Using item type roles within a library

You define the role of a user or group for each item type used within a library. The roles determine the default library access of a user or group, as well as defining different access to individual tasks and views within the authoring portlet.

Roles

You assign users and groups to the following roles:

Roles and their rendering and authoring portlet access rights:
  • User
Users and groups assigned to this role can:
  • view items in a Web site or rendering portlet that they have been assigned user access to.
Tip: The simplest way to assign users to this role is to select any of the default user groups such as "All Authenticated Portal Users" or "Anonymous Portal User". Users will still require "user" access to an item before it will be rendered in a Web site or rendering portlet.
Note: A User cannot access the authoring portlet. They can only view rendered content.
  • Contributor
Users and groups assigned to this role can:
  • view items in a Web site or rendering portlet that they have been assigned user access to.
  • view the item type section within the authoring portlet.
  • view the "All Items" section of the authoring portlet.
Note: This role is the minimum access required to access the authoring portlet.
  • Editor
Users and groups assigned to this role can:
  • view items in a Web site or rendering portlet that they have been assigned user access to.
  • view the item type section within the authoring portlet.
  • view the "All Items" section of the authoring portlet.
  • create a new item.
  • Manager
Users and groups assigned to this role can:
  • view items in a Web site or rendering portlet that they have been assigned user access to.
  • view the item type section within the authoring portlet.
  • view the "All Items" section of the authoring portlet.
  • create a new item.
  • purge items.
  • Administrator
Users and groups assigned to this role can:
  • view items in a Web site or rendering portlet.
  • view an item type section within the authoring portlet.
  • view the "All Items" section of the authoring portlet.
  • create a new item.
  • purge items.
  • view, edit, delete or approve any item.
  • Security Administrator
  • Delegator
  • Privileged User
These roles have no access to Web Content Management items.
Note: The difference between Manager and Administrator roles

Although the Manager and Administrator roles have similar permissions per item type, if you assign an Administrator role to an entire library, you cannot then remove this role from any item type views. This is not true for a Manager role.

Note: IBM® WebSphere® Portal Administrators

WebSphere Portal Administrators automatically have Administrator access to all item-types.

Assigning roles to anonymous or authenticated users

When accessing a Web Content Management Web site or rendering portlet, users log in as either anonymous users or authenticated portal users.

The following pre-defined groups can be assigned roles in a library:

  • Anonymous portal user: Select this user to assign a role to anonymous users.
  • All Authenticated Portal Users: Select this group to assign a role to users who are required to log on to your server.
  • Users and User Groups: Select this group to assign a role to all users and groups.
  • All Portal User Groups: Select this group to assign a role to all groups.

Additive and subtractive methodology

You can assign roles both to a whole library and to the item types within a library, using either an additive or subtractive methodology.

For example, with an additive methodology, you assign the "All Authenticated Portal Users" group to the "User" role for the entire library. This gives "All Authenticated Portal Users" access to the library and any authoring portlets configured to use the library. You then apply Contributor, Editor, Manager or Administrator roles to specific resource types to grant additional access to specified users or groups.

With a subtractive methodology, you assign the Manager or Administrator role to a user or group for the entire library. You then apply Editor, Contributor or User roles to specific item types and deselect the inheritance check-box. This reduces the access to different item types for specified users or groups.

We recommend that propagation from the Web content library is not disabled.
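
The following is an added example, not IBM code or a WebSphere Portal API: a simplified Python model of the role table and the additive and subtractive rules above. It resolves the role that applies to each item type and lists where anonymous users would reach the authoring portlet. The capability names, the "Web Team" group, the item type names and the function names are assumptions made for illustration.

```python
# Simplified model of the role table and the additive/subtractive rules above.
# Capability names, principals and item type names are constructed for illustration.
ORDER = ["User", "Contributor", "Editor", "Manager", "Administrator"]
ADDED = {  # what each role adds on top of the role listed before it
    "User": {"view_rendered_items"},
    "Contributor": {"view_item_type_section", "view_all_items"},
    "Editor": {"create_item"},
    "Manager": {"purge_items"},
    "Administrator": {"view_edit_delete_approve_any_item"},
}

def capabilities(role):
    """Cumulative capabilities of a role, following the role table."""
    caps = set()
    for name in ORDER[: ORDER.index(role) + 1]:
        caps |= ADDED[name]
    return caps

def effective_role(library_role, type_role=None, inherit=True):
    """Role that applies to one item type for one user or group."""
    if library_role == "Administrator":
        return "Administrator"  # cannot be removed from item type views
    roles = [type_role] if type_role else []
    if inherit and library_role:
        roles.append(library_role)
    return max(roles, key=ORDER.index) if roles else None

def anonymous_authoring_access(assignments):
    """List (item_type, role) pairs where anonymous users reach the authoring portlet."""
    findings = []
    for entry in assignments:
        if entry["principal"] != "Anonymous Portal User":
            continue
        for item_type, (type_role, inherit) in entry["item_types"].items():
            role = effective_role(entry["library_role"], type_role, inherit)
            # Contributor is the minimum role that opens the authoring portlet.
            if role and ORDER.index(role) >= ORDER.index("Contributor"):
                findings.append((item_type, role))
    return findings

SAMPLE = [  # constructed assignments
    {"principal": "All Authenticated Portal Users", "library_role": "User",
     "item_types": {"Content": ("Editor", True)}},            # additive
    {"principal": "Web Team", "library_role": "Manager",
     "item_types": {"Components": ("Contributor", False)}},   # subtractive
    {"principal": "Anonymous Portal User", "library_role": "User",
     "item_types": {"Content": ("Contributor", True), "Components": (None, True)}},
]

if __name__ == "__main__":
    print(anonymous_authoring_access(SAMPLE))
```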

Item-level security inheritance

By default, each role's access is automatically inherited down to each item in a library. To prevent a user or group from automatically having inherited access to an item, you will need to turn off inheritance on that item.

The permissions set for item types in a library do not automatically give you access to individual items. They only give you access to specific tasks and views within the authoring portlet.

To disable automatic inheritance, edit the WCMConfigService.properties file located in the was_profile_root/PortalServer/wcm/config/ directory and set this value to "false":
default.inherit.permissions.enabled=false

You will need to restart WebSphere Portal to enable any configuration changes made to this file.