|Oracle® Fusion Middleware Administrator's Guide for Imaging and Process Management
11g Release 1 (11.1.1)
Part Number E12782-01
Definition and definition management security is managed through the I/PM user interface. This section covers the following topics:
Definition management security is managed using the Manage Security pages, accessed from the Manage Security panel of the Navigator Pane. To grant, revoke, or copy users and groups rights to applications, inputs, searches or connections, do the following:
Changing Existing User and Group Rights To Definitions
Click Manage Security in the Navigator Pane to expand the pane and expose the definition type you want to manage.
Click the definition type you want to manage:
The Manage Security page for that definition type is displayed.
Click Modify. A toolbar is displayed above the listing of security members and the Create and Administrator security rights columns become active.
Enable or disable the rights next to the security member being modified and click Submit. The modification toolbar closes and the definition management security has been changed.
Revoking Existing Users and Groups Security Rights to Definitions
With the Manage Security page displayed, click Modify.
Select the user or group to delete from the Security Member column.
Click Remove. The user or group is removed from the list and definition management rights for the definition type are revoked.
Granting Users and Groups Rights to Definitions
With the Manage Security page displayed, click Modify.
Click Add. The Add Security Member Page is displayed.
Select Search Groups or Search Users from the choice list and enter the search criteria, then click Search. If no criteria is entered, a listing of all users or groups is returned.
Select the user or group to grant rights from the Security Member column. Multiple selections can be made by holding down either the Shift key on your keyboard when clicking to select a range, or the Control key when clicking to select non-sequential members.
Click Add. The Add Security Member page closes and the users or groups are listed in the Security Member column of the security page.
Enable or disable the rights next to the security member being added and click Submit. The modification toolbar closes and the definition management security has been changed.
Definition security is defined when the definition is created and managed using the appropriate panel of the Navigator Pane. For example, Searches are managed using the Manage Searches panel in the Navigator Pane.
Managing definition security is detailed in the sections of this guide specific to the definition:
Note:Definitions can be accessed and modified by anyone with Administrator security rights to the definition. Definitions cannot be locked while being modified. Consequently, if the same definition is being modified at the same time by different people, only the last changes submitted are saved.
While application definition security and document security are different, document security is defined in the application when it is created. Groups are added and document security rights specified for each group using the Application Document Security Page when the application is defined. Note that this means if you modify document security rights in an application, all documents currently in that application are affected. The following document rights can be enabled:
|View||Grants a user group rights to view documents within a specific application. If a user does not have at least View rights to a document, the document is not listed in a search result when the user executes a search.|
|Write||Grants a user group rights to upload, update, and copy documents and document metadata within a specific application. Until a user has Write security rights to documents in at least one application, the Upload tool is not visible in the Tools panel of the Navigator Pane.|
|Delete||Grants a user group rights to delete a specific document from an application. If a user has Delete rights to one application and Write security rights to a second application, then they can move a document from the first to the second application. Note that users with Delete permission are automatically assigned Write permission.|
|Lock Admin||Grants an admin group rights to unlock any locked document in the application.|
|Grant Access||Grants a user group rights to assign document rights to other user groups. Note that users with Grant Access rights are automatically assigned Delete and Write security rights.|
Annotations are specific to individual documents, but security rights are defined in an application when specifying document security on the Application Document Security Page. Annotation security rights granted when the application is created apply to every document in the application. Changing annotation security rights for a group in an application affects access to all annotations on documents in the application.
Note that even though annotations are associated with and specific to each document in a repository, they are stored separately. Annotations are overlaid on a document, and all or some can be hidden based on the security rights granted a group when the application is defined.
Because annotations are laid on top of documents, documents containing text data can sometimes shift underneath annotations. This can be a concern if text or images overlaid with a redaction annotation shift and become exposed. This is not an issue with improper security rights. It can happen when documents are created using fonts not available to the rendering engine when the document was uploaded. The rendering engine will then substitute fonts which may cause text shift and repagination. For information on how to avoid this problem, see "Font Errors".
