Default Permissions

Definition

The portal comes with a minimal set of permissions assigned to its initial content. These default permissions are designed to provide maximum security for a freshly installed portal.

The default permissions settings are sufficient to enable users assigned to the super administrator role to work and gain access to all initial content. They also enable the remaining standard administration roles (content, system, and user) to access tools specific to these roles, but not to initial content objects. For example, a content administrator has access to the Portal Content Studio, but is not able to gain access to any content objects, such as iViews, pages, and roles-the Portal Catalog in the Portal Content Studio is empty.

This topic describes the default permissions assigned to the initial content of the portal.

Caution

The initial permissions described in this topic are only valid for a fresh and full installation of the portal. When upgrading a portal, the initial permissions script in the portal is not executed. This prevents the permissions in an existing portal from being overwritten.

If you are upgrading your portal, you will, however, need to assign permission to the standard portal components and services shipped with the portal. These components and services reside in the Security Zones folder. It is recommended to use as a basis the initial permissions set for security zones in a fresh installation (as described in the Permissions in Security Zones section below).

Recommendation

For guidelines on reconfiguring the strict initial permissions to allow the pre-configured portal roles to access initial content objects relevant to their role, read How to Configure Permissions for Initial Content in SAP NetWeaver Portal available at Start of the navigation path sdn.sap.com/irj/sdn/howtoguides Next navigation step SAP NetWeaver 7. 3 How To Guides End of the navigation path .

1. Permissions for Super Administration Role

The standard super administer role (see Understanding Preconfigured Portal Roles ) is assigned maximum access to the entire set of portal initial content.

The user store and data source of the User Management Engine used in your organization determines which standard administrator users are members of the standard Administrators user group after the portal is installed. The Super Administrator role is assigned by default to the Administrators group. Therefore, initially all standard administrator users have super administrator permissions in the portal. For additional information, see Standard Users and Standard User Groups .

The following table specifies which default permissions settings of the super administrator role are assigned to the default root folders in the Portal Catalog:

Portal Catalog Folder (ID)	Permission Setting
Business Objects ( `pcd:Business_Objects` )	Administrator: owner End User*: enabled
Portal Content ( `pcd:portal_content` )	Administrator: owner End User: enabled Role Assigner: enabled
Security Zones ( `pcd:com.sap.portal.system/security` )	Administrator: owner End User*: enabled
Remote FPN Producers** ( `pcd:fpn_information/connections` )	Administrator: owner End User*: enabled
WSRP Content** ( `gwsrp:` )	Administrator: owner End User*: enabled
Portal Applications*** ( `gpar:` )	Administrator: owner End User*: enabled
Web Dynpro Java Applications*** ( `gwd:` )	Administrator: owner End User*: enabled
VC Generated Content Repository*** ( `gvc:` )	Administrator: owner End User*: enabled
Portlet Applications*** ( `portlet:` )	Administrator: owner End User*: enabled

* Role assigner and end user permission settings are only relevant to specific Portal Catalog folders and object types. For more information, see Permission Levels .

** Folders supporting a federated portal network. For more information, see Assigning Administrator Permissions to FPN Connections .

*** Read permission is necessary for the super administrator to view all portal components in the GPAL repositories. See Working with GPAL Repositories .

To prevent a complete lockout situation in the portal, the default permissions of the super administrator role cannot be deleted or modified. For information on assigning other super administrator-like roles with owner permissions to all portal objects, see UME Actions in the Portal .

2. Permissions in Security Zones

In addition to the super administrator permissions described above, the following permissions also exist for the standard safety levels in the Security Zone folder (for more information, see Security Zones ):

Safety Level	Portal Catalog Folder	Permission Setting
No safety	Security Zones sap.com NetWeaver.Portal no_safety Security Zones sap.com NetWeaver.UserManagement no_safety	Everyone group: Administrator: none End user: enabled For more information about this group, see Standard User Groups .
Low safety	Security Zones sap.com NetWeaver.Portal low_safety Security Zones sap.com NetWeaver.UserManagement low_safety	Authenticated Users group: Administrator: none End user: enabled For more information about this group, see Standard User Groups .
Medium and high safety	Security Zones sap.com NetWeaver.Portal medium_safety Security Zones sap.com NetWeaver.Portal high_safety	Content Admin and System Admin roles: Administrator: none End user: enabled For more information about these roles, see Understanding Preconfigured Portal Roles .
Security Zones sap.com NetWeaver.UserManagement medium_safety Security Zones sap.com NetWeaver.UserManagement high_safety	User Admin and Delegated User Admin roles: Administrator: none End user: enabled For more information about these roles, see Understanding Preconfigured Portal Roles .

