SAP Enterprise Portal 6.0:
Decentralized Admin
Scott Jones and John Polus
Learning Objectives
As a result of this workshop, you will
be able to:
Describe delegated administration in SAP Enterprise
Portal 6.0
Develop a strategy for delegating administration, for
purposes of security, reusability, and efficient support
Implement delegated content administration in SAP
Enterprise Portal 6.0
Agenda
Concepts of Delegated Administration
Provided Administration Roles, Worksets, and iViews
Implementing Delegated Content Administration
Implementing Delegated User Administration
Example
Definition: Delegated Administration
Delegated administration is the process of
distributing the various administrative tasks and
content in the portal to one or more administrators or
group of administrators.
Delegated Administration describes...
...how to maintain portal content and components...
...through different administrators...
Concepts – Delegated Administration
Who is administrator? Create an organizational tree for administrators.
How to define access to PCD objects? Define permissions on folders and objects.
How to put PCD objects in the right order? Define a folder structure for the Portal Content Catalog.
Delegated Administration: Business Scenario
Delegation of administration tasks:
I. Create a system ABC (System Administrator)
II. Create iView for system ABC (Content Administrator)
III. Assign iView to page/role (Content Administrator)
IV. Assign Role to users (User Administrator)
Administration - ACLs - Portal Content Catalog
Super admin: content, systems and users
System principal: by default access to any object in the Portal Content Catalog or UM
System admins: access to selected folders (systems) defined in the Portal Content Catalog
Content admins: access to selected objects in the Portal Content Catalog
User admins: access to selected "companies"
Admin Roles and Portal Content Catalog Objects
Content administrators are
responsible for content objects in the portal content catalog.
ACLs define the access and allowed actions for content objects such as
folders, roles, worksets, pages, iViews and templates.
System administrators are responsible for system
administration tasks and objects.
ACLs define the access and allowed actions for objects such as transport packages or systems.
User administrators are responsible for user-related tasks.
Different User Administrators manage users in different
Administration Tools in EP 6.0
Predefined Administration Functionality
Roles:
Super Administrator, Content Administrator, System Administrator,
User Administrator
Worksets:
System Administrator, User Administrator, Content Administrator
Par-Files:
Template for iViews, Pages and Layouts
Content Structuring in PCD
Folder Structure for Portal Content Catalog
Permissions
Administration Roles, Worksets and iViews
Four different administration roles in the Portal Content Catalog:
Super Administrator, Content Administrator, System Administrator, User Administrator
Three administration worksets:
Content Administrator, System Administrator, User Administrator
Reusable iView, Layout and Page Templates delivered as par-files
Goal: distribute and separate administration tasks
Goal
Distribute and separate administration task
Content provided by SAP
"Content Provided By SAP"
Folder "Admin Templates" includes template iViews, pages and layouts.
Folder "Administrators" includes administration roles, worksets and iViews.
Folders "Content For Line Managers" and "Content for Specialists" are currently empty.
Folder "default_objects"
Folder "packages" contains two packages for the portal content ("rescue disk").
Folder "Portal Users" includes the original "every user" role, "welcome" and "personalization" workset.
Folder "Templates" includes
Design of Administration Roles
Roles originally delivered by SAP are stored in the folder
"Portal Content" > "Content Provided By SAP" > "Administrators".
Do not change or overwrite these original roles!
The original roles are available as delta links within the folder
"Portal Content" > "Portal Administrators".
Only the delta links shall be used for role-user assignment!
Customer-specific administration iViews, worksets and roles can be stored under
"Portal Content" >
Structuring Guidelines for Portal Content Catalog
Reuse the structure of the Content Catalog:
Use the default Content Catalog structure to separate SAP EP and iView Studio content.
Separate company-specific content from the standard SAP delivery.
Create a new tree node for a company.
Create organizational units for admin areas: create a tree hierarchy for administrators reflecting the organizational structure.
Distinguish between the different administration roles.
Create folders for the different role types.
Create different folders for PCD object types: organize PCD objects by type.
Create folders for the end user view and the admin view.
Guidelines for setting permissions
End user: personalization options and the use of objects!
Admins:
What do I have to assign?
1. Preferred: assign roles!
2. Assign groups*
3. Only assign single users in rare cases!
Where do I have to assign the ACL?
1. Preferred: assign the ACL on top folders!
2. Use inheritance.
3. Enable end user "use" on the top-level folder!
4. Limit access on top folders: resetting permissions on a top folder would reset the whole ACL structure of the content tree.
Permission Lifecycle
Delegation of administration tasks:
I. Create a system ABC: system "ABC", no USE permission
II. Create iView for system ABC: iView "ABCiview", no USE permission
III. Assign iView to page/role: page/role assignment, inheritance of the page ACL
IV. Assign Role to users: user-role assignment, inheritance of the role ACL
Delegation Administration Scenario
Necessary object permissions:
Object system "ABC": SA = Full Control, CA = READ; no USE permission
Object iView "ABCiview": SA = READ, CA = Full Control, CA2 = READ; no USE permission
Object role "R3_role": CA2 = Full Control, group "R3_users" = USE
Necessary folder permission (for each of the steps):
Folder "R3": SA = Full Control, CA = WRITE, CA2 = READ; no USE permission
Actions: access folder "R3"; assign "ABCiview" to page; assign role "R3_role" to group "R3_group"
The portal checks whether USE permissions have been granted to the assigned users!
Delegated User Administration - Concept
Delegated User Administration becomes possible in EP 6.0 SP1.
Currently the delegated user administration is based on the
concept of COMPANY.
Companies are not related to groups.
It is not possible to use GROUPS as a means of delegated user
administration yet.
The Concept of Companies
A company is an attribute in a user’s profile.
Every user belongs to one company only.
Companies are not related to user groups.
Usage of Companies
The following scenarios would be possible:
1. No Companies:
Closed environment, internal use only.
2. One Company and Guest Users:
internal use + self registration and approval process.
3. Two Companies and Guest Users:
internal use + self registration + limited access for externals (e.g. suppliers).
4. Delegated Administration using the company concept:
internal use; companies are treated as administration groups
5. Fully Company Aware:
Role Assignment
If the company concept is enabled, the list of users for role
assignment is limited
Role assignment can only be done for roles where the admin has
write access (ACL check)
Use case: Restrict useradmin's rights, so that he can't assign the
superadmin role
By default disabled - no ACL check (user admin can assign all
roles)
Enabling ACL check:
2
Delegated User Administration: ACLs on Roles
ACLs on Roles - II
Actions and the permissions they contain:
Full User Administration + Full ACL Administration: a combination of the permissions of Full User Administration and Full ACL Administration. By default, this action is assigned to the Super Administration role only.
Full ACL Administration: any role to which this action is assigned has Owner permissions on all objects in the Portal Content Catalog. It is not possible to remove this permission in the permission editor. This action is designed for super administrators that are not responsible for overall user administration.
Delegated User Administration: contains the permissions required by a delegated user administrator: administration of users belonging to the same company as the administrator; role assignment, i.e. permission to assign roles to users belonging to the same company as the administrator; no permission to assign roles to groups.
Full User Administration: contains the permissions of an overall user admin: administration of users belonging to any company and the possibility of assigning users to companies; group management; role assignment; user mapping; import and export of user data; manual replication of user data.
Delegated User Administration - Configuration
Enable ACL checking for user<->role assignment:
Set CheckACL=On in the iView "com.sap.portal.roleAssignment"
Define the required companies.
Done by means of properties in sapum.properties
Create roles for delegated user administrators
Define one or more delegated user administrators for each
company. These must be assigned to the company whose
users they are going to administer.
Assign users to companies
Overall user administrator uses user administration UI
Users request to belong to a company; Delegated user
administrators approve the requests.
Delegated User Administration
Delegated User Administration based on company concept:
A company is used as a set of users
User administration can be done per company, by a company
administrator for all the users within that company
End-User self registration - Prerequisites
The company concept allows for self-registration with an approval workflow.
When registering, users can specify which company they belong to.
Approval or rejection is done by the company administrator.
Prerequisites:
The following properties have to be set (in sapum.properties):
ume.logon.selfreg=true (enable self-registration)
ume.admin.selfreg_company=true (enable company self-registration)
Companies have been defined.
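The company-based configuration described above (CheckACL on the role assignment iView, administrators scoped to their own company, self-registration requests approved by the company administrator) as an added Python model. This is constructed example code written for this page, not SAP's UME implementation; the class, user, company and role names are made up.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

@dataclass
class User:
    uid: str
    company: str                       # every user belongs to exactly one company
    roles: Set[str] = field(default_factory=set)
    approved: bool = True              # False while a self-registration request is pending

@dataclass
class Admin:
    uid: str
    company: str
    delegated: bool                    # True: Delegated User Administration, False: Full User Administration
    role_acl: Dict[str, str] = field(default_factory=dict)  # role object -> this admin's permission on it

class Ume:
    def __init__(self, roles: Set[str], check_acl: bool):
        self.roles, self.check_acl = roles, check_acl   # check_acl mirrors CheckACL of com.sap.portal.roleAssignment
        self.users: Dict[str, User] = {}
    def in_scope(self, admin: Admin, user: User) -> bool:
        return not admin.delegated or user.company == admin.company   # delegated admins see their company only
    def visible_users(self, admin: Admin) -> List[str]:
        return sorted(u.uid for u in self.users.values() if self.in_scope(admin, u))
    def assignable_roles(self, admin: Admin) -> List[str]:
        if not self.check_acl:                       # default: no ACL check, every role is offered
            return sorted(self.roles)
        return sorted(r for r in self.roles if admin.role_acl.get(r) in ("write", "full_control"))
    def assign_role(self, admin: Admin, uid: str, role: str) -> bool:
        user = self.users[uid]
        if not self.in_scope(admin, user) or role not in self.assignable_roles(admin):
            return False                             # e.g. user admin without write on the super admin role
        user.roles.add(role)
        return True
    def self_register(self, uid: str, company: str) -> None:
        self.users[uid] = User(uid, company, approved=False)   # pending until the company admin approves
    def approve(self, admin: Admin, uid: str) -> bool:
        user = self.users[uid]
        if self.in_scope(admin, user):               # only the company's own (or an overall) administrator may approve
            user.approved = True
        return user.approved

def build_demo(check_acl: bool = True):
    """Constructed data: two companies, one overall and one delegated administrator."""
    ume = Ume({"super_admin", "everyuser", "r3_role"}, check_acl)
    ume.users = {u: User(u, c) for u, c in [("alice", "Company1"), ("bob", "Company1"), ("carol", "SupplierCo")]}
    full = Admin("it_admin", "Company1", False, {r: "full_control" for r in ume.roles})
    deleg = Admin("c1_admin", "Company1", True, {"r3_role": "write", "everyuser": "read"})
    return ume, full, deleg
```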
Example: Content Administration areas
Corporate Group: Company1 (Super Administrator = Company1 IT; User Administration = Company1 IT)
Line of Business: Company1 Aerospace (Content Manager Company1 Aerospace); Company1 Energy (Content Manager Company1 Energy)
Sub companies: Production and Sales under Company1 Aerospace (Content Manager Company1 Aerospace Production; Content Manager Company1 Aerospace Sales); Gas Inc. under Company1 Energy
Central IT will have access to all areas.
Aerospace / Energy information managers will have access to their own areas only!!
Permission tree - Example
Company1 Content Catalog: Super Admin = FULL CONTROL; Group Ocean11_IT = READ; End User = USE
Company1 Aerospace: CA Company1 Aerospace = WRITE; SA Company1 Aerospace = WRITE; Admin Company1 Aerospace = READ; End User = USE
Company1 Energy: CA Company1 Energy = WRITE; SA Company1 Energy = WRITE; Admin Company1 Energy = READ; End User = USE
Company1 Aerospace Production: CA Company1 Aerospace Production = WRITE; SA Company1 Aerospace Production = WRITE; Admin Company1 Aerospace = READ; End User = USE
Company1 Aerospace Sales
Company1 Gas:
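The permission tree above, together with the earlier guidelines on assigning ACLs on top folders and using inheritance, as an added Python model. This is example code written for this page, not SAP's PCD implementation; principal names are shortened from the slide, and end-user USE is granted once on the top folder and inherited rather than repeated on every folder.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Administrator permission levels in ascending order, as in the EP 6.0 permission
# editor; end-user USE is a separate flag and is not part of this ordering.
LEVELS = ["none", "read", "write", "full_control"]

@dataclass
class Folder:
    name: str
    acl: Dict[str, str] = field(default_factory=dict)   # principal (user/group/role) -> level
    use: Set[str] = field(default_factory=set)          # principals holding end-user USE
    inherit: bool = True                                # inherit the parent folder's ACL
    children: Dict[str, "Folder"] = field(default_factory=dict)

def chain_to(root: Folder, path: str) -> List[Folder]:
    """Folders from the root down to `path` (e.g. "Aerospace/Production")."""
    chain, node = [root], root
    for part in path.split("/"):
        node = node.children[part]
        chain.append(node)
    return chain

def effective_level(root: Folder, path: str, principals: Set[str]) -> str:
    """Highest level any of the user's principals holds on the folder, walking
    upwards as long as inheritance is switched on."""
    best = "none"
    for node in reversed(chain_to(root, path)):
        own = max((node.acl.get(p, "none") for p in principals), key=LEVELS.index)
        best = max(best, own, key=LEVELS.index)
        if not node.inherit:
            break
    return best

def has_use(root: Folder, path: str, principals: Set[str]) -> bool:
    """End-user USE, granted once on a top folder and inherited downwards."""
    for node in reversed(chain_to(root, path)):
        if node.use & principals:
            return True
        if not node.inherit:
            return False
    return False

def build_company1() -> Folder:
    """The Company1 permission tree from the slide (principal names shortened)."""
    root = Folder("Company1", acl={"SuperAdmin": "full_control", "Ocean11_IT": "read"}, use={"EveryUser"})
    aero = Folder("Aerospace", acl={"CA_Aero": "write", "SA_Aero": "write", "Admin_Aero": "read"})
    aero.children["Production"] = Folder("Production", acl={"CA_AeroProd": "write", "SA_AeroProd": "write"})
    root.children = {"Aerospace": aero, "Energy": Folder("Energy", acl={"CA_Energy": "write", "SA_Energy": "write"})}
    return root
```

Setting `inherit = False` on a subfolder drops every entry inherited from above, including the end-user USE granted on the top folder, which is the guideline's reason for limiting who may change top-folder permissions.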
Delegated Administration
Delegated Content Administration: roles, worksets, pages, iViews, systems, ...
Delegated User Administration: companies, user self-registration
Summary
As a result of this workshop, you are now
able to:
Describe delegated administration in SAP Enterprise
Portal 6.0
Develop a strategy for delegating administration, for
purposes of security, reusability, and efficient support
Implement delegated content administration in SAP
Enterprise Portal 6.0
Further Information
Public Web:
www.sap.com > Solutions > mySAP Enterprise Portal
SAP Customer Services Network: www.sap.com/services/
SAP Service Marketplace: service.sap.com/ep
Related Workshops/Lectures at SAP TechEd 2003
PRTL203: SAP Enterprise Portal 6.0: Security and User Management, Wed, 1:30 PM, PB320; Thu, 9:15 AM, PB310; Fri, 8:00 AM, PB310, Lecture
PRTL255: Setting Up Portal Roles in the SAP Enterprise Portal 6.0, Tue, 1:45 PM, 107; Thu, 8:00 AM, GB122, Hands-on
Related SAP Education Training Opportunities
http://www.sap.com/usa/education/
EP100, Managing Enterprise Portal Content (EP 5.0 SP5)
Consulting Contact