A Secure Portal Using Websphere Portal V5 and Tivoli Access Manager V4.1



6.6 UC-ADM-02: Manage security profiles

In this use case, we describe a simple security management scenario. In 5.5.2, "Testing externalized authorization" on page 210, we externalized the YourCo financial pages to TAM. In this demonstration, we continue and show how to remove the permission to view the Customer Support page from anonymous portal users, in other words, users who have not logged in to the site. See Appendix A, "Access Control Model in WebSphere Portal V5" on page 249 for more information. The full use case details can be found in "Administration use case details" on page 19.

6.6.1 Use case demonstration

The person performing this use case may be the Portal Administrator, the Access Manager Administrator, a dedicated User Accounts Administrator, or any person to whom the duties have been delegated (and who has the appropriate permissions in the system). To demonstrate this use case, we go to the Portal guest welcome page, click the YourCo Financial link, and verify that the page appears as in Figure 6-16 with a subpage called Customer Support.

Figure 6-16: YourCo Financial anonymous user page

The next step is to check the access settings for the Customer Support page in TAM. First, we find the TAM object for that page. We invoke pdadmin and run the following command; the list should appear as in Figure 6-17 on page 245.

Figure 6-17: TAM object space

object list /WPS

The object we require is called /WPS/User@CONTENT_NODE_yourCo.CustomerSupportPage_6_0_6E. The next step is to display the TAM details for this page, including the acl, by running the following command. The results should appear as in Figure 6-18 on page 246. They show which users and groups have access to this resource. We are interested in Unauthenticated and Any-other. Unauthenticated corresponds to the default WebSphere Portal Server group Anonymous portal users, that is, users who have not logged in. Any-other corresponds to the WebSphere Portal Server group All Authenticated Users, which is the default for all logged-in users.

Figure 6-18: Displaying acl details

object show /WPS/User@CONTENT_NODE_yourCo.CustomerSupportPage_6_0_6E/WPS/WebSphere_Portal/<nodename>

The next step is to remove the Unauthenticated group from this resource in TAM. Run the following command and you should see a response as in Figure 6-19 on page 247. You will also see that Unauthenticated is removed from the acl for this page.

Figure 6-19: Removing Unauthenticated group from acl

acl modify WPS_User-CONTENT_NODE_yourCo-CustomerSupportPage_6_0_6E remove unauthenticated

Lastly, we have to wait approximately 30 seconds for the WebSphere Portal Server cache to time out; we then retrace our steps and view the guest YourCo financial page. The Customer Support page should not be visible anymore, as shown in Figure 6-20.

Figure 6-20: YourCo Financial page with updated acl
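
The following shell script is an added example, not part of the original text or of the product: it checks a saved ACL listing after the change above, confirming that the Unauthenticated entry is gone and that Any-other is still present so logged-in users keep the page. It assumes the listing has an "Entries:" header followed by one entry per line, as printed by the pdadmin acl show command; the function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a TAM ACL listing after removing the Unauthenticated entry.
# Assumed input layout (not shown on the page): an "Entries:" header followed by
# one entry per line, as printed by pdadmin "acl show <acl-name>".

# has_acl_entry KEYWORD < listing
# Succeeds if an entry whose first word is KEYWORD (case-insensitive) is listed.
has_acl_entry() {
    awk -v want="$1" '
        $1 == "Entries:" { in_entries = 1; next }
        in_entries && tolower($1) == tolower(want) { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# check_anonymous_removed LISTING
# 0 = anonymous access removed, logged-in users still covered
# 1 = Unauthenticated entry still present
# 2 = Any-other entry missing (authenticated users would lose the page too)
check_anonymous_removed() {
    if printf '%s\n' "$1" | has_acl_entry unauthenticated; then
        return 1
    fi
    if ! printf '%s\n' "$1" | has_acl_entry any-other; then
        return 2
    fi
    return 0
}

# Constructed sample listings; <perms> stands in for the permission strings.
ACL_BEFORE='    ACL Name: WPS_User-CONTENT_NODE_yourCo-CustomerSupportPage_6_0_6E
    Entries:
        Any-other <perms>
        Unauthenticated <perms>'
ACL_AFTER='    ACL Name: WPS_User-CONTENT_NODE_yourCo-CustomerSupportPage_6_0_6E
    Entries:
        Any-other <perms>'

for name in BEFORE AFTER; do
    eval "listing=\$ACL_$name"
    check_anonymous_removed "$listing" && rc=0 || rc=$?
    echo "$name: check_anonymous_removed returned $rc"
done
```

A return value of 1 after the acl modify command means anonymous users can still reach the page once the portal cache expires; a value of 2 means the ACL no longer covers authenticated users either.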

