Tuesday, May 20

How to configure anonymous CM access

Symptom
A logon window appears when KM iViews are accessed by an anonymous user.
CM is currently designed to support these basic anonymous scenarios:
  • Browse
  • Search
  • Document download/viewing

Consider the following restrictions / recommendations:
1. Not supported for anonymous users, for technical reasons (all anonymous users share the same user ID), are:
- Editing (documents, properties), as locking is based on the user ID
- Action inbox
- Personal documents / favorites
- Rating
- Personal notes
- Customized presentation settings
- Subscription
- Review
- Feedback
- Send-to
2. Not recommended for anonymous users are:
- Creation/upload of documents. Because anonymous users have a low trust level, there is a risk of cross-site scripting.
- Presentation settings dialog
- Approval activation/deactivation
- Manual ordering activation/deactivation
- Time dependent publishing activation/deactivation
- Versioning activation/deactivation
- Permission dialog
- Service permission dialog
- Index information
3. Restrictions for all users if anonymous users are used:
- WebDAV clients (e.g. MS Web Folders) will only display anonymous content. It is no longer possible to authenticate and see more documents.
When using the portal drive together with setting the KM docs iView to anonymous, the default guest user is used for accessing documents and folders. The user and password set when mounting a KM folder as a portal drive are ignored in this case.
Workaround: The servlet path /irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs is not affected by the changes in this note. Accessing KM documents via WebDAV clients through this servlet path still allows authentication via basic authentication. The complete URL for the WebDAV root folder looks as follows: <server>:<port>/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs. Example: http://localhost:50000/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/documents.
- Document links in e.g. notification mails will only work for documents that anonymous users are allowed to see. As an alternative, the action inbox channel / UWL can be used instead of mails.

4. Recommendations if anonymous users are used:
- Strict ACL settings; only the group 'Authenticated Users' should have write permission to KM repositories
- Remove all permissions for anonymous users for /userhome/ and /entrypoints/recent
- Restrict access to UI commands that should not be visible for anonymous users (see the restrictions and recommendations for anonymous users above)
- Note that UI commands such as the permissions dialog are displayed to anonymous users with read access, and services that are not supported for anonymous users (e.g. subscription) might also be displayed

How to restrict UI commands to authenticated Users
a) Create a new role 'AuthenticatedUsersRole'
b) Assign this role the group 'AuthenticatedUsers'
c) Assign the role ID to all UI commands (and UI screenflows (User Interface > Mapping > Screenflow)) that should not be visible for anonymous users
Reason and Prerequisites
  • KM iViews are deployed by default with the authentication schemes basic authentication and form-based logon.
  • Check whether the file web.xml in the irj web application (/j2ee/cluster/server/apps/sap.com/irj/servlet_jsp/irj/root/WEB-INF) contains the following mapping:

    <servlet-mapping>
        <servlet-name>prt</servlet-name>
        <url-pattern>/go/*</url-pattern>
    </servlet-mapping>

Add the mapping if it is missing.
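The prerequisite check above is easy to get wrong by eye in a large web.xml, so here is an added example (not part of the note or of SAP's own tooling) that parses a deployment descriptor, reports whether the prt -> /go/* servlet mapping is present, and inserts it after the last existing servlet-mapping if it is missing. The sample descriptor is constructed for the example and the servlet class in it is a placeholder; the real irj web.xml is larger.

```python
import xml.etree.ElementTree as ET

SERVLET_NAME = "prt"
URL_PATTERN = "/go/*"

# Constructed sample web.xml (NOT the real irj descriptor); the servlet-class
# is a placeholder. It carries only the /servlet/prt/* mapping, so the
# /go/* mapping required by the note is missing.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>prt</servlet-name>
    <servlet-class>example.PlaceholderPortalRuntimeServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>prt</servlet-name>
    <url-pattern>/servlet/prt/*</url-pattern>
  </servlet-mapping>
</web-app>
"""


def _default_ns(root):
    """Return the '{uri}' prefix ElementTree uses for the document's default namespace, or ''."""
    tag = root.tag
    return tag[: tag.index("}") + 1] if tag.startswith("{") else ""


def find_servlet_mappings(xml_text):
    """List every (servlet-name, url-pattern) pair declared in the descriptor."""
    root = ET.fromstring(xml_text)
    ns = _default_ns(root)
    pairs = []
    for mapping in root.findall(f"{ns}servlet-mapping"):
        name = (mapping.findtext(f"{ns}servlet-name") or "").strip()
        for pattern in mapping.findall(f"{ns}url-pattern"):
            pairs.append((name, (pattern.text or "").strip()))
    return pairs


def has_prt_go_mapping(xml_text):
    """True if the descriptor routes /go/* to the prt servlet."""
    return (SERVLET_NAME, URL_PATTERN) in find_servlet_mappings(xml_text)


def ensure_prt_go_mapping(xml_text):
    """Return the descriptor with the prt -> /go/* mapping added if it was missing."""
    if has_prt_go_mapping(xml_text):
        return xml_text
    root = ET.fromstring(xml_text)
    ns = _default_ns(root)
    if ns:
        # Keep the default namespace unprefixed when serialising.
        ET.register_namespace("", ns[1:-1])
    mapping = ET.Element(f"{ns}servlet-mapping")
    ET.SubElement(mapping, f"{ns}servlet-name").text = SERVLET_NAME
    ET.SubElement(mapping, f"{ns}url-pattern").text = URL_PATTERN
    # Insert directly after the last existing servlet-mapping so the element
    # order also stays valid for older DTD-based descriptors.
    existing = root.findall(f"{ns}servlet-mapping")
    index = list(root).index(existing[-1]) + 1 if existing else len(root)
    root.insert(index, mapping)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("mapping present:", has_prt_go_mapping(SAMPLE_WEB_XML))
    print(ensure_prt_go_mapping(SAMPLE_WEB_XML))
```

Run it against the real file with `ensure_prt_go_mapping(open(path).read())` and review the diff before writing it back; ElementTree drops XML comments, so on a production descriptor it is safer to use the check and paste the four-line mapping in by hand.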
Solution
1. Go to CM Configuration as System Administrator: Choose System Administration > System Configuration > KM Configuration > Content Management Configuration > Global Services > URL Generator Service (visible in advanced mode). Change the URL generator settings as follows:
a) Replace the prefix #/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs# inside the parameters "Image Path", "Viewer", "XML Forms CSS URL", "Content Access Path" with #/irj/go/km/docs#
The value for the parameter "Image Path" must look as follows: /irj/go/km/docs/etc/public/mimes/images
The value for the parameter "Viewer" must look as follows: /irj/go/km/docs
The value for the parameter "XML Forms CSS URL" must look as follows: /irj/go/km/docs/etc/xmlforms
The value for the parameter "Content Access Path" must look as follows: /irj/go/km/docs
b) Replace #/irj/servlet/prt/portal/prtroot/com.sap.km.cm.uidetails# inside the parameters "Resource Properties Page" and "New Resource Properties Page" with #/irj/go/km/details#
The value for the parameters "Resource Properties Page" and "New Resource Properties Page" must look as follows: /irj/go/km/details
c) Replace #/irj/servlet/prt/portal/prtroot/com.sap.km.cm.navigation# inside the parameters "Explorer Servlet" and "Navigation Servlet" with #/irj/go/km/navigation#
d) Replace #/irj/servlet/prt/portal/prtroot/com.sap.km.cm.highlightedcontent# inside the parameter "Highlighted Content" with #/irj/go/km/highlightedcontent#
e) Replace #/irj/servlet/prt/portal/prtroot/com.sap.km.cm.basicsearch# inside the parameter "Basic Search Servlet" with #/irj/go/km/basicsearch#
f) Save the changes.
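Step 1 is a set of prefix replacements across ten parameters, and a parameter left on the old prtroot path is exactly what keeps the logon window appearing. The following added example (not from the note; there is no official export of these settings, so it assumes you have copied the parameter values into a plain dict) applies the replacements from a) to e) and then checks that no parameter still routes through the servlet path. The sample settings are constructed from the old prefixes named in the note.

```python
# Added example: apply and verify the URL Generator Service changes.
# Assumption: settings are a dict of parameter name -> value, typed or
# copied from the configuration UI. Parameter names and target prefixes
# are the ones listed in the note.

OLD_BASE = "/irj/servlet/prt/portal/prtroot/com.sap.km.cm."
NEW_BASE = "/irj/go/km/"

# parameter -> (old servlet component after OLD_BASE, new segment after NEW_BASE)
RULES = {
    "Image Path": ("docs", "docs"),
    "Viewer": ("docs", "docs"),
    "XML Forms CSS URL": ("docs", "docs"),
    "Content Access Path": ("docs", "docs"),
    "Resource Properties Page": ("uidetails", "details"),
    "New Resource Properties Page": ("uidetails", "details"),
    "Explorer Servlet": ("navigation", "navigation"),
    "Navigation Servlet": ("navigation", "navigation"),
    "Highlighted Content": ("highlightedcontent", "highlightedcontent"),
    "Basic Search Servlet": ("basicsearch", "basicsearch"),
}

# Constructed sample: every parameter still on the old servlet prefix.
SAMPLE_SETTINGS = {
    "Image Path": OLD_BASE + "docs/etc/public/mimes/images",
    "Viewer": OLD_BASE + "docs",
    "XML Forms CSS URL": OLD_BASE + "docs/etc/xmlforms",
    "Content Access Path": OLD_BASE + "docs",
    "Resource Properties Page": OLD_BASE + "uidetails",
    "New Resource Properties Page": OLD_BASE + "uidetails",
    "Explorer Servlet": OLD_BASE + "navigation",
    "Navigation Servlet": OLD_BASE + "navigation",
    "Highlighted Content": OLD_BASE + "highlightedcontent",
    "Basic Search Servlet": OLD_BASE + "basicsearch",
}


def rewrite_url_generator(settings):
    """Return a copy of settings with each old servlet prefix swapped for its /irj/go/km/ prefix.

    Only the prefix is replaced; any sub-path (e.g. /etc/xmlforms) is preserved.
    """
    out = dict(settings)
    for param, (old_component, new_segment) in RULES.items():
        value = settings.get(param)
        if value is None:
            continue
        old_prefix = OLD_BASE + old_component
        if value.startswith(old_prefix):
            out[param] = NEW_BASE + new_segment + value[len(old_prefix):]
    return out


def check_url_generator(settings):
    """Return (parameter, problem) pairs for values that would still trigger the logon window."""
    problems = []
    for param, (_, new_segment) in RULES.items():
        value = settings.get(param)
        expected_prefix = NEW_BASE + new_segment
        if value is None:
            problems.append((param, "missing"))
        elif "/servlet/prt/portal/prtroot/" in value:
            problems.append((param, "still uses the prtroot servlet path"))
        elif not value.startswith(expected_prefix):
            problems.append((param, f"expected prefix {expected_prefix}"))
    return problems


if __name__ == "__main__":
    for param, problem in check_url_generator(SAMPLE_SETTINGS):
        print(f"before: {param}: {problem}")
    for param, value in rewrite_url_generator(SAMPLE_SETTINGS).items():
        print(f"after:  {param} = {value}")
```

The checker deliberately flags any value that still contains the prtroot servlet path rather than only the exact old prefix, so a parameter pointing at some other prtroot component is reported as well and can be looked at by hand.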
2. Open the PCD Editor as Content Administrator: Content Administration > Portal Content > Portal Content > Portal Users > Standard Portal Users > Standard User Role > Open > Object
a) Navigate to Home (note the tooltip "com.sap.km.home_ws") > Hidden > URL Access.
b) Open all contained iViews (Basic Search, Details, Document, Highlighted Content) for editing
c) Select the property category "Advanced"
d) Change the property "Authentication Scheme" to "anonymous"
e) Save the changes.
