Oracle® Fusion Middleware User's Guide for Oracle WebCenter Spaces
11g Release 1 (11.1.1.5.0)

Part Number E10149-09

20 Understanding WebCenter Spaces Security

This chapter provides information about security in WebCenter Spaces. It contains the following sections:

Audience

The content of this chapter is intended for WebCenter Spaces administrators and anyone who wants to understand the application's security model. For detailed instructions, see Chapter 21, "Managing Users, Roles, and Permissions".

See also, "Managing Security" in Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter.

20.1 Introduction to Security in WebCenter Spaces

WebCenter Spaces provides a comprehensive security model that enables you to control what users can see and change on your portal. You can control which users (and groups) have access to individual Spaces, Space hierarchies, and the Home Space, and you can also control exactly what users and groups can see and do by enabling and disabling various permissions.

Within a particular Space you can restrict user and group access to individual WebCenter pages, page content (such as task flows, portlets, documents, and folders), and WebCenter resources (such as page templates, page styles, skins, resource catalogs, and so on).

Figure 20-1 WebCenter Spaces Security

Users and Groups

A user is a single person in the identity store and a group contains multiple users. In WebCenter Spaces you can grant permissions to individual users and to groups of users.

Unregistered Users and Self-Registration

Self-registration allows unregistered users to create their own login and password for WebCenter Spaces. A user who self-registers is immediately and automatically granted access to WebCenter Spaces, and a new user account is created in the application's identity store.

Application Roles and Space Roles

Application roles determine what a user (or group) can see and do in the Home Space which, for some administrative functions, can impact the entire WebCenter Spaces application. Space roles control actions within a particular Space.

Spaces and Space Hierarchies

Spaces support the formation and collaboration of project teams and communities of interest by providing a dedicated and readily accessible area for relevant services, pages, and content and by supporting the inclusion of specified members.

A Space hierarchy consists of a parent Space with one or more Subspaces. Subspaces can inherit the security (members, roles, and permissions) of their parent.

Home Space

The Home Space is a shared Space that, by default, is accessible to everyone who is logged in. Application roles apply while a user is working within the Home Space. In most applications, the Home Space focuses on social networking and personal content.

Resources

Various portal resources help define the overall structure, look and feel, and content in WebCenter Spaces; these include page templates, page styles, skins, navigation models, resource catalogs, content presenter display templates, mashup styles, data controls, and task flows. Users with appropriate privileges can build and customize portal resources for the entire application, a single Space, or a Space hierarchy.

Pages

Anyone authorized to edit a page can grant access and permissions to other users and groups. For example, you might grant view-only permissions to everyone in the sales group, edit permissions to sales managers, and manage permissions to a single user. Alternatively, you can specify that the page inherits its access from the application.

Page Content, Files and Folders

Some pages might contain content that you want only a select set of users, or even only one other user, to see. For example, a page aimed at sales people might include two Announcement task flows: one aimed at all sales people and the other at sales managers only. By restricting access to the second Announcement task flow, you can hide management-level announcements from anyone who is not a sales manager.

20.2 Understanding Users

A WebCenter user has a login account for WebCenter Spaces—provisioned directly from an existing identity store. See also, "Adding Users to the Embedded LDAP Identity Store" in the Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter.

All users in the identity store are assigned minimal WebCenter Spaces privileges through the Authenticated-User role. The only exception is the Fusion Middleware Administrator (weblogic by default). Out-of-the-box, the Fusion Middleware Administrator is the only user assigned full administrative privileges through the Administrator role. For more information, see Section 20.3.1.1, "Default Application Roles".

It is the Fusion Middleware Administrator's job to assign each WebCenter user an appropriate application role. Alternatively, the Fusion Middleware Administrator may choose to assign the Administrator role to another user and delegate this responsibility.

Table 20-1 Default Administrator in WebCenter Spaces

User Description

Fusion Middleware Administrator (weblogic)

Administrator for the entire application server, sometimes referred to as the super administrator. This user can manage any application on the server, including WebCenter Spaces.


20.3 Understanding Application Roles and Permissions

Application roles control the level of access a user has to information and services in WebCenter Spaces. Specifically, application roles and their permissions determine what a user can see and do in the Home Space.

This section includes:

Section 20.3.1, "Understanding Application Roles"

Section 20.3.2, "Understanding Application Permissions"

20.3.1 Understanding Application Roles

Application role assignment is the responsibility of the WebCenter Spaces administrator. Administrators can assign users a default application role or create additional, custom roles specific to their WebCenter Spaces application. For more detail, see:

Application roles only apply while a user is working within the Home Space. Within all other Spaces a different set of roles and permissions apply and it is the Space moderator's responsibility to determine suitable role assignments for each of its members. See also Section 52.2, "Managing Roles and Permissions for a Space".

Note:

Application roles and permissions defined within WebCenter Spaces are stored in its policy store and, consequently, apply to this WebCenter Spaces application only. Enterprise roles are different; enterprise roles are stored within the application's identity store and do not imply any permissions within WebCenter Spaces. See "Application Roles and Enterprise Roles" in the Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter.

20.3.1.1 Default Application Roles

WebCenter Spaces provides several default application roles that cannot be deleted (Table 20-2).

Table 20-2 Default Application Roles for WebCenter Spaces

Application Role Description Modify?

Administrator

Users with the Administrator role can set application-wide properties for WebCenter Spaces, create business role pages, configure defaults for discussion forums, mail, and people connection services, register producers and external applications, as well as perform other administrative duties such as editing the login page and the self-registration page.

Administrators can also manage users and roles for WebCenter Spaces, delegate or revoke privileges to/from other users, manage Spaces and Space templates, and also import and export Space information.

Out-of-the-box, the Fusion Middleware Administrator is the only user assigned full WebCenter Spaces administrative privileges through the Administrator role.

Yes*

*Except for Application permissions which are read-only

Authenticated-User

Authenticated users of WebCenter Spaces are granted the Authenticated-User role. Users who log in are assigned this role and, by default, have access to their own Home Space, pages that they create, and public pages. These users can also view public Spaces, create Spaces, and create Space templates.

This role inherits permissions from the Public-User role.

In WebCenter Spaces, the Authenticated-User role is equivalent to authenticated-role—a standard OPSS (Oracle Platform Security Services) role.

Yes

Public-User

Anyone with access to WebCenter Spaces who is not logged in is granted the Public-User role. Such users are anonymous, unidentified, and can see public content only.

In WebCenter Spaces, the Public-User role is equivalent to anonymous-role—a standard OPSS (Oracle Platform Security Services) role.

Yes


20.3.1.2 Custom Application Roles

Custom application roles (sometimes known as user-defined roles) are specific to your WebCenter Spaces application. When setting up WebCenter Spaces, it is the WebCenter Spaces administrator's job to identify which application roles are required, choose suitable role names, and define the responsibilities of each role.

For example, an education environment might require roles such as Teacher, Student, and Guest, while roles such as Finance, Sales, Human Resources, and Support would be more appropriate for a corporate environment.

In WebCenter Spaces, custom application roles inherit permissions from the Authenticated-User role.

To learn how to set up application roles for WebCenter users, see Section 21.2.2, "Defining Application Roles".

20.3.2 Understanding Application Permissions

Every application role has specific, defined capabilities known as permissions. These permissions allow individuals to perform specific actions in the Home Space. Permissions are categorized as follows and listed individually in the subsequent tables:

  • Application

  • Spaces

  • Space Templates

  • Pages

  • Content Presenter Templates

  • Data Controls

  • Discussions

  • Links

  • Mashup Styles

  • Navigations

  • Page Styles

  • Page Templates

  • People Connections

  • Resource Catalogs

  • Skins

  • Task Flows

No permission, except for Manage All, inherits privileges from other permissions.
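
The resolution rules stated so far (Authenticated-User inherits from Public-User, custom roles inherit from Authenticated-User, and only Manage All carries other permissions with it) can be checked with a small resolver. The following is an added example written for this chapter, not Oracle code: the role names, the "Category-Permission" string form, the subset of the Table 20-3 catalogue, and every grant in build_roles() are constructed for illustration, and reading Manage All as implying every other permission in its own category is an assumption.

```python
"""Toy resolver for WebCenter Spaces application roles (added example, not Oracle code)."""
from dataclasses import dataclass, field
from typing import Optional

# Subset of the permission catalogue in Table 20-3, keyed by category (constructed).
CATALOGUE = {
    "Application": {"Manage All", "Manage Configuration", "View Application"},
    "Spaces": {"Manage All", "Manage Configuration", "Manage Membership", "Create Spaces"},
    "Space Templates": {"Manage All", "Create Space Templates"},
    "Pages": {"Create, Edit, and Delete", "Delete", "Edit", "Customize", "View", "Create"},
    "Discussions": {"Create, Edit, and Delete"},
}


@dataclass
class Role:
    name: str
    grants: set = field(default_factory=set)   # explicit "Category-Permission" strings
    parent: Optional["Role"] = None            # role whose permissions this one inherits


def resolve(role: Role) -> dict:
    """Map every permission the role ends up holding to the reason it holds it.

    Reasons: "explicit" for a direct grant, "implied by ..." for permissions
    carried by a Manage All grant, "inherited from ..." for grants that come
    down the parent chain.
    """
    chain = []
    node = role
    while node is not None:
        chain.append(node)
        node = node.parent
    result = {}
    # Walk from the root of the chain towards the role itself so that a
    # direct grant always wins over an inherited or implied one.
    for node in reversed(chain):
        for perm in sorted(node.grants):
            result[perm] = "explicit" if node is role else f"inherited from {node.name}"
            category, action = perm.split("-", 1)
            if action == "Manage All":
                # Assumption: Manage All carries every other permission in its category.
                for other in CATALOGUE[category] - {"Manage All"}:
                    result.setdefault(f"{category}-{other}", f"implied by {perm}")
    return result


def has_permission(role: Role, perm: str) -> bool:
    return perm in resolve(role)


def roles_holding(roles: dict, perm: str) -> list:
    """Least-privilege review helper: which roles end up with a given permission."""
    return sorted(name for name, role in roles.items() if has_permission(role, perm))


def build_roles() -> dict:
    """Constructed default and custom roles; grants are illustrative, not Table 20-4."""
    public = Role("Public-User", {"Pages-View"})
    authenticated = Role("Authenticated-User", {
        "Application-View Application", "Spaces-Create Spaces",
        "Space Templates-Create Space Templates",
        "Pages-Create", "Pages-Edit", "Pages-Delete", "Pages-Customize",
    }, parent=public)
    administrator = Role("Administrator", {
        "Application-Manage All", "Spaces-Manage All", "Space Templates-Manage All",
        "Pages-Create, Edit, and Delete", "Discussions-Create, Edit, and Delete",
    }, parent=authenticated)   # parent is an assumption; the chapter does not state it
    # A custom role, as in the Teacher/Student example: inherits Authenticated-User.
    teacher = Role("Teacher", {"Discussions-Create, Edit, and Delete"}, parent=authenticated)
    return {r.name: r for r in (public, authenticated, administrator, teacher)}


if __name__ == "__main__":
    roles = build_roles()
    for name, role in roles.items():
        print(name)
        for perm, why in sorted(resolve(role).items()):
            print(f"  {perm:45} {why}")
    print("Roles with Application-Manage All:", roles_holding(roles, "Application-Manage All"))
```

Running the module prints, per role, each resolved permission and why it is held; roles_holding() is the kind of query a reviewer runs before handing a custom role a Manage All grant, because one such grant silently brings the rest of its category with it.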

Table 20-3 Application Permissions in WebCenter Spaces

Category Application Permissions

Application

Manage All - Enables access to all WebCenter Spaces Administration pages: Spaces, Pages, Resources, Security, and Configuration. Through these pages, users can manage application security (users/roles), configure application-wide properties and services, manage resources, create business role pages, manage everyone's personal pages, customize system pages, view Spaces accessible to them, as well as export/import Spaces and Space templates.

Some administrative tasks are exclusive to the out-of-the-box Administrator role and cannot be performed by granting the Application-Manage All permission. These tasks include editing the login page, the self-registration page, and profile gallery pages, as well as the ability to manage all Spaces, all Space templates, external applications, and portlet producers.

Manage Configuration - Same as the Application-Manage All permission but excludes security privileges. Users with this permission cannot access the Security page.

View Application - Enables users to view the WebCenter Spaces application, and gives users access to the Home Space. See also, Section 5.12, "Enabling and Disabling Access to the Home Space".

Spaces

Manage All - Enables access to all Space administration pages (General, Roles, Members, Pages, Content, Subspaces, Services, Custom Attributes). Through these pages users can manage Space membership, assign permissions and roles, manage, delete, and export Spaces and resources, set Space properties, and manage service availability.

Manage Configuration - Same as the Spaces-Manage All permission but excludes security privileges. Users with this permission cannot access the Roles and Members pages unless they are a Space moderator.

Manage Membership - Users can manage Space membership through Roles and Members pages.

Create Spaces - Users can create Spaces.

Space Templates

Manage All - Enables users to manage and delete any Space template that is accessible to them.

Create Space Templates - Users can create Space templates.

Pages

Create, Edit, and Delete - Create, edit and delete pages in your Home Space.

Delete - Delete pages in your Home Space.

Edit - Add or edit personal page content, rearrange content, and set page parameters and properties.

Customize - Customize your view of pages in the Home Space by adding, editing, or removing content.

View - View pages in the Home Space.

Create - Create or design a new page for your Home Space view.

These permissions only apply to the Home Space. The permissions do not apply to pages that are created within a Space. Page permissions within a Space are granted on a per Space-basis by the moderator. See Section 52.2, "Managing Roles and Permissions for a Space".

Content Presenter Templates

Create, Edit, and Delete - Create, edit and delete content display templates for the application through WebCenter Administration.

Create - Create content display templates for the application.

Edit - Edit application-level content display templates.

See also, Chapter 40, "Publishing Content Using Content Presenter".

Data Controls

Create, Edit, and Delete - Create, edit and delete data controls for the application through WebCenter Administration.

Create - Create data controls for the application.

Edit - Edit application-level data controls.

See also, Section 26.2, "Creating and Managing Data Controls".

Discussions

Create, Edit, and Delete - Manage categories, forums, and topics on the back-end discussions server. Set discussion forum properties for all Spaces.

See also, Section 20.3.2.2, "Understanding Discussion Server Role Mapping".

Links

Create, and Delete - Create and delete links between objects, and manage link permissions.

Delete - Delete a link between two objects.

Create - Create links between objects, and delete links that you create.

Mashup Styles

Create, Edit, and Delete - Create, edit and delete content display templates for the application through WebCenter Administration.

Create - Create content display templates for the application.

Edit - Edit application-level content display templates.

See also, Chapter 40, "Publishing Content Using Content Presenter".

Navigations

Create, Edit, and Delete - Create, edit and delete navigations for the application through WebCenter Administration.

Create - Create navigations for the application.

Edit - Edit application-level navigations.

See also, Chapter 11, "Working with Navigation".

Page Styles

Create, Edit, and Delete - Create, edit and delete page styles through WebCenter Administration.

Create - Create page styles for the application.

Edit - Edit application-level page styles.

See also, Chapter 15, "Working with Page Styles".

Page Templates

Create, Edit, and Delete - Create, edit and delete page templates through WebCenter Administration.

Create - Create page templates for the application.

Edit - Edit application-level page templates.

See also, Chapter 12, "Working with Page Templates".

People Connections

Manage People Connections - Manage application-wide settings for People Connection services.

Update People Connections Data - Edit content associated with People Connection services.

Connect with People - Share content associated with People Connection services with others.

Resource Catalogs

Create, Edit, and Delete - Create, edit and delete resource catalogs for the application through WebCenter Administration.

Create - Create resource catalogs for the application.

Edit - Edit application-level resource catalogs.

See also, Chapter 16, "Working with Resource Catalogs".

Skins

Create, Edit, and Delete - Create, edit and delete skins through WebCenter Administration.

Create - Create skins for the application.

Edit - Edit application-level skins.

See also, Chapter 14, "Working with Skins".

Task Flows

Create, Edit, and Delete - Create, edit and delete task flows based on a mashup style through WebCenter Administration.

Create - Create task flows for the application.

Edit - Edit application-level task flows.

See also, Section 26.3, "Creating and Managing Task Flows".


20.3.2.1 Understanding the Default Permissions

Table 20-4 shows the default permissions assigned to out-of-the-box application roles.

✔ - Shows an explicitly granted permission or action.

✙ - Shows an implied permission because of an explicitly granted permission.

Table 20-4 Default Application Roles and Permissions in WebCenter Spaces


Default Application Roles
Permissions Administrator Authenticated-User Public-User

Application
  • Manage All
  • Manage Configuration
  • View Application

Spaces
  • Manage All
  • Manage Configuration
  • Manage Membership
  • Create Spaces

Space Templates
  • Manage All
  • Create Space Templates

Pages
  • Create, Edit, and Delete
  • Delete
  • Edit
  • Customize
  • View
  • Create

Content Presenter Templates
  • Create, Edit and Delete
  • Create
  • Edit

Data Controls
  • Create, Edit and Delete
  • Create
  • Edit

Discussions
  • Create, Edit, and Delete

Links
  • Create and Delete
  • Delete
  • Create

Mashup Styles
  • Create, Edit and Delete
  • Create
  • Edit

Navigations
  • Create, Edit and Delete
  • Create
  • Edit

Page Styles
  • Create, Edit and Delete
  • Create
  • Edit

Page Templates
  • Create, Edit and Delete
  • Create
  • Edit

People Connections
  • Manage
  • Update
  • Connect

Resource Catalogs
  • Create, Edit and Delete
  • Create
  • Edit

Skins
  • Create, Edit and Delete
  • Create
  • Edit

Task Flows
  • Create, Edit and Delete
  • Create
  • Edit

20.3.2.2 Understanding Discussion Server Role Mapping

Some WebCenter services that need access to "remote" (back-end) resources also require role-mapping based authorization; that is, the WebCenter roles that allow users to work with the Discussions service in WebCenter Spaces must be mapped to corresponding roles on the Oracle WebCenter Discussions Server.

WebCenter Spaces uses application roles to manage user permissions in the Home Space and Space roles to manage user permissions within a Space. On the Oracle WebCenter Discussions server, a different set of roles and permissions apply.

Users who are working with discussions and announcements in WebCenter Spaces automatically map to the appropriate Oracle WebCenter Discussions server role, shown in Table 20-5 and Table 20-6.

Table 20-5 Discussions Server Roles and Permissions - Application

Discussion Server Role: Administrator
Discussion Server Permissions: Category Admin
WebCenter Spaces Equivalent Application Permission:
  • Discussions-Create, Edit, and Delete

    Create, read, update and delete sub categories, forums and topics inside the category for which permissions are granted.


Table 20-6 Discussions Server Roles and Permissions - For a Space

Discussion Server Role: Moderator
Discussion Server Permissions: Category Admin, Forum Admin
WebCenter Spaces Equivalent Permissions in a Space:
  • Discussions-Create, Edit, and Delete

    Create, read, update and delete forums and topics.

  • Announcements-Create, Edit, and Delete

    Create, read, update and delete announcements.

Discussion Server Permissions: Read Forum, Create Message, Create Announcement
WebCenter Spaces Equivalent Permissions in a Space:
  • Discussions-Create, and Edit

    Create and edit topics.

  • Announcements-Create, and Edit

    Create and edit announcements.

Discussion Server Permissions: Read Forum, Create Thread
WebCenter Spaces Equivalent Permissions in a Space:
  • Discussions-Reply To

    Reply to discussion topics.

Discussion Server Permissions: Read Forum
WebCenter Spaces Equivalent Permissions in a Space:
  • Discussions-View

    View forums and topics.

  • Announcements-View

    View announcements.


Any user assigned the Application-Discussions-Create Edit Delete permission in WebCenter Spaces is automatically added to Oracle WebCenter Discussions and assigned the Administrator role with the Category Admin permission. Out-of-the-box, WebCenter Spaces assigns the Application-Discussions-Create Edit Delete permission to the Administrator role only, as shown in Figure 20-2.

Figure 20-2 Application Roles - Default Discussion Permissions

Similarly, in a Space, any member assigned discussion and announcement permissions is granted the corresponding permissions on the Oracle WebCenter Discussions server. Figure 20-3 shows out-of-the box discussion and announcement permissions for the default roles Moderator, Participant, and Viewer.

Figure 20-3 Space Roles - Default Discussion Permissions

20.3.2.3 Understanding Enterprise Group Role Mapping

In WebCenter Spaces you can assign individual users, or all the users in an enterprise group, to WebCenter roles. Subsequent enterprise group updates in the back-end identity store are automatically reflected in WebCenter Spaces. Initially, when you assign an enterprise group to a WebCenter Spaces role, everyone in the enterprise group is granted that role. If someone moves out of the group, the role is revoked. If someone joins the group, they are granted the role.

For WebCenter Spaces to properly maintain enterprise group-to-role mappings, back-end servers, such as the discussions server and content server, must support enterprise groups too. When back-end servers do not support enterprise groups, users belonging to enterprise groups are individually added to WebCenter Spaces roles and subsequent group updates in the identity store are not reflected in WebCenter Spaces. This can quickly become a maintenance issue, especially when enterprise groups contain a large number of users. Both versions of Oracle WebCenter Discussion Server and Oracle Universal Content Management provided with Oracle WebCenter Spaces 11.1.1.2.0 and later support enterprise groups but previous versions may not.
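
The maintenance problem described above is the difference between resolving group membership at the time a role is checked and flattening the group into individual grants once. The following added example (not Oracle code) contrasts the two with constructed data: a Sales role assigned to a "sales" enterprise group plus one named user, and a group change in which one member leaves and another joins. The "user:" and "group:" principal prefixes and all names are assumptions made for the demonstration.

```python
"""Enterprise-group to role mapping: dynamic resolution versus a flattened snapshot.

Added example, not Oracle code. All principals, groups and role names are constructed.
"""


def resolve_role_members(role_assignments: dict, groups: dict) -> dict:
    """Resolve each role to the set of users who hold it right now.

    role_assignments maps role name -> set of principals written as
    "user:<name>" or "group:<name>"; groups maps group name -> set of users,
    i.e. the current state of the identity store. Group membership is looked
    up at resolution time, so identity-store changes are reflected automatically.
    """
    members = {}
    for role, principals in role_assignments.items():
        users = set()
        for principal in principals:
            kind, name = principal.split(":", 1)
            if kind == "user":
                users.add(name)
            elif kind == "group":
                users |= groups.get(name, set())   # a group that no longer exists grants nobody
            else:
                raise ValueError(f"unknown principal type: {principal}")
        members[role] = users
    return members


def flatten_groups(role_assignments: dict, groups: dict) -> dict:
    """What a back end without enterprise-group support ends up with: groups are
    expanded into individual user grants at assignment time and never revisited."""
    return {role: {f"user:{user}" for user in users}
            for role, users in resolve_role_members(role_assignments, groups).items()}


def membership_drift(role_assignments: dict, snapshot: dict, groups_now: dict) -> dict:
    """Compare a flattened snapshot against the current identity store.

    Returns, per role, users the snapshot still grants although they left the
    group ("stale") and users who joined since the snapshot ("missing").
    Roles with no drift are omitted.
    """
    current = resolve_role_members(role_assignments, groups_now)
    report = {}
    for role in role_assignments:
        snapshot_users = {p.split(":", 1)[1] for p in snapshot.get(role, set())}
        stale = snapshot_users - current[role]
        missing = current[role] - snapshot_users
        if stale or missing:
            report[role] = {"stale": stale, "missing": missing}
    return report


# Constructed sample: the Sales role is granted to the 'sales' enterprise group
# plus one individually named manager.
ASSIGNMENTS = {"Sales": {"group:sales", "user:dana"}}
GROUPS_BEFORE = {"sales": {"alice", "bob"}}
GROUPS_AFTER = {"sales": {"alice", "carol"}}   # bob left the group, carol joined


def demo() -> dict:
    """Take a flattened snapshot, then change the group and measure the drift."""
    snapshot = flatten_groups(ASSIGNMENTS, GROUPS_BEFORE)
    return membership_drift(ASSIGNMENTS, snapshot, GROUPS_AFTER)


if __name__ == "__main__":
    print("dynamic now:", resolve_role_members(ASSIGNMENTS, GROUPS_AFTER))
    print("drift      :", demo())
```

The stale entry is the security-relevant one: a user who has left the group keeps the role on a back end that only stores flattened grants until someone reconciles it by hand, which is exactly the situation the paragraph above warns about for older discussions and content servers.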

20.4 Understanding Roles and Permissions within a Space

When a WebCenter user becomes a member of a Space, a different set of roles and responsibilities apply. For details, see Section 52.2, "Managing Roles and Permissions for a Space".

20.5 Understanding Self-Registration

WebCenter Spaces administrators can enable self-registration for the application. Through self-registration, invited and uninvited users can create their own login and password for WebCenter Spaces. A user who self-registers is immediately and automatically granted access to WebCenter Spaces, and a new user account is created in the identity store. See also, Chapter 22, "Enabling Self-Registration".