Site Management - Access control
After a new WCM library has been created you need to set the user and group
access levels to control the following –
a) Access to the WCM library
b) Access to the WCM authoring portlet tasks and views
Please note that you need to have administrator rights to set the access
levels.
WCM v6.1 identifies a set of roles and each role has certain capabilities.
The table below describes these roles along with their capabilities from within
the WCM authoring portlet.
Roles and their rendering and authoring portlet access rights:

User
Users and groups assigned to this role can:
- view items in a Web site or rendering portlet that they have been assigned
  user access to.

Contributor
Users and groups assigned to this role can:
- view items in a rendering portlet or servlet-rendered web site that they
  have been assigned user access to.
- view libraries that they have been assigned contributor access to in an
  authoring portlet.
- access the "My Items" and "All Items" views in an authoring portlet for
  libraries that they have been assigned contributor access to.
- access the item type view within the authoring portlet for item types that
  they have been assigned user access to.

Editor
Users and groups assigned to this role can:
- view items in a rendering portlet or servlet-rendered web site that they
  have been assigned user access to.
- view libraries that they have been assigned contributor access to in an
  authoring portlet.
- access the "My Items" and "All Items" views in an authoring portlet for
  libraries that they have been assigned contributor access to.
- for library item types that users and groups have been assigned editor
  access to, editors can access the following actions in the authoring
  portlet:
  - access the item type view
  - create a new item
  - add/remove links
  - apply authoring template
  - copy
  - delete
  - edit
  - link to
  - move

Manager
Users and groups assigned to this role can:
- view items in a rendering portlet or servlet-rendered web site that they
  have been assigned user access to.
- view libraries that they have been assigned contributor access to in an
  authoring portlet.
- access the "My Items" and "All Items" views in an authoring portlet for
  libraries that they have been assigned contributor access to.
- for library item types that they have been assigned manager access to,
  managers can access all of the actions available to editors and also the
  following actions in the authoring portlet:
  - edit access settings
  - next stage
  - purge
  - unlock
  - edit user profile

Administrator
Users and groups assigned to this role can:
- view items in a rendering portlet or servlet-rendered web site that they
  have been assigned user access to.
- view libraries that they have been assigned contributor access to in an
  authoring portlet.
- access the "My Items" and "All Items" views in an authoring portlet for
  libraries that they have been assigned contributor access to.
- all actions in the authoring portlet for library item types that they have
  been assigned administrator access to.

Security Administrator, Delegator, Privileged User
These roles have no access to Web Content Management items.

Table: WCM Roles and Responsibilities
Note: The ability to create new items is set at the library level, not item
level. You must have at least Contributor access to a library and Editor
access to an item-type to create a new item.
The following two methods are available to grant users and groups access to the
WCM library and to the WCM items within the library: the Additive Method and
the Subtractive Method.
Additive method
With this method you begin by assigning a user or a group the lowest possible
privileges at the WCM library level and then increase their access rights by
assigning them higher privileges for specific WCM items.
Example – (Please note that this is a partial
example used to explain the Additive method of applying access rights to the
WCM library and WCM objects within the library.)
Let's say our objective is to provide the members of the “WCM Content
Authors” group access to the WCM library with the ability to work with content
items from the WCM authoring portlet.
To meet this objective using the additive method, follow these steps –
- Begin by assigning the “WCM Content Authors” group the Contributor role at
  the WCM library level using the Set permissions action. This will allow the
  members of this group to see this library in the WCM authoring portlet. For
  this example we will also disable the Allow Propagation check box for the
  Contributor entry. As a result, the members of the “WCM Content Authors”
  group will only see the content authoring related views and tasks.
- Then use the Library resources action to assign the “WCM Content Authors”
  group the Editor role at the Content level. This will allow the “WCM Content
  Authors” group members to use the WCM authoring portlet to create and edit
  WCM content.
The screenshot below illustrates what the members of “WCM Content Authors”
group would see in the WCM authoring portlet following the steps in the example
above. They can see the views to access the WCM content and also have access to
the action to create new content.

Figure: Example using Additive method
Subtractive method
With this method you begin by assigning a user or a group higher privileges at
the WCM library level and then reduce their access rights at the specific WCM
object level and deselect the inheritance option.
Example – (Please note that this is a partial
example used to explain the Subtractive method of applying access rights to the
WCM library and WCM objects within the library.)
In this example, we would like to provide the members of the “WCM Site
Designers” group access to the WCM library with the ability to work with
Components and Presentation Templates. To meet this objective using the
subtractive method, follow these steps –
- We begin by assigning the “WCM Site Designers” group the Manager role at the
  WCM library level using the Set permissions action. This will allow them to
  create all the WCM item types, but for this example we would like to restrict
  this so that they only have access to the Components and Presentation
  Templates.
- Then use the Library resources action to disable the Allow Inheritance option
  for the Manager entry for all the item types.
- Then use the Library resources action and add the “WCM Site Designers” group
  as an Editor for the Components and Presentation Templates item types. This
  will allow the “WCM Site Designers” group members to use the WCM authoring
  portlet to work with Components and Presentation Templates.
The screenshot below illustrates what the members of “WCM Site Designers”
group would see in the WCM authoring portlet following the steps in the example
above. They can see the views to access the WCM Components and Presentation
Templates and also have access to the actions to create them.

Figure: Example using Subtractive Method
Setting Access Permissions on the WCM Library
Setting access permissions on the WCM Library will allow you to control who
has access to the WCM Library.
To apply access permissions to a WCM library, as an administrator use the Set
Permissions action available for the WCM library in the Web Content Libraries
view.
The screen shot below illustrates the Resource Permissions window that loads
up when the Set Permissions action is used.

Figure: Resource Permissions > Resources
The Resource Permissions page displays the list of Roles, Allow Propagation
option, Allow Inheritance option and the action to Edit Roles.
Please note that making any changes to the Allow Propagation option and the
Allow Inheritance option requires you to use the Apply action to ensure your
change is applied.
Note: The Display/Modify Owner link is not applicable in the WCM context.
To assign a user or a group the appropriate roles, use the respective Edit
Roles action. The screen shot below illustrates an example of the page that
loads up when the Edit Roles action is used to add new users to the WCM
library. In this example the All Authenticated Portal Users group (see table
Pre-Defined Groups below) has already been allocated the User role. You can add
additional users/groups by using the Add action. You can also delete the
users/groups by using the Delete action. The Inherited column displays whether
the user/group has inherited the current role.
Figure: Resource Permissions > Add Users/Groups
The following table describes the pre-defined groups that can be assigned roles
in a library.
| Pre-Defined Group | Description |
| Anonymous portal user | Select this user to assign a role to anonymous users. |
| All Authenticated Portal Users | Select this group to assign a role to users that have logged on to your server. |
| Users and User Groups | Select this group to assign a role to all users and groups. |
| All Portal User Groups | Select this group to assign a role to all groups. |
Table: Pre-Defined Groups
Setting Access Permissions on the WCM authoring portlet tasks and views
Setting access permissions on the WCM authoring portlet tasks and views will
allow you to control who has access to the various tasks and views from within
the WCM authoring portlet. Please note that the permissions set for item types
in this manner do not automatically give you access to individual items.
To apply access permissions to a WCM item type, as an administrator use the
Library resources action available for the WCM library in the Web Content
Libraries view.
The screen shot below illustrates the Library Resources window that loads up
when the Library resources action is used.

Figure: Library Resources
You can control access to the following WCM item types –
1. Authoring Template
2. Components
3. Content
4. Presentation Template
5. Site and Site Areas
6. Taxonomy
7. Workflow and workflow elements
To apply access permissions to a WCM item type, as an administrator use the
Set Permissions action available for the WCM library in the Library Resources
view.
The screen shot below illustrates the Resource Permissions window that loads
up when the Set Permissions action is used.

Figure: Resource Permissions > Resources
As you can see this is the same portlet that has been described in the
section Setting Access Permissions on the WCM Library above. Follow the same
instructions to add access permissions to the individual WCM item types.
Item-level security inheritance:
By default, each role's access is automatically inherited down to each item
in a library. To prevent a user or group from automatically having inherited
access to an item, you will need to turn off inheritance on that item.
Note: By default, inheritance is enabled for all roles and items.
To disable automatic inheritance, edit the WCMConfigService.properties file
located in the /PortalServer/wcm/shared/app/config/wcmservices/ directory
and set this value to "false":
default.inherit.permissions.enabled=false
You will need to restart WebSphere Portal to enable any configuration changes
made to this file.
You can allow assigned roles to be inherited from parent items up to and
including the library. The access roles are inherited in the following
hierarchies:
- Library -> Site -> Site area -> Content item
- Library -> Taxonomy -> Category
- Library -> Component
- Library -> Authoring Template
- Library -> Presentation Template
- Library -> Workflow
- Library -> Workflow Stage
- Library -> Workflow Action
You can stop inheritance at any point in an inheritance hierarchy. For example,
you could allow inheritance down to a site area, but assign access roles
manually for each content item under that site area. Inheritance from a library
is based on the role assigned to the overall library, not on the role assigned
to specific item types. For example, you may not have access to the
presentation template view on a library, but if you inherit the role of editor
to a presentation template, you will be able to view and edit that presentation
template from the All Items view.
Note: Inheritance does not apply to draft items.
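A small model of the item-level inheritance rules above, added here as an illustration; it is not IBM code and not how WCM is implemented. It assumes that roles rank from User up to Administrator with the highest applicable role winning, and it represents the Allow Inheritance option as a per-item set of roles that are not inherited; the Item class, the effective_role function and the sample item names are hypothetical.

```python
# Simplified model of WCM item-level role inheritance (illustrative, not IBM code).
# Assumption: roles are ordered lowest to highest and the highest applicable one wins.
ROLES = ["User", "Contributor", "Editor", "Manager", "Administrator"]

class Item:
    def __init__(self, name, parent=None, no_inherit=(), draft=False):
        self.name, self.parent = name, parent
        self.no_inherit = set(no_inherit)  # roles with "Allow Inheritance" turned off here
        self.draft = draft                 # the page notes drafts do not inherit
        self.assigned = {}                 # group -> role assigned directly on this item

    def grant(self, group, role):
        self.assigned[group] = role
        return self

def effective_role(item, group):
    """Return the highest role `group` holds on `item`, directly or by inheritance."""
    best, blocked, node = None, set(), item
    while node is not None:
        role = node.assigned.get(group)
        if role and role not in blocked:
            if best is None or ROLES.index(role) > ROLES.index(best):
                best = role
        if node.draft:
            break                          # drafts use only their own assignments
        blocked |= node.no_inherit         # these roles may not flow down past this node
        node = node.parent
    return best

def demo():
    # Constructed hierarchy: Library -> Site -> Site area -> Content item
    grp = "WCM Content Authors"
    lib = Item("Library").grant(grp, "Contributor")
    site = Item("Site", lib)
    area = Item("Site area", site).grant(grp, "Editor")
    news = Item("news", area)
    locked = Item("legal", area, no_inherit={"Editor"})
    draft = Item("draft", area, draft=True)
    return {i.name: effective_role(i, grp) for i in (site, news, locked, draft)}

if __name__ == "__main__":
    for name, role in demo().items():
        print(f"{name}: {role}")
```

Walking a planned permission layout through a model like this before applying it in the portlet shows where a role assigned high in the hierarchy still reaches an item that was meant to be restricted.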