Safety Level

Portal Catalog Folder

Permission Setting

No safety

Start of the navigation path Security Zones Next navigation step sap.com NetWeaver.Portal no_safety End of the navigation path

Start of the navigation path Security Zones Next navigation step sap.com NetWeaver.UserManagement no_safety End of the navigation path

Everyone group:

Administrator: none
End user: enabled

For more information about this group, see Standard User Groups .

Low safety

Start of the navigation path Security Zones Next navigation step sap.com NetWeaver.Portal low_safety End of the navigation path

Start of the navigation path Security Zones Next navigation step sap.com NetWeaver.UserManagement low_safety End of the navigation path

Authenticated Users group:

Administrator: none
End user: enabled

For more information about this group, see Standard User Groups .

Medium and high safety

Start of the navigation path Security Zones Next navigation step sap.com NetWeaver.Portal medium_safety End of the navigation path

Start of the navigation path Security Zones Next navigation step sap.com NetWeaver.Portal high_safety End of the navigation path

Content Admin and System Admin roles:

Administrator: none
End user: enabled

For more information about these roles, see Understanding Preconfigured Portal Roles .

Start of the navigation path Security Zones Next navigation step sap.com NetWeaver.UserManagement medium_safety End of the navigation path

Start of the navigation path Security Zones Next navigation step sap.com NetWeaver.UserManagement high_safety End of the navigation path

User Admin and Delegated User Admin roles:

Administrator: none
End user: enabled

For more information about these roles, see Understanding Preconfigured Portal Roles .

Recommendation

Problems related to accessing the portal and its content are often attributed to insufficient permissions in security zones. When troubleshooting access-related issues in the portal, it is recommended to also check the security zone permissions.

3. Permissions in 'Portal Content' Subfolders

In addition to the super administrator permissions described above, the following permissions are also assigned to certain subfolders in the Portal Catalog:

Portal Catalog Folder (ID)	Permission Setting
Portal Content Content Provided by SAP Admin Content Content Administrators `(pcd:portal_content/com.sap.pct/ administrator/content_admin)`	Content Admin role: Administrator: none End user: enabled
Portal Content Content Provided by SAP Admin Content System Administrators `(pcd:portal_content/com.sap.pct/ administrator/system_admin)`	System Admin role: Administrator: none End user: enabled
Portal Content Content Provided by SAP Admin Interfaces Admin iView Templates `(pcd:portal_content/com.sap.pct/ admin.templates/iviews)`	Content Admin and System Admin roles: Administrator: none End user: enabled
Portal Content Portal Users `(pcd:portal_content/every_user)`	Everyone group: Administrator: read End user: enabled

Portal Catalog Folder (ID)

Permission Setting

Start of the navigation path Portal Content Next navigation step Content Provided by SAP Admin Content Content Administrators End of the navigation path

(pcd:portal_content/com.sap.pct/ administrator/content_admin)

Content Admin role:

Administrator: none
End user: enabled

Start of the navigation path Portal Content Next navigation step Content Provided by SAP Admin Content System Administrators End of the navigation path

(pcd:portal_content/com.sap.pct/ administrator/system_admin)

System Admin role:

Administrator: none
End user: enabled

Start of the navigation path Portal Content Next navigation step Content Provided by SAP Admin Interfaces Admin iView Templates End of the navigation path

(pcd:portal_content/com.sap.pct/ admin.templates/iviews)

Content Admin and System Admin roles:

Administrator: none
End user: enabled

Start of the navigation path Portal Content Next navigation step Portal Users End of the navigation path

(pcd:portal_content/every_user)

Everyone group:

Administrator: read
End user: enabled