Using Liferay's Administrative Portlets
The Enterprise Admin portlet is used for most administrative tasks. You added this portlet to the top left of the Admin page you created in the administrator's private pages area. This portlet has an interface for the creation and maintenance of
Additionally, it allows you to configure many server settings, including:
Information about the site
Authentication options, including Single Sign-On and LDAP integration
Default User Associations
Reserved Screen Names
Mail Host Names
You will use the Enterprise Admin portlet to create your portal structure, implement security, and administer your users. Note that only users with the Administrator role—a portal scoped role—have permission to add the Enterprise Admin portlet to a page.
Let's begin by adding a user account for yourself. We will then configure this account so that it has the same administrative access as the default administrator account. Click the Add User button in the Enterprise Admin portlet.
Illustration 54: The Add User screen. The portlet will maximize to take up the whole screen and then present you with the Add User form. Fill out the form using your name and email address. When you are finished, click Save.
The portlet will then reappear with a message saying that the save was successful, and there will now be an expanded form which allows you to fill out a lot more information about the user. You don't have to fill anything else out right now, but one thing is important to note: when the user ID was created, a password was automatically generated and, if Liferay has been correctly installed (see Chapter 2), an email message with the password in it was sent to the user. This of course requires that Liferay can properly communicate with your SMTP mail server in your organization.
If you have not yet set up your mail server, you will need to use this screen to change the default password for the user ID to something you can remember. You can do this by clicking on the Password tab, entering the new password in the two fields, and clicking Save.
Next, you will want to give your user account the same administrative rights as the default administrator's account. This will allow you to perform administrative tasks with your own ID instead of having to use the default ID. And this allows you to make your portal more secure by deleting or disabling the default ID.
Illustration 55: Liferay's User Account editor. Click the Regular Roles tab, and then click the Assign Regular Roles button. You will then be taken to a screen which shows the regular roles to which your ID is currently assigned. By default, these are User and Power User. A User role is held by anyone in the system: it defines the difference between a Guest and a person who has a user ID in the portal. By default, all users are also assigned the Power User role. This role by default gives users their own personal pages (both public and private) where they can place portlets, though this functionality can now be changed in Liferay 5.1. You can define the default roles a new user receives in the Enterprise Admin portlet; we will go over this later.
To make yourself an Administrator, click the Available tab. You will see a list of all the roles in the system. Check off the Administrator role and then click the Update Associations button. You are now an administrator of the portal. Log out of the portal and then log back in with your own user ID. You can now create a private page for the administration portlets and set them up in your own space.
If you click the Users tab in the Enterprise Admin portlet, you will see that there are now two users in the list of users. If you wanted to change something about a particular user, you can click the Actions button next to that user.
Edit User: This takes you back to the Edit User page, where you can modify anything about the user.
Permissions: This allows you to define which Users, User Groups, or Roles have permissions to edit the user.
Manage Pages: If the user has pages, this allows you to edit them.
Impersonate User: This opens another browser window which allows you to browse the site as though you were the user.
Deactivate: Clicking this will deactivate the user's account.
Note that most users will not be able to perform most of the above (in fact, they won't even have access to the Enterprise Admin portlet). Because you have administrative access, you can perform all of the above functions.
Organizations in Liferay are meant to model organizations in real life. They can be used to represent different companies, non-profit organizations, churches, schools, clubs, and so on. The example we use in our Lifecasts uses them to represent a sports league, with various sports (soccer, baseball, basketball, etc.) and their teams as sub-organizations. If you have a collection of users that all belong to the same grouping, you may be able to model that as an organization.
Your portal may have only one organization or several, depending on what kind of site you are building. For example, a corporate site may model its own organization hierarchy in Liferay, while a social networking site may have users from many separate organizations who access the site. Organizations can have a hierarchy to unlimited levels, and Users can be members of one or many organizations—inside of a hierarchy or across hierarchies.
Additionally, Organizations can be granted permissions over portal resources, and can also be associated with Roles. One application of this in a corporate setting could be an IT Security group. You may have an organization within your IT organization that handles security for all of the applications company-wide. If you had users as members of this organization, you could grant the Administrator role you just granted to your own ID to the whole Organization, thereby giving the members of the IT Security organization administrative access to the portal. If a user in this organization later was hired by the Human Resources department, the simple administrative act of moving the user from the IT Security organization to the HR organization would remove this privilege from the user, since the user would no longer be in an organization that has the Administrator role. By adding the user to the HR organization, any roles the HR organization has (such as access to a benefits system in the portal) would be transferred to the user. In this manner, you can design your portal to correspond with your existing organization chart, and have users' permissions reflect their positions in the chart.
