Skip Headers
Oracle® Fusion Middleware User's Guide for Oracle WebCenter Portal: Spaces
11g Release 1 (11.1.1.6.0)

Part Number E10149-10
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

21 Managing Users, Roles, and Permissions

Application roles control the level of access a user has to information and services in the Spaces application. Specifically, application roles and their permissions determine what a user can see and do in their Home space. This chapter describes how to define and grant application roles to Spaces users. It contains the following sections:

When a Spaces user becomes a member of a particular space, a different set of roles and responsibilities apply. For details, see Section 52, "Managing Space Members and Roles."

Audience

The content of this chapter is intended for Spaces administrators with the Application-Manage All permission.

21.1 Managing Users

Administrators must ensure that all Spaces users have appropriate permissions. To get permissions, users must be assigned to an appropriate application role.

This section tells you how to assign roles and contains the following subsections:

21.1.1 What You Need to Know About Managing Users

From the Users and Groups page (Figure 21-1), administrators can manage application roles for all the users who have access to the Spaces application, that is, all users defined in the identity store. From here, you can change user role assignments, grant administrative privileges, and revoke user permissions.

Only users granted special (nondefault) application privileges appear in this table. Initially, all users in the Spaces identity store are assigned minimal privileges through the Authenticated-User role. Users with the default Authenticated-User role are not listed here. See also, Section 20.3.1.1, "Default Application Roles".

Figure 21-1 Spaces Administration - Users and Groups Page

Spaces Administration - Users Tab

21.1.2 Assigning Users (and Groups) to Roles

Initially, all users in the Spaces identity store are assigned minimal privileges through the Authenticated-User role. You can assign individual users (or multiple users in the same enterprise group) to a different application role through Spaces Administration.

Updates in your back-end identity store, such as new users or someone leaving an enterprise group, are automatically reflected in the Spaces application. Initially, when you assign an enterprise group to a Spaces role, everyone in the enterprise group is granted that role. If someone moves out of the group, the role is revoked. If someone joins the group, they are granted the role.

Note:

For the Spaces application to properly maintain enterprise group-to-role mappings, back-end servers, such as the discussions server and content server, must support enterprise groups too. When back-end servers do not support enterprise groups, the message "Group [name] not found in the Identity Store" displays. See also, Section 21.3, "Troubleshooting Issues with Users and Roles".

To assign a user (or a group of users) to a different application role:

  1. Open Spaces Administration.

    For details, see Chapter 4, "Accessing Spaces Administration Pages."

  2. Click Security, then Users and Groups (Figure 21-1).

    This page lists users to which additional roles are defined.

  3. Choose User or Group from the drop down.

    Select User to grant permissions to one or more users defined in the identity store. Select Group to grant permissions to groups of users.

  4. If you know the exact name of the user or group, enter the name in the box provided, separating multiple names with a comma.

    If you are not sure of the name you can search your identity store:

    1. Click the Find icon (Figure 21-2).

      Figure 21-2 Find Icon

      Grant Roles to Users in the Identity Store

      The Find User (or Find Group) dialog box opens (Figure 21-3).

      Figure 21-3 Finding Users and Groups in the Identity Store

      Choosing a User From Your Identity Store
    2. Enter a search term for a user or group, then click the Search icon.

      For tips on searching for a user or group in the identity store, see Section 52.3.4.1, "Searching for a User or Group in the Identity Store".

      Users (or groups) matching your search criteria display in the Select User dialog box. For more details on which fields are searched, see Section 52.3.4.1, "Searching for a User or Group in the Identity Store."

      Tip:

      • Use * as a wildcard, for example *sales.

      • Leave the search field blank to list all users (or groups) in the identity store.

      • Enter a space between two search terms to search First Name and Last Name, for example jo sm, searches for jo in First Name and sm in Last Name.

    3. Select one or more names from the list.

      To assign roles to multiple users or groups, multi-select all the names required. Ctrl-Click rows to select multiple names.

    4. Click OK.

      The names that you select display on the User and Groups tab.

  5. To assign a role, select a Role from the drop down (Figure 21-4).

    Figure 21-4 Assigning a User Role

    Change Membership Icon

    Select an appropriate role for the selected users (or groups). Only choose Administrator to assign full, administrative privileges for the Spaces application.

    If the role you want is not listed, create a new role that meets your requirements (see Section 21.2.2, "Defining Application Roles").

    When no role is selected, the user assumes the Authenticated-User role. See Section 20.3.1.1, "Default Application Roles".