There are three levels of security applicable to a document annotation within a specific application.
|Annotate Standard||Grants view, create, modify, and delete security rights to all annotations within the application that are not explicitly specified as Restricted or Hidden.|
|Annotate Restricted||Grants security rights to mark annotations within an application as Restricted and create, modify, or delete annotations marked as Restricted by others. All users have permission to view restricted annotations but must have Restricted annotation rights to create, modify, or delete them.|
|Annotate Hidden||Grants security rights to mark annotations within an application as Hidden and create, modify, and delete annotations marked as Hidden by others. You must have Annotate Hidden rights to view Hidden annotations.|
Faith, John, Kay and Louis are employees at Company B. They have the following business roles and are members of the following departments and groups:
|Faith||IT||Administrator for Oracle I/PM at Company B. She was the first to log into Oracle I/PM after installation and set up all definitions, definition security rights, and definition management security rights. She has full administrative access to all of Oracle I/PM across the enterprise.||IT_Admin|
|John||HR||The Oracle I/PM administrator for the entire department. Because John is the HR Department administrator, he requires security rights to all Oracle I/PM actions pertinent to HR, but not security rights to anything pertinent to the Accounts Payable department, for example. John is the only individual allowed to create and modify application, search and input and connection definitions for Human Resources.||HR_IT|
|Kay||HR||Determines salary offerings to potential new employees, making the offer to a potential employee, and receiving the document when it has been accepted. Kay uses references external to the company to determine salary offers but once an offer has been accepted, she uploads the salary acceptance document to the Oracle I/PM system in an application called Offers and annotates it with an Accepted stamp. Once it has been uploaded, stamped, and saved, a BPEL process is initiated that creates an HR new employee file that contains the stamped salary acceptance document. So Kay requires security rights to View, Create and Modify Documents called Offers.||HR_Managers|
|Louis||HR||Administrative assistant. Updates the database of employees' personal information. He does not use the personal salary information in an Offers document for his job, therefore, Louis would not have security rights to access, search, or upload Offers documents in Oracle I/PM||HR_Users|
Definition Management Security Rights
Within the HR_Managers and HR_Users group of Oracle I/PM, Kay and Louis do not have any security rights to define definitions. That is because they do not create or manage applications, inputs, searches, and connections. They only use them.
Faith and John however are granted the following definition management security rights according to the needs of their specific job responsibilities:
Definition Security Rights
All four people need some level of security rights to the Offers definitions. Faith and John need to administer them. Kay must have full rights to upload, annotate (to approve and redact salary information), find, view, and initiate the BPEL process to create the HR new employee file. Louis must have rights to search and view documents to update personal information, but not to view redacted salary information.
Each are granted the following definition security rights according to the needs of their specific job responsibilities:
|Security Right||Offers Application||Offers Input||Offers Search||BPEL Connection|
|View||Faith, John, Kay, Louis||Faith, John, Kay||Faith, John, Kay, Louis||Faith, John|
|Modify||Faith, John||Faith, John||Faith, John||Faith, John|
|Delete||Faith, John||Faith, John||Faith, John||Faith, John|
|Grant Access||Faith, John||Faith, John||Faith, John||Faith, John|
Document Security Rights
Only Kay and Louis work with the documents stored in the Offers application, so only the HR_Managers and HR_Users groups would be added on the Application Document Security Page when the Offers application was defined. Faith and John would not have access to the documents in the application, even though the application definition security rights grant them access to see and modify the Application definition.
Kay and Louis are granted the following document security rights according to their specific responsibilities:
|Security Right||Documents||Group Members|
|View||HR_Managers, HR_Users||Kay, Louis|
|Annotate Standard||HR_Managers, HR_Users||Kay, Louis|
These permissions allow Kay to upload and redact salary information from a document into the Offers application, where Louis can search for and view it to get updated personal information without being able to modify the redactions and see the salary information.