Oracle® Fusion Middleware Administrator's Guide for Oracle WebCenter Collaboration
10g Release 3 (10.3.0.1)

Part Number E12891-02

3 Working with Oracle WebCenter Collaboration Security

This chapter describes the security model used by Oracle WebCenter Collaboration. Oracle WebCenter Collaboration security is based on the use of roles and access levels. Additionally, activity rights are used to manage access to Oracle WebCenter Collaboration functionality. These concepts are described in the following sections.

Project Security

Access to Oracle WebCenter Collaboration projects is set and managed through project roles. Roles control access levels and permissions for Oracle WebCenter Collaboration objects. Users are assigned to a project role, and the access level of the role determines the actions that the user can perform.

Project Roles

A portal user can access a project only when assigned a role in that project.

Oracle WebCenter Collaboration contains the following roles:

Table 3-1 Descriptions of Project Roles

Role Description

Project Leader

The Project Leader role has Admin access for the project and its objects. Project Leaders can:

  • Create, edit, and delete project objects.

  • Set permissions for project objects.

  • Perform all project tasks.

Note: Portal administrators are default members of the Project Leader role and cannot be removed.

Project Member

By default, the Project Member role has Write access for the project and its objects.

Project Guest

By default, the Project Guest role has Read access for the project and its objects.


Role assignments are project-specific, and the same portal user can have different roles in different projects. Additionally, under the same role, users can have different permissions in different projects, because the role itself can have one set of permissions in one project and a different set of permissions in another.

Access Levels

All Oracle WebCenter Collaboration objects have five levels of access that can be assigned to them. These access levels are:

  • Admin

  • Edit

  • Write

  • Read

  • No Access

Each access level includes the rights of all lower access levels.

Each role in a project has an associated access level for each object type. A user's access level to an object or functional area is determined by his or her assigned role in the project.

Access Level Permissions Matrix

The following table shows what permissions each access level allows for each object type:

Table 3-2 Permissions Matrix


Read Write Edit Admin

Projects

  • View project

  • View announcements

  • View project

  • View announcements

  • View project

  • View announcements

  • Create, edit and delete announcements

  • Subscribe others

Events

  • View events

  • Notify other users about an event

  • Create events

  • Attach files, task lists, and discussions

  • Edit event properties

  • Configure event security

  • Delete events

Tasks

  • View task lists

  • Notify other users about a task list or task

  • Claim tasks (assign tasks to self)

  • Create tasks

  • Order tasks

  • Update task status for assigned tasks

  • Assign owners to tasks

  • Attach files and discussions

  • Copy task lists

  • Create task lists

  • Import and export task lists

  • Edit task list and task properties

  • Configure task list security

  • Delete task lists and tasks

  • Generate overdue task alerts

  • Move task lists

  • Subscribe others

Document Folders

  • View folders

  • Notify other users about changes to folder contents

  • Create new Microsoft Office documents directly in the project

  • Upload documents to folders

  • Assign a moderator to a folder

  • Copy folders

  • Create folders

  • Edit folder properties

  • Rename folders

  • Moderate a folder even though a different user is assigned as the moderator.

Note: Users with Admin access to document folders cannot perform this task on document folders that are not moderated.

  • Configure folder security

  • Delete folders

  • Move folders within the project

  • Subscribe others

Document Files

  • View documents

  • Notify other users about documents

  • View versions

  • Check documents in and out

  • Undo check-out

  • WebEdit

  • Attach task lists and discussions

  • Copy documents

  • Create shortcuts

  • Edit document properties

  • Publish documents to the Knowledge Directory

  • Revert documents to previous versions

  • Configure document security

  • Delete documents

  • Delete previous versions of the document

  • Move documents

  • Remove owner security settings from a document

  • Subscribe others

Discussions

  • View Discussions

  • Notify other users about discussions

  • Post messages

  • Reply to messages

  • Assign a moderator to a discussion

  • Attach task lists and files

  • Copy discussions

  • Create new discussions

  • Export discussions

  • Edit discussion properties

  • Moderate a discussion even though a different user is assigned as the moderator

Note: Users with Admin access to discussions cannot perform this task on discussions that are not moderated.

  • Configure discussion security

  • Delete discussions and messages

  • Edit messages

  • Subscribe others


Default Project Security Settings

Oracle WebCenter Collaboration provides default security settings for the Project Members and Project Guests roles that are automatically applied to a project when it is created. However, Project Leaders can change the default security settings for their individual projects. For more information, see Changing Default Permissions for Roles.

Object-Level Security Settings

By default, all Oracle WebCenter Collaboration objects derive their security from the project security settings. Changes made to the project security settings apply immediately to all objects that are configured to inherit the default settings. These changes apply to the objects retroactively. Project Leaders can choose to disable this setting and configure security directly on an object. When this setting is disabled, an object retains its security setting regardless of the security settings of the rest of the functional area.

The access levels that can be assigned to Oracle WebCenter Collaboration objects are the same as those that can be set as the default security settings. Object-level security can be set for events, task lists, document folders, documents, and discussions.

To set security on an Oracle WebCenter Collaboration object:

  1. Navigate to the object in the project application view.

  2. Select the object in the table pane.

  3. Click Edit Properties in the action bar.

  4. Click the Security tab.

  5. Clear the Inherit Default Security Settings check box.

  6. Select the access level for Project Members and Project Guests.

  7. Click Finish.

Object Properties

This section discusses:

Default Document Owner Security

A user who uploads a document, or other file, to a document folder is the owner of that file. By default, an owner has full control of the file and can perform all actions on the file.

Project leaders can remove default owner security settings from any file in the project. Additionally, users with Admin access to a file can remove default owner security settings from the file. You may want to remove owner security settings from a file if the owner is no longer participating in the project and consequently should not have high-level access privileges to the file.

To remove owner security settings from a file:

  1. In the Documents application view page, select the check box of a file in the table pane.

  2. From the Edit menu, select Properties.

    The Property Editor appears.

  3. Click the Security tab.

  4. Select Permanently remove owner security settings from this document.

  5. Click Finish.
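The rules above (ordered access levels, role defaults, the Inherit Default Security Settings switch, and owner security) combine into one effective-access decision. The following is an added illustration, not Oracle code or a product API: every class, function, and user name is hypothetical, the sample project is constructed, and treating the owner's "full control" as Admin is an assumption. It also lists two conditions worth reviewing: owner settings left on a file whose owner has no project role, and object overrides that grant a role more than the project default.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional

# Ordered so that "each level includes all lower levels" becomes a >= comparison.
Access = IntEnum("Access", "NO_ACCESS READ WRITE EDIT ADMIN", start=0)

@dataclass
class Project:
    roles: dict                                   # user -> "leader" | "member" | "guest"
    defaults: dict = field(default_factory=lambda: {"member": Access.WRITE, "guest": Access.READ})
    portal_admins: frozenset = frozenset()

@dataclass
class Obj:
    name: str
    inherit: bool = True                          # Inherit Default Security Settings
    overrides: dict = field(default_factory=dict) # role -> Access, used when inherit is off
    owner: Optional[str] = None                   # None once owner security is removed

def effective_access(p: Project, o: Obj, user: str) -> Access:
    if user in p.portal_admins:
        return Access.ADMIN                       # portal admins are always Project Leaders
    role = p.roles.get(user)
    if role is None:
        return Access.NO_ACCESS                   # no role in the project, no access
    if role == "leader" or o.owner == user:
        return Access.ADMIN                       # assumption: owner "full control" == Admin
    table = p.defaults if o.inherit else o.overrides
    return table.get(role, Access.NO_ACCESS)

def review_items(p: Project, objects: list) -> list:
    findings = []
    for o in objects:
        if o.owner and o.owner not in p.roles and o.owner not in p.portal_admins:
            findings.append((o.name, "owner settings kept for non-participant " + o.owner))
        for role, level in (o.overrides.items() if not o.inherit else ()):
            if level > p.defaults.get(role, Access.NO_ACCESS):
                findings.append((o.name, f"{role} override {level.name} exceeds project default"))
    return findings

# Constructed sample data (hypothetical users and files).
PROJECT = Project(roles={"ana": "leader", "ben": "member", "cy": "guest"})
OBJECTS = [
    Obj("plan.doc", owner="cy"),
    Obj("budget.xls", inherit=False, overrides={"member": Access.READ, "guest": Access.EDIT}),
    Obj("old-spec.doc", owner="dee"),
]
```
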

Setting Content Crawler Access to Folders

By default, the contents of a folder -- including the contents of all of its subfolders -- are visible to Oracle WebCenter Collaboration content crawlers for importing into the Knowledge Directory. When a folder is inaccessible to content crawlers, its contents can still be manually published to the Knowledge Directory.

To set content crawler accessibility for a folder:

  1. Select a project in the My Projects or Community Projects portlet.

  2. Click the Documents tab in the application view.

  3. Select the check box of a folder in the table pane.

  4. From the Edit menu, select Properties.

  5. Perform one of the following tasks:

    • To make the document folder accessible to content crawlers, select Accessible to Content Crawlers.

    • To make the document folder inaccessible to content crawlers, clear Accessible to Content Crawlers.

  6. Click Finish.

Assigning Moderators

This section discusses:

Assigning Moderators to Folders

To manage the contents of a folder, you can assign a collection of users or a single user to moderate the folder. Folder moderators can approve or reject documents. Folder moderators with Admin access to the folder can edit documents before approving them. Documents in a moderated folder do not become publicly available unless approved by a moderator.

If a user has checked in changes to a document in a moderated folder, those changes are not visible until a moderator approves the changes. If a user has uploaded a document to a moderated folder, the document is not visible until a moderator approves the document.

When at least one moderator is set for a folder, that folder is marked as a moderated folder and anyone with Admin access to the folder can also act as a moderator.

When you assign moderators to a parent folder, all subfolders inherit the moderator list. If a subfolder of the parent folder already has a moderator list, the subfolder inherits changes made to the parent folder's moderator list. If all moderators are removed from a parent folder, the parent folder and all of its subfolders are no longer moderated.

When you add or remove a moderator from a folder, the moderator is subscribed to or unsubscribed from that folder.

To assign a moderator:   

  1. In the Documents application view page, right-click a folder in the navigation pane.

  2. Click Edit Properties.

  3. Make sure the Properties tab is selected in the Folder Editor.

  4. Click Moderators.

  5. In the Choose Users dialog box, select the project personnel whom you want to make moderators of this folder and click Finish.

  6. In the Folder Editor, click Finish.

Assigning Moderators to Discussions

To manage the posting of messages in a discussion, you can assign a collection of users or a single user to moderate the discussion. Discussion moderators can approve or reject messages. Discussion moderators with Admin access to a discussion can edit messages before approving them. Messages posted in moderated discussions do not appear to users in the discussions unless approved by a moderator.

If a user has posted a message to a moderated discussion, that message is not visible until a moderator approves the message. If a user has edited a message in a moderated discussion, the change is not visible until a moderator approves the change.

When at least one moderator is set for a discussion, that discussion is marked as a moderated discussion and anyone with Admin access to the discussion can also act as a moderator.

To assign a moderator to a discussion:   

  1. In the Discussions application view page, right-click a discussion in the navigation pane.

  2. Click Edit.

  3. Make sure the Properties tab is selected in the Folder Editor.

  4. Click Moderators.

  5. In the Choose Users dialog box, select the project personnel whom you want to make moderators of this folder and click Finish.

  6. In the Folder Editor, click Finish.

Activity Rights

Access to certain Oracle WebCenter Collaboration functionality is managed with portal activity rights. Collaboration Administrators who have been granted the Create Activities and Delegate Activities activity right can assign the Oracle WebCenter Collaboration activity rights to users.

Oracle WebCenter Collaboration uses the following activity rights to grant access to various functionality:

Table 3-3 Descriptions of Activity Rights

Activity Right Description

Ability to View Instant Messaging Presence

Allows users to see the instant messaging presence icon on Oracle WebCenter Collaboration pages.

Bulk Upload to Collaboration

Allows users to:

  • Upload multiple files and directories at the same time

  • Map Web folders to Oracle WebCenter Collaboration

Manage Collaboration

Allows users to perform the following tasks:

  • Access the Collaboration Administration utility (when the necessary Oracle WebCenter Interaction activity rights are also granted).

  • Manage the Oracle WebCenter Collaboration project folder hierarchy. This includes the ability to perform the following operations on the Oracle WebCenter Collaboration project folders: Create, Delete, Move, Edit, Use the Project Recycle Bin.

Manage Collaboration Projects

Allows users to perform the following tasks:

  • Create Collaboration projects.

  • Archive Collaboration projects.

  • Remove projects from the Recycle Bin System Folder.

  • Restore (undelete) projects from the Recycle Bin System Folder.


Granting Activity Rights to Users

To grant an activity right to a user:

  1. Log in to the portal.

  2. Click the Administration tab.

  3. From the Select Utility drop-down menu, select Activity Manager.

  4. Click the activity right you want to edit.

  5. Click Add Groups.

  6. Select the group you want to add.

  7. Click OK.

  8. Click Finish.

For more information on using activity rights, see the Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter Interaction.