Skip Headers
Oracle® Fusion Middleware Administering Oracle WebCenter Content
11g Release 1 (11.1.1)

Part Number E26692-01
Go to Documentation Home
Go to Book List
Book List
Go to Table of Contents
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Go to next page
PDF · Mobi · ePub

16 Understanding Security and User Access

This chapter provides introductory information on Oracle WebCenter Content security as it is integrated with other Oracle products, and its own internal security features and supplemental security options.

This chapter includes the following topics:

16.1 Overview

A Content Server instance is deployed on a WebCenter Content domain, which is deployed on an Oracle WebLogic Server domain in Oracle Fusion Middleware. Security is supported at multiple levels including the Content Server instance, the WebCenter Content domain, the Oracle WebLogic Server domain, and Oracle Platform Security Services (OPSS).

Access to content in the Content Server repository requires a Content Server administrator to manage content, users, and groups, as well as roles, permissions, and accounts. An Oracle WebLogic Server administrator functions as the Content Server administrator. An Oracle WebLogic Server administrator must log in to the Content Server instance and set up the primary Content Server administrator account and password, if no such user was configured during deployment. After the Content Server administrator is configured, management tasks can be performed on the Content Server instance. For more information on the initial configuration of a WebCenter Content administrator, see Oracle WebCenter Content Installation Guide.

Most user management tasks must be performed using the Oracle WebLogic Server Administration Console instead of the User Admin applet on the Content Server instance. By default, WebCenter Content uses the Oracle WebLogic Server user store to manage user names and passwords, and the credential store is leveraged to grant users access to the Content Server instance. For an enterprise-level system, Oracle Platform Security Services (OPSS) can be used instead of the default Oracle WebLogic Server user store to authenticate and authorize users. For more information on integrating WebCenter Content security with Oracle WebLogic Server and OPSS, see Chapter 17.

Content Server offers several levels of security for repository content: security groups (which are required) and accounts (which are optional). Each content item is assigned to a security group, and if accounts are enabled then content items can also be assigned to an account. Users are assigned a certain level of permission (Read, Write, Delete, or Admin) for each security group and account, which enables them to work with a content item only to the extent that they have permissions to the item's security group and account. For more information on users, groups, and accounts internal to Content Server, see Chapter 18, Chapter 19, and Chapter 20.

Access control lists (ACLs) can be configured for a Content Server instance to provide extended control of content access to users on an enterprise-level system. An access control list is a list of users, groups, or Enterprise roles with permission to access or interact with a content item. For more information, see Chapter 21.

16.2 Security within Content Server

The administrator sets up initial user and content security within Content Server by using the User Admin application to define user roles, permissions to groups, and accounts. Then the administrator uses the Oracle WebLogic Server Administration Console to create users and assign each user to one or more of the Content Server roles, which in turn are assigned specific permissions to security groups. If accounts are enabled in Content Server, the administrator can assign users specific permissions to certain accounts, which then limits the permissions the users might otherwise have through their assigned roles.

For information on users, see Chapter 18. For information on security groups, roles, and permissions, see Chapter 19. For information on accounts, see Chapter 20.

The following components also can be used to provide additional internal Content Server security:

Be aware that Internet Explorer 7 supplies the following message to users logging in with basic authentication without a secure connection:

Warning: This server is requesting that your username and password be sent in an insecure manner

The behavior (sending user name and password in text) is not new for basic authentication and does not cause problems.

16.3 Additional Security Options

WebCenter Content can combine additional authentication methods. For example, you can define some users with the Oracle WebLogic Server Administration Console, allow some users to log in using their Microsoft domain identity, and grant other users access to the Content Server instance based on their external Lightweight Directory Access Protocol (LDAP) credentials. However, authentication is configured through Oracle WebLogic Server, so the combination of methods is limited. Users can authenticate against multiple authentication stores, but because of the Oracle Platform Security Services (OPSS) and Oracle WebLogic Server integration, only one of the configured user stores can be used to extract authorization (group) information.


As of 11g Release 1 ( Oracle WebCenter Content supports use of the Oracle Virtual Directory library (libOVD) feature, which enables a site to use multiple providers for login and group membership information. For example, it would be possible to use both Oracle Internet Directory (OID) and Active Directory as sources of user and role information. For information on multi-LDAP configuration in Oracle WebLogic Server, see Oracle Fusion Middleware Application Security Guide.

The following options can be used to provide additional security:

In all environments, a comprehensive understanding of your organization's security needs and a thorough planning phase is crucial to a successful security integration.