Tivoli® Access Manager for e-business and Computer Associates eTrust SiteMinder as external security managers.
With Lotus Quickr Version 5.0 or later, access control is role-based, and the externalization process is changed. Lotus Quickr versions earlier than Version 5.0 worked with external security managers by externalizing resources and using Access Control Lists (ACLs) to control permissions. Lotus Quickr now externalizes roles and uses ACLs to control role membership. From the perspective of the external security manager, these externalized roles contain only one permission: membership in the role.
Lotus Quickr always determines the permissions that are associated with each role, whether the role is externalized or not. Roles are always associated with a specific resource. For more information about role-based access control, see Managing Access Control.
Resources can be moved back and forth from internal to external control with the Resource Permissions portlet in Lotus Quickr. Explicit role assignments are preserved when moving in both directions. However, inherited role memberships are blocked for externalized resources. When you externalize access control for a resource, the resource is administered only through the external security manager interface. After externalization, role membership must be assigned and removed using the external security manager. The Resource Permissions portlet can no longer control user access to the resource; however, the Resource Permissions portlet can move the object back to internal control.
- Private pages cannot be externalized.
- When you use the Resource Permissions portlet to externalize or internalize access control for a resource, access control for all of its public child resources moves with it. When you use the XML configuration interface (xmlaccess) to externalize or internalize access control for a resource, access control for public child resources does not change.
- After you externalize access control for a resource, you must use the external security manager to assign users to roles on the resource.
- After access control for a resource is externalized, you can use either the Resource Permissions portlet or the XML configuration interface to create additional role types on the resource. For example, suppose you create only the Administrator and Manager role types on the Market News Page. Then you externalize access control for the Market News Page. At this point, you must use the external security manager to assign users to the Administrator@Market News Page or Manager@Market News Page roles. If you decide that you want to assign users to the Editor@Market News Page role, which has not yet been externalized, follow these steps:
  - Use the Resource Permissions portlet to create the Editor role type for the Market News Page.
  - Use the external security manager to assign users to the Editor@Market News Page role by editing the ACL.
  Remember that Lotus Quickr will still determine the permissions that are associated with the externalized Editor role type.
Externalizing the access control for a resource severs any access control inheritance from internally controlled parent resources. The user who is performing the externalization automatically receives the Administrator role on the parent resource of the externalized resource tree (if using the Resource Permissions portlet) or the resource (if using the XML configuration interface).
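The rules above (private pages excluded, portlet versus xmlaccess handling of public child resources, explicit assignments preserved, inheritance severed) can be checked before a move with a small model that reports who loses a role when a resource is externalized. This is an added example, not Lotus Quickr code: the class and function names, the sample users and the "Place Root" and "News Archive" resources are hypothetical, child handling is assumed to be recursive, and propagation inside the external security manager is not modelled.

```python
# Simplified model of the rules above; not Lotus Quickr code. Names are hypothetical.
class Resource:
    def __init__(self, name, parent=None, private=False):
        self.name, self.parent, self.private = name, parent, private
        self.children = []
        self.externalized = False
        self.explicit = {}  # role type -> users assigned explicitly
        if parent:
            parent.children.append(self)

    def assign(self, role, user):
        self.explicit.setdefault(role, set()).add(user)

    def members(self, role):
        """Explicit members plus inherited ones. Inheritance is blocked for an
        externalized resource; ESM-side propagation is not modelled."""
        found = set(self.explicit.get(role, ()))
        if self.parent and not self.externalized:
            found |= self.parent.members(role)
        return found

def externalize(res, via):
    """Move res to external control and return the names that moved.
    via="portlet" takes public child resources along (assumed recursive);
    via="xmlaccess" changes only the named resource."""
    if res.private:
        raise ValueError(f"{res.name}: private pages cannot be externalized")
    res.externalized = True
    moved = [res.name]
    if via == "portlet":
        for child in res.children:
            if not child.private:
                moved += externalize(child, via)
    return moved

def audit(res, role, via):
    """Externalize res; report what moved and who lost `role` on res."""
    before = res.members(role)
    moved = externalize(res, via)
    return moved, before - res.members(role)

def build_sample():
    # Constructed sample tree and users.
    root = Resource("Place Root")
    news = Resource("Market News Page", parent=root)
    archive = Resource("News Archive", parent=news)
    root.assign("Editor", "alice")  # reaches the pages below by inheritance
    news.assign("Editor", "bob")    # explicit assignment, preserved on the move
    return root, news, archive
```

Users returned by `audit` held the role only through inheritance and must be assigned explicitly in the external security manager if they are to keep it.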
The decision to use an external security manager must be made with the understanding that the external security manager software's ACL semantics override Lotus Quickr semantics. For example, if you use Tivoli Access Manager to grant anonymous membership on a role for an externally controlled portlet, you must set the ACL for that portlet to include the Tivoli Access Manager unauthenticated user group.