Exporting Permissions

 

This topic describes how to export the permission structure of your portal content and security zones.

When you export the permission structure from your source system, an XML file is generated. Using the XML file, you can later import the permissions into another portal (the target system) to recreate the same permission structure. You can use the exported XML file for any number of target systems.

Note

The output of the permission structure is filtered according to the permission settings of the user requesting the permission structure page.

Therefore, to view the entire permission structure in your portal, the user requesting the permission structure page must be a super administrator or an administrator that has permission to view the entire Portal Catalog.


Prerequisites

  • At least administrator read permission for each object in the Portal Catalog you want to export.

  • End user permission to the security zone of the following portal component:

    sap.com/NetWeaver.Portal/medium_safety/com.sap.portal.admin.acleditor/components/initialPermissionsCreator

Procedure

  1. Log on to the portal.

  2. In the same browser session, open a new browser window.

  3. Enter the following URL:

    http://<machine>:<port>/irj/servlet/prt/portal/prtroot/com.sap.portal.admin.acleditor.initialPermissionsCreator

    Note

    Depending on the amount of data to be processed, it may take several minutes for the XML file to be created.


Result

When the permissions have been exported, an XML file, with the name initialPermissions.xml, is created on the source portal in the following folder:

  • Windows:

    <installation drive>:\usr\sap\<SAP J2EE instance name>\JC<instance number>\j2ee\cluster\server0\apps\sap.com\irj\servlet_jsp\irj\root\portalapps\com.sap.portal.admin.acleditor

  • UNIX:

    /usr/sap/<SAP J2EE instance name>/JC<instance number>/j2ee/cluster/server0/apps/sap.com/irj/servlet_jsp/irj/root/portalapps/com.sap.portal.admin.acleditor

For information on importing the XML file to a target system, see Importing Permissions.

The XML file contains all ACL objects existing in the source system. Each ACL tag element is represented in the following format:

Syntax

    <ACL objectID="ObjectID" handlerId="ACL">
     <ACEs>
      <ACE type="[role, user, group]"
        principalID="PrincipalID"
        permission="[owner, Pcd.FullControl, Pcd.ReadWrite, Pcd.Read, NONE]"
        endUserRead="[true, false]"
        roleAssign="[true, false]"
      />
     </ACEs>
    </ACL>

Where:

  • <ACL> tag (Access Control List): Refers to a single object, and nests a single <ACEs> tag.

    • objectID attribute: Specifies the ID of the PCD object.

    • handlerId attribute: Specifies the XML Content and Actions tool handler that processes the data in the XML; do not change this value.

  • <ACEs> tag: Groups a number of <ACE> tags that are nested in a single <ACL> tag.

  • <ACE> tag (Access Control Entry): Specifies which users, groups, or roles are assigned permissions to the object and also their respective permission levels. Each <ACE> tag refers to a single role, user, or group.

    • type attribute: Specifies if the user management entity being assigned permission to the object is a role, group or user.

    • principalID attribute: Specifies the ID of the role, group, or user being assigned permissions to the object.

    • permission attribute: Specifies the administrator permission setting.

    • endUserRead attribute: Specifies the end user permission setting. If this <ACE> attribute is not specified, its default value is false.

    • roleAssign attribute: Specifies the role assigner permission setting. If this <ACE> attribute is not specified, its default value is false.

Example

A sample XML output declaring content and their permissions looks as follows:

Syntax

    <ACL objectID="pcd:portal_content" handlerId="ACL">
     <ACEs>
      <ACE type="role"
        principalID="pcd:portal_content/administrator/content_admin/content_admin_role"
        permission="Pcd.FullControl"
        endUserRead="true" />
      <ACE type="group"
        principalID="GROUP.SUPER_GROUPS_DATASOURCE.EVERYONE"
        permission="NONE"
        endUserRead="true"
        roleAssign="true" />
      <ACE type="role"
        principalID="pcd:portal_content/administrator/super_admin/super_admin_role"
        permission="owner"
        endUserRead="true"
        roleAssign="true" />
      <ACE type="role"
        principalID="pcd:portal_content/administrator/system_admin/system_admin_role"
        permission="Pcd.ReadWrite"
        endUserRead="true" />
     </ACEs>
    </ACL>
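
Reviewing an exported file

The following Python sketch is an added example, not part of the original documentation. It parses an export in the ACL format described above, applies the documented false default for endUserRead and roleAssign, and lists entries worth a manual review before the file is imported into a target system. The <Permissions> root element, the USER.EXAMPLE.jdoe principal, the example_folder object, and the review rules are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the ACL/ACEs/ACE format described above. The <Permissions>
# root element is an assumption; the page does not show the root of the file.
SAMPLE = """<Permissions>
  <ACL objectID="pcd:portal_content" handlerId="ACL">
    <ACEs>
      <ACE type="group" principalID="GROUP.SUPER_GROUPS_DATASOURCE.EVERYONE"
           permission="NONE" endUserRead="true" roleAssign="true" />
      <ACE type="role"
           principalID="pcd:portal_content/administrator/system_admin/system_admin_role"
           permission="Pcd.ReadWrite" endUserRead="true" />
    </ACEs>
  </ACL>
  <ACL objectID="pcd:portal_content/example_folder" handlerId="ACL">
    <ACEs>
      <ACE type="user" principalID="USER.EXAMPLE.jdoe" permission="Pcd.FullControl" />
    </ACEs>
  </ACL>
</Permissions>"""

# Principals treated as "everyone" by this review policy (assumption).
BROAD_PRINCIPALS = {"GROUP.SUPER_GROUPS_DATASOURCE.EVERYONE"}

def parse_aces(xml_text):
    """Yield one dict per <ACE>, whether or not it sits inside an <ACEs> wrapper."""
    for acl in ET.fromstring(xml_text).iter("ACL"):
        for ace in acl.iter("ACE"):
            yield {
                "object": acl.get("objectID"),
                "type": ace.get("type"),
                "principal": ace.get("principalID"),
                "permission": ace.get("permission"),
                # endUserRead and roleAssign default to false when omitted
                "endUserRead": ace.get("endUserRead", "false").strip().lower() == "true",
                "roleAssign": ace.get("roleAssign", "false").strip().lower() == "true",
            }

def audit(xml_text):
    """Return (object, principal, reason) tuples for entries to review by hand."""
    findings = []
    for e in parse_aces(xml_text):
        broad = e["principal"] in BROAD_PRINCIPALS
        if broad and e["permission"] != "NONE":
            findings.append((e["object"], e["principal"], "admin permission for broad group"))
        if broad and e["roleAssign"]:
            findings.append((e["object"], e["principal"], "role assigner for broad group"))
        if e["type"] == "user" and e["permission"] in ("owner", "Pcd.FullControl"):
            findings.append((e["object"], e["principal"], "direct user grant of " + e["permission"]))
    return findings
```

To check a real export, pass the contents of initialPermissions.xml to audit() and adjust BROAD_PRINCIPALS and the rules to your own review policy.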