Deleting Public/ Personal folders

0 Kudos

Hi,

I have the following query:

I would like to delete Public and Personal folders in KMC

i.e.

Home > Documents > 'Personal Documents' folder and

/documents/Public Documents folder.

Should I be able to delete these folders?

What specific roles should a user have to be able to perform these operations?

Could you please help?

Thanks and regards,

MB

Accepted Solutions (1)

paul_goetz
Explorer
0 Kudos

Hi Moitreyee,

sorry, but there seems to be one basic misunderstanding here: all permissions are somehow cumulative.

In other words: if the user is granted the permission by some ACL or system principal permission, it won't be revoked by another rule.

So: If a user is allowed to do something by ACL, then the system principal permission will *not* overwrite that permission.

So,

ad 1) "If user/role has a permission which is defined in System Principals but which is not present in the resource ACL, then the System Principal permission overrides the ACL."

-> Yes, if that resource ACL contains an entry, with a specific ACE. A resource ACL without ACL entry defaults to "Everybody Full Control".

ad 2) "Similarly, if user/role has a permission defined in resource ACL which is not present in the System Principals, then the ACL permission overrides the System Principal."

-> No, it's no "overwrite", it's just that the regular ACL already granted that right and the system principals will not be checked.

and about the example "(Eg: I tried deleting the Public Documents folders as System Admin with default ACL (Everyone: Full control),

but without the Delete permission in System principals.

I was able to delete the folder)."

--> That's ok, since "Everyone: Full control" already grants permission to delete, so the system principal's permission is not checked.

"So System Principals do not always override the ACL permission."

-> See above: it's no "overwrite", it's just a logical union - if the permission is granted by resource ACL or by system principal permission, access is granted.

Best regards,

Paul
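
The evaluation described in this answer, as an added Python sketch (not part of the original thread and not SAP code): access is the logical union of the resource ACL and the system principal permissions, and an ACL without entries behaves like "Everyone: Full Control". All user, role and group names and the sample ACLs are constructed for illustration.

```python
# Simplified model of the evaluation described above; not SAP KM code.
FULL_CONTROL = "Full Control"
EVERYONE = "Everyone"

def acl_grants(acl, principals, permission):
    """acl maps a principal (user, group or role) to its set of permissions."""
    if not acl:
        # A resource ACL without entries defaults to "Everyone: Full Control".
        return True
    for principal in set(principals) | {EVERYONE}:
        granted = acl.get(principal, set())
        if permission in granted or FULL_CONTROL in granted:
            return True
    return False

def system_principal_grants(system_principals, principals, permission):
    """system_principals maps a system principal to its set of permissions."""
    return any(permission in system_principals.get(p, set()) for p in principals)

def check_access(acl, system_principals, principals, permission):
    """Return (allowed, source). The two sources form a logical union."""
    if acl_grants(acl, principals, permission):
        return True, "resource ACL"  # system principals are not consulted
    if system_principal_grants(system_principals, principals, permission):
        return True, "system principal"
    return False, "none"

def who_can(permission, acl, system_principals, users):
    """Audit helper: every user that can perform `permission`, with the source."""
    result = {}
    for name, principals in users.items():
        allowed, source = check_access(acl, system_principals, principals, permission)
        if allowed:
            result[name] = source
    return result

# Constructed sample data (illustrative names, not taken from a real portal).
USERS = {
    "sysadmin": {"sysadmin", "system_admin_role"},
    "editor": {"editor", "content_admin_role"},
    "reader": {"reader", "project_group"},
}
SYSTEM_PRINCIPALS = {"content_admin_role": {"Read", "Write", "Delete"},
                     "system_admin_role": {"Read"}}
DEFAULT_ACL = {EVERYONE: {FULL_CONTROL}}       # default ACL from the example
RESTRICTED_ACL = {"project_group": {"Read"}}   # nobody has Delete in the ACL
```

Running `who_can("Delete", ...)` against each folder's ACL gives the effective list of users who can delete it, which is the list to review before tightening either the ACL or the system principal settings.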

0 Kudos

Hi Paul,

Thank you very much for your replies.

Best regards,

Moitreyee

Answers (2)

Former Member
0 Kudos

Hi

Super admin role takes into account all the roles available for portal, i.e. content admin, user admin as well as system admin. Permissions to the folder are the key for deleting or creating by a user. And super admin of a portal has all the permissions.

Hope this helps you.

Don't forget to give points.

With regards

subrato kundu

0 Kudos

Hi Subrato,

Thank you for your reply.

a) I do understand that a Super Admin has all the lesser roles, namely - Content Admin, User Admin, System Admin etc.

However would only a Content Admin or only a User Admin or only a System Admin be able to delete Public and Personal folders?

b) You also mentioned that Permissions to the folder is the key for deletion or creation by a user.

Which specific Permission should the user have ?

Does this mean that any user having that Permission for the folder(s) has rights to delete the folder(s) irrespective of the role he has?

Thanks and regards

Moitreyee

P.S. I have awarded you points.

Former Member
0 Kudos

Hi

Content admin, user admin and system admin are the pieces of delegated administration. Please go through this link; don't get baffled by the content, just search for terms such as user administration, content administration and system administration.

http://help.sap.com/saphelp_ep60sp2/helpdata/en/38/76bd3b6e74d708e10000000a11402f/plain.htm

There are two levels of permissions: one is resource level permission and the other is service level permission. This actually enforces the security on the portal. Role is the entry point to the portal; to a role a user is assigned, and corresponding permissions to the user.

Created a newsystem and set the permissions in

system administration > permissions > systemlandscape > newsystem

Hope this helps you.

With regards

subrato kundu

Please don't forget to give points.

Former Member
0 Kudos

Hi Moitreyee,

why don't you go to the mentioned folders on "Details" -> "Settings" -> "Permissions"?!? There you'll see the ACL (access control list) for these folders. An ACL specifies which users, groups, or roles have which access permissions for these items. You'll have to check who is having "Delete" or "Full Access" Permission, because this would be the permission needed in order to be able to delete the folder. If you see, let's say, that the "super_admin"-role has "Full Control", then all users with the "super_admin"-role (and only those) can delete the folder.

Please check this link (and the links mentioned there) for more information concerning KM Permissions:

http://help.sap.com/saphelp_nw04/helpdata/en/1b/12c49eb27011d5993800508b6b8b11/frameset.htm

Hope this clarifies things,

Robert

PS: Actually, permissions on these folders should be set as suggested by SAP in note 599425. And I would not recommend deleting those folders. Any special reason???

0 Kudos

Hi Robert,

Thank you very much for your reply.

I am knowledgeable to some extent regarding ACLs.

I am a little unclear about the following -

i) It seems to me that the Role of a user is not really important for deleting the folders.

ii) What is important is whether the user has been granted "Full Control" or "Delete" Permissions in the Folder > Details > Permission iview.

So does this mean that even the Super Admin/ Content Admin/ Content Manager/ System Admin or User Admin *would not* be able to delete the folders unless they have been explicitly assigned the Permissions to do so ?

iii) I am testing this scenario and hence I need to check these functions.

Thank you once again for your reply.

Regards,

Moitreyee

P.S. I do not always get the options here for awarding points. Do you have any idea how I may go about this?

Message was edited by: Moitreyee Banerjee

Former Member
0 Kudos

Hi Moitreyee,

it looks like you understood right. The roles like Super Admin/Content Admin/System Admin/etc. are only important for KM Permissions if these roles are part of the ACLs of the specific folders.

You can try to remove all roles, groups and users from the ACL list (-> Details -> Permissions) of a specific folder. As a result no user with super_admin role or other role can delete this folder. The system will add the user who removed all entries from the ACL list to the permission owner, so that there is always someone who can give permissions.

You might want to ask, if the users with super_admin role are not necessarily able to control permissions on every KM folder, how can permissions be corrected if someone removes all ACL entries from a folder with "Everyone"="Full Control"??? For this there is the concept of "System Principal". You can activate users, groups and roles as system principal. Every system principal user and every user with a system principal role is "Permission Owner" on every KM Folder and can change permissions. Please take a look at the SAP Help information about System Principals:

http://help.sap.com/saphelp_nw04/helpdata/en/19/56f28fbd4e11d5993b00508b6b8b11/frameset.htm

Hope this clarifies things,

Robert

PS: The rating stars should be on the left side of my post if you have marked this thread as question. If you still experience problems with rating, please write a short mail at SDN@sap.com with a link to this thread. Thanks a lot!

0 Kudos

Hi Robert,

Your answers & especially the link to the Help file helped me a lot.

All this while, I have been able to perform the Delete operations on various folders (along with the Public and Personal folders), although I wasn't assigned the 'Delete' or 'Full Control' permissions.

I have been quite confused regarding this, since the Help documentation on Permissions

(http://help.sap.com/saphelp_nw04/helpdata/en/1b/12c49eb27011d5993800508b6b8b11/frameset.htm)

doesn't mention anything regarding System Principals.

The link you sent me regarding System Principals has helped me greatly.

I now know that the resource permissions specified in System Principals override the KM Permissions

(KM Resource > Details > Permissions).

And therefore, Users / Roles/ Groups can perform all Read/ Write/ Delete operations on KM explorer resources even though they haven't been assigned permissions in the KM resources' Permission iview, so long as, the Users/ Roles/ Groups have these permissions specified in System Principals.

Thanks a lot,

Best wishes,

Moitreyee

P.S. I have awarded you points

Former Member
0 Kudos

Hi Moitreyee,

that's great to hear! I'm glad I could be of help.

Just one remark: Mark this thread as solved (for example by using a blue star) so that people notice from the thread list that your question is answered.

Thanks and best regards,

Robert

0 Kudos

Hi Robert,

1) I removed the 'Delete' permission from the Content Admin role in System Principals (& restarted the portal as suggested).

However, when I log in with that role, I am still able to delete folders in KM Explorer although I haven't been assigned at all in the folder > Permission iview.

2) The Content Admin role in Sys Principal is :

pcd:portal_content/administrator/content_admin/content_admin_role

whereas the Content Admin role assigned to me is :

pcd:portal_content/administrator/content_admin

Do you think these roles are the same?

When I searched in the PCD for role "content_admin", the search returned only the former role.

What should be the correct behaviour?

Is there anywhere else where I define system wide permissions for users?

Kindly help.

Thanks and regards

Moitreyee

Former Member
0 Kudos

Hi Moitreyee,

>The Content Admin role in Sys Principal is :

>pcd:portal_content/administrator/content_admin/content_admin_role

>

>whereas the Content Admin role assigned to me is :

>pcd:portal_content/administrator/content_admin

>

>Do you think these roles are the same?

YES! When you are looking at your roles using the "Role Assignment" iView you'll see the columns ID and Name. You have to combine these values to get the Role PCD ID (= Name + ID).

"pcd:portal_content/administrator/content_admin" + "content_admin_role" = your entry under System Principal Roles.

This should explain why you still have the "Delete" rights.

Hope this helps,

Robert

0 Kudos

Hi Robert,

Thank you for the clarification regarding the roles.

However, if both the roles are the same, taking the Delete permission off the role in System Principals, should henceforth disallow the role from performing deletion.

Thanks and regards,

Moitreyee

Former Member
0 Kudos

Hi Moitreyee,

yes, you are right.

1) Have you restarted the J2EE Engine after changing "System Principal" configuration???

2) Have you checked that you do not have another System Principal Role or System Principal User, or are a member of a System Principal Group, with delete permissions?

3) When you remove the Content Admin Role from yourself, do you still have delete permission???

Hope this helps,

Robert

PS: Please be consequent in using the stars, and give points on EVERY helpful and very helpful answer.

THANKS!!!

0 Kudos

Hi Robert,

Answering your questions -

1) Yes I have restarted the J2EE engine.

2) There is a System Principal User 'cmadmin_service' who has Delete resource permissions.

As far as I know the Content Admin doesn't have this service.

But is there anywhere in the portal, where I can check for a mapping between a service and a role (or a user)?

3) I haven't removed the Content Admin role from myself but I tested with another user who doesn't have this role. He has only Collaboration and CollaborationDemoRole.

Surprisingly, even when he has been assigned Read permission for a folder, he is unable to view any documents in the folder.

Thanks a lot for your help.

Regards,

Moitreyee

P.S - I have been giving stars but the option "Very helpful answer" was disabled this time. Only Helpful answer was enabled. I have therefore selected "Helpful answer" repetitively

0 Kudos

Hi Robert,

I understand that:

1) If user/role has a permission which is defined in System Principals but which is not present in the resource ACL, then the System Principal permission overrides the ACL.

2) Similarly, if user/role has a permission defined in resource ACL which is not present in the System Principals, then the ACL permission overrides the System Principal.

(Eg: I tried deleting the Public Documents folders as System Admin with default ACL (Everyone: Full control),

but without the Delete permission in System principals.

I was able to delete the folder).

So System Principals do not always override the ACL permission.

Kindly let me know if this is correct

Thanks and best regards,

Moitreyee

Former Member
0 Kudos

Hi Moitreyee,

You should have super admin role added to the user to be able to delete those folders.

Regards

Prakash

0 Kudos

Hi Prakash,

Thank you for your prompt reply.

Would the user with Content Admin or Content Manager role be able to perform these operations?

Thanks and regards,

Moitreyee