6 Working with ACLs and Roles

You control access to WebCenter Sites with the use of Access Control Lists (ACLs), user accounts, and roles. You begin site configuration with the creation of ACLs, user accounts, and roles. This section provides an overview of ACLs and roles, and describes how to set up and manage users’ access on the management system.

ACLs are used on both your management and your delivery systems. However, the main focus of the following topics is user management on the management system. For more information about user management on your delivery system, see The WebCenter Sites Development Process in Developing with Oracle WebCenter Sites.

6.1 Overview of ACLs and Roles

You can control access to the WebCenter Sites system or database tables by assigning ACLs to users, database tables, and WebCenter Sites pages. To manage access to sites and their components you use roles. If you would like to enable interface functions or hide them, you can assign roles to users and interface functions on a site.

If a user's ACLs match the database ACLs, the user has permission (defined by the ACLs) to operate on the database tables. ACLs therefore serve as the foundation of the security and user management model. Without ACLs user accounts cannot be created.

If the user's roles match the roles that are assigned to the interface functions, the functions are enabled for the user. Otherwise, the functions are hidden.

Before you can establish users you must determine ACLs and roles for the users. If the ACLs and roles do not exist, you must create them in WebCenter Sites, even if you intend to use LDAP plug-ins to create the user accounts.

6.2 Access Control Lists (ACLs)

Access Control Lists (ACLS), are named sets of database operation permissions such as read, write, create, and retrieve. Because just about everything in WebCenter Sites (and the WebCenter Sites content applications) is represented as one or more rows in one or more database tables, user management on any of your WebCenter Sites systems starts with ACLs.

With ACLs, you can limit access to the following items:

Individual database tables
Individual WebCenter Sites pages

Oracle WebCenter Sites and the WebCenter Sites content applications control a user's access rights to the database tables that represent those functions through ACLs. WebCenter Sites verifies that the users attempting the function have the same ACL assigned to their user accounts as are assigned to the database table.

For example, user account information is contained in the system tables named SystemUsers and SystemUserAttrs. Because certain ACLs are assigned to those system tables, only a user with the same ACLs assigned to his or her user account is able to create users or edit existing user information.

ACLs serve as the foundation of the security and user management model in your WebCenter Sites system by providing authorization functionality. Even if you are using an external user manager like LDAP to store user information, you must use WebCenter Sites ACLs.

A user must always have at least the Browser ACL to view WebCenter Sites pages. However, additional ACL restrictions are enforced only when the cc.security property in the wcs_properties.json file (categorized under Core) is set to true. For more information about the cc.security property, see Core Properties in Property Files Reference for Oracle WebCenter Sites. Also see Setting Up External Security.

ACLs are assigned to three things: user accounts, database tables, and page entries in the SiteCatalog table (that is, WebCenter Sites pages).

Note:

User management on your delivery system is also based on ACLs. If your online site is designed to require visitors to register or log in before they can access areas of the site, you create the ACLs that are required on the delivery system and then assign them to the appropriate database tables.

Typically your site designers take care of assigning ACLs to WebCenter Sites pages. Managing Users on the Management System in Developing with Oracle WebCenter Sites discusses how to design a user management process on the delivery system and provides code samples for pages that log visitors in to the site and verify their identities.

Topics:

6.2.1 ACLs for User Accounts

Every user must be assigned at least one ACL and the ACLs assigned to a user define that user's access to the WebCenter Sites system.

While users have one user account and one set of ACLs, no matter how many sites they have access to, they can have one set of roles for one site and a different set of roles for another site. Therefore, users must be assigned all the ACLs necessary to provide them the permissions that they must fulfill all of their site-specific roles.

For example, if you create a role that allows a user with the role the ability to create template assets, the user assigned that role must also be assigned the ElementEditor ACL, because creating templates writes data to the ElementCatalog table.

Oracle WebCenter Sites and the WebCenter Sites content applications use several system ACLs to control user access to their features and functions. Different combinations of these ACLs must be assigned to users. Information about system ACLs and their permissions are given in System Defaults.

6.2.2 ACLs for Database Tables

To restrict access to the data in a table, assign an ACL to it through the WebCenter Sites Database forms available through the Admin node (under the General Admin tree). Then, only those users with the same ACL have access to the data in that table.

If you assign multiple ACLs to a table, a user only requires one of those ACLs to access the table. The user's access rights to that table (read, write, create, and so on) are the ones defined by the ACL.

All of the WebCenter Sites system tables (and several of the WebCenter Sites content applications tables) have ACL restrictions. The SystemInfo table lists all the tables in the WebCenter Sites database and the ACLs assigned to them. See Assigning ACLs to Custom Tables.

Note:

Do not add ACLs to database tables through the Oracle WebCenter Sites Explorer application. Instead, use the Sites Database option in the System Tools node of the Admin node.

