6
Managing Access to Files

This chapter covers ways to control who can use your files. Topics include:

• Security in Oracle iFS

• ACLs and ACEs

• Introduction to Permissions

• Types of ACL

• The System Administrator's Role

• Windows: Changing Your Password

• Web: Changing Your Password

• Windows: Assigning a Default ACL to a File

• Windows: Creating an ACL

• Windows: Deleting Users or Groups from an ACL

• Web: Applying an Existing ACL

• Web: Creating a Custom ACL

• Working with Groups

• Managing Access to Folders

Security in Oracle iFS

Controlling access to data files and folders is a critical aspect of data management. Oracle iFS provides security at two levels:

• At the account level, Oracle iFS checks passwords to verify that a user is entitled to access.

• At the content level, Oracle iFS provides access control by matching a user or user group's permissions with the permissions required to access a file or folder.

  Whenever you create a new user or user group, you assign permissions, or levels of access, to the user or the members of the group. When you create a file or folder, you, as the owner of the file or folder, indicate which permissions a user or group must have in order to access that file or folder. If a user group has a lesser permission than is required to access a file, members of the group can't open the file.

ACLs and ACEs

In Oracle iFS, user groups and individual users, along with the permissions assigned to them, are called Access Control Entries (ACEs). An ACE is one item in an Access Control List (ACL) that grants or revokes privileges to a user or group. Here's what an ACL looks like from the Windows interface:

Figure 6-1 ACL List

As you can see from this list, an ACL consists of:

• A grantee--A grantee can be a specific Oracle iFS user or a group. Groups are used in ACEs so that instead of assigning access to files or folders one user at a time, you can create a group, add users to it, then assign a set of permissions to the whole group at once. As a user, you could be listed on a ACL as an individual, but, in most cases, you would be included on an ACL as a member of a group.

• A set of permissions--Each permission groups a number of actions, definable by the system administrator. These actions might include deleting, modifying, moving content into or out of folders, and reading content. When you create an ACL, you'll indicate whether permissions are Granted or Revoked. The permissions granted or revoked may be different for each ACE (user or group) in the list.

Granting Access to Files and Folders

As the owner of any folders or files you create, you can control who can access them and the level of access permitted. You can assign the predefined ACLs that are built into Oracle iFS or tailor one or more ACLs to fit your publishing strategy. Also, you can apply an ACL at two different levels:

• To a specific file

• To a folder

When an ACL is applied to a file or folder, it defines what individual users and groups are allowed to do with it. For example, when the Public ACL is applied to a file, it means that all users and groups have full access to that file.

When an ACL is applied to a folder, it defines what folder-level operations individual users and groups are allowed to perform with the folder (add files, remove files, etc.).

Note: The ACL of a folder does not apply to files within the folder. It is possible, for example, for a folder to have an ACL of Published, but for files within it to be Private, Public, Protected, or a user-defined ACL. The ACL applied to the folder may also be more restrictive than those applied to the folders and files in it. Access to the content of the folder is determined by the ACL associated with the files and folders within a folder.

As a user, you are assigned a default ACL that was determined by your system administrator. When you create a file or folder, your default ACL is applied to that item. In many cases, your default ACL will be Private, meaning that only you have access to that file or folder. To change your default ACL, you must have administrative permission. If you have any questions on this subject, you should contact your system administrator.

Introduction to Permissions

For each user or group, you need to decide which of five permissions will be granted to it. Permissions are actions that users are allowed to perform in relation to a file or folder. A set of permissions assigned to a specific user or group is called an Access Control Entry (ACE).

An Access Control List (ACL) is a list of ACEs that defines the level of access all of the listed users and groups will have to the files and folders to which you assign the ACL. ACLs give you the flexibility to grant the permissions your co-workers require, while helping to protect your files against accidental modification or unauthorized access.

The permissions you may grant and revoke for each ACE are listed and defined in the table below.

Permission	Definition
All	Grants or revokes all permissions to members of this ACE.
Delete	Allows members of the ACE to delete or undelete an object. If a folder is governed by this permission, and no ACE exists for individual files, all files within the folder can be deleted by members of this ACE. Delete permission is also required to set the ExpirationDate attribute on public objects.
Modify	Allows members of the ACE to modify the file or the contents of the folder.
Protected	Protects folders from modification. It allows a user to add or remove files from within the folder, but, at the same time, it prevents the user from renaming or deleting the folder itself. This permission is used to define the default Protected ACL.
Read	Allows members of the ACE to read the file or the contents of the folder.

By setting each of these permissions for an individual or group, you create an ACE in your Access Control List. It's possible to create a different ACE for every user in your Oracle iFS repository for every file you control, but in most cases the standard ACLs that come with Oracle iFS should meet your needs, and the remaining cases can be handled by creating a short ACL.

