Security Zones

Definition

The security zone specifies the vendor ID, the security area, and the safety level for each portal component and portal service, including Web services accessed through the SOAP protocol.

Access by authorized users to portal components and services is controlled by assigning portal user permissions to the hierarchical structure of the vendor ID, the security area, and progressive safety levels in the portal security zones.

Use

Content developers assign portal components and services to a security zone during development by defining its security zone in the descriptor XML file of the application or service. Typically, the content or system administrator is responsible for indicating the appropriate security zone to the content developer. When the developer deploys to the AS Java from the development environment, or other standalone tools, the applications and services become visible in the Portal Catalog from the Permission Editor, under one of the GPAL repositories.

Once a portal application has been deployed to the Java EE, an administrator with access to the central Permission Editor, and read or owner permission for GPAL repositories, must assign authorized users, groups, or roles to the security zone to which the portal component or service belongs. Security zones are displayed in the Portal Catalog in a hierarchical structure.

Note

Security zones are only applicable to portal applications and services in the GPAR repository. Though the other GPAL repositories (containing Web Dynpro applications, application pages generated from Visual Composer, and portlets) are visible in the Portal Catalog from the Permission Editor, they do not implement security zones.

A portal component or service can belong to only one security zone; however they can share the same safety level. This allows the administrator to assign permissions to a safety level, instead of assigning them directly to each portal component or service. This also takes advantage of the permission inheritance mechanism, which passes the permissions from the safety level to any portal component or service located in it (see Permission Examples ).

Controlling Portal Component Access through Direct URLs

Generally, portal components are accessed in the portal through an iView. However, special cases, such as the portal logon component, require direct URL access to portal applications without an iView. A user is allowed direct access by URL at runtime under the following conditions:

The portal component or service declares its security zone.
The user (or group or role) has been assigned end user permissions in the Permission Editor to the security zone defined by the portal component.

Controlling Portal Component Access through iViews

When an iView is launched by a user at runtime, the Portal Runtime (PRT) initially determines if the user is assigned end user permission to the role object containing the iView. If authorized, the user can view the iView content.

Security zones offer an extra, though optional, layer of code-level security to iViews accessed by means of the standard role-based assignment. When this functionality is activated, the PRT also checks if the user has been assigned end user permission to the iView's portal component in its designated security zone. Note that this check is performed after the end user permission to the iView has been approved. The user must pass both checks to view the iView content.

This second level of security for iViews is activated or deactivated by setting a Java VM (virtual machine) parameter using the Java EE Config Tool (for both server and instance or server only). By default, this functionality is disabled.

Note

This parameter also prevents unauthorized users from accessing iViews through a direct URL used outside of the portal environment.

Using the Config Tool, add the parameter -Dcom.sap.nw.sz=true to the Java Settings. To deactivate it, set the Dcom.sap.nw.sz parameter to false .

For more information, see Configuring JVM Parameters .

Note

You can view Java VM settings with SAP NetWeaver Administrator. (You can open SAP NetWeaver Administrator by adding it as an alias at the end of the URL to where your portal is installed (< hostname >:< port >/ nwa ). For more information see Java System Properties .

Integration

1. Security Zone Configuration

The portal currently supports two methods for specifying security zones in the portal application descriptor file ( portalapp.xml ):

Computed (the preferred method)
Fully specified

The older fully specified method uses a single property for each component and service to define the vendor ID, security area, and safety level, with each property separated by a slash (/). This method is susceptible to errors, such as mixing the order of the properties or failing to include one of them, which can cause a messy structure in the Security Zones folder in the Portal Catalog. In addition, the vendor ID and security area must be written for each component, even though they are generally the same for all components in the portal application, also increasing the risk of coding errors.

Note

This method will be deprecated in a future release. It is currently supported to provide backward compatibility.

The newer computed method avoids the above-mentioned disadvantages and also provides support for additional capabilities, such as isolating in a separate folder those components whose security zones are not properly defined.

Method	Description
Computed	This is the preferred method that enforces a standard classification methodology for security zones. In this method, the security zone of a component is defined by creating the following properties in the `portalapp.xml` file, which is in the application archive: `Vendor` (vendor ID) and `SecurityArea` : These properties are defined in the `<application-config>` section, and apply to all the components and services in the portal application. `SafetyLevel` : This property is defined for each component and service. For more information on defining the security zone in a `portalapp.xml` , see Permission Model . When the portal application is deployed on the Java EE server, the full security zone is then automatically generated using the three properties and the names of the components and services: Components: `<vendor ID>/<security area>/<safety level>/<portal application name>/components/<component name>` Services: `<vendor ID>/<security area>/<safety level>/<portal application name>/services/<service name>` For example: `sap.com/NetWeaver.Portal/high_safety/com.sap.portal.prt.cache/components/DBTest` In the Permission Editor, the above computed security zone is visualized as follows in the Portal Catalog: `Security Zones` `sap.com` `NetWeaver.Portal` `high_safety` `com.sap.portal.prt.cache` `components` `DBTest`
Fully specified	In this method, the security zone is defined in the portal application descriptor by a single property: `SecurityZone` The syntax of this property can be any slash-separated (/) string to define the security zone hierarchy; however, either of the following formats is recommended: `<vendor ID>/<security area>/<safety level>/<portal application name>/components/<component name>` `<vendor ID>/<security area>/<safety level>/<portal application name>/services/<component name>` For example: `sap.com/NetWeaver.Portal/high_safety/com.sap.portal.prt.cache/components/DBTest`

Method

Description

Computed

This is the preferred method that enforces a standard classification methodology for security zones.

