
At least administrator read permission for each object in the Portal Catalog you want to export.
End user permission to the security zone of the following portal component:
sap.com/NetWeaver.Portal/medium_safety/com.sap.portal.admin.acleditor/components/initialPermissionsCreator
This topic describes how to export the permission structure of your portal content and security zones.
When you export the permission structure from your source system, an XML file is generated. Using the XML file, you can later import the permission to another portal (the target system) to recreate the same permission structure. You can use the exported XML file for any number of target systems.
The output of the permission structure is filtered according to the permission settings of the user requesting the permission structure page.
Therefore, to view the entire permission structure in your portal, the user requesting the permission structure page must be a super administrator or an administrator who has permission to view the entire Portal Catalog.
Log on to the portal.
In the same browser session, open a new browser window.
Enter the following URL:
http://<host>:<port>/irj/servlet/prt/portal/prtroot/com.sap.portal.admin.acleditor.initialPermissionsCreator
Depending on the amount of data to be processed, it may take several minutes for the XML file to be created.
When the permissions have been exported, an XML file named initialPermissions.xml is created on the source portal in the following folder:
Windows:
<installation drive>:\usr\sap\<Java EE instance name>\JC<InstanceNumber>\j2ee\cluster\apps\sap.com\com.sap.portal.admin.acleditor\servlet_jsp\com.sap.portal.admin.acleditor\root
UNIX:
/usr/sap/<Java EE instance name>/JC<InstanceNumber>/j2ee/cluster/apps/sap.com/com.sap.portal.admin.acleditor/servlet_jsp/com.sap.portal.admin.acleditor/root
For information on importing the XML file to a target system, see Importing Permissions.
The XML file contains all ACL objects existing in the source system. Each ACL tag element is represented in the following format:
<ACL objectID="ObjectID" handlerId="ACL">
<ACEs>
<ACE type="[role, user, group]"
principalID="PrincipalID"
permission="[owner, Pcd.FullControl, Pcd.ReadWrite, Pcd.Read, NONE]"
endUserRead="[true,false]"
roleAssign="[true, false]"
/>
</ACEs>
</ACL>
Where:
<ACL> tag (Access Control List): Refers to a single object, and contains a single <ACEs> tag.
objectID attribute: Specifies the ID of the PCD object.
For GPAL repositories: the objectID attribute varies according to the repository: gpar:, gwd:, gvc:, or portlet, respectively for Portal Application Repository, Web Dynpro Repository, VC Generated Content Repository, Portlet Application Repository.
handlerId attribute: Specifies the XML Content and Actions handler that processes the data in the XML; do not change this value.
For GPAL repositories: the handlerId attribute is PCMACL.
<ACEs> tag: Groups a number of <ACE> tags that are nested in a single <ACL> tag.
<ACE> tag (Access Control Entry): Specifies which users, groups, or roles are assigned permissions to the object and also their respective permission levels. Each <ACE> tag refers to a single role, user, or group.
type attribute: Specifies if the user management entity being assigned permission to the object is a role, group or user.
principalID attribute: Specifies the ID of the role, group, or user being assigned permissions to the object.
permission attribute: Specifies the administrator permission setting. If this <ACE> attribute is not specified, its default value is NONE.
endUserRead attribute: Specifies the end user permission setting. If this <ACE> attribute is not specified, its default value is false.
roleAssign attribute: Specifies the role assigner permission setting. If this <ACE> attribute is not specified, its default value is false.
Sample XML output declaring content objects and their permissions looks as follows.
For the PCD:
<ACL objectID="pcd:portal_content" handlerId="ACL">
<ACE type="role"
principalID="pcd:portal_content/administrator/content_admin/content_admin_role"
permission="Pcd.FullControl"
endUserRead="true" />
<ACE type="group"
principalID="GROUP.SUPER_GROUPS_DATASOURCE.EVERYONE"
permission="Pcd.Read"
endUserRead="true"
roleAssign="true" />
<ACE type="role" principalID="pcd:portal_content/administrator/super_admin/super_admin_role"
permission="owner"
endUserRead="true"
roleAssign="true" />
<ACE type="role"
principalID="pcd:portal_content/administrator/system_admin/system_admin_role"
permission="owner"
endUserRead="true" />
</ACL>
For the GPAL repositories:
<ACL objectID="gpar:" handlerId="PCMACL">
<ACE type="role"
principalID="pcd:portal_content/administrator/content_admin/content_admin_role"
permission="admin_read"
endUserRead="true" />
<ACE type="role" principalID="pcd:portal_content/administrator/super_admin/super_admin_role"
permission="owner"
endUserRead="true" />
<ACE type="group"
principalID="GRUP.SUPER_GROUPS_DATASOURCE.EVERYONE"
permission="Pcd.Read"
endUserRead="true" />
</ACL>
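Before importing an exported file into a target system, it is worth reviewing what it grants. The following Python sketch is an added example, not SAP code: it flattens each <ACE> with the defaults documented above and flags entries for manual review. The <permissions> root element, the example principal IDs, and the review policy (broad ".EVERYONE" groups, permission values outside the documented PCD list) are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The <permissions> root and the example principal IDs are
# assumptions; only the <ACL>/<ACEs>/<ACE> structure comes from the page.
SAMPLE = """<permissions>
 <ACL objectID="pcd:portal_content" handlerId="ACL"><ACEs>
  <ACE type="group" principalID="GRUP.SUPER_GROUPS_DATASOURCE.EVERYONE"
       permission="Pcd.Read" endUserRead="true" roleAssign="true"/>
  <ACE type="user" principalID="USER.EXAMPLE.jdoe"/>
  <ACE type="role" principalID="pcd:portal_content/example/role" permission="pcd.Read"/>
 </ACEs></ACL>
 <ACL objectID="gpar:" handlerId="PCMACL"><ACEs>
  <ACE type="role" principalID="pcd:portal_content/example/role"
       permission="admin_read" endUserRead="true"/>
 </ACEs></ACL>
</permissions>"""

# Administrator permission values listed on this page for handlerId="ACL".
PCD_PERMISSIONS = {"owner", "Pcd.FullControl", "Pcd.ReadWrite", "Pcd.Read", "NONE"}

def parse_aces(xml_text):
    """Flatten every <ACE> into a dict, applying the documented defaults."""
    rows = []
    for acl in ET.fromstring(xml_text).iter("ACL"):
        for ace in acl.iter("ACE"):
            rows.append({
                "object": acl.get("objectID"),
                "handler": acl.get("handlerId"),
                "type": ace.get("type"),
                "principal": ace.get("principalID", ""),
                "permission": ace.get("permission", "NONE"),
                "end_user_read": ace.get("endUserRead", "false") == "true",
                "role_assign": ace.get("roleAssign", "false") == "true",
            })
    return rows

def audit(rows, broad_suffixes=(".EVERYONE",)):
    """Return (object, principal, reason) tuples worth a manual review."""
    findings = []
    for r in rows:
        broad = r["type"] == "group" and r["principal"].endswith(broad_suffixes)
        if broad and (r["permission"] != "NONE" or r["role_assign"]):
            findings.append((r["object"], r["principal"], "broad group has admin/role-assigner rights"))
        # PCMACL (GPAL) entries use other permission names, so only check handler ACL.
        if r["handler"] == "ACL" and r["permission"] not in PCD_PERMISSIONS:
            findings.append((r["object"], r["principal"], "undocumented permission value"))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_aces(SAMPLE)):
        print(*finding, sep=" | ")
```

To audit a real export, pass the contents of initialPermissions.xml to parse_aces() and adjust broad_suffixes to the groups your own policy treats as too wide.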