This chapter describes the security model used by Collaboration. Collaboration security is based on the use of roles and access levels. Additionally, activity rights are used to manage access to Collaboration functionality. These concepts are described in the following sections.
Access to Collaboration projects is set and managed through project roles. Roles control access levels and permissions for Collaboration objects. Users are assigned to a project role, and the access level of the role determines the actions that the user can perform.
Project Roles
A portal user can access a project only when assigned a role in that project.
Collaboration contains the following roles:
Table 4-1 Descriptions of Project Roles
Role
Description
Project Leader
The Project Leader role has Admin access for the project and its objects. Project Leaders can:
create, edit, and delete project objects
set permissions for project objects
perform all project tasks
Note:
Portal administrators are default members of the Project Leader role and cannot be removed.
Project Member
By default, the Project Member role has Write access for the project and its objects.
Project Guest
By default, the Project Guest role has Read access for the project and its objects.
Role assignments are project-specific, and the same portal user can have different roles in different projects. Additionally, under the same role, users can have different permissions in different projects, because the role itself can have one set of permissions in one project and a different set of permissions in another.
Access Levels
All Collaboration objects have five levels of access that can be assigned to them. These access levels are:
Admin
Edit
Write
Read
No Access
Each access level includes the rights of all lower access levels.
Each role in a project has an associated access level for each object type. A user's access level to an object or functional area is determined by his or her assigned role in the project.
Access Level Permissions Matrix
The following table shows what permissions each access level allows for each object type:
Table 4-2 Permissions Matrix
Read
Write
Edit
Admin
Projects
View project
View announcements
View project
View announcements
View project
View announcements
Create, edit and delete announcements
Subscribe others
Events
View events
Notify other users about an event
Create events
Attach files, task lists, and discussions
Modify event properties
Configure event security
Delete events
Tasks
View task lists
Notify other users about a task list or task
Claim tasks
Create tasks
Order tasks
Update task status for assigned tasks
Assign owners to tasks
Attach files and discussions
Copy task lists
Create task lists
Import and export task lists
Modify task list and task properties
Configure task list security
Delete task lists and tasks
Generate overdue task alerts
Move task lists
Subscribe others
Document Folders
View folders
Notify other users about changes to folder contents
Create new Microsoft Office documents directly in the project
Upload documents to folders
Assign a moderator to a folder
Copy folders
Create folders
Modify folder properties
Rename folders
Configure folder security
Delete folders
Move folders within the project
Subscribe others
Document Files
View documents
Notify other users about documents
View versions
Check documents in and out
Undo check-out
WebEdit
Attach task lists and discussions
Copy documents
Create shortcuts
Modify document properties
Publish documents to the Knowledge Directory
Revert documents to previous versions
Configure document security
Delete documents
Delete previous versions of the document
Move documents
Remove owner security settings from a document
Subscribe others
Discussions
View Discussions
Notify other users about discussions
Post messages
Reply to messages
Assign a moderator to a discussion
Attach task lists and files
Copy discussions
Create new discussions
Export discussions
Modify discussion properties
Approve or reject messages
Configure discussion security
Delete discussions and messages
Edit messages
Subscribe others
Default Project Security Settings
Collaboration provides default security settings for the Project Members and Project Guests roles that are automatically applied to a project when it is created. However, Project Leaders can change the default security settings for their individual projects. For more information, see Changing Default Permissions for Roles.
Object-Level Security Settings
By default, all Collaboration objects derive their security from the project security settings. Changes made to the project security settings apply immediately to all objects that are configured to inherit the default settings. Project Leaders can choose to disable this setting and configure security directly on an object. When this setting is disabled, an object retains its security setting regardless of the security settings of the rest of the functional area.
The access levels that can be assigned to Collaboration objects are the same as those that can be set as the default security settings. Object-level security can be set for events, task lists, document folders, documents, and discussions.
To set security on a Collaboration object:
Navigate to the object in the project application view.
Select the object in the table pane.
Click Edit Properties in the action bar.
Click the Security tab.
Clear the Inherit Default Security Settings check box.
Select the access level for Project Members and Project Guests.
A user who uploads a document, or other file, to a document folder is the owner of that file. By default, an owner has full control of the file and can perform all actions on the file.
Project leaders can remove default owner security settings from any file in the project. Additionally, users with Admin access to a file can remove default owner security settings from the file. You may want to remove owner security settings from a file if the owner is no longer participating in the project and consequently should not have high-level access privileges to the file.
To remove owner security settings from a file:
In the Documents application view page, select the check box of a file in the table pane.
