Default Permissions 

The portal comes with a minimal set of permissions assigned to its initial content. These default permissions are designed to provide maximum security for a freshly installed portal.

The default permissions settings are sufficient to enable users assigned to the super administrator role to work and gain access to all initial content. They also enable the remaining standard administration roles (content, system, and user) to access tools specific to these roles, but not to initial content objects. For example, a content administrator has access to the Portal Content Studio, but is not able to gain access to any content objects, such as iViews, pages, and roles—the Portal Catalog in the Portal Content Studio is empty.

This topic describes the default permissions assigned to the initial content of the portal.

The initial permissions described in this topic are only valid for a fresh and full installation of the portal. When upgrading a portal, the initial permissions script in the portal is not executed. This prevents the permissions in an existing portal from being overwritten.

If you are upgrading your portal, you will, however, need to assign permission to the standard portal components and services shipped with the portal. These components and services reside in the Security Zones folder. It is recommended to use as a basis the initial permissions set for security zones in a fresh installation (as described in the Permissions in Security Zones section below).

For guidelines on reconfiguring the strict initial permissions to allow the pre-configured portal roles to access initial content objects relevant to their role, read How to Configure Permissions for Initial Content in SAP NetWeaver Portal located at sdn.sap.com/irj/sdn/howtoguides → SAP NetWeaver 7.1 How-to Guides → SAP NetWeaver 7.1.

1. Permissions for Super Administration Role

The standard super administer role (see Pre-configured Roles) is assigned maximum access to the entire set of portal initial content.

The user store and data source of the User Management Engine used in your organization determines which standard administrator users are members of the standard Administrators user group after the portal is installed. The Super Administrator role is assigned by default to the Administrators group. Therefore, initially all standard administrator users have super administrator permissions in the portal. For additional information, see Standard Users and Standard User Groups.

The following table specifies which default permissions settings of the super administrator role are assigned to the default root folders in the Portal Catalog:

Portal Catalog Folder (ID)	Permission Setting
Business Objects (pcd:Business_Objects)	●              Administrator: owner  ●              End User1: enabled
Portal Content (pcd:portal_content)	●              Administrator: owner  ●              End User1: enabled  ●              Role Assigner1: enabled
Security Zones (pcd:com.sap.portal.system/security)	●              Administrator: owner  ●              End User1: enabled
NetWeaver Content Producers2 (pcd:NetWeaver_content_producers)	●              Administrator: owner  ●              End User1: enabled
WSRP Content Producers2 (pcd:wsrp_content_producers)	●              Administrator: owner  ●              End User1: enabled
Portal Application Repository3 (gpar:)	●              Administrator: owner ●              End User1: enabled
Web Dynpro Application Repository3 (gwd:)	●              Administrator: owner ●              End User1: enabled
VC Generated Content Repository3 (gvc:)	●              Administrator: owner ●              End User1: enabled
Porlet Application Repository3 (portlet:)	●              Administrator: owner ●              End User1: enabled

¹ Role assigner and end user permission settings are only relevant to specific Portal Catalog folders and object types. For more information, see Permission Levels.

² Folders supporting a federated portal network. For more information, see Adding Producers and Assigning Administrator Permissions to Producer Objects.

³ Read permission is necessary for the super administrator to view all portal components in the GPAL repositories. See Generic Portal Application Layer (GPAL) Repositories.

 

To prevent a complete lockout situation in the portal, the default permissions of the super administrator role cannot be deleted or modified. For information on assigning other super administrator-like roles with owner permissions to all portal objects, see UME Actions in the Portal.

2. Permissions in Security Zones

In addition to the super administrator permissions described above, the following permissions also exist for the standard safety levels in the Security Zone folder (for more information, see Security Zones):

Safety Level	Portal Catalog Folder	Permission Setting
No safety	Security Zones → sap.com → NetWeaver.Portal → no_safety          Security Zones → sap.com → NetWeaver.UserManagement → no_safety	Everyone group: ●      Administrator: none  ●      End user: enabled  For more information about this group, see Default Groups.
Low safety	Security Zones → sap.com → NetWeaver.Portal → low_safety          Security Zones → sap.com → NetWeaver.UserManagement → low_safety	Authenticated Users group: ●      Administrator: none  ●      End user: enabled  For more information about this group, see Default Groups.
Medium and high safety	Security Zones → sap.com → NetWeaver.Portal → medium_safety          Security Zones → sap.com → NetWeaver.Portal → high_safety	Content Admin and System Admin roles: ●      Administrator: none  ●      End user: enabled  For more information about these roles, see Pre-configured Roles.
	Security Zones → sap.com → NetWeaver.UserManagement → medium_safety          Security Zones → sap.com → NetWeaver.UserManagement → high_safety	User Admin and Delegated User Admin roles: ●      Administrator: none  ●      End user: enabled  For more information about these roles, see Pre-configured Roles.

 

Problems related to accessing the portal and its content are often attributed to insufficient permissions in security zones. When troubleshooting access-related issues in the portal, it is recommended to also check the security zone permissions.

3. Permissions in 'Portal Content' Subfolders

In addition to the super administrator permissions described above, the following permissions are also assigned to certain subfolders in the Portal Catalog:

Portal Catalog Folder (ID)	Permission Setting
Portal Content → Content Provided by SAP → Admin Content → Content Administrators (pcd:portal_content/com.sap.pct/ administrator/content_admin)	Content Admin role: ●      Administrator: none  ●      End user: enabled
Portal Content → Content Provided by SAP → Admin Content → System Administrators (pcd:portal_content/com.sap.pct/ administrator/system_admin)	System Admin role: ●      Administrator: none  ●      End user: enabled
Portal Content → Content Provided by SAP → Admin Interfaces → Admin iView Templates (pcd:portal_content/com.sap.pct/ admin.templates/iviews)	Content Admin and System Admin roles: ●      Administrator: none ●      End user: enabled
Portal Content → Portal Users (pcd:portal_content/every_user)	Everyone group: ●      Administrator: read   ●      End user: enabled