When you define an ACE, the first choice you must make is whether you are going to grant permissions to the ACE, or revoke them. If you are going to give only a few permissions to a selected user or group, choose Grant, and select only those few permissions.

If you are going to give the selected user or group general access with only a few restrictions, choose Revoke and select the permissions you don't want the ACE to have. Users will receive all of the permissions except for the ones you revoked.

For example, if you want a group to have access to make changes to files in a directory, but not to delete the files, you would choose Revoke, then select the Delete permission. Users in the group would have complete access to the directory, but they couldn't delete any files. Conversely, the standard Published ACL only allows users to view and download the file.

ACE Precedence

Access Control Entries are listed in a specific order in the ACL, usually the order in which you create them. An ACE that's lower in the list supersedes all the ACEs above it.

For example, I can create an ACL named scottACL.

The first Access Control Entry I create is for the group scotts_group. I give scotts_group no permissions at all. If I apply the Access Control List to a folder at this time, no one, including Scott, will have access to the folder.

Scott is the manager of scotts_group. He needs to have full access to the folder. I create an ACE for the User scott. In the Access Control Entry for scott, I grant All. permissions. Since scott's ACE appears at the bottom of the Access Control List, his ACE supersedes the instructions in the scotts_group ACE.

Figure 6-2 ACE precedence can be seen on the iFS Security tab

The final result is that Scott has full access to the folder. No one else in Scott's group can view or modify anything in the folder.

It's important to keep the ACE precedence in mind as you create your ACL in order to implement the security settings you want. In this case, if I created the ACE for scott before I created the ACE for scotts_group, no one, including Scott, could access a folder or file assigned that ACL.

Types of ACL

There are two categories of ACL:

• Predefined ACLs, packaged with iFS, which provide basic security.

• User-defined ACLs, defined by individual users for special circumstances not covered by the predefined ACLs.

Predefined ACLs

Predefined ACLs provide the following security levels:

ACL	Description	Compatible Permissions
Private	This is the default ACL applied to all files and folders you create. It grants no permissions to any other user other than the owner and users with administrative privileges. Other users can't see or modify your file in any way.	You and users with administrative privileges are granted all permissions. All permissions are revoked for other users.
Protected	This ACL is applied to folders or files. It enables other users to see the files in the folder, add files and folders to the folder, and remove files and folders they have created from the folder. The grantee cannot delete the folder or change its properties.	Protected
Public	This ACL is applied to folders or files. It allows full access to the item. Users can make any changes to the directory that the owner can make.	All (Read, Modify, Delete)
Published	This ACL is applied to folders or files. It allows other users to see the item and its contents.	Read

User-defined ACLs

You can create a user-defined ACL to cover any specific security needs not provided by the predefined ACLs. For example, a marketing manager might decide that everyone in the marketing department needed access to all product collateral currently being developed. The manager could create a custom ACL to provide that access by performing the following steps:

1. Create a group called "Marketing."

2. Add each user in the marketing department to that group.

3. Create an ACL called "Collateral" that allows its members to have read access, but not write access or delete access.

4. Add the marketing group as an ACE to the Collateral ACL.

5. Assign the Collateral ACL to the directories containing data sheets and white papers about the product.

In this case, every member of the marketing group would have the same access to the files in the Collateral directory. Unspecified users (users for whom no ACE was created either granting or denying permission) would have whatever the default ACL for the creating user was.

The System Administrator's Role

Before you can begin managing access to your files, your system administrator must perform certain tasks related to Oracle iFS security:

• Create new users.

• Set up passwords for new users.

• Provide new passwords for current users when passwords are lost.

• Arrange users into groups and then grant permissions to those groups.

What You Can Do

Once the system administrator has created an initial set of users and groups, you can do the following:

• Change your existing password using either the Windows interface or the Web interface.

• Create ACLs.

• Create and manage groups.

The remainder of this chapter will deal with your security tasks.

Windows: Changing Your Password

To change your password, access your user profile:

1. In Windows Explorer, right-click the mapped drive.

2. On the context menu, click iFS User Profile...

Figure 6-3 The context menu displays available Oracle iFS utilities

3. In the Password text box of the dialog that is displayed next, type your old password.

4. In the New Password field, type the new password.

Figure 6-4 The User Profile window allows you to change passwords

5. In the Confirm Password text box type the new password again.

6. Click OK. Oracle iFS confirms that the password has been changed.

Web: Changing Your Password

To change your password:

1. At the top of the Directory Tree, double-click your login name or the User icon.

Figure 6-5 Change your password via your User icon

2. On the User screen, type your new password in the Password field.

Figure 6-6 Change your password on the User window of the Web interface

3. Type your new password again in the Confirm Password field.

4. Click OK.

Windows: Assigning a Default ACL to a File

You can assign any of the default ACLs to a folder or file you control.

