Exposing Roles on the Producer for 'Remote Role Assignment' Usage
Use
Content usage mode: remote role assignment
Applies to: producers
To support the design time workflow and runtime activities for remote role assignment on the consumer portal, portal administrators must assign portal permissions and UME actions on both the producer and consumer portals.
This topic describes the portal permissions and UME actions that must be set on the producer portal to allow:
- User administrators on a consumer portal to search for remote roles and assign local users and groups to them.
- Business users on a consumer portal to run content embedded in a remote role.
Prerequisites
- The same user base exists on both producer and consumer portals.
- Roles have been created on the producer portal.
- You are assigned Owner permission in the objects to which you want to assign additional permissions.
- Access to the Permissions editor in the portal.
- You have access to the Identity Management tool on the consumer portal. It is available by default in the standard User Admin or Delegated User Admin roles in the portal.
- You have the IDs of the consumer-side user administrators and business users to which you need to assign the permissions. In most cases, the user administrator on the producer portal should be able to provide you with this information.
Procedure
Certain portal permissions and UME actions must be assigned on the producer portal before a user administrator on the consumer can perform a remote role assignment, while other permission settings must be assigned either before or after a remote role assignment has been performed by the user administrator of the consumer portal.
Assigning Permissions and UME Actions on the Producer Portal: Before Remote Role Assignment is Performed
- In the Permissions editor on the producer portal, the system or content administrator must assign the following permissions:

  | Object (on Producer) | Target User on Consumer (Assignee) | Permission Level | Description |
  |---|---|---|---|
  | Role (any role that you are exposing for remote usage) | User Admin -or- Delegated User Admin | Role assigner: enabled | This permission setting allows the user administrator on the consumer portal to do the following in the Identity Management tool: search for and view the remote role; assign local users on the consumer to the remote role. |

- In the Identity Management tool on the producer portal, the user administrator must assign the following UME actions to any role to which the pcd_service user is already assigned. If such a role does not exist, you need to create one and then assign the pcd_service user to it.

  | Target User (Assignee) | UME Actions | Description |
  |---|---|---|
  | pcd_service (1) | Remote_Producer_Read_Access (2), Remote_Producer_Write_Access (2) | These UME actions enable the following: The Remote_Producer_Read_Access action is needed for portal business users to use remote role assignment content at runtime. (Optional) When a role is deleted on a producer portal, the administrator performing this task must be assigned the Remote_Producer_Write_Access action (through the pcd_service user) so that all remote role assignments to that role on the respective consumer portal are automatically removed. Without this assigned action, the role assignments remain on the consumer after the source has been deleted on the consumer. Both UME actions are required so that a user administrator on the consumer can perform remote role assignments. |

  (1) The pcd_service user is an internal service user that is automatically generated when the portal starts up. For more information, see User Management.
  (2) For more information about UME actions, see Standard UME Actions.
Assigning Permissions and UME Actions on the Producer Portal: Either Before or After Remote Role Assignment is Performed
Using the Permissions editor, the system or content administrator of the producer portal must enable and assign end user permission to portal components and any back-end systems for remote business users logging on to the consumer portal.
If the system or content administrator on the producer already knows which business users or groups require the permissions, the permission assignments can be made before the user administrator on the consumer has performed the remote role assignments.
| Object (on Producer) | Target User on Consumer (Assignee) | Permission Level | Description |
|---|---|---|---|
| Portal component (1) | Business user | End user: enabled | Allows users to execute at runtime the iViews, pages, and layouts that are assigned to remotely assigned roles. |
| System | Business user | End user: enabled | If an iView on the producer uses a system object to enable access to a back-end system, the system administrator on the producer must assign end user permission to the remote business users in these system objects. |

(1) The portal components correspond to the unit iViews, pages, and page layouts used by content that is embedded in the roles you are exposing. Portal components are located in the Security Zones folder in the Portal Catalog.