In this method, the security zone of a component is defined by creating the following properties in the portalapp.xml file, which is in the application archive:

Vendor (vendor ID) and SecurityArea : These properties are defined in the <application-config> section, and apply to all the components and services in the portal application.
SafetyLevel : This property is defined for each component and service.

For more information on defining the security zone in a portalapp.xml , see Permission Model .

When the portal application is deployed on the Java EE server, the full security zone is then automatically generated using the three properties and the names of the components and services:

Components:

<vendor ID>/<security area>/<safety level>/<portal application name>/components/<component name>
Services:

<vendor ID>/<security area>/<safety level>/<portal application name>/services/<service name>

For example: sap.com/NetWeaver.Portal/high_safety/com.sap.portal.prt.cache/components/DBTest

In the Permission Editor, the above computed security zone is visualized as follows in the Portal Catalog:

Security Zones
  sap.com
    NetWeaver.Portal
      high_safety
        com.sap.portal.prt.cache
          components
            DBTest

Fully specified

In this method, the security zone is defined in the portal application descriptor by a single property: SecurityZone

The syntax of this property can be any slash-separated (/) string to define the security zone hierarchy; however, either of the following formats is recommended:

<vendor ID>/<security area>/<safety level>/<portal application name>/components/<component name>
<vendor ID>/<security area>/<safety level>/<portal application name>/services/<component name>

For example: sap.com/NetWeaver.Portal/high_safety/com.sap.portal.prt.cache/components/DBTest

When portal applications are deployed, the following rules apply for creating the respective security zones in the portal application repository:

If the portal application specifies a SecurityZone property (fully specified method), its value will take precedence if the portal application also specifies the Vendor and SafetyLevel properties (computed method).
Any component that does not have a proper Vendor, SecurityArea or SafetyLevel property are listed under an UndefinedVendor , UndefinedSecurityArea or UndefinedSafetyLevel folder in the appropriate location in the Security Zones folder in the Portal Catalog. This enables administrators to easily locate components of applications deployed without the proper security zone properties.

To modify the assigned security zone of a portal application, modify the portal application descriptor file and redeploy it.

2. Initial Safety Levels

The portal defines the following standard safety levels for initial portal content to which out-of-the-box groups and roles are assigned permissions (note that the description of each safety level is based on the end user permission setting only, regardless of the administrator permission setting):

Safety Level	Value	Description
No Safety	no_safety	Anonymous users are permitted to access portal components defined in the security zone.
Low Safety	low_safety	A user must be at least an authenticated portal user to access portal components defined in the security zone.
Medium Safety	medium_safety	A user must be assigned to a particular portal role that is authorized to access portal components defined in the security zone.
High Safety	high_safety	A user must be assigned to a portal role with higher administrative rights that is authorized to access portal components defined in the security zone.

For information on which initial groups and roles are assigned to the standard security zones shipped with the portal, see Default Permissions .

Customers are strongly recommended to use this convention and the standard safety levels when deploying custom-made applications.

3. Assigning Permissions to Security Zones

iViews automatically inherit their permissions from the role to which they are used; however portal components and services inherit their permissions from the security zone or safety level to which they are assigned.

Most generic portal applications intended for standard users in an organization should apply to either the no safety or low safety levels, and no additional role-specific permissions need to be assigned to their security zones. The reason for this is that the Everyone and Authenticated Users groups are by default assigned end user permission to the no safety and low safety levels, respectively, and thereby permit all anonymous and authorized user activity already.

The medium safety and high safety levels are typically reserved for sensitive applications, which require permission assignments that are targeted to specific users, groups, or roles.

You assign permissions to security zones in the same way you assign permissions to content and folders in the Portal Catalog. See Setting Permissions in the Permission Editor .

Caution

Important Notes

Security zone functionality is only operational when the PRT property portal.runtime.security.mode is set to production mode. For more information, see Configuring the Portal Runtime Properties .
To prevent a complete lockout situation that prevents access to the portal by all users, including super users, you must make sure that all portal groups representing anonymous users (for example, the Everyone group) have end user permission enabled for the safety level that permits anonymous access to portal components and services accessed by a URL (for example, the no safety level).

Typically, you should grant end user permission to the Everyone group in the following standard security zones that are shipped with the portal:
- ara:/security/sap.com/NetWeaver.Portal/no_safety
- ara:/security/sap.com/NetWeaver.UserManagement/no_safety