|             | 
 
After you use Planning a User and Group Strategy to determine your group structure, you can create, move, and delete a small number of groups in the Administration Console. Developers might prefer to do these same tasks for a large number of users in WorkSpace Studio with JSP tags and controls.
You can also use groups to set up delegated administration and visitor entitlement; see the Administration Console. If the group exists before you add a user, you can then immediately add the user to the group.
Portal administrators with full group management rights can use the following tools to create and manage a small number of groups:
Developers can use the following tools to create and manage a large number of groups:
createGroup JSP tag to create a new group. Other JSP tags let you add a subgroup, remove a group or subgroup, and create a group profile. See Creating a Group with a JSP Tag.createGroup action in the Group Provider control to create a new group. Other controls allow you to add a subgroup, remove a group or subgroup, and create a group profile. See Creating a Group with a Control.com.bea.p13n.security.management.authentication.AtnManagerProxy Java class to add groups, create group profiles, and remove groups. See the
 Javadoc for more information.| Tip: | Users and groups are stored in the RDBMS user store server by default. The BEA Propagation Utility does not propagate this data from your staging environment to production. | 
The chapter includes the following sections:
If the user store you are accessing already has users organized into groups, you can build a hierarchical tree in the Administration Console to organize and manage those existing groups. If you are using WebLogic server's default RDBMS user store, you do not need to build a group hierarchy tree.
This section contains the following topics:
A tree view of groups provides a visual way to change group properties, find users in groups, and add users and groups to rules for delegated administration and visitor entitlement. Figure 8-1 shows a group hierarchy tree for the default SQLAuthenticator.

If you are connecting WebLogic Server to an external user store, your ability to see a hierarchy tree in the Administration Console depends on how the user store is supported. If the provider does not allow read access by external tools (such as the Administration Console), you will not be able to see the tree representation of the groups. See the Security Guide to determine if your user store allows read access. If the provider does not allow read access to its groups, you can still use the Administration Console to enter the names of known users and groups.
Use the Authentication Hierarchy Service page to build and configure a group hierarchy tree for a read-access user store connected to WebLogic Server.
To build a group hierarchy tree:
| Note: | When you change the value of the Build Group Hierarchy Trees field, you must redeploy your enterprise application or restart the server. | 
If a sweep finds the trees expired, the trees are cleared from memory and are not rebuilt until you try to access them in the Administration Console. Refreshing the trees more frequently can impact performance, but changes to users and groups are picked up more frequently.
| Tip: | Set the Sweep Interval to the same value as Time to Live if you want the trees to be cleared from memory as soon as they expire. When you change this value, you must redeploy your enterprise application or restart the server. | 
| Tip: | You can configure the default Locale Language in the netuix-config.xmlfile in theWEB-INF/directory and also in the user’s preferred language setting in the browser. If the user's preferred language setting is empty, some browsers will automatically choose the default Locale Language on the client machine. | 
To remove a hierarchy tree for a user store in the Administration Console, select the name of the user store you want to remove, click Remove Selected, and click Update. The providers you can remove are listed in the Authentication Providers to Build field. After you remove the ability to build a hierarchy tree for a provider, you can still use a text entry field in the Administration Console to select users and groups for that provider.
| Tip: | If a list of groups does not appear, verify that you built a group hierarchy tree for the user store. If you built the tree but you still do not see a list of groups, the user store probably does not allow read access. See the Security Guide for instructions on giving the provider read access. | 
You can use the Administration Console to add a group during Staging. If you have a large number of groups to add, you can add them programmatically with JSP tags and controls during the Development phase. Typically, you will add just a few groups or make small changes to your group structure using the Administration Console during the Staging phase.
When you create a group, you are creating an empty group to which you can add an infinite number of users. You can also add a group profile, which contains additional information about a group.
| Tip: | Create groups before you add users to the Administration Console. If the group exists before you add a user, you can then immediately add the user to the group. | 
To create a group in the Administration Console:
| Note: | If you create a large number of groups, you can press PgDn to sort through the list of groups. Pagination improves performance by returning a smaller number of items. | 
If you add a subgroup to a group, the Remove From Group button appears. Clicking Remove From Group removes the subgroup’s membership from the parent group. The subgroup is not deleted from the system.
When you create a group, a group profile is automatically created for the group. A group profile contains information about the group that is stored in editable fields in the Administration Console. You can edit properties for groups, but users belonging to those groups do not automatically inherit the group properties you specify. Group properties might include group manager, location, department, and so on.
 