Of course, this is only one way to design it. If you have more complex requirements, you can combine Organizations with User Groups and Roles to assemble the sets of permissions you wish to grant to particular users.
Organizations are one of two types of Liferay resources (the other being Communities) that can have its own pages. This allows members of the organizations (if they are granted the Manage Pages permission) to maintain their own pages. They can have a set of public pages which include information and applications appropriate for guests or logged in users to make use of (such as a help desk ticket entry system for an IT page), and they can have a set of private pages with applications for the organization's own use (such as the back-end portlets of the same ticketing system).
To add an organization, click the Organizations tab in the Enterprise Admin portlet, and then click the Add Organization button.
Illustration 56: Adding an organization. Name: The name of the organization.
Parent Organization: Click the Select button to bring up a window which allows you to select the organization in the system that is the direct parent of the organization you are creating. Click the Remove button to remove the currently configured parent.
Type: Use this to choose whether this is a regular organization or a location.
Country: Choose the country where this organization is located.
Region: Select the region within the country where this organization is located.
Fill out the information for your organization and click Save.
As before with users, the form reappears and you can enter more information about the organization. Organizations can have multiple email addresses, postal addresses, web sites, and phone numbers associated with them. The Services tab can be used to indicate the operating hours of the organization, if any.
For now, click the Back button. This will take you back to the list of organizations.
Click the Actions button next to the new organization you have created. You will then see the many actions you can take to manipulate this organization.
Edit: Lets you edit the organization.
Permissions: This allows you to define which Users, User Groups, or Roles have permissions to edit the Organization.
Manage Pages: Lets you create and manage public and private pages for the Organization.
Assign User Roles: Lets you assign Organization-scoped roles to users. By default, Organizations are created with three roles: Organization Administrator, Organization Member, and Organization Owner. You can assign one or more of these roles to users in the organization. All members of the Organization get the Organization Member role.
Assign Members: Takes you to a screen where you can search and select users in the portal to be assigned to this organization as members.
Add User: Adds a new user in the portal who will be a member of this organization.
View Users: Shows a list of users who are members of this organization.
Add Suborganization: Lets you add a child organization to this organization. This is how you create hierarchies of organizations with parent-child relationships.
View Suborganizations: Shows a list of all the organizations that are children of this organization.
Delete: Deletes this organization from the portal. You will have to ensure that the organization has no users in it first.
Tip: Note that you are already a member of the organization you created, because you created it. By creating an organization, you become both a member and have the Organization Owner role, which gives you full rights to the organization.
User Groups are arbitrary groupings of users. These groups are created by portal administrators to group users together who don't have an obvious organizational or community-based attribute or aspect which brings them together. Groups can have permissions, much like roles. You would therefore use a User Group to grant permissions to any arbitrary list of users.
For example, a User Group called People Who Have Access to My Stuff could be created, and permission to a particular Document Library folder could be granted to that User Group. This list of users could be members of separate Organizations, Communities, or Roles, who happen to also have access to this Document Library folder which is on some personal, community, or organization page that is accessible to them in the portal.
Creating a User Group is easy. Click the User Groups tab and then click the Add User Group button. There are only two fields to fill out: Name (the name of the User Group) and Description (an optional description of what the group is for). Click Save and you will then be back to the list of groups.
As with the other resources in the portal, you can click the Actions button to perform various operations on User Groups.
Edit: Allows you to modify the name or description of the User Group.
Permissions: This allows you to define which Users, User Groups, or Roles have permissions to edit the User Group.
Manage Pages: Though User Groups don't have pages of their own, you can create page templates for a group. When a User Group has page templates, any users added to the group will have the group's pages copied to their personal pages. This allows you to do things like create a Bloggers user group with a page template that has the Blogs and Recent Bloggers portlets on it. The first time users who are added to this group log in to the portal, this page will get copied to their personal pages. They will then automatically have a blog page that they can use.