To assign an ACL to a file or folder:

1. Right-click the file or folder to which you want to assign an ACL.

2. From the context menu, choose Properties.

3. In the Properties window, click the iFS Security tab.

Figure 6-7 The iFS Security tab shows the current ACL

The iFS Security tab displays the name of the ACL currently assigned to the item you selected with the Grantees and their abbreviated access levels. For example, in the illustration above, the Published ACL grants Read privileges to the World, a group that represents all users in the Oracle iFS repository.

• Click the Use Existing Access Control List button.

Figure 6-8 Choose an ACL from the Access Control List box

5. Select the ACL you want to use from the Access Control Lists box. When you select an ACL, its description appears in the box below the list of ACLs, along with abbreviations for the access levels granted by the ACL.

6. Click Use ACL.

7. In the Properties dialog, click OK to assign the ACL.

   When assigning ACLs, you must ensure that the folder enclosing the file or folder allows sufficient access to your users that they can discover (view and select) the items to which you're granting them access. For example, if you grant full access privileges to a file that is stored in a folder that uses the Private ACL, users will be unable to locate the file because even though they have been granted permission to view and edit the file, they don't have permission to look inside the folder where it's kept.

Windows: Creating an ACL

To create an ACL:

1. Right-click the file to which you want to assign the new ACL.

2. Select Properties from the context menu.

3. Click the Oracle iFS Security tab.

4. If the ACL you want to create is similar to an existing ACL, click Use Existing ACL and select the ACL on which you'll base your new ACL. Otherwise, continue with Step 7.

5. Enter a name for your new ACL in the Access Control List Name field.

6. If necessary, select any unwanted Grantees in the ACE list and click Remove.

7. Click New Entry.

Figure 6-9 Create Access Control Entry screen

8. In the Add Oracle iFS Access Control Entry dialog, click the Browse button.

Figure 6-10 Select Users and Groups screen

9. Select a group or user for this ACE and click OK.

   

10. Click the check boxes to set the permissions you want to grant in the ACE.

11. Click OK to create the ACE.

12. Repeat steps 7-11 to create any additional ACEs for this ACL.

13. Click OK to save the ACL.

    Once you've created your ACL, you can assign it to a file or folder as described in the "Windows: Assigning a Default ACL to a File" section.

    When you create an ACE, rather than defining the permissions you're granting to users, you can define the permissions you're revoking. If you're primarily granting full access but revoking one or two permissions, it may be easier to define just the actions the user can't take. To define an ACE that revokes privileges, click the Revoke Control Entry checkbox at the bottom of the Add Oracle iFS Access Control Entry dialog.

Windows: Deleting Users or Groups from an ACL

The Remove button lets you delete a selected ACE from an ACL. This can either provide more or less access for the users, depending on the definition of the ACE.

To remove an ACE from an ACL:

1. Right-click a file in an iFS folder.

2. Choose Properties.

3. Click the iFS Security tab.

4. Click the Use Existing ACL button.

5. From the Use an Existing ACL dialog, select the ACL you want to change and click Use ACL. The ACL is displayed in the iFS Security tab.

6. Select the ACE you want to remove.

7. Click Remove.

8. Click OK to store your changes.

There is no way to edit an existing ACE within the Windows interface. To change an ACE, remove the existing entry, as described in this topic, then recreate the ACE with the new permissions. You can, however, change the order of ACEs within an ACL. Select an ACE and click on the Move Up and Move Down buttons to reorder your ACL. For more information on ordering ACEs within an ACL and how this affects access, see "ACE Precedence".

Web: Applying an Existing ACL

To apply a standard ACL to a file or folder:

1. Navigate to the parent folder of the item to which you want to apply the ACL.

2. Click the Select checkbox to the left of the file or folder to which you want to assign the ACL. You can select more than one item at a time.

3. Click Edit and choose Apply ACL. A dialog appears with a list of defined ACLs.

4. Select the ACL you want to apply to the selected file(s) or folder(s).

5. Click OK. A success message appears to tell you that the ACL has been applied to the items.

6. Click OK.

Web: Creating a Custom ACL

To create an ACL in the Web interface:

1. Click ACLs in the Directory Tree.

2. Click the New icon and choose ACL.

3. In the dialog, enter a name for the ACL and click OK. The ACL is added to the ACL list.

4. Click the icon or ACL name you just created. The Edit ACL window is displayed.

5. Select the Users or Groups for whom you want to create ACEs.

Figure 6-11 The Edit Access Control List window

6. Click Add Access Control Entries.

7. Each of the users or groups you selected has a separate ACE. For each, choose whether the ACE will Grant the privileges you select or Revoke the privileges you select. Scroll right to see all of the available permissions.

