Previous versions of Lotus® Quickr™ worked with external security managers by externalizing resources and using ACLs to control permissions. Because Lotus Quickr Version 6.0 uses role-based access control, the externalization process has changed.
Lotus Quickr now externalizes roles and uses ACLs to control role membership. From the perspective of the external security manager, these externalized roles contain only one permission: membership in the role. Lotus Quickr always determines the permissions that Lotus Quickr associates with each role.
For example, if you externalize the Editor@Market News Page role, you must use the external security manager to edit the ACL for that role. Lotus Quickr still determines the permissions that are associated with the Editor role type. Roles are always associated with a specific resource, so the role Editor@Market News Page contains specific permissions on the Market News Page only. For more information about role-based access control, see Managing Access Control.
Use the Resource Permissions portlet or the XML configuration interface to move resources back and forth from internal to external access control.
- Private pages cannot be externalized.
- When you use the Resource Permissions portlet to externalize or internalize access control for a resource, access control for all of its public child resources moves with it. When you use the XML configuration interface to externalize or internalize access control for a resource, access control for public child resources does not change.
- After you externalize access control for a resource, you must use the external security manager to assign users to roles on the resource.
- After access control for a resource is externalized, you can use either the Resource Permissions portlet or the XML configuration interface to create additional role types on the resource. For example, suppose you create only the Administrator and Manager role types on the Market News Page. Then you externalize access control for the Market News Page. At this point, you must use the external security manager to assign users to the Administrator@Market News Page or Manager@Market News Page roles. If you decide that you want to assign users to the Editor@Market News Page role, follow these steps:
  - Use the Resource Permissions portlet to create the Editor role type for the Market News Page.
  - Use the external security manager to assign users to the Editor@Market News Page role.
Externalizing the access control for a resource severs any access control inheritance from internally controlled parent resources. The user who is performing the externalization automatically receives the Administrator role on the parent resource of the externalized resource tree (if using the Resource Permissions portlet) or the resource (if using the XML configuration interface).
Format for displaying externalized roles
By default, externalized roles appear in the external security manager as Role Type@Resource Type/Name/Object ID. For example, Administrator@PORTLET_APPLICATION/Welcome/1_1_1G.
You can change this format to Resource Type/Name/Object ID@Role type. This format change groups the roles by resource name instead of by role type. For example, PORTLET_APPLICATION/Welcome/1_0_1G@Administrator.
This format change is visible only when the roles are externalized. This change does not affect the way roles are displayed in Lotus Quickr.
The Administrator@VIRTUAL/wps.EXTERNAL ACCESS CONTROL/1 role is never affected by this format change. This role always appears with the role type "Administrator" on the left.
Follow these steps to change the format for externalized roles:
- On the Lotus Quickr machine, find the wp_profile_root/PortalServer/config/AccessControlDataManagementService.properties file and make a backup copy.
- Open the file using a text editor and change the value of the accessControlDataManagement.reorderRoleNames property to true. (If this property does not exist in the file, add it.)
To change the display format for roles that were initially externalized in the default format, you must complete these steps:
- Internalize the roles.
- Set the reorderRoleNames property to true as previously explained.
- Externalize the roles.
Example of roles list with reorderRoleNames=false
Example of roles list with reorderRoleNames=true
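Roles that were externalized in the default format keep it until they are internalized and externalized again, so a role list reviewed in the external security manager can hold names in both formats. The following is an added example, not IBM's code: it parses either format, renders a role for a given reorderRoleNames value while leaving the one fixed role untouched, and groups role types by resource. It assumes that role types never contain "/" and that a resource name may; the Editor entry in the sample list is constructed.

```python
from collections import defaultdict
from typing import NamedTuple

# The one role the page says is never reordered.
FIXED_ROLE = "Administrator@VIRTUAL/wps.EXTERNAL ACCESS CONTROL/1"

class ExternalRole(NamedTuple):
    role_type: str
    resource_type: str
    name: str
    object_id: str
    @property
    def resource(self) -> str:
        return f"{self.resource_type}/{self.name}/{self.object_id}"

def parse_role(text: str) -> ExternalRole:
    """Parse an externalized role name written in either display format."""
    left, sep, right = text.strip().partition("@")
    if not sep:
        raise ValueError(f"not an externalized role name: {text!r}")
    if "/" not in left:
        # Default format: role type first (assumes role types contain no '/').
        role_type, resource = left, right
    else:
        # Reordered format: resource first, role type after the last '@'.
        resource, _, role_type = text.strip().rpartition("@")
    parts = resource.split("/")
    if len(parts) < 3 or not role_type or not all(parts):
        raise ValueError(f"malformed role name: {text!r}")
    # Assumption: a name may contain '/', so type and ID come from the ends.
    return ExternalRole(role_type, parts[0], "/".join(parts[1:-1]), parts[-1])

def display_name(role: ExternalRole, reorder: bool) -> str:
    """Render the name as shown for a given reorderRoleNames value."""
    default = f"{role.role_type}@{role.resource}"
    if reorder and default != FIXED_ROLE:
        return f"{role.resource}@{role.role_type}"
    return default

def roles_by_resource(names):
    """Group role types per resource, whatever format each name uses."""
    grouped = defaultdict(set)
    for entry in names:
        role = parse_role(entry)
        grouped[role.resource].add(role.role_type)
    return {res: sorted(types) for res, types in grouped.items()}

# Sample list: first three names are from the text, the last is constructed.
SAMPLE = [FIXED_ROLE, "Administrator@PORTLET_APPLICATION/Welcome/1_1_1G",
          "PORTLET_APPLICATION/Welcome/1_0_1G@Administrator",
          "PORTLET_APPLICATION/Welcome/1_1_1G@Editor"]
```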