Initial Folders, Content, and Permissions for Tenants
When you create a tenant in the Tenant Management screen (see Creating a Portal Tenant), the portal does the following:
· Creates a number of predefined folders for the tenant in the Portal Catalog under the default Portal Content/Tenants folder.
· Creates standard roles for the tenant.
· Creates a virtual group for the tenant.
· Assigns portal permissions to the new roles within various Portal Catalog folders and security zones.

We strongly recommend you use the default folders and roles that are assigned to a tenant. Avoid manually creating separate folders for an entire tenant in other areas of the Portal Catalog. If you must do so, pay attention to the initial permissions assigned to the new content and roles as documented in this topic; use them as a guideline for updating your new content.
The following folders are automatically created in the Portal Content/Tenants folder:
| Folder Path (the new folder is bolded) | Description |
|---|---|
| Portal Content/Tenants/**<Tenant name>** | Created in the standard Portal Content/Tenants folder. The folder receives the name of the tenant. In this folder, the portal creates the Content, Desktop, and Roles subfolders (see below). |
| Portal Content/Tenants/<Tenant name>/**Content** | This folder is intended for tenant-specific portal content objects you create, such as iViews, pages, and worksets. By default, the folder is empty when the tenant is created. Essentially, you can also create roles in this folder; however, for better organization of content we suggest using the new Role subfolder created for the tenant (see below). |
| Portal Content/Tenants/<Tenant name>/**Desktop** | This folder is intended for tenant-specific objects related to the structuring of the portal desktop, such as framework pages and portal desktop objects. Note that portal themes can only be stored in Portal Content/Themes or subfolders within it. By default, the folder is empty when the tenant is created. |
| Portal Content/Tenants/<Tenant name>/**Role** | This folder is intended for tenant-specific roles. The portal creates default roles for the tenant (see below) and places them in this folder. |
The following figure provides an example of a Portal Catalog hierarchy displaying two new tenants, TenantA and TenantB:

The following roles are automatically created and placed in the Portal Content/Tenants/<Tenant name>/Role folder of the tenant:
| Role Name | Role ID | Description |
|---|---|---|
| <Tenant name> Content Admin | <tenant_name>.content_admin | This new content administrator role is a delta link to the existing Content Admin role in the Content Provided by SAP/Admin Content/Content Administrators folder. By default, no users are assigned to this role. See "Permissions" below for the folders and security zones to which this role is assigned. |
| <Tenant name> User Admin | <tenant_name>.user_admin | This new user administrator role is a delta link to the existing User Admin role in the Content Provided by SAP/Admin Content/User Administrators folder. By default, no users are assigned to this role. See "Permissions" below for the security zones to which this role is assigned. |
| <Tenant name> Standard User Role | <tenant_name>.eu_role | This new end user role is a delta link to the existing Standard User Role role in the Content Provided by SAP/End User Content/Standard Portal Users folder. This role is automatically assigned to the tenant’s group (see below) when the tenant is created. |

The openness of the portal platform allows you to adapt and extend the portal roles defined for each tenant to suit the needs of your organization. For example, if you are implementing a multitenant portal to support internal departments within your organization only, you can distribute the system admin role to tenant administrators since the security requirements of this setup are less demanding.
The UME automatically generates a virtual group for each tenant. The virtual group has the following features:
· The name of the group is the tenant name. For example: TenantA
· The group is regenerated each time the portal starts.
· The group contains all users belonging to a tenant.
· As it is a dynamic group, it is not possible to manually assign users or groups to this group.
· The group is automatically assigned to the tenant's new Standard User Role (<tenant_name>.eu_role).
· The group is automatically deleted if its portal tenant system object is deleted and the portal has been restarted.
Administrators can use this group to assign permissions to all users in a tenant. This means that if a new user is created for a tenant, the user automatically has the permissions and roles assigned to the virtual tenant group, which makes overall administration easier.
Default permissions are also assigned to the following Portal Catalog folders, content, and security zones to enable access and necessary portal functionality to the appropriate roles.

Whereas a tenant administrator has access only to the users, groups, and roles of the portal tenant he or she is logged on to (see Logging on as a Tenant User), access to portal content must be restricted through portal permissions. Merely being logged on to a portal tenant does not automatically limit a tenant user to the tenant's content.
| Portal Catalog Path | Role/Group Assignment | Administrator Permission | End User Permission |
|---|---|---|---|
| Portal Content (pcd:portal_content) | Role: <Tenant name> Content Admin | Read | Enabled* |
| Portal Content/Tenants (pcd:portal_content/Tenants) | Role: <Tenant name> Content Admin | Read | Enabled* |
| Portal Content/Tenants/<Tenant name> (pcd:portal_content/Tenants/<tenant_name>) | Role: <Tenant name> Content Admin | Full Control* | Enabled* |
| | Group: <tenant_name> | None* | Enabled* |
| Portal Content/Content Provided by SAP/Admin Interfaces (pcd:portal_content/com.sap.pct/admin.templates) | Role: <Tenant name> Content Admin | Full Control | Enabled |
| Portal Content/Portal Users/Standard Portal Users (pcd:portal_content/every_user/general) | Role: <Tenant name> Content Admin | None | Enabled |
| Folder is not visible in the Portal Catalog (pcd:/com.sap.portal.system/applications) | Role: <Tenant name> Content Admin | Read | Enabled |
| Portal Content/Templates (pcd:portal_content/templates) | Role: <Tenant name> Content Admin | Read | Enabled |
* The new Content, Desktop, and Roles tenant subfolders inherit the permissions of their parent folder: Portal Content/Tenants/<Tenant name>.
| Folder Path | Role Assignment | Administrator Permission | End User Permission |
|---|---|---|---|
| ara:/com.sap.portal.system/security/ | <Tenant name> User Admin | None | Enabled |
| ara:/com.sap.portal.system/security/ | <Tenant name> Content Admin | None | Enabled |
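
Because being logged on to a tenant does not by itself confine a user to that tenant's content, it is worth checking the effective Portal Catalog permissions against the defaults listed above. The following is an added example, not SAP code: it expands the Portal Catalog table from this page into an expected permission set per tenant and flags missing entries, changed entries, and grants that give one tenant's role or group access below another tenant's folder. The export row format (path, principal, administrator permission, end user enabled) and the `role:`/`group:` prefixes are assumptions, and the sample export is constructed.

```python
# Added example. BASELINE rows come from the Portal Catalog table on this page;
# the export row format and the "role:"/"group:" prefixes are assumptions.
TENANT_ROOT = "pcd:portal_content/Tenants/"
BASELINE = [  # (path, principal, administrator permission, end user enabled)
    ("pcd:portal_content", "role:{t}.content_admin", "Read", True),
    ("pcd:portal_content/Tenants", "role:{t}.content_admin", "Read", True),
    ("pcd:portal_content/Tenants/{t}", "role:{t}.content_admin", "Full Control", True),
    ("pcd:portal_content/Tenants/{t}", "group:{t}", "None", True),
    ("pcd:portal_content/com.sap.pct/admin.templates", "role:{t}.content_admin", "Full Control", True),
    ("pcd:portal_content/every_user/general", "role:{t}.content_admin", "None", True),
    ("pcd:/com.sap.portal.system/applications", "role:{t}.content_admin", "Read", True),
    ("pcd:portal_content/templates", "role:{t}.content_admin", "Read", True),
]

def expected_acl(tenant):
    """Expand the baseline for one tenant: {(path, principal): (admin, end_user)}."""
    return {(p.format(t=tenant), w.format(t=tenant)): (a, e) for p, w, a, e in BASELINE}

def path_tenant(path):
    """Tenant owning a path below Portal Content/Tenants, else None."""
    return path[len(TENANT_ROOT):].split("/", 1)[0] if path.startswith(TENANT_ROOT) else None

def principal_tenant(principal, tenants):
    """Tenant of a role ID (<tenant>.xxx) or virtual group (<tenant>), else None."""
    name = principal.partition(":")[2]
    return next((t for t in tenants if name == t or name.startswith(t + ".")), None)

def audit(observed, tenants):
    """Return findings as (kind, path, principal) tuples."""
    seen = {(p, w): (a, e) for p, w, a, e in observed}
    findings = []
    for t in tenants:
        for key, want in expected_acl(t).items():
            if key not in seen:
                findings.append(("missing", *key))
            elif seen[key] != want:
                findings.append(("differs", *key))
    for (path, who), (adm, eu) in seen.items():
        owner, holder = path_tenant(path), principal_tenant(who, tenants)
        if owner and holder and owner != holder and (adm != "None" or eu):
            findings.append(("cross-tenant", path, who))
    return findings

def sample_export():
    """Constructed export: TenantB's group entry is gone, and its content admin can read TenantA content."""
    rows = [(p, w, a, e) for t in ("TenantA", "TenantB") for (p, w), (a, e) in expected_acl(t).items()]
    rows.remove(("pcd:portal_content/Tenants/TenantB", "group:TenantB", "None", True))
    rows.append(("pcd:portal_content/Tenants/TenantA/Content", "role:TenantB.content_admin", "Read", True))
    return rows
```

Because the tenant subfolders inherit from Portal Content/Tenants/<Tenant name>, the cross-tenant check matches any path below a tenant's folder, not only the folder itself.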