7
Task 4: Set Up Security

This chapter provides information on setting up user, folder, and document security. Topics include:

• Overview of Security in Oracle iFS

• Users and Groups as Grantees

• Primary User Profiles and Default ACLs

• Creating a Custom ACL

• Modifying ACLs

• Deleting ACLs

• Using the Web Interface to Apply ACLs to a Folder or File

• Using the Windows Interface to Apply an ACL

• Using XML to Create an ACL

Overview of Security in Oracle iFS

Security for all objects, including folders and files, is maintained through Access Control Lists (ACLs) and Access Control Entries (ACEs). An ACL has a name and a set (one or more) of ACEs.

The System ACLs

There are four system ACLs for you to apply to your documents and folders. These ACLs cover the most common security needs in most shared environments. The system ACLs are listed and described in the table below.

ACL	Description
Private	Grants no permissions to any other user. Other users cannot view, modify, or delete a user's document in any way, unless changed by the owner.
Protected	Enables other users to see the files in the folder, add documents and folders to the folder, and remove documents and folders they have created from the folder, but are not allowed to delete the folder itself.
Public	Allows full access to the item. All users can make any changes that the owner can make.
Published	Allows other users to view the contents, but they are not allowed to modify or delete the document.

Note: You should not modify these system ACLs.

All objects may have an associated ACL. If no ACL is assigned, the object is PRIVATE (only the owner has full access to it). If a default ACL is specified in a user's Primary User Profile, that ACL is assigned to the new public object created by that user.

Similar to files, ACLs have an ACL associated with them to manage the users who can use them or modify them. System ACLs can be created and modified by system administrators only.

Working with ACEs

Each ACE is comprised of a:

• Grantee--A grantee is a specific Oracle iFS user or group.

• Set of Permissions--The permissions granted to the user or group, or revoked from the user or group.

• Action--Specifies the action to be taken, either Grant or Revoke.

For each user or group, you need to decide which of the permission bundles will be granted to them. Permission bundles are sets of permissions that are applied to users. The set of permission bundles assigned to a specific user or group is called an Access Control Entry (ACE).

ACLs give you the flexibility to grant the permission bundles your co-workers require while helping to protect your files against accidental modification or unauthorized access.

By setting the permission bundles for an individual or group, you create an Access Control Entry (ACE) in your Access Control List (ACL). It's possible to create a different ACE for every user in your Oracle iFS repository for every file you control, but, in most cases, the standard ACLs that come with Oracle iFS should meet your needs, and the remaining cases can be handled by creating an ACL.

When you define an ACE, the first choice you must make is whether the ACE you're creating is going to grant the permission bundles you select, or revoke them. If you are going to give only a few permission bundles to a selected user or group, choose Grant, and select only the permission bundles that they will be given. If you are going to give the selected user or group general access with only a few restrictions, choose Revoke. Then explicitly grant those permission bundles to the grantee.

Working with Permission Bundles

A permission bundle is a collection of permissions. Permission bundles are convenient because you do not have to specify the individual permissions. For example, the permission bundle, "All," is a collection of permissions which grants all possible permissions. A permission bundle can be granted to a user or group, or revoked from a user or group. Oracle iFS Manager, the Web interface, and the Windows interface support ACLs and ACEs with permission bundles.

The following table lists the permission bundles used in Oracle iFS and the permissions they contain. The ClassCreate and ClassRestrictedCreation permission bundles are used exclusively for ACLs associated with class objects and are also known as ClassAccessControlLists.

Permission Bundle	Description	Permissions
All	All permissions are included.	Discover, SetAttribute, GetContent, SetContent, Delete, Lock, Grant, AddMember, RemoveMember, AddItem, RemoveItem, AddRelationship, RemoveRelationship, AddVersionSeries, RemoveVersionSeries, AddVersion, RemoveVersion, SetDefaultVersion, SetPolicy
Read	User can find and read the content of the object.	Discover, GetContent
Delete	Users can find and delete the object.	Discover, Delete
Modify	Users can find and modify the object.	Discover, SetAttribute, GetContent, SetContent, Lock, AddMember, RemoveMember, AddItem, RemoveItem, AddRelationship, RemoveRelationship, AddVersionSeries, RemoveVersionSeries, AddVersion, RemoveVersion, SetDefaultVersion, SetPolicy
Protected	To be used for folders; users can find the folder and add or delete folder items, but they cannot modify the folder.	Discover, AddItem, RemoveItem
ClassPublic	To be used with class object; users can create instances of this class and search them.	Create, SelectorAccess
ClassRestrictCreation	To be used with class object; users can access instances of this class.	SelectorAccess

The permissions bundled in the above permission bundles are listed and defined in the table below. "Item" can be either a file or directory, unless stated otherwise.