  6. Click Grant Access.

User/user group names and new role assignment display in the table.

Note:

Group names are clickable enabling you to drill down to see user names of the current group members.

A list of members does not display for dynamic group based on Oracle Entitlements Server (OES) roles since OES roles are based on dynamic attributes and therefore do not have any static members. See also, "Configuring Dynamic Groups" in Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter Portal.

21.1.3 Assigning a User to a Different Role

From time to time, a user's role in the Spaces application may change. For example, a user may move out of sales into the finance department and in this instance, the user's role assignment may change from Sales to Finance.

Note:

You cannot modify your own role or the Fusion Middleware Administrator's role. See Section 20.3.1, "Understanding Application Roles".

To assign a user to a different role:

  1. Open Spaces Administration.

    For details, see Chapter 4, "Accessing Spaces Administration Pages.".

  2. Click Security, then Users and Groups (Figure 21-1).

  3. In the Manage Existing Grants table, scroll down to the user you want.

    Only users with nondefault role assignments are listed in the table. If the user you want is not listed, grant the role required as described in Section 21.1.2, "Assigning Users (and Groups) to Roles."

  4. Click the Actions icon, then choose Change Role from the drop down list.

    The Change Role dialog box opens (Figure 21-5).

    Figure 21-5 Changing a User's Application Role

    Changing Your Space Role
  5. Select roles as follows:

    • Select Administrator to assign full, administrative privileges for the Spaces application.

    • Select select one or more roles from the list available.

      If the role you want is not listed, create a new role that meets your requirements (see Section 21.2.2, "Defining Application Roles").

      At least one role must be selected. To revoke all role assignments, reverting user permissions to the default Authenticated-User role, see Section 21.1.5, "Revoking Application Roles".

  6. Click OK.

New role assignments display in the table.

21.1.4 Giving a User Administrative Privileges

It is easy to give a user full, administrative privileges for the Spaces application through the Administrator role. Administrators have the highest privilege level and can view and modify anything in the Spaces application so take care when assigning the Administrator role.

Some administrative tasks are exclusive to the Administrator role and cannot be performed by granting the Application-Manage All permission. These tasks include editing the login page, the self-registration page, and profile gallery pages. See also, Section 20.3.1.1, "Default Application Roles".

To give a user administrative privileges:

  1. Open Spaces Administration.

    For details, see Chapter 4, "Accessing Spaces Administration Pages.".

  2. Click Security, then Users and Groups (Figure 21-1).

    The Role column indicates which users already have full administrative privileges through the Administrator role.

  3. Click the Users and Groups tab.

  4. In the Manage Existing Grants table, scroll down to the user you want.

    Only users with nondefault role assignments are listed in the table. If the user you want is not listed, follow steps in Section 21.1.2, "Assigning Users (and Groups) to Roles" to grant the Administrator role.

  5. Click the Actions icon, then choose Change Role from the drop down list.

    The Change Role dialog box opens (Figure 21-6).

    Figure 21-6 Changing a User's Application Role

    Changing Your Space Role
  6. Select Administrator to assign full, administrative privileges for the Spaces application.

  7. Select OK.

The new role assignment displays in the table.

21.1.5 Revoking Application Roles

It is easy to revoke application role assignments that no longer apply. You can revoke roles individually or revoke all application roles assigned to a particular user at once.

Revoking all a user's application roles does not remove that user from the identity store and the user still has access to the Spaces application through the default Authenticated-User role.

Note:

You cannot revoke your own role assignments or the Fusion Middleware Administrator's role. See Section 20.3.1, "Understanding Application Roles".

To revoke application roles:

  1. Open Spaces Administration.

    For details, see Chapter 4, "Accessing Spaces Administration Pages.".

  2. Click Security, then Users and Groups (Figure 21-1).

    This page lists users to which additional roles are defined.

  3. In the Manage Existing Grants table, scroll down to the user you want.

  4. Click the Actions icon:

    Access for that user is revoked immediately.

When you delete all the roles assigned to a particular user, the user is no longer listed on the Users page. The user remains in the identity store and still has access to the Spaces application through the Authenticated-User role. See Section 20.3.1.1, "Default Application Roles".

21.1.6 Adding or Removing Users

Spaces administrators cannot add new user data directly to the Spaces identity store or remove user credentials. Identity store management is the responsibility of the systems administrator and takes place through the WLS Administration Console or directly into embedded LDAP identity stores using LDAP commands. See also, "Adding Users to the Identity Store Using the WLS Administration Console" in Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter Portal.

