
Filtering Portal Content Based on User Attributes

Applies To:

SAP Enterprise Portal EP6 SP2
SAP Enterprise Portal 6.0 SP9 and above

Article Summary

This technical paper will cover how to implement a filtering mechanism of portal content based on user attributes. It uses concepts and base code from the article, “Filtering Role and Workset Content” by Eckart Liemke and Meinolf Block, which is available at: https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/ep/code-samples/Filtering%20Role%20and%20Workset%20Content.htm

Please refer to this article for detailed technical information on filter factories and how they operate. This paper will extend the functionality presented in the referenced SDN article to include portal content at all levels including pages and portal catalog folders.

Please note that this article presents custom code and is NOT an officially SAP supported solution. The code should be implemented with extreme caution, as bad code could have serious side effects and implications.

By: Marty McCormick – [email protected]
Title: Technical Consultant – SAP America
Date: 20 September 2005

Scenario Outline

In this scenario, we’ll assume that iViews on certain pages within the portal must only be displayed and/or be accessible via personalization when users are a member of a specific country. Typically, customers would create different roles, worksets and pages to deliver content in a secure manner; however, filter factories can eliminate the need for different content structures in the portal catalog and the requirement for multiple pages, worksets and iViews.

In this example, the administrator and content teams wish to create one end user role with a page that hosts 4 iViews: a Germany only iView, a US only iView, an iView to be seen by all users and an iView to show only members of the super admin role. This means that if the user is from Germany they should see a specific set of iViews based on their country value in their user profile versus that of a user in the US. The code will also implement a mechanism to allow a super administrator to see all content at all times.

As shown in the screen shots below, there is one role that contains a page with 4 iViews on it. Based on attributes placed on the iViews themselves, they should be displayed according to their user’s country. Here’s how the content was created and set up (before any filtering mechanism).

Figure 1: Content Catalog View of Sample Scenario

Figure 2: Default iViews on the Country Page

Filter Expressions

A filter expression is the string returned by the filter factory that is used by the portal to determine whether or not the child object should be displayed. These filter expressions can use standard AND/OR logic to accommodate complicated expressions. Filter expressions can also contain wildcards. For example, !(com.widgets.country=*) would allow everything that is not tagged to be rendered.

It is important to remember that pages contain items that may need to be seen by the whole user community, such as page layouts. If the filter factory is placed on a page, the page layout values are checked, and if they do not pass the check, the whole page will not be displayed (since iViews require a layout). For this specific case (among others), it is wise to implement an “ALL” value for your filtering attribute(s) that is returned in every filter expression. You can see this logic implemented in the filter factory below.

Creating the Filter Factory Component

There were some slight modifications to the code provided in the SDN article referenced above. In this scenario we are going to implement an “override” mechanism that allows users who are a member of the super admin role to override the filtering mechanism regardless of the admin’s country setting. The filter factory will check children for the attribute com.widgets.country in order to compare to the filter expression.

Code Implementation

The following section provides the code necessary in order to implement the example.

Figure 3: Project Structure in NetWeaver Developer Studio

CountryFilterFactory.java

package com.widgets;

import javax.naming.spi.ObjectFactory;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.Name;

import com.sap.security.api.*;
import com.sapportals.portal.pcd.gl.IPcdContext;
import com.sap.portal.pcm.admin.PcmConstants;
import com.sap.portal.directory.Constants;
import com.sapportals.portal.prt.logger.ILogger;
import com.sapportals.portal.prt.runtime.PortalRuntime;

/****************************************************************************
 *
 * CountryFilterFactory
 * Filter factory that returns a filter string filtering for the
 * attribute "com.widgets.country"
 *
 * @author Marty McCormick
 * @company SAP
 * @date 9/15/2005
 * @version 1.00
 *
 *************************************************************************/
public class CountryFilterFactory implements ObjectFactory {

    ILogger log = PortalRuntime.getLogger();

    /**
     * @see javax.naming.spi.ObjectFactory#getObjectInstance(Object, Name, Context, Hashtable)
     */
    public Object getObjectInstance(Object arg0, Name arg1, Context arg2, Hashtable env) throws Exception {

        String countryAffiliation = "";
        // do not filter by default
        String filterExpression = "";

        env.put(Context.INITIAL_CONTEXT_FACTORY, IPcdContext.PCD_INITIAL_CONTEXT_FACTORY);
        env.put(Constants.REQUESTED_ASPECT, PcmConstants.ASPECT_SEMANTICS);

        IUser user = (IUser) env.get(IPcdContext.SECURITY_PRINCIPAL);
        boolean superAdmin = false;

        // Get the role associated with the role name super_admin_role
        IRole role = null;
        String roleName = "super_admin_role";
        IRoleFactory rfact = UMFactory.getRoleFactory();
        try {
            role = rfact.getRoleByUniqueName(roleName);
        } catch (UMException e) {
            log.severe("COUNTRY FILTER SERVICE: Error = " + e.toString());
        }

        // check to see if the user is a member of the super admin role, if so, set superAdmin = true
        // (user is null when no principal was passed; role is null when the lookup above failed)
        if (user != null && role != null && user.isMemberOfRole(role.getUniqueID(), true)) {
            superAdmin = true;
        }

        if (user != null) {
            String country = user.getCountry();
            if (country == null) {
                country = "none";
            }

            // override to check if the user is a member of the super admin role
            if (!superAdmin) {
                if ((country != null) && (!country.equals(""))) {
                    filterExpression = "(|(" + CountryFilterService.COUNTRY_KEY + "=" + country + ")("
                            + CountryFilterService.COUNTRY_KEY + "=ALL))";
                }
            }
        }

        return filterExpression;
    }
}
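The factory above concatenates the user's country value directly into the filter expression, and filter expressions accept wildcards, so the value should be validated before it is used. The following is an added example, not code from the original article or from SAP: it builds the same OR expression but falls back to the “ALL”-only expression when the attribute is missing or malformed. The class name SafeCountryFilter, the two-letter code pattern and the sample values are assumptions made for illustration.

```java
import java.util.regex.Pattern;

/**
 * Added example (not from the article): builds the same OR expression as
 * CountryFilterFactory, but validates the user attribute first.
 */
public class SafeCountryFilter {

    // Same attribute key that the article's CountryFilterService defines.
    static final String COUNTRY_KEY = "com.widgets.country";

    // Assumption: country tags are two-letter upper-case codes such as "US" or "DE".
    private static final Pattern COUNTRY_CODE = Pattern.compile("[A-Z]{2}");

    // Matches only content tagged "ALL"; used whenever the attribute cannot be trusted.
    static final String ALL_ONLY = "(" + COUNTRY_KEY + "=ALL)";

    /**
     * @param country    value from the user profile (may be null or malformed)
     * @param superAdmin true if the caller already verified super admin membership
     * @return filter expression; "" (no filtering) is returned only for super admins
     */
    static String build(String country, boolean superAdmin) {
        if (superAdmin) {
            return "";
        }
        if (country == null || !COUNTRY_CODE.matcher(country.trim()).matches()) {
            // "*", "(" and ")" are filter syntax, so anything that is not a plain
            // country code is never concatenated into the expression.
            return ALL_ONLY;
        }
        String code = country.trim();
        return "(|(" + COUNTRY_KEY + "=" + code + ")(" + COUNTRY_KEY + "=ALL))";
    }

    public static void main(String[] args) {
        // Constructed sample values: two valid codes, a missing value, and two
        // values containing filter syntax characters.
        String[] samples = { "US", "DE", null, "*", "DE)(x" };
        for (int i = 0; i < samples.length; i++) {
            System.out.println("[" + samples[i] + "] -> " + build(samples[i], false));
        }
        System.out.println("[super admin] -> \"" + build("US", true) + "\"");
    }
}
```

Only the first two samples produce a country clause; every other value yields the “ALL”-only expression, so a malformed profile value cannot widen what the user sees.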

CountryFilterService.java

package com.widgets;

import javax.naming.NamingException;

import com.sapportals.portal.pcd.gl.IPcdAttribute;
import com.sapportals.portal.pcd.gl.IPcdAttributes;
import com.sapportals.portal.pcd.gl.IPcdGlService;
import com.sapportals.portal.pcd.gl.IPcdObjectFactory;
import com.sapportals.portal.pcd.gl.PcdRuntimeException;
import com.sapportals.portal.prt.service.IServiceConfiguration;
import com.sapportals.portal.prt.service.IServiceContext;
import com.sapportals.portal.prt.service.IService;
import com.sapportals.portal.prt.logger.ILogger;
import com.sapportals.portal.prt.runtime.PortalRuntime;
import com.sapportals.portal.pcd.gl.IPcdUtils;

/*********************************************************************************
 *
 * CountryFilterService
 * Service that creates schema entries and initializes the Country Filter Factory
 *
 * @author Marty McCormick
 * @company SAP
 * @date 9/15/2005
 * @version 1.00
 *
 *************************************************************************/
public class CountryFilterService implements IService {

    private IServiceContext serviceContext;

    public static final String COUNTRY_KEY = "com.widgets.country";

    private static final String FILTER_FACTORY_CLASS_NAME = CountryFilterFactory.class.getName();

    public static final String SERVICE_KEY = "com.widgets.countryFilterService";

    private static final String FILTER_CLASS = "com.widgets.CountryFilter";

    /**
     * Generic init method of the service. Will be called by the portal runtime.
     * @param serviceContext
     */
    public void init(IServiceContext serviceContext) {
        this.serviceContext = serviceContext;
        try {
            this.setupSchema();
        } catch (NamingException e) {
            throw new PcdRuntimeException(e);
        }
    }

    /**
     * This method is called after all services in the portal runtime
     * have already been initialized.
     */
    public void afterInit() {
    }

    /**
     * configure the service
     * @param configuration
     * @deprecated
     */
    public void configure(com.sapportals.portal.prt.service.IServiceConfiguration configuration) {
    }

    /**
     * This method is called by the portal runtime
     * when the service is destroyed.
     */
    public void destroy() {
    }

    /**
     * This method is called by the portal runtime
     * when the service is released.
     * @deprecated
     */
    public void release() {
    }

    /**
     * @return the context of the service, which was previously set
     * by the portal runtime
     */
    public IServiceContext getContext() {
        return serviceContext;
    }

    /**
     * This method should return a string that is unique to this service amongst all
     * other services deployed in the portal runtime.
     * @return a unique key of the service
     */
    public String getKey() {
        return SERVICE_KEY;
    }

    /**
     * Initialization of the schema entry for the filter factory
     */
    private void setupSchema() throws NamingException {
        // In NW04, the IPcdUtils interface can be used instead of the deprecated IPcdObjectFactory
        IPcdObjectFactory pcdObjectFactory =
                ((IPcdGlService) PortalRuntime.getRuntimeResources().getService(IPcdGlService.KEY))
                        .getPcdObjectFactory();

        pcdObjectFactory.recreateSchemaEntry(FILTER_CLASS,
                this.getFilterClassAttributes(pcdObjectFactory),
                null);
    }

    /**
     * IPcdAttributes
     */
    private IPcdAttributes getFilterClassAttributes(IPcdObjectFactory pcdObjectFactory) throws NamingException {
        IPcdAttributes attributes = pcdObjectFactory.createPcdAttributes();
        attributes.put(IPcdAttribute.OBJECT_CLASS, IPcdAttribute.OBJECT_CLASS_FILTERCLASS);
        attributes.put(IPcdAttribute.APPLICATION, SERVICE_KEY);
        attributes.put(IPcdAttribute.FILTER_FACTORY, FILTER_FACTORY_CLASS_NAME);
        return attributes;
    }
}

jndi.properties

# --------------------------------------------------
# Provider resource file for JNDI service providers.
# --------------------------------------------------
#
# Initial Context Factory
# java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
#
#
# Object factories
java.naming.factory.object=com.widgets.CountryFilterFactory

portalapp.xml

<?xml version="1.0" encoding="utf-8"?>
<application>
  <application-config>
    <property name="SharingReference" value="com.sap.portal.pcd.glservice,usermanagement"/>
    <property name="startup" value="true"/>
    <property name="releasable" value="false"/>
  </application-config>
  <components/>
  <services>
    <service name="CountryFilterService">
      <service-config>
        <property name="className" value="com.widgets.CountryFilterService"/>
        <property name="classNameFactory" value=""/>
        <property name="classNameManager" value=""/>
        <property name="startup" value="true"/>
        <property name="poolFactory" value="0"/>
      </service-config>
    </service>
  </services>
</application>

Once the component is created, simply deploy the portal service into your environment.

Tagging Portal Content

After the component has been deployed, the next step is to “tag” or label the content. All objects that should be filtered are children members, whereas pages and folders are parents that contain the filter factory listing. If you have not implemented an override mechanism, it is necessary to tag the children (iViews, layouts) first before placing the filter factory on the parent objects; otherwise you would not be able to tag the children (iViews and layouts) because the content wouldn’t pass the filter expression.

It is important to remember that if you are trying to filter iViews on a page, you must tag the page layouts in addition to iViews or allow all not tagged content to render by default in your filter expression! The page used in this example contains layouts and iViews and looks like the following (notice the page layouts in addition to the iViews assigned to the page):

Figure 4: Page Components

All page layouts are tagged with a “com.widgets.country” attribute and have a value of “ALL”, as shown here:

Figure 5: Sample Page Layout Tagging

The iViews are tagged in the following manner:

US iView = “US”
Germany iView = “DE”
All User = “ALL”
No Country = not tagged with attribute

As the referenced SDN article states, objects that contain children to be filtered require a filter factory to be placed on them. You can add these attributes programmatically using the PCD GL APIs. For filter factories, SAP requires the com.sap.portal.pcd.gl.FilterAssigment attribute along with the appropriate object factory class to be used. In this case, it would look like the following:

Figure 6: Filter Factory Attribute on Page

In addition to placing the filter factory on the page, it should also be implemented at the folder level in the portal catalog for two reasons:

1) Security – the user should not see the iViews that don’t belong to their country (as they can add it to a page that doesn’t implement the filter factory and have it render)

2) Usability – the user would be confused if they saw the iView in the catalog, but if they added it to a page it would not render

As such, the same attribute and filter factory value that was placed on the page is placed on the “iViews” folder under Widgets Company. This ensures that all iViews underneath the folder are checked for proper permission before being listed.

Demo

When a user with the country attribute “US” logs into the portal, he/she would see the following:

Figure 7: US User Page View

As expected, the Germany and “not tagged” iViews do not show up on the page; however, the ones tagged “US” and “ALL” do render. In addition, when the US User tries to personalize any page and views the catalog, he/she would see the following:

Figure 8: US User Personalization View

In addition to personalization, if the US User was a member of the content administrator role (super admin overrides), he/she would see the view shown above and not the Germany and “not tagged” iViews. This is good for security, but poses potential issues if the US user is an administrator for Germany content.

Here’s how the page would look for the user with a country value of Germany (DE):

Figure 9: Germany User Page View

Figure 10: Germany User Personalization View

Similar to the US User, the Germany user is seeing only content that is tagged “ALL” or “DE”. If the user is a member of the super admin role, he/she would see the following for their page view:

Figure 11: Super Admin Page View

Figure 12: Super Admin Personalization View

As you can see from the super admin screen shots, all content is being displayed because the filter factory is returning a blank filter expression, which evaluates all content to true, including “not tagged” iViews.

Conclusion

It’s useful to note that any user attribute (or other data pertaining to the user) may be used in the creation of the filter expression. For example, you could use a combination of many user attributes (i.e. country and employee type), including custom attributes from Active Directory or other LDAP source, in order to generate the filter expression.

As you can see from this document, filter factories provide a great mechanism to increase security while reducing duplicate content such as roles, worksets and pages. It also provides security at the portal catalog level, which can significantly reduce the number of folders and complexity in permissions on the folders.

Disclaimer & Liability Notice

This document may discuss sample coding, which does not include official interfaces and therefore is not supported. Changes made based on this information are not supported and can be overwritten during an upgrade. SAP will not be held liable for any damages caused by using or misusing the code and methods suggested here, and anyone using these methods is doing it under his/her own responsibility. SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of the technical article, including any liability resulting from incompatibility between the content of the technical article and the materials and services offered by SAP. You agree that you will not hold SAP responsible or liable with respect to the content of the Technical Article or seek to do so.

Copyright © 2005 SAP AG, Inc. All Rights Reserved. SAP, mySAP, mySAP.com, xApps, xApp, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product, service names, trademarks and registered trademarks mentioned are the trademarks of their respective owners.