|             | 
 
Developers can use JSP tags and controls in WorkSpace Studio to provide the capability to add users to your portal application or allow users to add themselves. Portal administrators might prefer to add or edit a small number of users in the Administration Console.
Developers can also use JSP tags and controls to create and edit user profiles to store additional information about users. Portal administrators might prefer to perform these tasks in the Administration Console.
If you have a large number of users stored in an external user store, you can use the WebLogic Scripting Tool to retrieve those users. You could use JSP tags and controls in BEA WorkSpace Studio to add the ability to your portal for users to add themselves. If you want to add a portal administrator with special privileges to manage portal content and users, use the Administration Console. See Adding and Managing Users for instructions.
Developers can use the following tools to add and manage large numbers of users:
createUser JSP tag to create a new JSP tag to add a new user. You can also use the tag to create the ability for visitors to your portal to register themselves and be added to the user store. Other JSP tags let you place users in groups, change passwords, and delete users.createUser action in the User Provider control to add a new user. You can also use the User Provider control to create the ability for visitors to your portal to register themselves and be added to the user store. Other controls let you place users in groups, change passwords, and delete users. See the
 Javadoc for more information.com.bea.p13n.security.management.authentication.AtnManagerProxy Java class to add users, change passwords, and delete users. When you use the API to create a user, a user profile is not automatically created. See the
 Javadoc for more information.| Note: | When you create a user with the p13n API, the new user does not appear in the User Management section of the WLP Administration Console. You must log out and log back in to the Administration Console to see the newly added user. | 
Portal administrators can use the following tools to create and manage a small number of users:
Adding a user with any of these methods (except the Java API) adds the user to the user store and creates a basic user profile that contains the user’s identity (username and password). The Java API does not automatically create a user profile when you add a user.
You can set up other user properties (such as address, phone number, e-mail, and so on) to enable personalization and define rules for delegated administration and visitor entitlement.
| Tip: | Users and groups are stored in the RDBMS server by default. The BEA Propagation Utility does not propagate this data from your staging environment to production. | 
This chapter includes the following sections:
Developers can build functionality into your portal application that lets users add themselves to the domain. This self-registration is often used by visitors to your portal. If you have a large number of users stored in a user store, you can use WorkSpace Studio to access those users. If you want to add a few users or a portal administrator, use the Administration Console.
If a tracked anonymous user registers at your portal, the tracking data is transferred to the new user. The new user is now considered a registered user and is no longer an anonymous user. See Setting Up Anonymous User Tracking for instructions on setting up this user tracking.
When you create a new user, WebLogic Portal creates a user profile containing the user’s identity (name and password) in the user store. Other user properties (such as address, phone number, e-mail, and so on) can be used to set up personalization and define rules for delegated administration and visitor entitlement.
WebLogic Portal does not support multiple RDBMS authenticators under a single Security realm.
This section contains the following topics that explain how to add a user programmatically with JSP tags and controls:
 
The <ugm:createUser> tag adds the ability to create a user and sets the user's password. You can add this JSP tag to a Java Page Flow (JPF) and show that functionality in a portlet. If the user already exists, the <ugm:createUser> tag does not create another user.
You can determine the roles that can perform this action in the Administration Console. See the Security Guide for instructions on defining roles.
| Note: | You must have WebLogic Server running in the cluster for self-registration to work. | 
 
If you set the saveAnonymous attribute for this tag to true and an AnonymousProfile exists, any properties defined in the AnonymousProfile are set for the new user. 
 
After you create the user, you can use the <profile:createProfile> tag to create a user profile for the new user. You can verify your results with the <ugm:getUsernames> tag.
See the JSP Tag Javadoc for more information on the Java class.
 
The User Provider control contains an action called createUser, which adds the ability to create a user and sets the user's password. You can add this control to a Java Page Flow (JPF) and show that functionality in a portlet.
 
The createUser action provides a pre-built form (a form bean) you can add to your page flow to add a new group. Using a form can save you development time because it simplifies data entry and group management. 
 