Spaces administrators can, however, enable self-registration for the application. Through self-registration, invited and uninvited users can create their own login and password for the Spaces application. A user who self registers is immediately and automatically granted access to the Spaces application and a new user account is created in the identity store. See also, Chapter 22, "Enabling Self-Registration".

21.2 Managing Application Roles and Permissions

The Spaces application uses application roles to manage permissions for users working in their Home space. This section tells you how to manage application roles, and their permissions from Spaces Administration pages. It contains the following subsections:

21.2.1 What You Need to Know About Application Roles and Permissions

From the Roles page (Figure 21-7), administrators can manage application roles and permissions. From here, you can edit the permissions assigned to an application role, create new application roles, or delete unused roles.

Figure 21-7 Spaces Administration - Roles Page

Spaces Administration - Roles Tab

Application roles apply when a user is working within their Home space. A different set of roles and permissions apply when a user is working within a particular space. It is the space moderator's responsibility to determine suitable role assignments for each of its members. See also, Section 21.2, "Managing Application Roles and Permissions".

The Spaces application provides several default application roles. You cannot delete default application roles but you can modify the default permission assignments for each role. For more information, see Section 20.3, "Understanding Application Roles and Permissions".

21.2.2 Defining Application Roles

Use roles to characterize groups of Spaces users and determine what they can see and do in their Home spaces.

When defining application roles, use self-descriptive role names and try to keep the role policy as simple as possible. Choose as few roles as you can, while maintaining an effective policy.

Take care to assign appropriate access rights when assigning permissions for new roles. Do not allow users to perform more actions than are necessary for the role but at the same time, try not to inadvertently restrict them from activities they must perform. In some cases, users might fall into multiple roles.

To define a new application role:

  1. Open Spaces Administration.

    For details, see Chapter 4, "Accessing Spaces Administration Pages.".

  2. Click Security, then Roles (Figure 21-7).

    Current application roles for the Spaces application display as columns in the table.

  3. Click Create Role to define a new role for Spaces users.

    Figure 21-8 Creating a New Role

    Creting a new role
  4. Enter a suitable name for the role.

    Ensure the role names that are self-descriptive. Make it as obvious as possible which users should belong to which roles. Role names can contain alphanumeric characters, blank spaces, @, and underscores.

  5. (Optional) Choose a Template Role.

    The new role inherits permissions from the template role. You can modify these permissions in the next step.

    Choose Administrator to create a role that inherits full, administrative privileges. Conversely, choose Public-User to create a role that typically provides minimal privileges. Alternatively, choose a custom application role to be your template.

  6. Click OK.

    The new role appears as a column in the table. The permissions list shows which actions users with this role can perform.

  7. To modify user permissions for the role, select or clear each permission checkbox.

  8. Click Apply to save any changes that you make to the role's permissions.

21.2.3 Modifying Application Role Permissions

Administrators can modify the permissions associated with application roles at any time. Application permissions are described in Section 20.3.2, "Understanding Application Permissions".

Application role permissions allow individuals to perform specific actions in their Home space. No permission, except for Manage All, inherits privileges from other permissions.

Note:

Application permissions cannot be modified for the Administrator role. See also Section 20.3.1.1, "Default Application Roles".

To change the permissions assigned to a role:

  1. Open Spaces Administration.

    For details, see Chapter 4, "Accessing Spaces Administration Pages.".

  2. Click Security, then Roles (Figure 21-7).

    Current application roles for the Spaces application display as columns in the table.

  3. Select or clear Permissions checkboxes to enable or disable permissions for a role.

  4. Click Apply to save.

The new permissions are effective immediately.

21.2.4 Granting Permissions to the Public-User

Anyone who is not logged in to the Spaces application assumes the Public-User role. Out-of-the-box, the Public-User role is granted minimal privileges, that is, the View Application permissions only.

Caution:

Take care when granting permissions to the Public-User role. Avoid granting administrative permissions such as Application-Manage All, Application-Manage Configuration, or any permission that might be considered unnecessary. See also, Section 20.3.2, "Understanding Application Permissions".

Granting the Application-View Permission

The View Application permission allows unauthenticated users to see public Spaces application pages, such as the welcome page, and also content that individual users choose to make public.

When View Application permissions are granted to the Public-User role:

  • Ensure that users understand that any personal page or personal content they choose to make public will become accessible to unauthenticated users outside of the Spaces community, that is, anyone with Web access.