With one exception—to register a foreign table in the WebCenter Sites database—never attempt to change the information in the SystemInfo table even if your user account has the ACL that allows you to do so. See Foreign Tables in Developing with Oracle WebCenter Sites.

6.2.3 ACLs for Page Entries in the SiteCatalog Table

The SiteCatalog table holds page entries for all the pages shown for the WebCenter Sites content applications and the pages shown for your online site (that is, the site that you are delivering from the delivery system). To restrict access to a page, assign an ACL to it.

Typically, site developers determine how page restrictions should be configured on the delivery system. If you are customizing the user interface on the management system, however, you might have to use ACLs to restrict access to your custom pages.

6.2.4 System ACLs

A newly installed WebCenter Sites system contains only system ACLs. No additional ACLs have been created for any of the sample sites that are packaged with WebCenter Sites.

6.2.5 Custom ACLs

Because WebCenter Sites provides a comprehensive set of ACLs, it is unlikely that you will have to create your own. However, situations can arise where user management requirements on the management or delivery systems require you to create ACLs. For example:

If your site requires user registration, you may have to create a set of ACLs for site visitors.
If your developers create functions and put them on new tabs to customize the management system, you might have to create additional ACLs (or roles) to support the new functions and tabs.

Although creating and applying ACLs is an administrative task, you must first work with your site designers and developers to determine which ACLs you require and how to apply them.

6.3 Working with ACLs

Note:

When using an LDAP integration option, be aware of system response to user and site management operations. For information about system response, see Users, Sites, and Roles in LDAP‐Integrated Sites Systems.

6.3.1 Creating an ACL

Note:

When creating ACLs, consider the roles you are using to ensure that the ACLs are commensurate with the roles. For example, if you are creating a role that allows a user to create template assets, the user who is assigned that role must also be assigned the ElementEditor ACL, because creating templates writes data to the ElementCatalog table.

To create a new ACL:

In the General Admin tree, expand the Admin node, expand the User Access Management node, and then double‐click ACLs.

The ACLs form opens.
Select Add ACL and click OK. The value in the Select an ACL field does not matter at this point.

The Add ACL form opens.

Figure 6-1 Add ACL Form

Description of "Figure 6-1 Add ACL Form"
In the ACL Name field, enter a unique name.
Select the access privileges you want to assign to this ACL.
Click Add.

WebCenter Sites creates the ACL and writes it to the SystemACL table. The new ACL opens in the drop-down list in the form described in step 1 of this procedure.

Note:
For a new ACL that is created in LDAP, in order to use it in Sites user interface, add an entry for the newly created ACL in SystemACL table.
If you are using LDAP, create a group (on your LDAP server) that exactly matches the ACL you just created. After you create the group, assign it to the appropriate users.

6.3.2 Editing a Custom ACL

Caution:

Never modify any of the system ACLs. For a list of these ACLs, see System ACLs and Their Permissions.

To edit a custom ACL:

In the General Admin tree, expand the Admin node, expand the User Access Management node, and then double‐click ACLs.

The ACLs form opens.
In the Select an ACL field, select the ACL to edit.
Select Modify ACL and click OK.

If the ACL you selected is a system ACL, an alert opens. Do not modify system ACLs.
In the Modify ACL form, make the changes to the Description and Access Privileges. For information about the options, see Permissions.
Click Modify.

WebCenter Sites writes your changes to the SystemACL table.

6.3.3 Deleting a Custom ACL

Caution:

Never delete a system ACL. For a list of these ACLs.

To delete a custom ACL:

If you are using LDAP, delete (from your LDAP server) the group corresponding to the ACL you are deleting.
In the General Admin tree, expand the Admin node, expand the User Access Management node, and then double‐click ACLs.

The ACLs form opens.
In the Select an ACL field, select the ACL to delete.
Select the ACL from the drop-down list and click OK.

A warning message opens.
Click OK.

The ACL has been deleted.

6.3.4 Assigning ACLs to Custom Tables

If you or the site designers create tables, you might have to restrict access to those tables by assigning ACLs to them. Typically, you assign ACLs to new tables when you create those tables. (See Controlling User Access in Developing with Oracle WebCenter Sites.)

Note:

Do not assign additional ACLs (beyond the ones assigned by default) to system or core product tables.

To assign ACLs to an existing table:

In the General Admin tree, expand the Admin node, expand the System Tools node, and then double‐click Sites Database.

The Sites Database form opens.
Enter the name of the table to which you want to assign ACLs. If you do not know the name of the table you want to work with, do the following:
- Leave the field blank. WebCenter Sites will return a list of all tables in the database.
- Enter a partial name, ending with the wildcard character (%). WebCenter Sites will return a list of tables named similarly to your criteria.
Select Modify Table and click OK.
In the list of tables, select the table.

