Exposing Roles on the Producer for 'Remote Role Assignment' Usage

Applicable to: remote role assignment 

Use

Administrators must configure portal permissions on both the producer and consumer portals to support the design time workflow and runtime activities for remote role assignment on the consumer portal.

The portal permissions described here enable the following:

      User administrators on a consumer portal to search for remote roles and assign users to them.

      Business users on a consumer portal to run content embedded in a remote role.

This topic describes the permissions that are required on the producer portal.

Caution

Once a remote consumer has assigned users to your roles, make sure you adhere to the following instructions to ensure availability of the remote roles:

       Do not change the ID of the role. You can, however, change the role name.

       Do not move the role to a new PCD location.

More information: 'Remote Role Assignment' Mode 

Prerequisites

      The same user base exists on both producer and consumer portals.

      Roles have been created on the producer portal.

      You have Owner permission on the objects to which you want to assign permissions.

      You have access to the Permission Editor in the portal.

      You have the IDs of the consumer-side user administrators and business users to which you need to assign the permissions.

In most cases, the user administrator on the producer portal should be able to provide you with this information.

Procedure

Certain settings must be configured on the producer before a user administrator on the consumer can perform the remote role assignment, while other settings can be configured either before or after the user administrator on the consumer has performed the remote role assignment.

Permissions to Assign on the Producer Portal Before Remote Role Assignment

In the Permission Editor on the producer portal, the system or content administrator must assign the following permissions:

Object (on Producer): Role (any role that you are exposing for remote usage)

Target User (on Consumer): User Admin -or- Delegated User Admin

Permission Level: Role assigner: enabled

Description: Allows the user administrator on the consumer portal to do the following in the Identity Management tool:

      Search for and view the remote role.

      Assign local users on the consumer to the remote role.

This permission is still required if role assignments are being made through the use of an XML script (see Using XML to Automate Federated Portal Network Tasks).

Caution

Additional permissions are required on the consumer to enable the assignment of remote roles.

Permissions to Assign on the Producer Portal Before or After Remote Role Assignment

Using the Permission Editor, the system or content administrator on the producer portal must assign end user permission to portal components and any back-end systems for the remote business users logging on to the consumer portal.

If the system or content administrator on the producer already knows which business users or groups require the permissions, the permission assignments can be made before the user administrator on the consumer has performed the remote role assignments.

Object (on Producer): Portal component*

Target User (on Consumer): Business user

Permission Level: End user: enabled

Description: Allows users to execute the iViews, pages, and layouts at runtime, which are assigned to remotely assigned roles.

Note: In remote role assignment, all portal components are executed on the producer portal.

Object (on Producer): System

Target User (on Consumer): Business user

Permission Level: End user: enabled

Description: If an iView on the producer uses a system object to enable access to a backend system, the system administrator on the producer must assign end-user permission to business users in these system objects.

* The portal components correspond to the unit iViews, pages, and page layouts used by content that is embedded in the roles you are exposing. Portal components are located in the Security Zones folder in the Portal Catalog.

Note

If you have applied SAP recommendations and guidelines with regard to initial permission settings in the portal, there should be no need to modify your existing security zone permissions.

The guidelines are such that most of your content is probably assigned to the Low safety level, to which the Authenticated Users group has end user authorization—all non-anonymous users logging on to the portal are automatically assigned to the Authenticated Users group.

 