Assign Members: Takes you to a screen where you can search for and select users in the portal to be assigned to this User Group.
View Users: Lets you view the users who are in the User Group.
Delete: Deletes the User Group.
User Groups and Page Templates
Liferay allows users to have a personal set of public and private pages that each user can customize at will. The default configuration of those pages can be determined by the portal administrator through the portal.properties file and optionally by providing the configuration in a LAR file. Though this has been a long-time feature of Liferay, it was not very flexible or easy to use.
Liferay version 5.1 introduces the concept of page templates which are tied to User Groups. This enables administrators to provide the same configuration for the personal pages of all (or just a subset of) users. In some cases you may want to provide a different configuration for each user depending on his or her profile. For example, in a portal for University students, staff and undergraduates would get different default pages and portlets. You can also set it up so that different groups are combined together to create the desired default configuration. When a user is assigned to a user group, the configured pages templates are copied directly to the user's personal pages.
Tip: The screen shots in this section show the old classic theme because they were taken right before it was revamped for 5.1. For that reason they'll be slightly different from what you'll find in an out-of-the-box Liferay 5.1 version. We thought it was more important to get the information to you as fast as possible.
User Group Page Templates: Defining page templates for a user group
The a User Group's page templates can be administered using the Enterprise Admin portlet. The User Groups tab lists all the existing user groups and allows you to perform several actions on each of them.
Illustration 57: Manage Pages action on a User Group. By selecting the new Manage Pages action the administrator will access the common Liferay UI for creating pages and organizing them in a hierarchy.
Illustration 58: Adding a Page Template. Note that it is possible to create both public and private pages. Each set will be used as templates to be copied to the user's personal public or private page sets respectively when the user becomes a member of the user group.
In the screen shot above, the administrator has created a new private page called You are a student within the Student2 user group. Since the page created is a portlet page, the administrator can now click the View Pages button to open the page and add as many portlets as desired to that page and configure them as needed. Let's assume for this example that the Loan Calculator and Calendar portlets are selected.
Applying the page templates by assigning members to the user group
The next step will be to assign an existing user to that group to verify that the page template is copied as a user's private page. To that end, the Assign Members action has to be selected in the list of available user groups.
Illustration 59: Assigning Members to a User GroupBy clicking the Available tab in the next screen, a list of all available users is shown. From that list, one or more users can be selected to make them members of the user group. When the Update Associations button is clicked, the users become members of the group and copies of any public or private page templates which are configured for the user group are copied to their page sets.
In the previous example, a user that already had an existing page called Welcome will now have a new page called You Are A Student the next time she accesses her private pages. That page will contain two portlets: Loan Calculator and Calendar as configured by the User Group administrator:
Illustration 60: Template copied to a user's page set. Additional details
Because the pages are copied to a user's set of pages, once copied, they can be changed at any time. When a user is removed from a user group the associated pages won't be removed: they have become that user's pages. The system is smart enough, however, to detect when a user is added again to a group of which he or she was already a part, and the pages are not added again.
If an administrator modifies page templates for a User group after users have already been added to the group, those changes will be used when new users are assigned to the user group. Since the pages are templates, however, the changes won't be applied to users that were already members of the user group.
Users can belong to many User Groups. If you have templates defined for a number of groups, this may result having many page templates copied to users' pages. To prevent this, you can combine pages from different user groups into a single page. This will be covered in the next section.
Composing A Page Out of Several User Groups
While the functionality described so far is quite powerful, in some complex scenarios it might not be enough. This section describes how more even flexibility can be achieved by combining the pages from different user groups into a single user page when he or she belongs to more than one of them.
Let's expand our previous example by dividing the Students into First Year Students, Second Year Students, Third Year Students, International Students, and Prospective Students. For each of these types of students we want them to have a page with the Loan Calculator and Calendar, but depending on which type we also want other different portlets to be on that page too.
This can be achieved by a naming convention for the pages. If two or more pages of different user groups have the same name, they will be combined into a single page when they are copied to a user's personal pages set.
In the example above, a User was added to a Students group which had a page called You are a Student. If the administrator creates a page template with the same name (You are a Student) in the First Year Students group and puts in it an RSS portlet pointing to information interesting for them, that page would be combined with the You are a Student page that's in the Students group, and the resulting page would contain the portlets configured for both User Groups:
Illustration 61: Combined portlet pages. Page Combination Rules
The following rules are used when composing a page by combining pages from different user groups:
If a user becomes a member of a User Group that has a page template with the same name in the same set (public or private) as a page that the user already has, those pages will be combined.
