Tuesday, May 20
How to configure anonymous CM access
Symptom
A logon window appears when KM iViews are accessed by an anonymous user.
CM is currently designed to support these basic anonymous scenarios:
- Browse
- Search
- Document download/viewing
Consider the following restrictions / recommendations:
1. Not supported for anonymous users due to technical reasons (e.g. all users share the same user ID) are:
- Editing (document, properties), as locking is based on user ID.
- Action inbox
- Personal documents / favorites
- Rating
- Personal notes
- Customized presentation settings
- Subscription
- Review
- Feedback
- Send-to
2. Not recommended scenarios for anonymous users are:
- Presentation settings dialog
- Approval activation/deactivation
- Manual ordering activation/deactivation
- Time dependent publishing activation/deactivation
- Versioning activation/deactivation
- Permission dialog
- Service permission dialog
- Index information
3. Restrictions for all users if anonymous users are used:
- When using the portal drive together with setting the KM docs iView to anonymous, the default guest user will be used for accessing documents and folders. The user and password that are set when mounting a KM folder as a portal drive are ignored in this case.
Workaround: The servlet path /irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs is not affected by the changes of this note. WebDAV clients can use this servlet path to access KM documents, and it allows authentication via basic authentication. The complete URL for the WebDAV root folder is the portal host and port followed by /irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs. Example:
http://localhost:50000/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/documents
- Document links in e.g. notification mails will only work for documents that anonymous users are allowed to see. As an alternative, the action inbox channel / UWL could be used instead of mails.
4. Recommendations if anonymous users are used:
- Remove all permissions for anonymous users for /userhome/ and /entrypoints/recent
- Restrict access for UI commands that should not be visible for anonymous users (see restrictions and recommendations for anonymous users)
- UI commands such as the permissions dialog are displayed to anonymous users with read access. Services that are not supported for anonymous users (subscription) might also be displayed.
How to restrict UI commands to authenticated users
a) Create a new role 'AuthenticatedUsersRole'
b) Assign this role to the group 'AuthenticatedUsers'
c) Assign the role ID to all UI commands (and UI screenflows (User Interface > Mapping > Screenflow)) that should not be visible for anonymous users
Reason and Prerequisites
- By default, KM iViews are deployed with the authentication schemes basic authentication and form-based logon.
- Check whether the file web.xml in the irj web application
(/j2ee/cluster/server
/apps/sap.com/irj/servlet_jsp/irj/root
/WEB-INF) contains the following mapping:
Add the mapping if it is missing.
Solution
1. Go to CM Configuration as System Administrator: Choose System Administration > System Configuration > KM Configuration > Content Management Configuration > Global Services > URL Generator Service (visible in advanced mode). Change URL generator settings as follows:
The value for the parameter "Image Path" must look as follows: /irj/go/km/docs/etc/public/mimes/images
The value for the parameter "Viewer" must look as follows: /irj/go/km/docs
The value for the parameter "XML Forms CSS URL" must look as follows: /irj/go/km/docs/etc/xmlforms
The value for the parameter "Content Access Path" must look as follows: /irj/go/km/docs
b) Replace #/irj/servlet/prt/portal/prtroot/com.sap.km.cm.uidetails# inside the parameters "Resource Properties Page" and "New Resource Properties Page" with #/irj/go/km/details#
The value for the parameters "Resource Properties Page" and "New Resource Properties Page" must look as follows: /irj/go/km/details
c) Replace #/irj/servlet/prt/portal/prtroot/com.sap.km.cm.navigation# inside the parameters "Explorer Servlet" and "Navigation Servlet" with #/irj/go/km/navigation#
d) Replace #/irj/servlet/prt/portal/prtroot/com.sap.km.cm.highlightedcontent# inside the parameter "Highlighted Content" with #/irj/go/km/highlightedcontent#
e) Replace #/irj/servlet/prt/portal/prtroot/com.sap.km.cm.basicsearch# inside the parameter "Basic Search Servlet" with #/irj/go/km/basicsearch#
f) Save the changes.
2. Open the PCD Editor as Content Administrator: Content Administration > Portal Content > Portal Content > Portal Users > Standard Portal Users > Standard User Role > Open > Object
b) Open all contained iViews (Basic Search, Details, Document, Highlighted Content) for editing
c) Select the property category "Advanced"
d) Change the property "Authentication Scheme" to "anonymous"
e) Save the changes.
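Step 1 of the Solution comes down to rewriting every URL Generator value that still uses the /irj/servlet/prt/portal/prtroot/com.sap.km.cm.* prefix, because links generated with that prefix stay on the authenticated servlet path. The following added example (not part of the original post and not SAP tooling) audits a settings dictionary for leftover legacy values and proposes the replacement; the dictionary format, the function names and the "Custom Viewer" parameter are assumptions made for illustration.

```python
import re

# Legacy servlet prefix and the /irj/go/km targets named in step 1 of the Solution.
# The "docs" entry is inferred from the target values the page lists for "Image Path",
# "Viewer", "XML Forms CSS URL" and "Content Access Path".
LEGACY = "/irj/servlet/prt/portal/prtroot/com.sap.km.cm."
ALIASES = {
    "docs": "/irj/go/km/docs",
    "uidetails": "/irj/go/km/details",
    "navigation": "/irj/go/km/navigation",
    "highlightedcontent": "/irj/go/km/highlightedcontent",
    "basicsearch": "/irj/go/km/basicsearch",
}
_LEGACY_RE = re.compile(re.escape(LEGACY) + r"([A-Za-z]+)")


def rewrite(value):
    """Return (rewritten value, legacy components with no known replacement)."""
    unknown = []

    def swap(match):
        component = match.group(1)
        if component in ALIASES:
            return ALIASES[component]
        unknown.append(component)
        return match.group(0)  # leave unrecognised servlet paths untouched

    return _LEGACY_RE.sub(swap, value), unknown


def audit(settings):
    """Report every parameter that still points at the legacy servlet path."""
    findings = {}
    for name, value in settings.items():
        proposed, unknown = rewrite(value)
        if proposed != value or unknown:
            findings[name] = {"proposed": proposed, "unknown": unknown}
    return findings


# Constructed sample export; "Custom Viewer" and its component are hypothetical.
SAMPLE = {
    "Image Path": LEGACY + "docs/etc/public/mimes/images",
    "Resource Properties Page": LEGACY + "uidetails",
    "Explorer Servlet": "/irj/go/km/navigation",  # already migrated
    "Custom Viewer": LEGACY + "customviewer",
}

if __name__ == "__main__":
    for name, finding in audit(SAMPLE).items():
        print(name, "->", finding["proposed"], finding["unknown"])
```

Parameters reported with a non-empty "unknown" list have no replacement named on this page and need a manual decision.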