From the Edit menu, select Properties.
The Property Editor appears.
Click the Security tab.
Select Permanently remove owner security settings from this document.
Click Finish.
Setting Content Crawler Access to Folders
By default, the contents of a folder -- including the contents of all of its subfolders -- are visible to Collaboration content crawlers for importing into the Knowledge Directory. When a folder is inaccessible to content crawlers, its contents can still be manually published to the Knowledge Directory.
To set content crawler accessibility for a folder:
Select a project in the My Projects or Community Projects portlet.
Click the Documents tab in the application view.
Select the check box of a folder in the table pane.
From the Edit menu, select Properties.
The Property Editor appears.
Perform one of the following:
To make the document folder accessible to content crawlers, select Accessible to Content Crawlers.
To make the document folder inaccessible to content crawlers, clear Accessible to Content Crawlers.
To manage the contents of a folder, you can assign a collection of users or a single user to moderate the folder. Folder moderators can approve or reject documents. Folder moderators with Admin access to the folder can edit documents before approving them. Documents in a moderated folder do not become publicly available unless approved by a moderator.
If a user has checked in changes to a document in a moderated folder, those changes will not be visible until a moderator approves the changes. If a user has uploaded a document to a moderated folder, the document will not be visible until a moderator approves the document.
When at least one moderator is set for a folder, that folder is marked as a moderated folder and anyone with Admin access to the folder can also act as a moderator.
When you assign moderators to a parent folder, all subfolders inherit the moderator list. If a subfolder of the parent folder already has a moderator list, the subfolder inherits changes made to the parent folder's moderator list. If all moderators are removed from a parent folder, the parent folder and all of its subfolders are no longer moderated.
When you add or remove a moderator from a folder, the moderator is subscribed to or unsubscribed from that folder.
To assign a moderator:
In the Documents application view page, right-click a folder in the navigation pane.
Select Edit Properties.
Make sure the Properties tab is selected in the Folder Editor.
Click Moderators.
In the Choose Users dialog box, select the project personnel whom you want to make moderators of this folder and click Finish.
In the Folder Editor, click Finish.
Assigning Moderators to Discussions
To manage the posting of messages in a discussion, you can assign a collection of users or a single user to moderate the discussion. Discussion moderators can approve or reject messages. Discussion moderators with Admin access to a discussion can edit messages before approving them. Messages posted in moderated discussions do not appear to users in the discussions unless approved by a moderator.
If a user has posted a message to a moderated discussion, that message will not be visible until a moderator approves the message. If a user has edited a message in a moderated discussion, the changes will not be visible until a moderator approves the change.
When at least one moderator is set for a discussion, that discussion is marked as a moderated discussion and anyone with Admin access to the discussion can also act as a moderator.
To assign a moderator to a discussion:
In the Discussions application view page, right-click a discussion in the navigation pane.
Select Edit Properties.
Make sure the Properties tab is selected in the Folder Editor.
Click Moderators.
In the Choose Users dialog box, select the project personnel whom you want to make moderators of this folder and click Finish.
In the Folder Editor, click Finish.
Activity Rights
Access to certain Collaboration functionality is managed through the use of portal activity rights. Collaboration Administrators who have been granted the Create Activities and Delegate Activities activity right can assign the Collaboration activity rights to users.
Collaboration uses the following activity rights to grant access to various functionality:
Table 4-3 Descriptions of Activity Rights
Activity Right
Description
Ability to View Instant Messaging Presence
Allows users to see the instant messaging presence icon on Collaboration pages.
Bulk Upload to Collaboration
Allows users to:
Upload multiple files and directories at the same time
Map Web folders to Collaboration
Manage Collaboration
Allows users to perform the following tasks:
Access the Collaboration Administration utility (when the necessary ALI activity rights are also granted).
Manage Collaboration project folder hierarchy. This includes the ability to perform the following operations on the Collaboration project folders:
Create
Delete
Move
Edit
Use the Project Recycle Bin
Manage Collaboration Projects
Allows users to perform the following tasks:
Create Collaboration projects
Archive Collaboration projects
Remove projects from the Recycle Bin System Folder
Restore (undelete) projects from the Recycle Bin System Folder
Granting Activity Rights to Users
To grant an activity right to a user:
Log in to the portal.
Click the Administration tab.
From the Select Utility drop-down menu, select Activity Manager.
Click the activity right you want to edit.
Click Add Groups.
Select the group you want to add.
Click OK.
Click Finish.
For more information on using activity rights, see the Administrator Guide for BEA AquaLogic Interaction.
