Understanding Portal Authorization

Overview of Authorization

The SAS Information Delivery Portal uses the authorization (access control) metadata on the SAS Metadata Server to determine who can view content in the portal.
All users who log on to the portal must have ReadMetadata and WriteMetadata permissions on the Default ACT of the Foundation repository. Each portal user has access to their own personal portal content, and to the group content of any group to which they belong as a member. As part of your security implementation, you set up authorization for particular portal content in order to allow or restrict user access to that content. For example, if the portal displays SAS reports that contain employee salary information, you should ensure that only managers can see those reports.
The methods for implementing authorization for content vary depending on the type of content. Before using any of these methods, it is generally helpful to first organize the potential users of the portal into groups. Each group should contain users who have similar job functions or similar information needs. A user can be assigned to more than one group.

Methods Used to Implement Authorization

You can implement authorization for the SAS Information Delivery Portal in the following basic ways:
  • Specify ownership (personal or shared) for content in the SAS Information Delivery Portal.
    By default, content that any user creates in the portal is personal. Personal content is content that can be edited, viewed, and deleted only by the user who created it, or by a portal administrator. When you create content in the portal, the content is added to the appropriate permission tree in SAS metadata. For example, if you log on to the portal as the SAS Demo User and create a personal page, that page is added to the SAS Demo User's permission tree.
    The portal enables you to share content with a group that is defined in SAS metadata. The group can be all portal users (PUBLIC or SASUSERS) or a group that you define, such as "Sales Managers." When you share portal content with a group, the content is moved to the group's permission tree in metadata. To share portal content with a group, you must be a group content administrator for the respective group. Although a portal administrator can share portal content with a group, this is not a recommended practice.
  • Specify authorization in SAS metadata.
    When you create content apart from the portal, you can specify access control that explicitly allows or disallows specific types of access to individual users or groups of users. For example, if you create an information map, stored process, or publication package, then you define the authorization for the item that you created. Depending on the content type, there are several ways that you can set up this authorization:
    • Use SAS Management Console to specify authorization for SAS content such as publication channels. This option provides flexibility in controlling access to portal content. For more information, see Authorization for SAS Publication Channels.
    • Specify authorization for custom-developed portlets in the portlet's descriptor file. Portlets that allow users to create new instances (for example, userCanCreateMore=true) can also be shared by using the portal's share feature.
      For information about using a portlet deployment descriptor file to specify which users or groups are authorized to access the portlet, see Developing Portlets for the SAS Information Delivery Portal.
    • Specify authorization for page templates, Web applications, and syndication channels when you run a .sas program that loads the respective metadata. (You can also share page templates, Web applications, and syndication channels from the portal.) For details, see the applicable topic for adding page templates, Web applications, or syndication channels in Adding Content to the Portal.
    • Specify authorization for folders in the SAS Content Server by using the SAS Content Server Administration Console. For more information, see Using the SAS Content Server Administration Console in SAS Intelligence Platform: Middle-Tier Administration Guide.

Portal Items That Require Authorization, and Their Respective Authorization Methods

For a summary of the different types of content that should have authorization configured, and how authorization is configured for each type, see Content That Can Be Added to the Portal.