If you use the createUser action, you can also use the Profile control to create a user profile for the new user.
| Note: | You must have WebLogic Server running in the cluster for self-registration to work. | 
 
Use the createUser action instead of the JSP tag if you want to add a user in a page flow where a successful action forwards the user to another JSP. You can also use the createProfile action to create a user profile for the new user.
For more information on using the User Provider control and its properties, see the Javadoc.
If you decide to use multiple user stores (not the default RDBMS user store built into WebLogic Server), most of the effort is setting up and configuring those providers and then connecting WebLogic Server to those providers. See the Security Guide for instructions on setting up user stores. You can access multiple user stores.
Two ways exist to add more users to an external user store (such as openLDAP):
See Accessing Users in an External User Store for instructions on adding users to an external user store.
You can add a user to one or more groups using a JSP tag, a control, or the Administration Console. See Adding and Managing Users for instructions on using the Administration Console to place users into groups.
| Tip: | The WebLogic Portal’s internal RDBMS user store can store large numbers of users and groups. The internal LDAP is sufficient for storing policies for a small number of roles, as well as entitlements. | 
This section contains the following topics that explain how to locate users programmatically with JSP tags and controls:
 
The <ugm:addUserToGroup> tag adds a user to a group. The tag adds the username you provide to the specified group name. Both the user and the group must previously exist for proper tag behavior. The logged-in user must have administrator rights to execute this tag.
 
After you add the user to a group, you can verify your results with the <ugm:getUsernamesForGroup> tag. 
| Note: | If a user store does not allow write access to users and groups, you will not be able to add users to groups with the Administration Console. You must add users to groups in the user store directly. | 
See the JSP Tag Javadoc for more information on the Java class.
 
The addUserToGroup action in the Group Provider control adds an existing user to an existing group. The addUserToGroup action provides a pre-built form (a form bean) you can add to your page flow to add a user to a group. The logged-in user must have administrator rights to execute this tag.
 
Use the addUserToGroup action instead of the JSP tag if you want to add a user to a group in a page flow where a successful action forwards the user to another JSP.
 
The addUserToGroup action is often used with the isMemberofGroup action, which determines if a user belongs to a group. You can also verify that the user was added to the group with the getUsernamesForGroupLimited action.
For more information on using the Group Provider control and its properties, see the Javadoc.
 
A user can belong to more than one group. The <ugm:getGroupNamesForUser> JSP tag retrieves a String array that contains the group names to which the user belongs. The logged-in user must have administrator rights to execute this tag.
 
Developers use the <ugm:getGroupNamesForUser> tag to verify the results of the <ugm:addUserToGroup> tag.
If you are using an RDBMS user store, be aware of case sensitivity when looking up users and groups. For example, Bob is different than bob.
See the JSP Tag Javadoc for more information on the Java class.
 
A user can belong to more than one group. The getGroupNamesForUser action in the Group Provider control retrieves a string array that contains the group names to which the user belongs. The logged-in user must have administrator rights to execute this tag.
 
Developers use the getGroupNamesForUser action instead of the JSP tag to view a user’s group membership in a page flow where a successful action forwards the user to another JSP. 
 
You can use the getGroupNamesForUser action to verify the results of the following actions: createUser, createGroup, and addUserToGroup. 
For more information on using the Group Provider control and its properties, see the Javadoc.
 
The <ugm:removeUserFromGroup> tag removes a user from a group. The tag does not delete the user. The logged-in user must have administrator rights to execute this tag.
 
Developers often use the <ugm:removeUserFromGroup> tag with the following tags: <ugm:removeGroup>, <ugm:removeUser>, and <ugm:removeGroupFromGroup>.
See the JSP Tag Javadoc for more information on the Java class.
 
The removeUserFromGroup action in the Group Provider control removes a user from a group. The tag does not delete the user. The logged-in user must have administrator rights to execute this tag.
 
Developers use the removeUserFromGroup action instead of the JSP tag to remove a user from a group in a page flow where a successful action forwards the user to another JSP. 
 
The removeUserFromGroup action is often used with the following actions: removeGroup and removeGroupFromGroup. You can also verify that the user was removed from the group with the getUsernamesForGroupLimited action, which retrieves a list of users in a group.
For more information on using the Group Provider control and its properties, see the Javadoc.
WebLogic Portal support two ways to locate users by username:
| Tip: | If you are using an RDBMS user store, be aware of case sensitivity when looking up users and groups. For example, Bob is different than bob. | 
This section contains the following topics that explain how to locate users programmatically with JSP tags and controls:
 
The <ugm:userExists> JSP tag determines if a user exists in WebLogic Portal by searching for a specific username. 
 
Developers often use the <ugm:userExists> tag with the <ugm:createUser> tag to verify that a user does exist in the system.
See the JSP Tag Javadoc for more information on the Java class.
 
The <ugm:getUserNames> tag lets you use a wildcard search expression to retrieve a list of all user names in the WebLogic Portal. The search expression supports only the asterisk (*) wildcard character, and is case insensitive. You can use as many asterisks as you want in the search expression. You can limit the number of items that the tag returns; only usernames that match the search expression are returned.
 