If any of the pages has the name translated to several languages, only the default language is considered in the comparison.
The portlets on the new page will be copied to the bottom of the equivalent columns of the existing page.
If the existing and the new pages have different layout templates, the existing one is preserved.
If the new layout template has portlets in columns that do not exist in the existing page, those portlets will be automatically copied to the first column of the existing layout template.
As you can see, it is possible to have a very flexible configuration for the default pages of portal users. Furthermore, that configuration can be changed at any time using the UI administrators are used to and then assigning users to new user groups.
While these examples are somewhat simple, the system allows for as many user groups as desired. By using the convention of matching the page names it is possible to build any default page composition that you want for your users.
Roles are groupings of users that share a particular function within the portal, according to a particular scope. Roles can be granted permissions to various functions within portlet applications. Think of a role as a description of a function, such as Message Board Administrators. A role with that name is likely to have permissions to functions of the Message Board portlet delegated to it. Users who are placed in this role then inherit those permissions.
Roles are scoped by Portal, Organization, or Community. Because the Enterprise Admin portlet by definition is operating on the portal as a whole, you can create Organization or Community roles and assign permissions to them, but you can't assign users to them in the Roles tab. For that, you would need to go to the Community (in the Communities Portlet) or the Organization (on the Organizations tab of the Enterprise Admin portlet or the Organization Admin portlet).
To create a Role, click the Roles tab, and then click the Add Role button. Type a name for your role and an optional description. The drop down box at the bottom of the form lets you choose whether this is a Regular, Community, or Organization role. When you have finished, click Save.
You will be back at the list of roles. To see what functions you can perform on your new role, click the Actions button.
Edit: Click this action to edit the role. You can change its name or description.
Permissions: This allows you to define which Users, User Groups, or Roles have permissions to edit the Role.
Define Permissions: Click this to define what permissions this role has. This is outlined in the next section.
Assign Members: Takes you to a screen where you can search and select users in the portal to be assigned to this role. These users will inherit any permissions given to the role.
View Users: Lets you view the users who are in the Role.
Delete: Deletes the Role.
Defining Permissions on a Role
Roles exist as a bucket for granting permissions to the users who are members of them. So one of the main tasks you will be doing with a role is granting it the permissions that you want members of the role to have.
When you click the Define Permissions action, you are given a choice of two kinds of permissions that can be defined for this role: Portal Permissions and Portlet Permissions.
Illustration 62: Defining Permissions on a Role. Portal permissions cover portal-wide activities that are in several categories, such as Community, Location, Organization, Password Policy, etc. This allows you to create a Role that, for example, can create new Communities in the portal. This would allow you to grant users that particular permission without making them overall portal administrators.
Portlet permissions cover permissions that are defined within various portlets. Clicking the Portlet Permissions button brings you to a page where you can browse the names of the portlets that are currently installed in your portal. Once you choose a portlet, you can then define the actions within this portlet that the role will have permission to perform.
If we stick with our example of a Message Boards Admin role, we would then find the Message Boards portlet in the list and click on it. A new page with configurable permissions would then be displayed (see right).
Each possible action to which permissions can be granted is listed. To grant a permission, choose the scope of the permission. You have two choices: Enterprise and Communities. Granting Enterprise permissions means that permission to the action will be granted across the portal, in any community or organization where there is a Message Boards portlet.
If you choose Communities, a button appears next to the permission allowing you to choose one or more communities in which the permission will be valid. This lets you pick and choose specific communities (for a portal scoped role) in which these permissions are valid for users in this role.
Once you have chosen the permissions granted to this role, click Save. For a Message Boards Admin role, you would likely grant Enterprise permissions to every action listed. After you click Save, you will see a list of all permissions that are currently granted to this role. From here, you can add more permissions (by clicking Add Portlet Permissions or Add Portal Permissions), or go back by clicking a link in the breadcrumb list or the Return to Full Page link.
Roles are very powerful, and allow portal administrators to define various permissions in whatever combinations they like. This gives you as much flexibility as possible to build the site you have designed.