The Publishing Server Access Control widget

Use this widget to manage the access rights that groups and users have.

The Publishing Server Access Control widget is a stand-alone widget used within the Publishing Server Access Control page. In a typical usage scenario you, as administrator, would select a group or user in the Users/Groups view, and configure the necessary permissions for that entity in the Projects view.

The Publishing Server Access Control widget includes the following sections:
  1. The Users/Groups view
    The Users/Groups view displays the users and groups defined in WebSphere® Application Server if it is using the default security or the users and groups in the LDAP server if WebSphere Application Server is using LDAP for its user registry and security. The Users/Groups view displays the user's or group's short name if it is available and the user's and group's distinguished name (DN) if it is not. The DN is the unique identifier for the user or group in the default security or on the LDAP server.
    Expand the nodes to see the users and groups available. To refine the lists, click Filter.
  2. The Projects view
    The Projects view uses a tree with expandable nodes to display the access rights of the user or group that is currently selected in the Users/Groups view. Preceding each element or folder name is a set of three interactive icons that are used to set permissions.
    For example, a node on the tree might show the following set of icons:
    Screen capture of an element in the tree
    In order, the three icons behind the plus sign indicate the following: Delete | View | Comment.
    Click on any of these icons to cycle through the various options, and click Submit to set the access rights accordingly.
    Here is what each of the Delete, View, and Comment icons means:
    Delete
        Deletes any explicit access rights for the node. If the element does not have explicitly set access rights, the Delete icon does not appear.
    Initial
        This default setting indicates that access has not yet been configured, and no permissions have been granted.
    Explicit viewing permit
        Explicitly permits viewing the element and its children.
    Explicit commenting permit
        Explicitly permits commenting on the element and its children.
    Child has explicit view access
        Indicates that one or more (but not all) child nodes have explicit permission to view the element.
    Child has explicit comment access
        Indicates that one or more (but not all) child nodes have explicit permission to comment on the element.
    Inherited view access
        A permit access right is inherited implicitly from a parent, so viewing the element is permitted.
    Inherited comment access
        A permit access right is inherited implicitly from a parent, so commenting on the element is permitted.
    Explicit view denial
        Explicitly denies the access right, so viewing the element or its children is denied.
    Explicit comment denial
        Explicitly denies the access right, so commenting on the element or its children is denied.
    Inherited view denial
        Implicitly denies the access right, so viewing the element or its children is denied.
    Inherited comment denial
        Implicitly denies the access right, so commenting on the element or its children is denied.
    Note: In the Projects tree, the access rights for viewing an element are automatically set to permit when you permit commenting on an element. Similarly, when you deny viewing an element, the access rights for commenting on the element are automatically set to deny.

How access rights work

Hierarchy
There is a hierarchy of access:
  • A denial of access right takes precedence over all permit access rights.

    When a user expands a node in the Publisher Navigator view, the publishing server checks whether the user or any of the groups to which the user belongs has a deny access right set for any of the children nodes. If the user or any group has a deny access right for a node, the user will not be able to see the node (or comment on it, if the access right is for commenting), even if the user and other groups have access.

  • A permit access right takes precedence over all initial access rights.

    When there are no access rights denied, a user can see a node if either the user or a group that the user belongs to is permitted access rights for that node.

Implicit or explicit access rights
There are two ways that a publishing server administrator can set access rights for viewing an element:
  1. The administrator can set them explicitly by selecting the viewing icon and selecting to permit or deny access.
  2. The administrator can set them implicitly by setting the access rights in a parent element and making use of inheritance.
Inheritance
The child element automatically inherits the access rights of the parent element. For example, if you set the access rights for the ABC Sample project element, all of the elements in the project will have the same access rights, inheriting the value you set at the project level. To indicate that an element has inherited (implicit) access rights, the viewing icon shows a parent and child relationship in addition to the check mark or No symbol.
Note: You can override an inherited permission, but you cannot override an inherited lack of access with a permission. For example, if a folder has its access right set to permit, you can explicitly deny access to an element within that folder. However, if the folder has the deny access right, you cannot explicitly permit access to an element in the folder. You must first either explicitly set permit access to the folder (or one of its parent nodes) or remove the explicit deny permission from the folder (or one of its parents if the denial is set at that level) before you can permit access to its contents.

When you set access rights for a user or a group, if a node has one or more children that were denied access, the user or group member will see a node called "Additional nodes (access controlled)."
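
The precedence, inheritance and override rules described above can be modelled as a small evaluator. This is an added example, not code from the publishing server: the `Acl` class, its method names, the path format and the sample groups are all hypothetical, chosen only to make the rules testable.

```python
# Added illustration: a small model of the access rules described above.
# All names (Acl, set_right, resolve, can, demo) are hypothetical, not product APIs.
DENY, PERMIT, INITIAL = "deny", "permit", "initial"

def ancestors(path):
    """Yield the node and each parent: 'P/F/E' -> 'P/F/E', 'P/F', 'P'."""
    parts = path.split("/")
    for i in range(len(parts), 0, -1):
        yield "/".join(parts[:i])

class Acl:
    def __init__(self):
        self.explicit = {}  # (principal, path, right) -> PERMIT or DENY

    def resolve(self, principal, path, right):
        """Effective right for one principal: explicit, or inherited from a parent."""
        found = {self.explicit.get((principal, p, right)) for p in ancestors(path)}
        if DENY in found:          # a denial anywhere above cannot be overridden
            return DENY
        return PERMIT if PERMIT in found else INITIAL

    def set_right(self, principal, path, right, value):
        """Set an explicit right, enforcing the override and coupling rules."""
        parent = path.rpartition("/")[0]
        if value == PERMIT and parent and self.resolve(principal, parent, right) == DENY:
            raise ValueError("cannot permit below a denied parent")
        if (right, value) == ("comment", PERMIT):
            self.set_right(principal, path, "view", PERMIT)      # comment implies view
        self.explicit[(principal, path, right)] = value
        if (right, value) == ("view", DENY):
            self.explicit[(principal, path, "comment")] = DENY   # no view, no comment

    def can(self, user, groups, path, right):
        """Combine user and groups: deny beats permit, permit beats initial."""
        results = {self.resolve(p, path, right) for p in [user, *groups]}
        return DENY not in results and PERMIT in results

def demo():
    """Constructed sample data: two groups on the ABC Sample project."""
    acl = Acl()
    acl.set_right("editors", "ABC Sample project", "comment", PERMIT)
    acl.set_right("contractors", "ABC Sample project/Finance", "view", DENY)
    return acl

if __name__ == "__main__":
    acl = demo()
    print(acl.can("bob", ["editors", "contractors"], "ABC Sample project/Finance/Budget", "view"))
```

A user who belongs to both sample groups loses access to everything under the denied folder, while a user in `editors` alone keeps the inherited permit.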