23 Understanding Security

This chapter provides information about security in the Spaces application. It contains the following sections:

Section 23.1, "Introduction to Security in Spaces"

Section 23.2, "Understanding Users"

Section 23.3, "Understanding Application Roles and Permissions"

Section 23.4, "Understanding Roles and Permissions within a Space"

Section 23.5, "Understanding Self-Registration"

Audience

The content of this chapter is intended for Spaces administrators and anyone who wants to understand the application's security model. For detailed instructions, see Chapter 24, "Managing Users, Roles, and Permissions".

See also "Managing Security" in Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter Portal.

23.1 Introduction to Security in Spaces

The Spaces application provides a comprehensive security model that enables you to control what users can see and change on your portal. You can control which users (and groups) have access to individual spaces, space hierarchies, and the Home space, and you can also control exactly what users and groups can see and do by enabling and disabling various permissions.

Within a particular space you can restrict user and group access to individual pages, page content (such as task flows, portlets, documents, and folders), and resources (such as page templates, page styles, skins, resource catalogs, and so on).

Figure 23-1 Spaces Security


Users and Groups

A user is a single person in the identity store and a group contains multiple users. In the Spaces application you can grant permissions to individual users and to groups of users.

Unregistered Users and Self-Registration

Self-registration allows unregistered users to create their own login and password for the Spaces application. A user who self-registers is immediately and automatically granted access to Spaces and a new user account is created in the application's identity store. To access a particular space, the user can subscribe to the space. If the subscription request requires moderator approval, the user will need to wait for that approval; otherwise, the user is granted immediate access to the space.

Application Roles and Space Roles

Application roles determine what a user (or group) can see and do in the Home space which, for some administrative functions, can impact the entire Spaces application. Space roles control actions within a particular space.

Spaces and Space Hierarchies

Spaces support the formation and collaboration of project teams and communities of interest by providing a dedicated and readily accessible area for relevant services, pages, and content and by supporting the inclusion of specified members.

A space hierarchy consists of a parent space with one or more subspaces. Subspaces can inherit the security (members, roles, and permissions) of their parent.

Home space

The Home space is a shared space that, by default, is accessible to everyone who is logged in. Application roles apply while a user is working within the Home space. In most applications, the Home space focuses on social networking and personal content.

Resources

Various portal resources help define the overall structure, look and feel, and content in spaces. These include page templates, page styles, skins, navigation models, Resource Catalogs, content presenter display templates, mashup styles, data controls, and task flows. Users with appropriate privileges can build and customize portal resources for the entire application, a single space, or a space hierarchy.

Pages

Anyone authorized to edit a page can grant access and permissions to other users and groups. For example, you might grant view-only permissions to everyone in the sales group, edit permissions to sales managers, and manage permissions to a single user. Alternatively, you can specify that the page inherits its access from the application.

Page Content, Files and Folders

Some pages might contain content that you want only a select set of users, or even only one other user, to see. For example, a page aimed at sales people might include two Announcement task flows: one aimed at all sales people and the other at sales managers only. By restricting access to the second Announcement task flow, you can hide management-level announcements from anyone who is not a sales manager.

23.2 Understanding Users

A Spaces user has a login account for the Spaces application—provisioned directly from an existing identity store. See also "Adding Users to the Embedded LDAP Identity Store" in the Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter Portal.

All users in the identity store are assigned minimal privileges in the Spaces application through the Authenticated-User role. The only exception is the Fusion Middleware Administrator (weblogic by default). Out-of-the-box, the Fusion Middleware Administrator is the only user assigned full administrative privileges through the Administrator role. For more information, see Section 23.3.1.1, "Default Application Roles".

It is the Fusion Middleware Administrator's job to assign each user an appropriate application role. Alternatively, the Fusion Middleware Administrator may choose to assign the Administrator role to another user and delegate this responsibility.

Table 23-1 Default Administrator in Spaces

User: Fusion Middleware Administrator (weblogic)

Description: Administrator for the entire application server, sometimes referred to as the super administrator. This user can manage any application on the server, including Spaces.


23.3 Understanding Application Roles and Permissions

Application roles control the level of access a user has to information and services in the Spaces application. Specifically, application roles and their permissions determine what a user can see and do in their Home space.

This section includes:

Section 23.3.1, "Understanding Application Roles"

Section 23.3.2, "Understanding Application Permissions"

23.3.1 Understanding Application Roles

Application role assignment is the responsibility of the Spaces administrator. Administrators can assign users a default application role or create additional, custom roles specific to their Spaces application. For more detail, see:

Section 23.3.1.1, "Default Application Roles"

Section 23.3.1.2, "Custom Application Roles"

Application roles only apply while a user is working within their Home space. Within all other spaces a different set of roles and permissions apply and it is the space moderator's responsibility to determine suitable role assignments for each of its members. See also Section 54.2, "Managing Roles and Permissions for a Space".

Note:

Application roles and permissions defined within Spaces are stored in its policy store and, consequently, apply to this Spaces application only. Enterprise roles are different; enterprise roles are stored within the application's identity store and do not imply any permissions within the Spaces application. See "Application Roles and Enterprise Roles" in the Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter Portal.

23.3.1.1 Default Application Roles

The Spaces application provides several default application roles that cannot be deleted (Table 23-2).

Table 23-2 Default Application Roles for Spaces

Application Role / Description / Modify?

Administrator

Users with the Administrator role can set application-wide properties for Spaces, create business role pages, configure defaults for discussion forums, mail, and people connection services, register producers and external applications, as well as perform other administrative duties such as editing the login page and the self-registration page.

Administrators can also manage users and roles for the Spaces application, delegate or revoke privileges to/from other users, manage spaces and space templates, and also import and export space information.

Out-of-the-box, the Fusion Middleware Administrator is the only user assigned full administrative privileges for the Spaces application through the Administrator role.

Modify? Yes* (*except for Application permissions, which are read-only)

Authenticated-User

Authenticated users of Spaces are granted the Authenticated-User role. Users who log in are assigned this role and, by default, have access to their own Home space, pages that they create, and public pages. These users can also view public spaces, create spaces, and create space templates.

This role inherits permissions from the Public-User role.

In the Spaces application, the Authenticated-User role is equivalent to authenticated-role—a standard OPSS (Oracle Platform Security Services) role.

Modify? Yes

Public-User

Anyone with access to the Spaces application who is not logged in is granted the Public-User role. Such users are anonymous, unidentified, and can see public content only.

In the Spaces application, the Public-User role is equivalent to anonymous-role—a standard OPSS (Oracle Platform Security Services) role.

Modify? Yes


23.3.1.2 Custom Application Roles

Custom application roles (sometimes known as user-defined roles) are specific to your Spaces application. When setting up Spaces, it is the Spaces administrator's job to identify which application roles are required, choose suitable role names, and define the responsibilities of each role.

For example, an education environment might require roles such as Teacher, Student, and Guest, while roles such as Finance, Sales, Human Resources, and Support would be more appropriate for a corporate environment.

In the Spaces application, custom application roles inherit permissions from the Authenticated-User role.

To learn how to set up application roles for Spaces users, see Section 24.2.2, "Defining Application Roles".

23.3.2 Understanding Application Permissions

Every application role has specific, defined capabilities known as permissions. These permissions allow individuals to perform specific actions in the Home space. Permissions are categorized as follows and listed individually in the subsequent tables:

  • Application

  • Spaces

  • Space Templates

  • Pages

  • Content Presenter Templates

  • Data Controls

  • Discussions

  • Links

  • Mashup Styles

  • Navigations

  • Page Styles

  • Page Templates

  • People Connections

  • Resource Catalogs

  • Skins

  • Task Flows

No permission, except for Manage All, inherits privileges from other permissions.

Table 23-3 Application Permissions in Spaces

Category Application Permissions

Application

Manage All - Enables access to all Spaces Administration pages: Spaces, Pages, Resources, Security, and Configuration. Through these pages, users can manage application security (users/roles), configure application-wide properties and services, manage resources, create business role pages, manage everyone's personal pages, customize system pages, view spaces accessible to them, as well as export/import spaces and space templates.

Some administrative tasks are exclusive to the out-of-the-box Administrator role and cannot be performed by granting the Application-Manage All permission. These tasks include editing the login page, the self-registration page, and profile gallery pages, as well as the ability to manage all spaces, all space templates, external applications, and portlet producers.

Manage Configuration - Same as the Application-Manage All permission but excludes security privileges. Users with this permission cannot access the Security page.

View Application - Enables users to view the Spaces application, and gives user access to the Home space. See also Section 24.2.4, "Granting Permissions to the Public-User Role" and Section 24.2.5, "Granting Permissions to the Authenticated-User Role."

Spaces

Manage All - Enables access to all Space administration pages (General, Roles, Members, Pages, Content, Subspaces, Services, Custom Attributes). Through these pages users can manage space membership, assign permissions and roles, manage, delete, and export spaces and resources, set space properties, and manage service availability.

Manage Configuration - Same as the Spaces-Manage All permission but excludes security privileges. Users with this permission cannot access the Roles and Members pages unless they are a space moderator.

Manage Membership - Users can manage space membership through the Roles and Members pages.

Create Spaces - Users can create spaces.

Space Templates

Manage All - Enables users to manage any space template (through the Space Templates page) and delete templates accessible to them. See also Section 52.3, "Managing Space Templates."

Create Space Templates - Users can create space templates.

Pages

Create, Edit, and Delete - Create, edit and delete pages in your Home space.

Delete - Delete pages in your Home space.

Edit - Add or edit personal page content, rearrange content, and set page parameters and properties.

Customize - Customize your view of pages in the Home space by adding, editing, or removing content.

View - View pages in the Home space.

Create - Create or design a new page for your Home space view.

These permissions only apply to the Home space. The permissions do not apply to pages that are created within a space. Page permissions within a space are granted on a per-space basis by the moderator. See Section 54.2, "Managing Roles and Permissions for a Space".

Content Presenter Templates

Create, Edit, and Delete - Create, edit and delete content display templates for the application through Spaces Administration.

Create - Create content display templates for the application.

Edit - Edit application-level content display templates.

See also Chapter 42, "Publishing Content Using Content Presenter."

Data Controls

Create, Edit, and Delete - Create, edit and delete data controls for the application through Spaces Administration.

Create - Create data controls for the application.

Edit - Edit application-level data controls.

See also Section 29.2, "Creating and Managing Data Controls."

Discussions

Create, Edit, and Delete - Manage categories, forums, and topics on the back-end discussions server. Set discussion forum properties for all spaces.

See also Section 23.3.2.2, "Understanding Discussion Server Role Mapping."

Links

Create and Delete - Create and delete links between objects, and manage link permissions.

Delete - Delete a link between two objects.

Create - Create links between objects, and delete links that you create.

Mashup Styles

Create, Edit, and Delete - Create, edit and delete mashup styles for the application through Spaces Administration.

Create - Create mashup styles for the application.

Edit - Edit application-level mashup styles.

See also Chapter 42, "Publishing Content Using Content Presenter."

Navigations

Create, Edit, and Delete - Create, edit and delete navigations for the application through Spaces Administration.

Create - Create navigations for the application.

Edit - Edit application-level navigations.

See also Chapter 12, "Working with Navigation."

Page Styles

Create, Edit, and Delete - Create, edit and delete page styles through Spaces Administration.

Create - Create page styles for the application.

Edit - Edit application-level page styles.

See also Chapter 15, "Working with Page Styles."

Page Templates

Create, Edit, and Delete - Create, edit and delete page templates through Spaces Administration.

Create - Create page templates for the application.

Edit - Edit application-level page templates.

See also Chapter 13, "Working with Page Templates."

People Connections

Manage People Connections - Manage application-wide settings for People Connection services.

Update People Connections Data - Edit content associated with People Connection services.

Connect with People - Share content associated with People Connection services with others.

Resource Catalogs

Create, Edit, and Delete - Create, edit and delete Resource Catalogs for the application through Spaces Administration.

Create - Create Resource Catalogs for the application.

Edit - Edit application-level Resource Catalogs.

See also Chapter 16, "Working with Resource Catalogs."

Skins

Create, Edit, and Delete - Create, edit and delete skins through Spaces Administration.

Create - Create skins for the application.

Edit - Edit application-level skins.

See also Chapter 14, "Working with Skins".

Task Flows

Create, Edit, and Delete - Create, edit and delete task flows based on a mashup style through Spaces Administration.

Create - Create task flows for the application.

Edit - Edit application-level task flows.

See also Section 29.3, "Creating and Managing Task Flows."
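The inheritance and implication rules in this section, worked as an added Python example (not Oracle's code): a small resolver computes a role's effective permissions and checks that Manage Configuration never reaches the Security page. The role names Teacher and Site Operator, all grants, and the exact set of permissions Manage All subsumes per category are assumptions of this example.

```python
"""Added example, not Oracle code: resolves a Spaces application role's
effective permissions from Section 23.3.  From the text: custom roles
inherit from Authenticated-User, which inherits from Public-User; only
Manage All implies other permissions; Manage Configuration is Manage All
minus the Security page.  Assumed: what Manage All subsumes per category."""

# Inheritance edges (Table 23-2); None = no parent (the text gives none for
# Administrator).  Teacher and Site Operator are constructed custom roles.
ROLE_PARENT = {
    "Public-User": None,
    "Authenticated-User": "Public-User",
    "Administrator": None,
    "Teacher": "Authenticated-User",
    "Site Operator": "Authenticated-User",
}

# Assumption: what a category's Manage All subsumes.  Table 23-3 spells it
# out for Application and Spaces; every other permission stands alone.
MANAGE_ALL_IMPLIES = {
    "Application": {"Manage Configuration", "View Application"},
    "Spaces": {"Manage Configuration", "Manage Membership", "Create Spaces"},
}

# Constructed explicit grants as (category, permission) pairs, modelled on
# the defaults the chapter describes for the out-of-the-box roles.
GRANTS = {
    "Public-User": set(),
    "Authenticated-User": {
        ("Application", "View Application"),
        ("Spaces", "Create Spaces"),
        ("Space Templates", "Create Space Templates"),
    },
    "Administrator": {
        ("Application", "Manage All"),
        ("Spaces", "Manage All"),
        ("Discussions", "Create, Edit, and Delete"),
    },
    "Teacher": {("Navigations", "Create")},
    "Site Operator": {("Application", "Manage Configuration")},  # no Security
}


def role_chain(role):
    """The role followed by every ancestor whose grants it inherits."""
    chain = []
    while role is not None:
        chain.append(role)
        role = ROLE_PARENT[role]  # KeyError for an unregistered role
    return chain


def effective_permissions(role):
    """Explicit grants, inherited grants, and what Manage All implies."""
    perms = set()
    for ancestor in role_chain(role):
        perms |= GRANTS.get(ancestor, set())
    for category, implied in MANAGE_ALL_IMPLIES.items():
        if (category, "Manage All") in perms:
            perms |= {(category, p) for p in implied}
    return perms


def has_permission(role, category, permission):
    return (category, permission) in effective_permissions(role)


def can_open_security_page(role):
    """Only Application-Manage All reaches the Security page (Table 23-3)."""
    return has_permission(role, "Application", "Manage All")
```

Listing every registered role for which can_open_security_page() is true is a quick audit of who can manage users and roles after delegation.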


23.3.2.1 Understanding the Default Permissions

Table 23-4 shows the default permissions assigned to out-of-the-box application roles.

✔ - Shows an explicitly granted permission or action.

✙ - Shows an implied permission because of an explicitly granted permission.

Table 23-4 Default Application Roles and Permissions in Spaces

Permissions / Administrator / Authenticated-User / Public-User

Application: Manage All; Manage Configuration; View Application

Spaces: Manage All; Manage Configuration; Manage Membership; Create Spaces

Space Templates: Manage All; Create Space Templates

Pages: Create, Edit, and Delete; Delete; Edit; Customize; View; Create

Content Presenter Templates: Create, Edit and Delete; Create; Edit

Data Controls: Create, Edit and Delete; Create; Edit

Discussions: Create, Edit, and Delete

Links: Create and Delete; Delete; Create

Mashup Styles: Create, Edit and Delete; Create; Edit

Navigations: Create, Edit and Delete; Create; Edit

Page Styles: Create, Edit and Delete; Create; Edit

Page Templates: Create, Edit and Delete; Create; Edit

People Connections: Manage; Update; Connect

Resource Catalogs: Create, Edit and Delete; Create; Edit

Skins: Create, Edit and Delete; Create; Edit

Task Flows: Create, Edit and Delete; Create; Edit


23.3.2.2 Understanding Discussion Server Role Mapping

Some WebCenter Portal services that need access to "remote" (back-end) resources also require role-mapping based authorization. That is, the Spaces roles that allow users to work with the Discussions service in the Spaces application must be mapped to corresponding roles on the WebCenter Portal's discussions server.

Spaces uses application roles to manage user permissions in the Home space and space roles to manage user permissions within a particular space. On the WebCenter Portal's discussions server, a different set of roles and permissions apply.

Users who are working with discussions and announcements in Spaces automatically map to the appropriate discussions server role, shown in Table 23-5 and Table 23-6.

Table 23-5 Discussions Server Roles and Permissions - Application

Discussion Server Role: Administrator

Discussion Server Permissions: Category Admin - Create, read, update and delete sub categories, forums and topics inside the category for which permissions are granted.

Spaces Equivalent Application Permission: Discussions-Create, Edit, and Delete


Table 23-6 Discussions Server Roles and Permissions - For a Space

Discussion Server Role: Moderator

Discussion Server Permissions: Category Admin, Forum Admin

Spaces Equivalent Permissions in a Space:

  • Discussions-Create, Edit, and Delete

    Create, read, update and delete forums and topics.

  • Announcements-Create, Edit, and Delete

    Create, read, update and delete announcements.

Discussion Server Permissions: Create Message, Create Announcement

Spaces Equivalent Permissions in a Space:

  • Discussions-Create, and Edit

    Create and edit topics.

  • Announcements-Create, and Edit

    Create and edit announcements.

Discussion Server Permissions: Read Forum, Create Thread

Spaces Equivalent Permissions in a Space:

  • Discussions-Reply To

    Reply to discussion topics.

Discussion Server Permissions: Read Forum

Spaces Equivalent Permissions in a Space:

  • Discussions-View

    View forums and topics.

  • Announcements-View

    View announcements.

Any user assigned the Application-Discussions-Create Edit Delete permission in the Spaces application is automatically added to WebCenter Portal's discussions server and assigned the Administrator role with the Category Admin permission. Out-of-the-box, the Spaces application assigns the Application-Discussions-Create Edit Delete permission to the Administrator role only, as shown in Figure 23-2.

Figure 23-2 Application Roles - Default Discussion Permissions


Similarly, in a given space, any member assigned discussion and announcement permissions is granted the corresponding permissions on the discussions server. Figure 23-3 shows out-of-the-box discussion and announcement permissions for the default roles Moderator, Participant, and Viewer.

Figure 23-3 Space Roles - Default Discussion Permissions


23.3.2.3 Understanding Enterprise Group Role Mapping

In the Spaces application you can assign individual users or multiple users in the same enterprise group to Spaces roles. Subsequent enterprise group updates in the back-end identity store are automatically reflected in the Spaces application. Initially, when you assign an enterprise group to a Spaces role, everyone in the enterprise group is granted that role. If someone moves out of the group, the role is revoked. If someone joins the group, they are granted the role.

For Spaces to properly maintain enterprise group-to-role mappings, back-end servers, such as the discussions server and content server, must support enterprise groups too. The WebCenter Portal's Discussion Server and WebCenter Content's Content Server versions provided with this release both support enterprise groups, but previous versions may not. See also Section 24.3, "Troubleshooting Issues with Users and Roles."
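An added Python example (not Oracle's code) for the enterprise-group mapping described above: it reconciles role grants and revocations from two constructed identity-store snapshots and follows a revoked Administrator role through to the discussions server role mapping of Table 23-5. The group names, users, the custom Sales role and the reconciliation logic itself are assumptions of this example.

```python
"""Added example, not Oracle code: reconciles enterprise-group-to-role
mappings after an identity-store change (Section 23.3.2.3) and follows
the effect through to the discussions server role (Table 23-5 and the
text after Table 23-6).  Group names, users and both snapshots are
constructed sample data; the reconciliation logic is this example's
own assumption about how such a mapping is kept current."""

# Constructed: Spaces application roles assigned to enterprise groups.
# "Sales" is a custom role (23.3.1.2); the admin group is a delegation
# of the Administrator role as Section 23.2 permits.
GROUP_ROLES = {
    "portal-admins": {"Administrator"},
    "all-sales": {"Sales"},
}

# From Table 23-5: this application permission maps to the discussions
# server Administrator role with Category Admin.  Out-of-the-box only
# Administrator holds it (Figure 23-2); the grants dict is constructed.
DISCUSSIONS_ADMIN = ("Discussions", "Create, Edit, and Delete")
ROLE_GRANTS = {"Administrator": {DISCUSSIONS_ADMIN}, "Sales": set()}

# Constructed identity-store snapshots (group -> members) before and after
# alice is moved out of the admin group and carol is moved in.
BEFORE = {"portal-admins": {"alice"}, "all-sales": {"alice", "bob"}}
AFTER = {"portal-admins": {"carol"}, "all-sales": {"alice", "bob", "carol"}}


def role_holders(group_members):
    """Expand a group snapshot into {user: set of Spaces roles}."""
    holders = {}
    for group, roles in GROUP_ROLES.items():
        for user in group_members.get(group, ()):
            holders.setdefault(user, set()).update(roles)
    return holders


def reconcile(previous, current):
    """Role changes implied by a group update: (granted, revoked) as sets
    of (user, role).  Leaving a group revokes, joining grants (23.3.2.3)."""
    before, after = role_holders(previous), role_holders(current)
    granted, revoked = set(), set()
    for user in set(before) | set(after):
        old, new = before.get(user, set()), after.get(user, set())
        granted |= {(user, r) for r in new - old}
        revoked |= {(user, r) for r in old - new}
    return granted, revoked


def discussions_server_role(roles):
    """Table 23-5 mapping for a user's Spaces roles, or None."""
    if any(DISCUSSIONS_ADMIN in ROLE_GRANTS.get(r, set()) for r in roles):
        return ("Administrator", "Category Admin")
    return None


def discussions_admins(group_members):
    """Users who should currently hold Category Admin on the back end."""
    return sorted(u for u, roles in role_holders(group_members).items()
                  if discussions_server_role(roles) is not None)


def stale_discussions_admins(previous, current):
    """Back-end administrators that a group change should have removed.
    If the discussions server does not support enterprise groups (the
    caveat in 23.3.2.3), these are the accounts to verify by hand."""
    return sorted(set(discussions_admins(previous)) - set(discussions_admins(current)))
```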

23.4 Understanding Roles and Permissions within a Space

When a user becomes a member of a particular space, a different set of roles and responsibilities apply. For details, see Section 54.2, "Managing Roles and Permissions for a Space."

23.5 Understanding Self-Registration

Spaces administrators can enable self-registration for the application. Through self-registration, invited and uninvited users can create their own login and password for the Spaces application. A user who self-registers is immediately and automatically granted access to Spaces and a new user account is created in the identity store. See also Chapter 25, "Enabling Self-Registration."