
Permission problems in Federated Portal Setup

Former Member
0 Kudos
166

Hello SDNers,

I am trying to set up Federation between two portals. Both the portals are in the same domain and use the same LDAP user data source.

Both the portals are on NW 7.0 EHP1 SP 05.

I am following the online help and a few other links. I have followed all the steps explained.

SSO and trust between portals are properly set up and validated.

The point where I am stuck is with the permissions on the producer portal for the "Guest" user.

If I assign Super Admin role to the Guest user in the producer portal, everything works fine. I can see the roles in Consumer portal for Remote Role Assignment and also I am able to do Remote Delta Links.

However, this is not anticipated. (We cannot assign super admin to Guest user)

If I remove the Super Admin role from the Guest user in the producer portal, everything breaks - I cannot see the remote roles from Consumer portal, I cannot see any content under Netweaver Content Producers for the given producer.

I have given "Everyone" group - read access to everything below "Portal Content" folder both on producer and consumer portals.

PCD_Service user is assigned the actions Remote_Producer_Write_Access and Remote_Producer_Read_Access in both portals.

Log says:

Call failed 
EXCEPTION
SOAP Fault Exception (Actor SAPEPP) com.sapportals.portal.prt.service.soap.exception.SoapFaultHandler] : The User Authentification is not correct to access to the Portal Service com.sap.portal.prt.soap.Bridge or the service was not found.

My Questions are:

1. What does the Guest user have to do in the whole process - where exactly is it used?

2. How can I give the Guest user the required permissions (especially to portal service com.sap.portal.prt.soap.Bridge)?

Please suggest.

Thank you,

Raj Kumar

Accepted Solutions (1)


dao_ha
Active Contributor
0 Kudos

Hi Raj,

Please refer to SAP Note 1295704 where it specifies that guest users cannot use the FPN services that are included in low security zone.

If you must use Guest user account in the consumer then you should try RDL (instead of RRA) to access the portal objects.

Hope it helps.

Regards,

Dao

Former Member
0 Kudos

Thank you for your answers.

Vaibhav -

I have checked the "End User" option for Everyone group in producer portal.

How do I assign security zones permission to Everyone group?

Can you please throw some light in that area.

Dao -

I do not want to use the Guest user anywhere.

However, internally somehow the "Guest" user is being used for communication between producer and consumer.

Also, the Guest user we are talking about is the one on the producer portal (not on consumer)

How can I make use of a different user for FPN purposes and make sure that it has access to all the FPN related services on the producer ?

Once again - to emphasize -

If I assign super admin role to Guest user on producer portal - everything works fine (RRA and RDL)

If I remove the super admin role from Guest user on producer portal - neither RRA nor RDL will work.

Kindly suggest.

Thank You once again for your time.

-- Raj

dao_ha
Active Contributor
0 Kudos

Hi Raj,

> However, internally somehow the "Guest" user is being used for communication between producer and consumer.
>
> Also, the Guest user we are talking about is the one on the producer portal (not on consumer)

Can you be more specific about this one: what kind of communication? Do you mean this account is only used for communication (in the background) between the producer and the backend? Can you replace the "Guest" with another dialog/service account or replace the "Guest"'s profile with another one?

Also, do you have a UME master system? Please refer to Note 1398273 to verify your method of authentication ticket, etc.

Regards,

Dao

Former Member
0 Kudos

Hello Dao,

Thank you for pointing me in the right direction.

The problem was indeed with the UME master system.

As per note 1398273:

If there is a UME master system present, the authentication must be based on the Authentication Ticket Type of this system. The Authentication Ticket Type may be configured to "SAP Assertion Ticket", then when a SOAP call is sent in FPN it is sent as a "SAP Assertion Ticket".

If there is no EvaluateAssertionTicketLoginModule in the Logon Module Stack of the recipient of the SOAP call, then the SOAP call will reach the recipient as a guest user, thus causing it to fail due to lack of permissions.

Problem solved.

Thanks a lot!!

- Raj

dao_ha
Active Contributor
0 Kudos

Hi Raj,

No problem. Glad to hear that your issue was resolved.

Regards,

Dao

Former Member
0 Kudos

Hello Dao,

I have problem with RDL setup and I am getting the following error:

Could not create remote delta link to object 'page id'. Could not connect to the remote portal. The remote portal may be down, there may be a network problem, or your connection settings to the remote portal may be configured incorrectly.

Can you please check my thread if you get a chance and let me know what you think?

Thank you in advance.

- Raj

Answers (1)


Former Member
0 Kudos

Hi Raj,

Check this thread, it might help you.

While assigning permissions to Everyone for portal content in producer portal, did you check "End user"? In our scenario, we usually select it.

Did you configure the security zones permission for everyone group?

Regards,

Vaibhav