Implementation 
When the portal application archive is loaded in the system, zones are created if they do not exist. Entries corresponding to the portal objects are then created in the zone.
When a portal object (portal component or portal service) is accessed, the portal runtime checks whether the current user has the permissions required to access the zone to which the portal object belongs. This zone is defined in the portal application descriptor by the property SecurityZone. The check is performed by the application repository by testing if the current user has execute permission for that “security zone”. If the user does not have sufficient permission, a security exception will be returned by the portal runtime.
The naming convention for the security zones is the following:
{Namespace of business application}/{safety level}/{portal application (optional)}
The namespace of the business application is defined as follows:
Business Application |
Namespace |
Portal appications |
com.sap.portal |
User Management |
com.spa.ume |
KM |
com.sap.km |
The third part of the name, the portal application name, is optional. It is the full name of the application for which the security zone is defined. This enables the administrator to configure the permissions for one portal application separately. In most cases, this is not necessary and only increases complexity.
Example
Example of portalapp.xml containing the definition of a zone for a portal component.
<component-config> ... <property name="SecurityZone" value="com.sap.portal/high_safety"/> ... </component-config> |
Example of portalapp.xml containing the definition of a zone for a portal Web service.
<services> ... <service-config> ... <property name="SecurityZone" value="com.sap.test.TestBO/medium_safety"> </property> <property name="WebEnable" value="true"> </property> <property name="WSDL" value="TestBO.wsdl"> </property> </service-config> ... |