Permission	Definition
Add Item	Grantee can add an item to a folder.
Add Member	Grantee can add a member to a group.
Add Relationship	Grantee can create a link to the item in another folder.
Add Version	Grantee can update a versioned file.
Add Version Series	Grantee can change a file to a versioned file.
Create	Grantee can create instances of a class object. Applies only to ClassAccessControlLists.
Delete	Grantee can delete the object.
Discover	Grantee can browse to the item through a Directory Tree, and can find the item using Find operations.
Get Content	Grantee can view and copy the content of the file.
Grant	Grantee can modify the ACL assigned to the item to grant additional permissions.
Lock	Grantee can lock and unlock the object.
Remove Item	Grantee can delete an item from the folder.
Remove Member	Grantee can remove a member from a group.
Remove Relationship	Grantee can delete an existing link to the item in another folder.
Remove Version	Grantee can remove a version of a versioned file.
Remove Version Series	Grantee can remove a version series from a family. Permission applies to the family.
Selector Access	Grantee can search a class in either a search or selector. Applies only to ClassAccessControlLists. Selector access is governed by the class's ClassACL.
Set Attribute	Grantee can change any of the item's attributes.
Set Content	Grantee can change the contents of the file.
Set Default Version	Grantee can change the default version of a version series of a family or version series.
Set Policy	Grantee can change a policy property bundle associated with a public object. Permission applies to the policy property bundle.

Oracle iFS only allows the creation of new permission bundles using XML.

Users and Groups as Grantees

Groups and ACLs provide a powerful mechanism for managing access to objects. Assume a group is defined as a grantee in an ACE. If the group membership is changed, either by adding or deleting a member, those changes are reflected automatically in access to the object. If the group is granted permissions on an object and a new member is added to the group, that new member automatically has access to the object the on which the group has permission. The order of the ACEs is significant. The ACL is resolved in the order of the ACEs.

Users can also be specified as a grantee in an ACE. For example, if the user "jsmith" is part of the group "ifsdev." The ACL results in everyone in "ifsdev" having full access, except "jsmith," who cannot delete the object.

• ACL Name--IFSDEV ACL

• ACL Description--Grants read access to "ifsdev" and, in addition, allows "jsmith" the delete permission.

• ACEs (or ACL):

  Grantee	Permission Bundle	Grant or Revoke
  IFSDEV	Read	Grant
  JSMITH	Delete	Grant

  Note: If the order of the grantees is reversed, the ACL in the example above would resolve to "jsmith" having only DELETE permissions.

Primary User Profiles and Default ACLs

Each user has a Primary User Profile. One of the attributes of this profile is a set of default ACLs. These ACLs determine the default ACL associated with all objects the user creates. Default ACLs can be:

• Explicit--An ACL for each class.

• General--One ACL for a public object and its subclass.

Default ACLs are used at the time an object is created, unless the creator specifies a different ACL. The ACL can be changed at any time after the object has been created.

When an object has no ACL, the owner and administrator have access to it. Therefore, it is strongly recommended that a Primary User Profile with the default ACLs specified is created for each user. Creating a user with Oracle iFS Manager, the Web interface, or XML creates a user profile with the following default ACLs:

• Non-administrator user--PUBLISHED, except Mailbox, Mail Document, Mail Folder, and Message, which are PRIVATE.

• Administrator user--PRIVATE, except ACL, Property Bundle, Directory Object, Version Series, and Version Description, which are PUBLISHED.

Creating a Custom ACL

If you want to create a batch of ACLs, use the Create Like option. This creates an ACL similar to an existing ACL, which you can then customize. To apply an ACL, to a file or folder, use the Web or the Windows interface.

Note: You do not need administrative permissions to define ACLs, therefore, users can also define ACLs.