Figure 6-12 Grant or Revoke privileges for users

8. Set the permissions by selecting the corresponding checkbox.

9. When you have selected all of the permissions for each of the ACEs, arrange the ACEs in the correct order of precedence. Click the Up arrow at the left edge of the ACE to move it up in the list. Click the Down arrow to move the ACE down. The lowest ACEs in the ACL always take precedence over those ACEs listed above. If a user's permission is revoked in the first ACE but granted in the second ACE, that user will be granted the permission.

10. When you have set all of the permissions and arranged the ACEs in order of precedence, click the Apply Permission Changes button.

    The ACL you have created can now be applied to any of the files or folders you control as described in the section Applying an Existing ACL.

Advantages of the Web Interface for Creating ACLs

The ACL editor in the Web interface has two advantages over the Windows ACL editor.

• ACEs are editable--The Windows interface does not enable you to open an existing Access Control Entry and change its settings. To change an ACE in the Windows interface you have to delete the entry, then recreate it. In the web interface, you can open the ACLs folder, click on an ACL, then make any changes you like to the permissions in the individual ACEs.

• ACEs can be rearranged--If you accidentally list your ACEs in the wrong order, you can use the Up and Down arrows at the far left of each ACE to move the entry up or down in the list. The lowest items always take precedence over the higher items.

Working with Groups

Groups are logical collections of users, usually organized by job function or project. By creating a group, you can assign the same permissions to several users at once.

Web: Creating a Group

To create a user group in the Web interface:

1. In the Directory Tree, click the Groups icon. (If there is no Groups icon, see your system administrator.) A list of existing user groups will be displayed at the right.

Figure 6-13 The Group list

2. Click the New icon and choose Group.

3. In the New Group dialog, enter a name for the group. When you click OK in the dialog,

4. Click the Users icon.

5. In the Users List, click the Select checkbox to the left of each user you want to add to your group.

6. Click the Edit icon and choose Copy.

7. In the Directory Tree, click the Groups icon.

8. Click the name of the group you just created.

9. Click the Edit icon and choose Paste.

You can add users to the group at any time by following steps 4-9.

Adding Individuals and Groups to Groups

If you have already defined groups, you can add a user or group to a group.

To add a group to a group:

1. Click the Groups icon.

2. In the Groups List, click the Select checkbox to the left of each group you want to add to your group.

3. Click the Edit icon and choose Copy.

4. Click the name of the group to which you want to add the second group.

5. Click the Edit icon and choose Paste.

You can also add individuals to groups, following the steps listed above. Instead of copying and pasting a group name, you'll select an individual from the Users icon, and copy and paste that individual's name into your group list.

Editing Groups

To edit a group, click the Groups icon in the Directory Tree, then click the group's name in the Groups List. Follow the steps for adding and removing users and groups.

To remove a Group, click the Select checkbox to the left of the Group name, then click the Delete icon.

Assigning ACLs to Groups

To ensure that the group can access the content they need, and only that content, you must assign an ACL to each group you create.

1. From the Directory Tree, select the Groups icon. A list of groups will be displayed to the right.

1. Select the group or groups to which you want to assign the ACL. If you select more than one group, all groups will have the same ACL.

2. Click the Edit icon and select Apply ACL. A list of all existing ACLs will be displayed. The ACL currently applied to your group will be selected.

Figure 6-14 Assign permissions to groups with the Apply ACL screen

3. Select the ACL you want to apply to your group.

4. Click OK.

Managing Access to Folders

Earlier, we noted that the ACL applied to a folder does not automatically apply to every file or folder in the folder. This grants you a great deal of flexibility in organizing your data and granting access. It allows you to, for example, place all Human Resources material in one folder or hierarchy of folders, but grant less access to certain files than to others.

Here's one scenario:

I create a folder called "Marketing Department," which has my default ACL of Private. However, I change the default to Published. I use Published, because I want others to be able to view the contents and download them, but not change them. (I could use Protected, but that would allow others to add files and folders to this folder, and in this case, I don't choose to allow them to do so.)

In the folder, I place a Word template (.dot) to be used for weekly reports by my staff. This template requires that users have the Published permission, so they can see and download it, but not change it or delete it from the folder.

I add an Excel spreadsheet (.xls) on monthly sales figures, but want to limit access to this data. So I apply a custom ACL, Marketing Managers, to it. Applying this ACL gives Marketing Managers full access to the data, but revokes all access for anyone else.

Finally, I add my own notes on prospective clients, which I don't want anyone but myself to read, and which has the ACL Private. No one else can see, modify, delete, or download this file.

Now, I have all my marketing data in one place, but access to specific content is granted or revoked based on the user groups' need to use it.

For more on managing access to data in folders, please refer to Chapter 3, "Managing Files and Folders".