The Modify Catalog form opens.
In the ACL field, select the ACL(s) you want to assign to the selected table. To select multiple ACLs, Ctrl-click each ACL. You can also select a range of ACLs by selecting the first and last ACL in the range with Shift-click.

Note:

Do not change the value of the File Storage Directory field. For information about this field, look up the defdir property in Indirect Data Storage with the WebCenter Sites URL Field in Developing with Oracle WebCenter Sites.
Click Modify.

6.3.5 Assigning ACLs to WebCenter Sites Pages

ACLs are nearly always set using the Oracle WebCenter Sites Explorer tool. However, administrators can assign ACLs to the page entry created for SiteEntry or template assets through a field in the Create or Edit form.

To assign ACLs to a SiteEntry asset:

Find and open the SiteEntry asset to modify.
In the Access Control Lists field, select the ACLs to assign to this asset.
Save the asset.

The Access Control Lists field is available when creating a new SiteEntry asset as well. Assign ACLs when creating SiteEntry assets in the same way.

To assign ACLs to a template asset:

Find and open the template asset to modify.
Select the Element section.
In the Access Control Lists field, select the ACLs to assign to this asset.
Save the asset.

The Access Control Lists field is available when creating a new template asset as well. Assign ACLs when creating template assets in the same way.

To assign ACLs to pages that are not associated with a SiteEntry asset or a template asset, use the Oracle WebCenter Sites Explorer tool.

6.4 Roles

Roles manage site-specific access to WebCenter Sites interface functions. They represent a job description or the title of individuals with similar functions: for example, content provider, editor, site designer, and administrator. Each WebCenter Sites user has one user definition (account) no matter how many sites have been created; however, the user's roles can vary by site.

When you enable a user for a site, you enable that user within the context of the jobs that user does for that site.

The roles assigned to a user for a site determine the following:

Which assets the user can create on that site.
Which assets the user can search for on that site.
Which tabs are opened in the tree when the user logs in to the site.
Whether the user is eligible for participation in any workflow processes, and, if so, for which steps in those workflow processes.
Which functions a user can or cannot perform on an asset while it is moving through a workflow process.
Whether the user can administer a workflow process or create or modify a workflow group on that site.

Understanding System Roles

Several system roles are installed by WebCenter Sites. One role is required for the WebCenter Sites content applications to function, and three are required for the WebCenter Sites administrators to function. See System Roles.

Understanding Custom Roles

Unlike ACLs, roles are objects that you will most likely have to create to account for the full range of users' responsibilities on your sites. To create roles, follow instructions in the section, Working with Roles.

Understanding Sample Roles

If you installed one or more sample sites, you will have access to several sample roles that are included with the sites. The roles permit the sample site users to access different tree tabs. You can use the sample roles as examples of how you can configure access control on your sites.

6.5 Working with Roles

You can create, edit and delete roles assigned to the users of a site to manage access to the site and its components.

The following topics show you how to create, edit, and delete roles.

Note:

If you are using LDAP, be aware of system responses to user and site management operations. For more information about system responses, see Users, Sites, and Roles in LDAP‐Integrated Sites Systems.

6.5.1 Creating a Role From the Admin Interface

To create a new role:

In the General Admin tree, expand the Admin node, expand the User Access Management node, expand the Roles node, and then double-click Add New.

The Add New Role form opens.
In the Name field, enter a unique name of up to 32 characters.

Note:

The following characters are not permitted in the Name field: single quote ('), double quote ("), semicolon (;), colon (:), less-than sign (<), and greater-than sign (>). Additionally, the Name field cannot end with a backslash (\).
In the Description field, enter a short and informative description of no more than 255 characters.

Note:
If you want to see/use a new role that is created in LDAP in Sites user interface, for example, workflow related operations or assign roles to tree tabs, add an entry for the newly created role in CCRoles table.
Click Add New Role.
Add the role to the default tree tabs (Workflow, Bookmarks, Site Admin, Admin, and Site Plan), as appropriate. For instructions, see Editing Trees and Nodes.

6.5.2 Editing a Role From the Admin Interface

Although you cannot change the name of a role after you have created it, you can edit the description of the role.

To edit the description of a role:

In the General Admin tree, expand the Admin node, expand the User Access Management node, and then double-click Roles.

A list of all roles opens in the main window.
In the list of roles, navigate to the role you want to edit and click its Edit icon.
In the Edit Role form, make your changes, then click Save.

6.5.3 Deleting a Role in the Admin Interface

Caution:

Do not delete any of the system default roles: GeneralAdmin, SiteAdmin, WorkflowAdmin, AdvancedUser, WebCenter Sites User.

To delete a role:

In the General Admin tree, expand the Admin node, expand the User Access Management node, and then double-click Roles.

A list of all roles opens in the main window.
In the list of roles, navigate to the role you want to delete and click its Delete (trash can) icon.

A confirmation message opens.
Click Delete Role.

The role is deleted.