To create a custom ACL:

1. On the Oracle iFS Manager toolbar, click Create.

2. Select Access Control List from the Select Object Type window and click Create. The Create Access Control List window displays:

3. In the Name field, type a name for the ACL.

4. Select the ACL type from the drop-down list. The choices are:
   • AccessControlList--Any custom ACL created.

   • SystemAccessControlList--Generally for system-wide use.

   • ClassAccessControlList--Used only for class objects.

5. In the Description field, type an optional description for the ACL. The description is used to describe the type of ACL.

6. Select an ACL for this ACL from the drop-down list. Because the ACL itself is a file, it needs access security.

7. Select the groups or users for whom you want to create ACEs. Hold down the Control key to select multiple items. Click the Add button to add the groups or users to the Selected Users/Groups list.

8. Associate a permission bundle with each grantee by selecting the corresponding checkbox.

   Each of the users or groups you selected can have a separate set of ACEs associated with it. For each, select Grant to grant the permission bundles you select. If Grant is not selected, the permission bundles you select are revoked from that user or group. Scroll right to see all of the available permission bundles.

9. Click Create. The ACL displays in the Navigator.

See Also

For more information on creating and applying ACLs, see "Using the Windows Interface to Apply an ACL".

Modifying ACLs

To modify ACLs, use the Detail View on the Oracle iFS Manager. To display the ACL you want to modify:

1. In the Navigator, under Administrator's tasks, click Access Control Lists.

2. Click the ACL you want to modify. The properties of the ACL display in the Detail View.

3. You can only perform the following tasks:
   • Modify the ACL description and the ACL applied to this ACL.

   • Add or remove entries (ACEs) and modify their permissions.

4. Click Apply to apply changes. Click Revert to restore the original ACL properties.

Note: Modifying system or class ACLs is not recommended.

Deleting ACLs

To delete an ACL, select the ACL to be deleted and do one of the following:

• Click the Delete button on the toolbar.

• On the menu bar, select Delete from the Object option.

Confirm the delete operation by selecting Yes in the confirmation dialog box.

Using the Web Interface to Apply ACLs to a Folder or File

To apply an ACL to a file or folder:

1. Navigate to the folder or file to which you want to apply the ACL.

2. Click the Select checkbox to the left of the file or folder. You can select more than one item at a time.

3. Click Edit and select Apply ACL. A dialog displays with a list of all system ACLs and custom ACLs you have added.

4. Select the ACL you want to apply to the selected file(s) or folder(s).

5. Click OK.

   A success message displays to tell you that the ACL has been applied to the items.

6. Click OK.

Using the Windows Interface to Apply an ACL

To apply an ACL to a file or folder:

1. Navigate to the file or folder for which you want to apply an ACL.

2. Right-click the file, then select Properties.

3. On the Properties dialog box, click the Oracle iFS Security tab.

4. To apply an existing ACL, click the Use Existing ACL and select the ACL from the window.

5. Click Use ACL. The ACL is ready to be associated with the file or folder.

   Click Apply or OK to associate the ACL with the file or folder.

Using XML to Create an ACL

Through XML, you can create an ACL using the existing permission bundles. In addition, you can also create your own custom permission bundle. Once you have created your own permission bundle, you can use Oracle iFS Manager, the Web interface, or XML to create ACLs using the custom permission bundle.

Example

To create your own custom permission bundle:

<PermissionBundle> 
      <Name> MyPermissionBundle </Name> 
      <AccessLevel> 
            <Discover> true </Discover> 
            <GetContent> true </GetContent> 
            <SetContent> false </SetContent> 
      </AccessLevel> 
</PermissionBundle> 

To create an ACL using the custom permission bundle:

<AccessControlList> 
  <Name> MyAcl </NAME> 
  <Description> Custom ACL using custom permission bundle </Description>
  <ACEs> 
    <AccessControlEntry> 
      <Grantee classname='directorygroup' Reftype="name"> ifsdev </Grantee> 
      <Active> true </Active> 
      <Granted> true </Granted> 
      <PermissionBundles> 
         <PermissionBundle Reftype='name'> MyPermissionBundle </PermissionBundle>
      </PermissionBundles>
    </AccessControlEntry> 
  </ACEs> 
</AccessControlList>