If a user belongs to two groups, for example, and you have edited each group’s properties, you must specify which set of group properties the user should inherit by configuring a ProfileWrapper successor at runtime. A ProfileWrapper is a lightweight object that can access the correct ProfileManager session beans based on the profile identity with which it is initialized.
To edit the values in a group profile in the Administration Console:
| Tip: | If you delete the saved value, a successor value is returned if there is one defined. A successor value specifies the value to use if more than one value exists. If a user belongs to more than one group, you can choose which group properties to inherit. If you do not define a successor, the default value is returned. If there is no defined successor value or a default value, the property value is null. | 
If you cannot modify property values because they are read-only, the properties might originate from an external property database set up by your development team. You cannot edit the properties, but you can still use those properties to set up personalization, delegated administration, and visitor entitlement.
You can determine which portal administrators can manage each user group by assigning delegated administration roles to those groups. See the Security Guide for instructions on assigning delegated administration.
| Tip: | If you are using more than one user store, you might have a group in one user store with a name that is the same as a group in another user store. When you set delegated administration on a group, an administrator in that delegated administration role can manage that group in all providers that contain that group (if the administrator also has delegated administration rights to those other providers). | 
To change the hierarchy of your groups and subgroups, you can move an existing subgroup from one group to another or change it from a parent group to a child group.
| WARNING: | Moving a group can affect delegated administration and visitor entitlement roles. For example, if a group called Managers is used in a delegated administration role that grants full administrative access to the Administration Console, and you move a group under the Managers group, all users in that new subgroup will have full administrative access to the Administration Console. This is a convenient way to grant users delegated administration or visitor entitlement privileges. | 
 
If you are using an external user store for users and groups (one that is not the default RDBMS user store built into WebLogic Server), and you want to move a group in that user store, the provider may be configured to prevent moving a group from an outside tool (such as the WebLogic Portal Administration Console). If the Group Editor field for the user store is set to No, you cannot move a group in that provider with the Administration Console. You must move the group directly in that provider.
To move a group in the group hierarchy:
If a user store contains thousands of groups, you might get better performance by not building a group hierarchy tree for the provider.
To find a specific group if you did not build a group hierarchy tree:
contains or ends with.When you select a group this way, you can add and edit users and set up delegated administration for the group. However, without a group hierarchy tree, you cannot create, delete, or rearrange groups.
| Note: | You can disable all group hierarchy trees by adding the following code to the JAVA_OPTIONSline in your server startup script: | 
| Note: | -Dcom.bea.jsptools.disableGroupTree=true | 
When you delete a group, you permanently remove the group and all of its subgroups from the user store. You must re-create all of the affected groups if you want to use them again. If you delete a group, the users that belong to the group are not deleted.
You can remove a subgroup from a group, and you can move a group within the group hierarchy to change its relationship to other groups. If the group was listed in a delegated administration or visitor entitlement role, you must also remove that group from the role definition.
You can delete a group in the Administration Console or if you use an external user store, you can remove the group there.
This section contains the following topics:
If you are using an external user store to hold users and groups (one that is not the default RDBMS user store built into WebLogic Server), you can delete groups that were created in that provider.
 
If the external user store you are using does not support group deletion from an outside tool (the Group Remover field in WebLogic Server for the provider is set to No) you cannot delete a group for that provider with the Administration Console. You must delete the group directly in that provider.
| Tip: | If you are using an RDBMS user store, group names are case sensitive. For example, the Managers group is different than managers. | 
To remove a group from an external user store with the WebLogic Server Administration Console:
Yes, you can use WebLogic Server or WebLogic Portal to remove groups in the user store. If you need to make the user store writable, follow the instructions in the
 Security Guide.| Note: | If you make changes to any user store configuration setting in the WebLogic Server Administration Console, restart the server. Restarting the server prevents exceptions in the WebLogic Portal Administration Console. | 
|       |