Creating Content and Assigning Permissions (SAP Library

Creating Content and Assigning Permissions

This topic provides useful information you need to consider and be aware of when creating and managing content for tenants in a multitenant portal environment. Issues related to permissions are also discussed.

Organizing Content

When you create a tenant, the portal automatically generates several Portal Catalog folders for the tenant:

· Portal Content/Tenants/<Tenant Name>/Content: This folder is intended for iViews, pages, and worksets relevant to the tenant.

Note that you can create roles in this folder; however, for better organization of content we suggest using the new Role subfolder created for the tenant.

· Portal Content/Tenants/<Tenant Name>/Role: This folder is intended for any roles relevant to the tenant.

· Portal Content/Tenants/<Tenant Name>/Desktop: This folder is intended for objects related to the tenant's portal desktop, such as framework pages and portal desktop objects.

For more information, see "Folders" in Initial Folders, Content, and Permissions for Tenants.

We strongly recommend you create tenant-specific content in these folders to reduce maintenance of permission assignments and to ensure that the tenant's content is secure.

Creating Content

Global content administrators are responsible for creating overall content and initial content for each tenant. Tools for creating content range from those available in the portal (for example, using iView templates) to external development kits; see Structure link Running an Enterprise Portal (in the SAP NetWeaver Developer's Guide).

Caution

Tenant administrators should not be permitted to deploy custom developed applications to the portal. This is the task of a super administrator or global system administrator.

Once content is available to tenant content administrators, they can then tailor it to fit their requirements. Tenant content administrators can create and manage tenant-specific content using tools available in the portal; for example:

· Using portal content wizards and editors.

· Using the Portal Catalog copy action to generate copies or delta links from existing content to which they have at least administrator read permission.

Tenant content administrators can share cross-tenant content with content administrators from other tenants by copying content to a shared Portal Catalog folder. A global administration must create this folder and assign the required portal permissions to the relevant tenant administrators.

For information on working with tenant-specific framework pages, themes, and portal desktops to customize the look and feel of a tenant's portal, see Configuring Customized Portal Desktops for Tenants.

Assigning Permissions

Pay attention to the following permission-related issues when working with content in a multitenant portal:

· Whereas a tenant administrator automatically has access only to the users, groups, and roles of the portal tenant he or she is logged on to (according to their tenant name in the role ID prefix), access to portal content by browsing and searching the Portal Catalog must be restricted through explicitly assigned portal permissions. Merely being logged on to a specific portal tenant does not automatically limit a tenant user to the tenant's content.

· All tenant content administrators must have permission to access to view the root Portal Content folder; otherwise access to tenant-specific subfolders is not possible. A global administrator must be responsible for the overall assignment of Portal Catalog permissions to tenant administrators.

· When a new folder is created in the Portal Catalog outside the Portal Content/Tenantsfolder area, the new folder inherits the permissions of its parent folder. Before content is created in this folder, you need to make sure that the new folder does not inherit permissions which may expose non-authorized content to the tenants.

For example, the root Portal Content folder is assigned to all tenant content administrators; a new folder created under Portal Content would immediately be available to all tenant content administrators.

· If you want business end users to be able to personalize their pages with content, they must be assigned end user permission to the relevant folders in which the content is located.

For example, you may want to assign end user permission for the relevant business end users to the tenant's Content folder.

· Direct access to portal components in a multitenant portal environment is controlled by security zone permissions; there is no difference to a standard portal environment. You must assign specific users, groups, and roles to the security zone permissions in the Permission Editor. For more information, see Security Zones.