  • Consider customizing the default welcome page that displays to public users before they login (Welcome Page). See Section 7.3.2, "Customizing System Pages".

If you do not want unauthenticated users to see Spaces content that is marked 'public', do not grant the View Application permission to the Public-User role. When public access is disabled, public content cannot be seen by unauthenticated users. Also, the welcome page for Spaces is not displayed; public users are directed straight to a login page. Administrators may customize the default login page, if required. See Section 7.3, "Working with System Pages".

Granting Other Permissions

Be careful when assigning permissions to the Public-User role. For security reasons, Oracle recommend that you limit what anonymous users can see and do in the Spaces application.

21.2.5 Granting Permissions to the Authenticated-User

Anyone who is logged in to the Spaces application assumes the Authenticated-User role. Out-of-the-box, the Authenticated-User role is granted minimal privileges, through the following permissions: View Application, Spaces-Create, Space Templates-Create, Pages-Create, Update People Connections Data, and Connect with People.

Other important notes:

  • The Authenticated-User role always inherits permissions from the Public-User role.

  • Custom application roles all inherit permissions from the Authenticated-User role.

21.2.6 Deleting Application Roles

When an application role is no longer required you should remove it from the Spaces application. This helps maintain a valid role list, and prevents inappropriate role assignment.

Application roles are deleted even when users are still assigned to the them. As you cannot delete any default roles, Spaces users will always have the Authenticated-User role.

Note:

Default roles cannot be deleted (Administrator, Authenticated-User, Public-User). See Section 20.3.1.1, "Default Application Roles".

To delete an application role:

  1. Open Spaces Administration.

    For details, see Chapter 4, "Accessing Spaces Administration Pages.".

  2. Click Security, then Roles (Figure 21-7).

    Current application roles for the Spaces application display as columns in the table.

  3. Select the Delete Role icon next to the role you want to delete (Figure 21-9).

    Figure 21-9 Deleting an Application Role

    Deleting a User Role
  4. Click OK to confirm that you want to delete the role.

    The role is removed from the table. Any users assigned to this role only, assume the default Authenticated-User role and do not display on the Users and Groups tab.

21.3 Troubleshooting Issues with Users and Roles

For the Spaces application to properly maintain enterprise group-to-role mappings, the back-end discussions server and content server must support enterprise groups. WebCenter Portal's Discussion Server and WebCenter Content's Content Server versions provided with Oracle WebCenter Portal 11.1.1.2.0 and later both support enterprise groups but previous versions may not.If a back-end server does not support enterprise groups, an error message similar to that shown in Figure 21-10 displays when you try to add a group.

Warning: Group [name] not found in Identity Store

Figure 21-10 Error Message Displayed If Back-end Servers Do Not Support Enterprise Groups

Message When Servers Do Not Support Enterprise Groups

Also, an error is logged containing more detailed information as shown here:

[2011-03-28T01:03:07.143-07:00] [WC_Spaces] [NOTIFICATION] [WCS-07855] 
oracle.webcenter.doclib.internal.spaces.AbstractDoclibRoleMapper] [tid: pool-1-daemon-thread-1] [userId: monty] 
[ecid: a4789a41d7e6bc9f:36de4556:12efb72d049:-8000-00000000000002c0,0:5] 
[APP: webcenter#11.1.1.4.0] Adding groups [oracle.webcenter.security.common.WCGroup@18b96a3] to documents service roles [Administration, Delete Documents, Create and Edit Documents, View Documents] for
 scope Scope[name=rbgs25mar01, guid=sbf125dd4_cd43_41cc_9d3d_467d06e84100][2011-03-28T01:03:09.122-07:00] [WC_Spaces] [ERROR] [WCS-44002] [oracle.webcenter.security.rolemapping.RoleManager] 
[tid: [ACTIVE].ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: monty] 
[ecid: a4789a41d7e6bc9f:36de4556:12efb72d049:-8000-00000000000002c0,0] 
[APP: webcenter#11.1.1.4.0] The Role Mapping provider encountered an exception while performing security role mapping for service oracle.webcenter.doclib.
[[oracle.webcenter.security.rolemapping.spi.RoleMappingSPIException: Cannot add role null and permissions, 15, to the account for the folder, rbgs25mar01 for the user/group Admin.        at
oracle.webcenter.doclib.internal.spaces.UCMSpacesUtils$2.newException(UCMSpacesUtils.java:2595)

Note:

In previous releases, if a back-end server did not support enterprise groups, users belonging to enterprise groups were individually added to Spaces roles; this behavior has changed.