Oracle Internet File System Setup and Administration Guide
Release 1.1

Part Number A81197-05


5
Task 2: Add Users and Groups

The second task involved in setting up Oracle iFS is to add users and define groups of users for ease of administration. This chapter steps you through determining which Oracle iFS administration tool to use and the basic steps to follow with each tool. The following topics are included:

Understanding Users in Oracle iFS

Out-of-the-box, most people will use Oracle iFS as an enhanced file system. To customize Oracle iFS for your organization, some of these users should have administrative permissions. To manage users, you need to manage information in both the Oracle iFS server and the Credential Manager.

User Profiles

Oracle iFS maintains Oracle iFS-specific user information in user profiles. Each active Oracle iFS user has a Primary User Profile, an e-mail user profile, and, optionally, extended user profiles:

Credential Manager Users

Oracle iFS uses a credential manager to authenticate users. A credential manager is an extensible authentication mechanism that determines the validity of a credential, such as a user name and password.

Each Oracle iFS user specifies the name of the credential manager used to authenticate that user, as well as the distinguished name that identifies that user to the credential manager.

A single default credential manager is created when Oracle iFS is installed. For each Oracle iFS user created, a corresponding entry, consisting of the user's distinguished name and password, is stored in this default credential manager.

The default credential manager optionally requires users to be RDBMS users. If this feature is enabled, the Oracle iFS user named "jsmith" could only log into Oracle iFS if there was an RDBMS user named "jsmith." The credential manager only checks the user name. The RDBMS password does not have to match the Oracle iFS password.

To enable this feature, set the CredentialManagerIfsRdbmsUserMustExist property to true in the secondary properties file. This property is located in the following directory:

| Platform | Directory |
|---|---|
| UNIX | $ORACLE_HOME/ifs<version>/settings/oracle/ifs<version>/server/properties |
| Windows NT | %ORACLE_HOME%\ifs<version>\settings\oracle\ifs<version>\server\properties |


Note:

Currently, Oracle iFS supports the default credential manager.


HTTP Authentication

HTTP authentication is a common mechanism for adding security to static Web pages. Oracle iFS uses its own security features as the basis for HTTP authentication. Files and folders need to have the PUBLISHED ACL applied for users to use a browser to access these objects without being forced to log in. If they are forced to log in, they must supply their Oracle iFS username and password.

Creating Users

Users can be created with all the Oracle iFS administration tools. Oracle recommends that you use Oracle iFS Manager, XML, or the Web interface. These tools create all objects associated with a new user with standardized settings. Creating users involves two steps:

  1. Set the default user definitions in Oracle iFS Manager.

  2. Create the user using Oracle iFS Manager, XML, or the Web interface.


Note:

In the sections that follow, the Oracle iFS Manager is used to illustrate the procedures for setting up Oracle iFS. 


See Also

Set the Default User Definitions Using Oracle iFS Manager

Before creating a user, you can set the default user definitions, which are applied to all users you create. Using the user definitions provides a uniform way of creating users that is consistent across the various clients. If you do not set the user definitions, the defaults apply.

To set the default user definitions:

  1. From the Menu bar, select Options from the Object menu.

  2. Select User Definitions from the Options menu. The User Definition Dialog displays:

  3. Specify the Home Folder Parent, the directory in which to store the users' home folders. The default is /home.

  4. Specify whether or not users have the ability to change their passwords. You can override this setting on the Create User dialog.

  5. Enable or disable quota control. If you enable quota control, type the storage size, in bytes, in the Quota Storage field. If you disable quota, the user has an unlimited quota. Users with administrative permissions usually have an unlimited quota amount.

    Enabling quota control limits storage content. The default allocated quota storage is 25 megabytes per user. If a user's quota is reached, they will be unable to save documents in Oracle iFS.

  6. Specify whether or not to create an e-mail profile. If Yes, type the e-mail address domain and the e-mail folder name in the fields provided. If you select No, these fields are disabled.

    The Email Address field is automatically populated when the user's name is entered and consists of <username>@<domain>. By default, the suffix for the user's e-mail address is what you specify when setting the user definitions.

    The Email Folder field is a specified value that is the parent folder for all mailboxes, such as Inbox.

  7. Click OK.

Tips

Quota checking is only completed when the Quota Agent is running and quota is enabled. Enabling a user's quota without a running agent will allow users to go over their quota.

See Also

For more information on the Quota Agent, see Chapter 8, "Using Server Manager to Start and Stop Servers".

Create the Oracle iFS Users Using Oracle iFS Manager

To create an Oracle iFS user:

  1. From the toolbar, select Create from the Object menu.

  2. Select User from the Select Object Type window.

    The Create User dialog displays:

  3. Enter information in the following required fields:

    • Name--The user name for the user you are creating. When you enter a user name, the Home Folder and Mail Folder fields are automatically populated based on the name you entered.

    • Distinguished Name--The fully qualified name in a domain used by Credential Manager for authentication. You usually enter the user's full name.

    • Description (Full Name)--(optional) You can specify the full name of the user.

    • Password and Confirm--The user's password. This can be changed by the user you are creating. Or, you can keep users from changing passwords by checking the box next to User Cannot Change Password.

  4. If this user is to have administrative permissions, select the Admin Enabled checkbox.

  5. The Primary Profile checkbox is checked as the default. If you do not want to create a Primary User Profile, unselect this checkbox.

    Each user has a Primary User Profile. This profile points to the user's home folder location and the user's default ACLs. The default ACLs determine which ACLs should be associated when the user creates different objects, such as folders and documents. By default, Oracle iFS sets the non-administrator user's default ACL to PUBLISHED (except for e-mail-related objects, such as messages, which have the PRIVATE ACL as the default), and sets the administrator's default ACL to PRIVATE (except ACL, PropertyBundle, DirectoryObject, VersionSeries, and VersionDescription, which are PUBLISHED).

  6. In the Home Folder field, enter a folder name if it is different from the user name.

    A user's home folder is the default directory where a user starts when logging into Oracle iFS. Users can use their home folder as their personal workspace and to store their private files. A user's home folder can reside anywhere, so Oracle iFS Manager provides a dialog to change the default home folder location. The Web interface creates a user's home folder as the user's login name, under the /home directory. For example, /home/jsmith. The user's Primary User Profile points to the user's home folder location.

  7. In the Quota section, select Enable or Disable to enable or disable quota for this user and override the quota established on the User Definitions Dialog. If you select Enable, enter the quota number of bytes in the Allocated field. If you select Disable, the user has an unlimited quota. Users with administrative permissions usually have an unlimited quota amount.

    If a user's quota is enabled, content storage is limited, by default, to 25 megabytes. Users cannot store content in Oracle iFS when this limitation is reached.

  8. By default, the E-mail Profile checkbox is enabled. If you do not want to create an e-mail profile, unselect this checkbox. In the Mail Folder field, enter a folder name if it is different from the user name.

    The user's e-mail profile points to the user's e-mail folder location and specifies the user's e-mail address. Oracle iFS Manager and the Web interface create the user's e-mail folders under the home folder. For example, /home/jsmith/mail/inbox.

  9. To add this user to existing groups, click the Group tab. The Select Group window displays:

  10. From the Available Groups list, select the groups to which to add the user. Click the Add button to add the user to the selected group. The groups display in the Selected Groups list.

  11. Click Create.

Using an XML Configuration File to Create Users

Creating users can be complicated since many other user-related objects, such as home folders, user profiles, and mail boxes are created at the same time. Using the <SimpleUser> tag within the XML file applies all the default definitions found in Table 5-1, "Additional User Definitions". You can change the user default settings in Oracle iFS Manager to suit your requirements. You do not need to specify every single value unless you want to override any of the default values. You override the defaults by explicitly setting them in the XML file. The values are case-sensitive.

A single user and all its user-related objects are created in a single transaction: a Directory User, Primary User Profile, Email Profile, Inbox, and Home Folder are created in one step. Therefore, do not include the creation of any other objects besides users in your XML file. Also, if you are creating 10 users in a single file and an error occurs on the 7th user, the previous 6 users and their user-related objects are not rolled back.

XML Example

The following XML file lists the definitions used to create users with an XML file. When using XML, you really only need to include the username and password, but this example displays other definitions you can include to override the defaults you set using Oracle iFS Manager. This example also shows you how to create users by parsing the XML file and checking that the users were created using the Command Line Utilities.

  1. Create your user XML file:

        <SimpleUser>
           <UserName>gking</UserName>
           <Password>ifs</Password>
           <DistinguishedNameSuffix>.yourcompany.com</DistinguishedNameSuffix>
           <AdminEnabled>true</AdminEnabled>
           <HomeFolderRoot>/home</HomeFolderRoot>
           <EmailAddressSuffix>@yourcompany.com</EmailAddressSuffix>
        </SimpleUser>
    
    
  2. Create the users by loading the XML file into Oracle iFS. Use the following command to load the XML file into Oracle iFS using the Command Line Utilities. You must be an administrator.

    $ORACLE_HOME/ifs<version>/bin/ifslogin system/<password>
    $ORACLE_HOME/ifs<version>/bin/ifsput users.xml
    
    
  3. Confirm that the users were created:

    $ORACLE_HOME/ifs<version>/bin/ifsls -class DirectoryUser
    
    

You can also drag and drop the user file into Oracle iFS through the Windows or Web interface and FTP. Oracle iFS invokes the XML parser and the users are created.

Additional User Definitions

The following table lists the complete set of user definitions you can set and a brief description. The definitions in this table can be set using an XML configuration file for creating users.

Table 5-1 Additional User Definitions

| Definition Option | Default Value | Data Type | Description/Purpose |
|---|---|---|---|
| UserName | None | String | Required. A name for the user being created. |
| Password | None | String | Required. A password for the user being created. |
| ShouldCreateCredentialManagerUser | TRUE | Boolean | If the user exists. |
| ReplaceCredentialManagerPassword | FALSE | Boolean | If using an existing credential manager user, set true to override old password. |
| CredentialManager | DEFAULT | String | Which credential manager to use for access to the 'authentication engine.' |
| AdminEnabled | FALSE | Boolean | If user will have administration privileges. |
| CanChangePassword | TRUE | Boolean | If creating a guest user, this can be set to false. |
| HasPrimaryUserProfile | TRUE | Boolean | Whether to create a primary user profile for this user. |
| HasHomeFolder | TRUE | Boolean | Whether to create a home folder for this user. |
| HomeFolderRoot | "/home" | String | Root folder of the user's home folder. |
| HomeFolderHasPolicyBundle | TRUE | Boolean | If administration privileges required to free home folder. |
| HasContentQuota | TRUE | Boolean | Whether to implement a content quota for this user. |
| ContentQuotaAllocatedStorage | 25000000 | Long | Storage space allocated to user in bytes. |
| ContentQuotaEnabled | FALSE | Boolean | Whether to enable or disable the implemented content quota. |
| HasEmail | TRUE | Boolean | Whether to create an email profile for this user. |
| DistinguishedName | None | String | If none specified, the DistinguishedName is constructed from username + suffix. |
| PrimaryUserProfileName | | String | If none specified, the DistinguishedName is constructed from username + suffix. |
| EmailUserProfileName | | String | If none specified, the DistinguishedName is constructed from username + suffix. |
| ContentQuotaName | | String | If none specified, the DistinguishedName is constructed from username + suffix. |
| HomeFolderName | | String | If none specified, the DistinguishedName is constructed from username + suffix. |
| HomeFolderDescription | | String | If none specified, the DistinguishedName is constructed from username + suffix. |
| DefaultAclsBundleName | | String | If none specified, the DistinguishedName is constructed from username + suffix. |
| HomeFolderPolicyBundleName | | String | If none specified, the DistinguishedName is constructed from username + suffix. |
| EmailAddress | | String | If none specified, the DistinguishedName is constructed from username + suffix. |
| DistinguishedNameSuffix | The value you enter as the distinguished name during installation is the default value. | String | Suffix of the distinguished name. |
| PrimaryUserProfileNameSuffix | "Primary Profile" | String | Suffix of the primary user profile name. |
| EmailUserProfileNameSuffix | "Email Profile" | String | Suffix of the email profile name. |
| EmailAddressSuffix | The value you enter as the distinguished name during installation is the default value with an "@" attached. | String | Suffix of the email address. |
| ContentQuotaNameSuffix | "Content Quota" | String | Suffix of the content quota name. |
| HomeFolderNameSuffix | "" | String | Suffix of the home folder name. |
| HomeFolderDescriptionSuffix | "'s home folder" | String | Suffix of the home folder description. |
| DefaultAclsBundleNameSuffix | "DefaultACLs" | String | Suffix of the default ACL's name. |
| HomeFolderPolicyBundleNameSuffix | "Policy Bundle for Home folder and Inbox" | String | Suffix of the home folder policy bundle name. |
| EmailSubfolderName | "mail" | String | Name of the email subfolder. |
| InboxName | "inbox" | String | Name of the email inbox. |
| DirectoryUserAcl | Published | SystemAcl | ACL of a directory user. |
| HomeFolderPolicyBundleAcl | Published | SystemAcl | ACL of the home folder policy bundle. |
| HomeFolderAcl | Private | SystemAcl | ACL of home folder. |
| DefaultAclsBundleAcl | Published | SystemAcl | ACL of default ACLs bundle. |
| ContentQuotaAcl | Private | SystemAcl | ACL of the content quota. |
| PrimaryUserProfileAcl | Private | SystemAcl | ACL of the primary user profile. |
| EmailUserProfileAcl | Private | SystemAcl | ACL of the email profile. |
| EmailSubfolderAcl | Private | SystemAcl | ACL of the email subfolder. |
| InboxAcl | Private | SystemAcl | ACL of the email inbox. |
| AclBundleAllPublished | AclBundleAllPublished | Property Bundle | An out-of-the-box property bundle for the default ACLs of a non-administration user. |
| AclBundleForAdmin | AclBundleForAdmin | Property Bundle | An out-of-the-box property bundle for the default ACLs of an administration user. |
| DefaultAcls | AclBundleAllPublished | String | The property bundle to use for the defaults. |
| DefaultAclsTable | None | Hashtable | Customizing a property bundle for the default ACLs. |
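
Because users created before a failing entry are not rolled back, it helps to check a whole users file before loading it. The following pre-load check is an added example, not Oracle's code and not part of the original guide: it validates every <SimpleUser> entry against the definition names in Table 5-1 and flags settings that widen privileges. The function names, the placeholder-password list, the <Batch> wrapper element, and the assumption that ACL values are spelled as in the table are this example's own.

```python
import xml.etree.ElementTree as ET

# Definition names from Table 5-1; XML element names are case-sensitive.
KNOWN = set("""
UserName Password ShouldCreateCredentialManagerUser ReplaceCredentialManagerPassword
CredentialManager AdminEnabled CanChangePassword HasPrimaryUserProfile HasHomeFolder
HomeFolderRoot HomeFolderHasPolicyBundle HasContentQuota ContentQuotaAllocatedStorage
ContentQuotaEnabled HasEmail DistinguishedName PrimaryUserProfileName
EmailUserProfileName ContentQuotaName HomeFolderName HomeFolderDescription
DefaultAclsBundleName HomeFolderPolicyBundleName EmailAddress DistinguishedNameSuffix
PrimaryUserProfileNameSuffix EmailUserProfileNameSuffix EmailAddressSuffix
ContentQuotaNameSuffix HomeFolderNameSuffix HomeFolderDescriptionSuffix
DefaultAclsBundleNameSuffix HomeFolderPolicyBundleNameSuffix EmailSubfolderName
InboxName DirectoryUserAcl HomeFolderPolicyBundleAcl HomeFolderAcl DefaultAclsBundleAcl
ContentQuotaAcl PrimaryUserProfileAcl EmailUserProfileAcl EmailSubfolderAcl InboxAcl
AclBundleAllPublished AclBundleForAdmin DefaultAcls DefaultAclsTable
""".split())
REQUIRED = ("UserName", "Password")
# Listed as Private by default in Table 5-1; an override widens access.
PRIVATE_BY_DEFAULT = ("HomeFolderAcl", "ContentQuotaAcl", "PrimaryUserProfileAcl",
                      "EmailUserProfileAcl", "EmailSubfolderAcl", "InboxAcl")
# Constructed deny-list; "ifs" is the password used in the guide's sample file.
PLACEHOLDER_PASSWORDS = {"ifs", "password", "changeme", "welcome"}


def lint_users(xml_text):
    """Return (level, user, message) findings for every <SimpleUser> in xml_text."""
    findings, seen = [], set()
    for idx, user in enumerate(ET.fromstring(xml_text).iter("SimpleUser"), 1):
        fields = {child.tag: (child.text or "").strip() for child in user}
        name = fields.get("UserName") or f"<entry {idx}>"
        for tag in fields:
            if tag not in KNOWN:  # also catches wrong case, e.g. <username>
                findings.append(("ERROR", name, f"unknown definition <{tag}>"))
        for tag in REQUIRED:
            if not fields.get(tag):
                findings.append(("ERROR", name, f"missing required <{tag}>"))
        if fields.get("UserName") and name in seen:
            findings.append(("ERROR", name, "duplicate UserName in file"))
        seen.add(name)
        pw = fields.get("Password", "")
        if pw and (pw.lower() == name.lower() or pw.lower() in PLACEHOLDER_PASSWORDS):
            findings.append(("WARN", name, "placeholder or username-derived password"))
        if fields.get("AdminEnabled", "").lower() == "true":
            findings.append(("WARN", name, "AdminEnabled grants administrative permissions"))
        if fields.get("ReplaceCredentialManagerPassword", "").lower() == "true":
            findings.append(("WARN", name, "overwrites an existing credential manager password"))
        for tag in PRIVATE_BY_DEFAULT:
            if tag in fields and fields[tag].lower() != "private":
                findings.append(("WARN", name, f"<{tag}> overrides the Private default"))
    return findings


def safe_to_load(findings):
    """A batch is loadable only when no entry has an ERROR finding."""
    return not any(level == "ERROR" for level, _, _ in findings)


# Constructed sample; the <Batch> wrapper is a placeholder, not an iFS element name.
SAMPLE = """
<Batch>
  <SimpleUser><UserName>gking</UserName><Password>ifs</Password>
    <AdminEnabled>true</AdminEnabled></SimpleUser>
  <SimpleUser><UserName>msmith</UserName><Password>T7#qLw9!vRx2</Password>
    <HomeFolderAcl>Published</HomeFolderAcl></SimpleUser>
  <SimpleUser><username>sward</username><Password>Zp4$hN8@kD1e</Password></SimpleUser>
</Batch>
"""

if __name__ == "__main__":
    for level, user, message in lint_users(SAMPLE):
        print(f"{level:5} {user}: {message}")
    print("safe to load:", safe_to_load(lint_users(SAMPLE)))
```

Run the check on the file before ifsput; WARN findings are settings to review rather than reasons the load would fail.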

Viewing Users

Using Oracle iFS Manager, you can view the properties of existing Oracle iFS users.

To display all existing users:

To display user properties:

Changing a User's Password

It may be necessary to change a user's password as you administer Oracle iFS. For example, if a user forgets his or her password, this is how to reset it.

  1. Navigate to the user whose password you want to change and click that user. The user's properties display in the Detail View.

  2. In the Password field, type a new password.

  3. Confirm the password by typing it again in the Confirm field.

  4. Click Apply.

See Also

For information on changing the ifssys password, or if you have lost the password, see Chapter 13, "Oracle iFS Log Files and Troubleshooting Information".

Changing a User's Home Folder

It may be necessary from time to time to change a user's home folder. For example, if the home directory is changed or moved, you must change their home folder directory.

  1. Navigate to the user whose home folder you want to change and click that user.

  2. In the Home field, type a new location for the user's home folder.

  3. Click Apply.

Changing a User's Default ACL for Documents

It may be necessary to change a user's default ACL. To do this:

  1. Navigate to the user whose default ACL you want to change and click that user.

  2. Click the Default ACL drop-down list and select a new default ACL.

  3. Click Apply.

Changing a User's E-mail Address

It may be necessary to change a user's e-mail address, for example, if their name changes.

  1. Navigate to the user whose e-mail address you want to change and click that user.

  2. In the Email Address field, type a new e-mail address for this user.

  3. Click Apply.

Changing a User's Quota Control

It may be necessary to change a user's quota control. For example, some users need more space than others.

  1. Navigate to the user whose quota control you want to change and click that user.

  2. Select to either disable or enable the user's quota control. If you decide to enable quota control, enter the number of bytes allotted for this user.

  3. Click Apply.

If a user's quota is enabled, content storage is limited, by default, to 25 megabytes. Users cannot store content in Oracle iFS when this limitation is reached.

Deleting Users

You can delete users using Oracle iFS Manager. When you delete a user, you can change the ownership of the objects owned by that user and specify if the user's home folder is to be deleted.

To delete a user:

  1. Navigate and select the user you want to delete. The user's properties display in the Detail View.

  2. Click the Delete button on the toolbar or select Delete from the Object menu. You can also click the Delete button on your keyboard.

    The Delete User Selection dialog displays:

  3. If you want to change the ownership of the objects owned by the user you are deleting, select Change the owner to and select the new owner from the drop-down list. If you do not select to change the ownership of the objects owned by the user, those files become unowned; their owner attribute is null. Any user with administrative permissions can own these files.

  4. If you want to delete the user's home folder, select Delete the home folder and everything under it. Note that everything under the user's home folder is deleted as well.

  5. If you want to delete the associated Credential Manager account, select Remove the account. It is recommended that you do this only if you created it.

  6. Click OK to delete the user. Confirm the delete operation by selecting Yes.

Creating Groups Using Oracle iFS Manager

By assigning users to groups, you make administration and maintenance easier. Instead of adding each user to an Access Control List for a file or folder--a time consuming task--you can add a group of users all at the same time. Oracle iFS is shipped with world, a default group. When users are created, they are automatically added to this group. To create a group, you define the group itself, then populate it.

To create a group:

  1. On the toolbar, click Create.

  2. Select User Group and click Create. The Create User Group window displays:

  3. Type a name for the group.

  4. Type an optional description. The description displays only when you modify the group.

  5. Select the ACL for the group from the drop-down list.

    The default ACL of the user that created this group is assigned to any new group you create. Therefore, a group with the PUBLISHED ACL cannot be edited by any user. When creating groups, it is important to discuss with department managers and other users if they want all Oracle iFS users to have read-only access to the groups you are creating for their respective departments. If you need to change the default ACL, you can do so by modifying the ACL for a specific group.

  6. From the Available Users/Groups list, select the users and groups to add to the group. Click the Add button to add the user or group to the group.

  7. Click Create. The new group displays in the Navigator.

Viewing Groups

Using Oracle iFS Manager, you can view existing Oracle iFS groups and their properties.

To display all existing groups:

To display group properties:

Adding Users and Groups to the Target Group

The group you want to add users and groups to is called the target group.

  1. Navigate to the target group for which you want to add users and groups and click the group to select it. The group properties display in the Detail View.

  2. Select the users and groups from the Available Users/Groups list to be added and click the right arrow button. The selected users and groups display in the Selected Users/Groups list.

  3. Click Apply.

Removing Groups and Users from the Target Group

  1. Navigate to the target group for which you want to remove groups or users and click the group to select it. The group properties display in the Detail View.

  2. Select the users and groups from the Selected Users/Groups list to be removed and click the left arrow button. The selected users and groups display in the Available Users/Groups list.

  3. Click Apply.

Renaming Groups

To rename an existing group:

  1. Navigate to the group you want to rename and select it by clicking its icon. The group properties display in the Detail View.

  2. Enter a new name in the Name field. You can also enter a new description in the Description field. The group description is optional.

  3. Click Apply.

Deleting Groups

You can delete groups using Oracle iFS Manager. Any user with the correct permissions can delete groups.

To delete a group:

  1. Navigate to the group you want to delete and select it by clicking its icon.

  2. Click Delete on the toolbar or select the Delete option from the Object menu.

  3. Select OK to confirm the delete operation. Oracle iFS Manager refreshes to display the changes.

Creating Groups with XML

This example XML file creates groups. You can use this file, although you must modify the name of the group to match the name of the group you are creating. When adding users to the group, the user names must exist. If you use FTP or CUP to load the XML file into Oracle iFS, it is parsed and not saved anywhere in Oracle iFS.

<DIRECTORYGROUP>
  <Name>DemonstrationUsers</Name>
  <Members>
    <REF reftype='name'>msmith</REF>
    <REF reftype='name'>mallen</REF>
    <REF reftype='name'>sward</REF>
    <REF reftype='name'>rjones</REF>
    <REF reftype='name'>tmartin</REF>
    <REF reftype='name'>dblake</REF>
    <REF reftype='name'>eclark</REF>
    <REF reftype='name'>sscott</REF>
    <REF reftype='name'>gking</REF>
    <REF reftype='name'>tturner</REF>
    <REF reftype='name'>jadams</REF>
    <REF reftype='name'>pjames</REF>
    <REF reftype='name'>gford</REF>
    <REF reftype='name'>amiller</REF>
  </Members>
</DIRECTORYGROUP>


Copyright © 1996-2001, Oracle Corporation.

All Rights Reserved.