Developers often use the <ugm:getUserNames> tag with the <ugm:getUserNamesForGroup> tag to retrieve a list of all users that belong to a specific group.
See the JSP Tag Javadoc for more information on the Java class.
 
The userExists action in the User Provider control determines if a user exists in WebLogic Portal by searching for a specific username.
 
Developers use the userExists action instead of the JSP tag to locate a user in a page flow where a successful action forwards the user to another JSP. The userExists action can be used with the createUser action to verify that a new user was successfully added.
For more information on using the User Provider control and its properties, see the Javadoc.
 
The getUserNames action in the User Provider control lets you use a wildcard search expression to retrieve a list of all user names in the WebLogic Portal. The search expression supports only the asterisk (*) wildcard character, and is case insensitive. You can use as many asterisks as you want in the search expression. You can limit the number of items that the tag returns; only usernames that match the search expression are returned.
 
Developers use the getUserNames action instead of the JSP tag to find users in a page flow where a successful action forwards the user to another JSP. You can use the getUserNames action with the getUserNamesForGroup action to retrieve a list of all users that belong to a specific group.
For more information on using the User Provider control and its properties, see the Javadoc.
You might need to reset a password if a user loses or cannot remember a password. If you have the appropriate delegated administration rights, you can change any user’s password. See the Security Guide for instructions on setting up delegated administration.
Ensure that your user knows the new password, because once the password is changed there is no way to find out what it is. If a user forgets a password, the portal administrator must change it again.
This section contains the following topics that explain how to update a user’s password programmatically:
 
The <ugm:setPassword> JSP tag updates the password for the user you specify in the Security realm. Due to Security constraints, only administrators should use this method. Users must be logged in to change their passwords.
 
The new password must be at least eight characters. Developers often use the <ugm:setPassword> tag with the <ugm:getUserNames> tag.
See the JSP Tag Javadoc for more information on the Java class.
 
The setPassword action in the User Provider controls updates the password for the user you specify in the Security realm. Due to Security constraints, only administrators should use this method. Users must be logged in to change their passwords.
 
The new password must be at least eight characters. Developers often use the setPassword action instead of the JSP tag to update a user’s password in a page flow where a successful action forwards the user to another JSP. You can use the setPassword action with the getUserNames action to update a user’s password. 
For more information on using the User Provider control and its properties, see the Javadoc.
Removing a user from a group does not delete the user from the system or change a user profile’s properties. A group does not own a user, so you can add and remove users from groups without affecting the user's properties. Removing a user from a group deletes the user from any delegated administration or visitor entitlement roles based on that group. For example, if you remove a user from the Administrators group, that user may no longer have full administrative access to the Administration Console.
When you delete a user, you remove the user from the user store. The deleted user is no longer available in any other group or subgroup, and the user will not be able to log into your portal application. To get the user back in the system, you must create the user again.
If you want to remove the user from a group but not remove the user from the entire system, see Searching for Users or Removing Users.
| Note: | If you are using an external user store to store users and groups (one that is not the default RDBMS provider built into WebLogic Server), and you want to remove a user from that provider, the provider might be configured to prevent user removal from an outside tool, such as the Administration Console. See Adding a User to an External User Store with an Outside Tool the instructions. | 
This section contains the following topics:
 
The <ugm:removeUser> JSP tag removes a user from the system. This tag does not remove the Security realm and user profile records for this user. (You can use the <profile:removeProperty> JSP tag or the removeProperty action in the Property control in your page flows to remove user profiles. See Deleting a Property Set and Properties for more information.). The tag can remove any type of extended user that has its profileType set in the database. Due to security constraints, only administrators should use this method.
 
Developers often use the <ugm:removeUser> tag with the <ugm:removeUserFromGroup> tag to remove the user from its group. 
See the JSP Tag Javadoc for more information on the Java class.
 
The removeUser action in the User Provider control removes a user from the system. This action does not remove the Security realm and user profile records for this user. (You can use the <profile:removeProperty> JSP tag or the removeProperty action in the Property control in your page flows to remove user profiles. See Deleting a Property Set and Properties for more information.) The control can remove any type of extended user that has its profileType set in the database. Due to security constraints, only administrators should use this method.
 
Use the removeUser action instead of the JSP tag if you want to delete a user in a page flow where a successful action forwards the user to another JSP. The removeUser action can be used with the removeUserFromGroup action to remove the user from its group. 
For more information on using the User Provider control and its properties, see the Javadoc.
|       |