Roles and Role types

In WPS you can asssign a particular role to user for particular resource. What that means is your saying that user can perform set of operations on protected resource. There are two ways in which you can assign permissions to user, first is either you assign it to user directly(implict) or you assign those permissions to a group and user is part of that group(explicit). The set of permissions granted to specific user is defined by the union of all permissions contained in all explicitly and implicitly assigned roles of this user.

The WPS server defines following role types

  • User: Viewing portal content.

  • Privileged User: Viewing portal content, personalizing portlets and pages and creating new private pages

  • Contributor: Viewing portal content and creating new resources. The contributor role type does not include the permissions to edit resources. It only allows you to create new resource

  • Editor: Creating new shared resources and configuring existing resources that are used by multiple users.

  • Manager: Creating new shared resources as well as configuring and deleting existing resources that are used by multiple users

  • Security Administrator: Creating and deleting role assignments on resources. Being assigned Security Administrator role at some resource means that the user shall be allowed to act as a delegated administrator for that resource, in other words the Security Administrator on a resource is allowed to delegate a subset of their privileges on the resource to other people according to the Delegated Administration Policy. For example, a user who is assigned Security Administrator and Editor role on a resource can assign this Editor role to other people provided he has Delegator role on those people. Having the Security Administrator role on a resource alone does not give view or edit access to the resource.

  • Administrator: Unrestricted access on resources. This includes creating, configuring, and deleting resources. Administrators can also change the access control settings on resource; in other words grant other people access to those resources.

  • Delegator: Assigning the Delegator role to principals (users and groups) allows roles to be granted to them. Having the Delegator role on other resources, such as specific portlets, is not useful. The set of roles that can be granted to those principals is defined through the Security Administrator and Administrator role types. For example a user has a Delegator role on the SalesTeam user group but no Delegator role on the Managers user group, so this user can grant roles only to the SalesTeam or individual members of the SalesTeam user group but not to the Managers user group. Having the Delegator role on a resource does not give direct access to the resource. The purpose of the Delegator role type is to allow the granting of roles to users or groups, so assigning Delegator role on resources or resource types that are not users or user groups will not grant those users additional privileges.


The roles are arranged in hierarchy

Photobucket

Each role type extends the privileges contained in the role types directly beneth it in the hierarchy. Ex. Contributor can do everything that User can do and Editor can everything that both Contributor and User can do.

No comments: