| Oracle® Fusion Middleware Administrator's Guide for Oracle WebCenter 11g Release 1 (11.1.1) E12405-02 |
|
 Previous |
 Next |
| Oracle® Fusion Middleware Administrator's Guide for Oracle WebCenter 11g Release 1 (11.1.1) E12405-02 |
|
Previous |
Next |
This chapter describes how to manage users, roles, and permissions in WebCenter Spaces. It includes the following sections:
Audience
The content of this chapter is intended for WebCenter Spaces administrators. Users granted the WebCenter Spaces Administrator role or a custom role that grants the Application-Manage permission).
Refer to Chapter 14, "Managing Security" if you are a Fusion Middleware Administrator responsible for security-sensitive administrative duties that require configuration through Fusion Middleware Control or WLST.
Read this section to understand more about WebCenter users, application roles, and permissions granted to WebCenter users working in their personal space. It includes the following subsections:
When a WebCenter user becomes a member of a group space, a different set of roles and responsibilities apply. See "What You Should Know About Group Space Roles and Permissions" in Oracle Fusion Middleware User's Guide for Oracle WebCenter.
A WebCenter user is an member of WebCenter Spaces—provisioned directly from an existing identity store. See also, Section 14.3, "Configuring the Identity Store".
All users in the identity store are assigned minimal WebCenter Spaces privileges through the Spaces-User role. The only exception is the Fusion Middleware Administrator (weblogic). Out-of-the-box, the Fusion Middleware Administrator is the only user assigned full administrative privileges through the Administrator role. For more information, read the next section Section 19.1.2.1, "Default Application Roles".
It is the Fusion Middleware Administrator's job to assign each WebCenter user an appropriate application role. Alternatively, the Fusion Middleware Administrator may choose to assign the Administrator role to another user and delegate this responsibility.
Table 19-1 Default Administrator in WebCenter Spaces
| User | Description |
|---|---|
|
Fusion Middleware Administrator (weblogic) |
Administrator for the entire application server, sometimes referred to as the super administrator. This user can manage any application on the server, including WebCenter Spaces. |
WebCenter Spaces supports self-registration. When new WebCenter users self-register, they create their own login and password and a new user account is created in the identity store. See also, Section 19.4, "Allowing Self-Registration".
Application roles control the level of access a user has to information and services in WebCenter Spaces. Specifically, application roles determine what a user can see and do in their personal space.
Application role assignment is the responsibility of the WebCenter Spaces administrator. Administrators can assign users one of the default application roles or create additional, custom roles specific to their WebCenter Spaces application. For more detail, see:
Application roles only apply while a user is working within their personal space. Within a particular group space a different set of roles and permissions apply and it is the group space moderator's responsibility to determine suitable role assignments for each of its members. See also "Managing Group Space Roles and Permissions" in Oracle Fusion Middleware User's Guide for Oracle WebCenter.
|
Note: Application roles and permissions defined within WebCenter Spaces are stored in its policy store and, consequently, apply to this WebCenter Spaces application only. Enterprise roles are different; enterprise roles are stored within the application's identity store and do not imply any permissions within WebCenter Spaces. |
WebCenter Spaces provides several default application roles that cannot be deleted (Table 19-2).
Table 19-2 Default Application Roles for WebCenter Spaces
| Application Role | Description | Modify? |
|---|---|---|
|
Administrator |
Users with the Administrators can also manage users and roles for WebCenter Spaces, delegate or revoke privileges to/from other users, manage group spaces and group space templates, as well as import and export group space information. Out-of-the-box, the Fusion Middleware Administrator is the only user assigned full WebCenter Spaces administrative privileges through the |
Yes* *Except for Application permissions which are read-only |
|
Spaces-User |
Authenticated users of WebCenter Spaces are granted the This role inherits permissions from the In WebCenter Spaces, the |
Yes |
|
Public-User |
Anyone with access to WebCenter Spaces who is not logged in, is granted the In WebCenter Spaces, the |
Yes |
Custom application roles (sometimes known as user-defined roles) are specific to your WebCenter Spaces application. When setting up WebCenter Spaces, it is the WebCenter Spaces administrator's job to identify which application roles are required, choose suitable role names, and define the responsibilities of each role.
For example, an education environment might require roles such as Teacher, Student, and Guest. While roles such as Finance, Sales, Human Resources, and Support would be more appropriate for a corporate environment.
To learn how to set up applications roles for WebCenter users, see Section 19.3.2, "Defining Application Roles."
Every application role has specific, defined capabilities known as permissions. These permissions allow individuals to perform specific actions in their personal space. Permissions are categorized as follows and listed individually in the subsequent tables:
Application
Group Spaces
Group Space Templates
Pages
Discussions
Links
Profile Management
With a particular category, the Manage permission (such as Group Spaces-Manage) contains all other permissions (for example, Group Spaces-Configure and Group Spaces-View). No permission, except Manage, inherits privileges from other permissions.
Table 19-3 Application Permissions in WebCenter Spaces
| Category | Application Permissions |
|---|---|
|
Application |
Manage - Manage security, application-wide properties, services, personal pages, and business role pages. Configure - Manage application-wide properties, services, personal pages, and business role pages. View - View the WebCenter Spaces application. |
|
Group Spaces |
Manage - Manage group space membership and assign permissions and roles. Manage, delete, and export all group spaces. Create group space content, set properties, and manage service availability. Configure - Manage, delete, and export all group spaces. Contribute to group spaces, for example, add pages, content, post discussion forum topics, add list items, upload documents. Set group space properties, and manage service availability. View - View group space information. Create -Create group spaces. |
|
Group Space Templates |
Manage - Manage and delete all group space templates. Export group space templates. View - View group space template information. Create group spaces based on a template. Create - Create group space templates. |
|
Pages |
Manage - Edit properties of a personal page, set personal page permissions, and all other page actions. Delete - Delete a personal page. Edit - Add or edit personal page content, rearrange content, and set page parameters and properties. Personalize - Personalize your view of a personal page by adding, editing, or removing content. View - View a personal page. Create - Create or design a new personal page. These permissions do not apply to group space pages. Group space page permissions are granted on a per group space-basis by the group space moderator. |
|
Discussions |
Manage - Manage categories, forums, and topics on the back-end discussions server. Set discussion forum properties for all group spaces. See also, Section 19.1.4, "Understanding Discussions Server Role and Permission Mapping". |
|
Links |
Manage - Create and delete links between objects, and manage link permissions. Delete - Delete a link between two objects. Create - Create links between objects. |
|
Profile Management |
Manage - Configure profile data display options. Enable profile data and WebCenter password updates. Edit - Edit your own profile data. |
WebCenter Spaces uses application roles to manage user permissions in personal spaces and group space roles to manage user permissions with a group space. On the Oracle WebCenter Discussions server, a different set of roles and permissions apply.
Users who are working with discussions and announcements in WebCenter Spaces automatically map to the appropriate Oracle WebCenter Discussions server role, see Table 19-4 and Table 19-5.
Table 19-4 Discussions Server Roles and Permissions - Application
| Discussion Server Role | Discussion Server Permissions | WebCenter Spaces Equivalent Application Permission |
|---|---|---|
|
Administrator |
Category Admin |
Create, read, update and delete sub categories, forums and topics inside the category for which permissions are granted. |
Table 19-5 Discussions Server Roles and Permissions - For Group Spaces
| Discussion Server Role | Discussion Server Permissions | WebCenter Spaces Equivalent Group Space Permissions |
|---|---|---|
|
Moderator |
Category Admin Forum Admin |
|
|
Read Forum Create Thread Create Message Create Announcement |
|
|
|
Read Forum |
|
Any user assigned the Application-Discussions-Manage permission in WebCenter Spaces is automatically added to Oracle WebCenter Discussions and assigned the Administrator role with the Category Admin permission. Out-of-the box, WebCenter Spaces assigns the Application-Discussions-Manage permission to the Administrator role only, as shown in Figure 19-1.
Similarly, in group spaces, any member assigned the Discussions-Manage, Discussions-Edit, or Discussion-View permission is granted the corresponding permissions on the Oracle WebCenter Discussions server. Out-of-the box, discussion and announcement permissions for the default group space roles Moderator, Participant, and Viewer, are as shown in Figure 19-2.
Administrators must ensure that all WebCenter users have appropriate permissions. To get permissions, users must be assigned to an appropriate application role.
This section tells you how to assign roles and contains the following subsections:
From the Users page (Figure 19-3), administrators can manage application roles for all the users who have access to WebCenter Spaces, that is, all users defined in the identity store. From here, you can change user role assignments, grant administrative privileges, and revoke user permissions.
Only users granted special (non-default) application privileges will appear in this table. Initially, all users in the WebCenter Spaces identity store are assigned minimal privileges through the Spaces-User role. Users with the default Spaces-User role are not listed here.
Initially, all users in the WebCenter Spaces identity store are assigned minimal privileges through the Spaces-User role.
To assign a user to a different application role:
Login to WebCenter Spaces with administrative privileges.
See Section 17.1, "Logging into WebCenter Spaces as an Administrator".
Click the Administration link at the top of the application.
Click the Security tab.
Click the Users tab (Figure 19-3).
This page lists WebCenter users to which additional roles are defined.
Choose User or Group from the drop down.
Select User to grant permissions to one or more users defined in the identity store. Select Group to grant permissions to groups of users.
If you know the exact name of the user or group, enter the name in the box provided, separating multiple names with a comma.
If you are not sure of the name you can search your identity store:
Click the Find User icon (Figure 19-4).
The Find User dialog box opens (Figure 19-5).
Enter two or more characters that appear in the name you are looking for.
Click the Search icon.
Users (or groups) matching your search criteria display in the Select User dialog box. The search is case-sensitive.
Select one or more names from the list.
To assign roles to multiple users, multi-select all the names required. Ctrl-Click rows to select more than one.
Click OK.
The names that you select are display on the Users tab.
To assign a role, select a Role from the drop down (Figure 19-6).
Select an appropriate role for the selected users (or groups). Only choose Administrator to assign full, administrative privileges for WebCenter Spaces.
If the role you want is not listed, create a new role that meets your requirements (see Section 19.3.2, "Defining Application Roles").
When no role is selected, the user assumes the Spaces-User role. See Section 19.1.2.1, "Default Application Roles".
Click Grant Access.
User's names and new role assignment display in the table.
From time to time, a user's role in WebCenter Spaces may change. For example, a user may move out of sales into the finance department and in this instance, the user's role assignment might need to change from Sales to Finance.
|
Note: You cannot modify your own role or the Fusion Middleware Administrator's role. See Section 19.1.2, "Understanding Application Roles". |
To assign a user to a different role:
Login to WebCenter Spaces with administrative privileges.
See Section 17.1, "Logging into WebCenter Spaces as an Administrator".
Click the Administration link at the top of the application.
Click the Security tab.
Click the Users tab.
In the Manage Existing Grants table, scroll down to the user you want.
Only users with non-default role assignments are listed in the table. If the user you want is not listed, grant the role required as described in Section 19.2.2, "Assigning Users to Roles".
Click the Actions icon, then choose Change Role from the drop down list.
The Change Role dialog box opens (Figure 19-7).
Select roles as follows:
Select Administrator to assign full, administrative privileges for WebCenter Spaces.
Select select one or more roles from the list available.
If the role you want is not listed, create a new role that meets your requirements (see Section 19.3.2, "Defining Application Roles").
At least one role must be selected. To revoke all role assignments, reverting user permissions to the default Spaces-User role, see Section 19.2.5, "Revoking Application Roles".
Click OK.
New role assignments display in the table.
It is easy to give a user full, administrative privileges for WebCenter Spaces through the Administrator role. Administrators have the highest privilege level and can view and modify anything in WebCenter Spaces so take care when assigning the Administrator role.
To give a user administrative privileges:
Login to WebCenter Spaces with administrative privileges.
See Section 17.1, "Logging into WebCenter Spaces as an Administrator".
Click the Administration link at the top of the application.
Click the Security tab.
Click the Users tab.
The Role column indicates which users already have full administrative privileges through the Administrator role.
In the Manage Existing Grants table, scroll down to the user you want.
Only users with non-default role assignments are listed in the table. If the user you want is not listed, follow steps in Section 19.2.2, "Assigning Users to Roles" to grant the Administrator role.
Click the Actions icon, then choose Change Role from the drop down list.
The Change Role dialog box opens (Figure 19-7).
Select Administrator to assign full, administrative privileges for WebCenter Spaces.
Select OK.
The new role assignment displays in the table.
It is easy to revoke application role assignments that no longer apply. You can revoke roles individually or revoke all application roles assigned to a particular user at once.
Revoking all a user's application roles does not remove that user from the identity store and the user still has access to WebCenter Spaces through the default Spaces-User role.
|
Note: You cannot revoke your own role assignments or the Fusion Middleware Administrator's role. See Section 19.1.2, "Understanding Application Roles". |
To revoke application roles:
Login to WebCenter Spaces with administrative privileges.
See Section 17.1, "Logging into WebCenter Spaces as an Administrator".
Click the Administration link at the top of the application.
Click the Security tab.
Click the Users tab.
In the Manage Existing Grants table, scroll down to the user you want.
Click the Actions icon:
Choose Change Role icon to revoke one or more, specific application roles. See also Section 19.2.3, "Assigning a User to a Different Role".
Choose Delete Role Assignments to revoke all roles assigned to that user, and then click Delete when asked for confirmation.
Access for that user is revoked immediately.
When you delete all the roles assigned to a particular user, the user is no longer listed on the Users page. The user remains in the identity store and still has access to WebCenter Spaces through the Spaces-User role. See Section 19.1.2.1, "Default Application Roles".
WebCenter Spaces administrators cannot add new user data directly to the WebCenter Spaces identity store or remove user credentials. Identity store management is the responsibility of the systems administrator and takes place through the WLS Administration Console or directly into embedded LDAP identity stores using LDAP commands. See also, Section 14.3.3, "Adding Users to the Identity Store".
WebCenter Spaces administrators can, however, enable self-registration for the application. Through self-registration, invited and uninvited users can create their own login and password for WebCenter Spaces. A user who self registers is immediately and automatically granted access to WebCenter Spaces and a new user account is created in the identity store. See also, Chapter 19, "Allowing Self-Registration".
WebCenter Spaces uses application roles to manage permissions for users working in their personal space. This section tells you how to manage application roles, and their permissions from WebCenter Administration pages. It contains the following subsections:
From the Roles page (Figure 19-9), administrators can manage application roles and permissions. From here, you can edit the permissions assigned to an application role, create new application roles, or delete unused roles.
Application roles apply when a user is working within their personal space. A different set of roles and permissions apply when a user is working within a particular group space. It is the group space moderator's responsibility to determine suitable role assignments for each of its group space members. See also "Managing Group Space Roles and Permissions" in Oracle Fusion Middleware User's Guide for Oracle WebCenter.
WebCenter Spaces provides several default application roles. You cannot delete default application roles but you can modify the default permission assignments for each role. For more information, see Section 19.1, "Understanding Users, Roles, and Permissions".
Use roles to characterize groups of WebCenter users and determine what they can see and do in their personal spaces.
When defining application roles, use self-descriptive role names and try to keep the role policy as simple as possible. Choose as few roles as you can, while maintaining an effective policy.
Take care to assign appropriate access rights when assigning permissions for new roles. Do not allow users to perform more actions than are necessary for the role but at the same time, try not to inadvertently restrict them from activities they must perform. In some cases, users might fall into multiple roles.
To define a new application role:
Login to WebCenter Spaces with administrative privileges.
See Section 17.1, "Logging into WebCenter Spaces as an Administrator".
Click the Administration link at the top of the application.
Click the Security tab.
Click the Roles tab.
Current application roles for WebCenter Spaces display as columns in the table.
Click Create Role to define a new role for WebCenter users.
Enter a suitable name for the role.
Ensure the role names that are self-descriptive. Make it as obvious as possible which users should belong to which roles. Role names cannot include special characters or whitespace.
(Optional) Choose a Template Role.
The new role inherits permissions from the template role. You can modify these permissions in the next step.
Choose Administrator to create a role that inherits full, administrative privileges. Conversely, choose Public-User to create a role that typically provides minimal privileges. Alternatively, choose one of the custom application roles to be your template.
Click OK.
The new role appears as a column in the table. The permissions list shows which actions users with this role can perform.
To modify user permissions for the role, select or clear each permission check box.
Click Apply to save any changes that you make to the role's permissions.
Administrators can modify the permissions associated with application roles at any time. Application permissions are described in Section 19.1.3, "Understanding Application Permissions".
Application role permissions allow individuals to perform specific actions in their personal space. With a particular category, the Manage permission (such as Group Spaces-Manage) contains all other permissions (for example, Group Spaces-Configure and Group Spaces-View).
|
Note: Application permissions cannot be modified for theAdministrator role. See also Section 19.1.2.1, "Default Application Roles". |
To change the permissions assigned to a role:
Login to WebCenter Spaces with administrative privileges.
See Section 17.1, "Logging into WebCenter Spaces as an Administrator".
Click the Administration link at the top of the application.
Click the Security tab.
Click the Roles tab.
Select or clear Permissions check boxes to enable or disable permissions for a role.
Click Apply to save.
The new permissions are effective immediately.
Anyone who is not logged in to WebCenter Spaces assumes the Public-User role. Out-of-the-box, the Public-User role is granted minimal privileges, that is, the Application-View permissions only.
|
Caution: Take care when granting permissions to thePublic-User role. Avoid granting administrative permissions such as Application-Manage, Application-Configure, other Manage permissions, or any permission that might be considered unnecessary. |
Granting the Application-View Permission
The Application-View permission allows unauthenticated users to see public WebCenter Spaces application pages, such as the welcome page, as well as content that individual WebCenter users choose to make public.
When Application-View permissions are granted to the Public-User role:
Ensure that your WebCenter users understand that any personal page or personal content they choose to make public will become accessible to unauthenticated users outside of the WebCenter Spaces community, that is, anyone with Web access.
Consider customizing the default welcome page that displays to public users before they login. See Section 20.3.1, "Customizing the Public Welcome Page".
If you do not want unauthenticated users to see WebCenter Spaces content that is marked 'public', do not grant the Application-View permission to the Public-User role. When public access is disabled, public content cannot be seen by unauthenticated users. Also, the welcome page for WebCenter Spaces is not displayed; public users are directed straight to a login page. Administrators may customize the default login page, if required. See Section 20.3.2, "Customizing the Login Page".
Granting Other Permissions
Be careful when assigning permissions to the Public-User role. For security reasons, Oracle recommend that you limit what anonymous users can see and do in WebCenter Spaces.
Anyone who is logged in to WebCenter Spaces assumes the Spaces-User role. Out-of-the-box, the Spaces-User role is granted minimal privileges, that is, the Application-View, Group Space-Create, Group Space Templates-Create, Pages-Create, Profiles-Edit permissions only.
Note that the Spaces-User role always inherits permissions from the Public-User role.
When an application role is no longer required you should remove it from WebCenter Spaces. This helps maintain a valid role list, and prevents inappropriate role assignment.
Application roles are deleted even when users are still assigned to the them. As you cannot delete any default roles, WebCenter users will always have the Spaces-User role.
|
Note: Default roles cannot be deleted (Administrator, Spaces-User, Public-User). See Section 19.1.2.1, "Default Application Roles". |
To delete an application role:
Login to WebCenter Spaces with administrative privileges.
See Section 17.1, "Logging into WebCenter Spaces as an Administrator".
Click the Administration link at the top of the application.
Click the Security tab.
Click the Roles tab.
Select the Delete Role icon next to the role you want to delete (Figure 19-11).
Click OK to confirm that you want to delete the role.
The role is removed from the table. Any users assigned to this role only, assume the default Spaces-User role and do not display on the Users tab.
Self-registration allows users to create their own login and password for WebCenter Spaces. A user who self registers is immediately and automatically granted access to WebCenter Spaces and a new user account is created in the application's identity store.
When anyone is allowed to self-register, that is any public user, a Register link or Register button displays below the WebCenter Spaces login form. To enable this feature, see Section 19.4.2, "Enabling Anyone to Self-Register".
Self-registration by invitation is allowed too. This feature allows group space moderators to send out membership invitations to people who are not currently registered with WebCenter Spaces but might be interested in their group space. Before accessing the group space, invitees must create an account with WebCenter Spaces and their account details are added to the application's identity store. When the group space moderator approves their subscription request they will gain access to the group space. See Section 19.4.1, "Enabling Self-Registration By Invitation-Only".
|
Note: If self-registration is not enabled in WebCenter Spaces, identity store management takes place through the WLS Administration Console (or directly into embedded LDAP identity stores using LDAP commands) and is the responsibility of your systems administrator. See also, Section 14.3.3, "Adding Users to the Identity Store". |
A self-registration page is supplied out-of-the-box. Administrators can add new components to the page and change the page layout if required. See Section 20.3.3, "Customizing the Self-Registration Page".
The self-registration page provided with WebCenter Spaces offers to send a "user name reminder email" to anyone who tries to register using an existing email address. This feature only works if public credentials are defined for the external application that is providing authentication for the Mail service. If users experience issues with this feature, ask your Fusion Middleware Administrator to check the mail server connection and its associated external application connection are configured correctly and that public credentials are defined. See also, Section 11.3.3, "Registering Mail Servers".
Out-of-the-box, only existing WebCenter users are candidates for group space membership. While this might meet the needs of most WebCenter Spaces applications it is likely that some group spaces will want to recruit members outside of the WebCenter Spaces community.
The WebCenter Spaces administrator can extend group space membership to users outside of WebCenter Spaces by allowing them to self-register on an invitation-only basis. When this facility is enabled, group space moderators can invite anyone to join their group space by sending them a customizable invitation by mail. The invitation includes a secure, self-registration URL which the invited party clicks to accept group space membership.
New members recruited in this way must create an account with WebCenter Spaces before gaining access to the group space. Users who self-register by invitation are added to the identity store, and to the group space member list.
|
Note: Users who self-register by invitation will be assigned the default application role too—Spaces-User. Out-of-the box, users with the Spaces-User role have access to their own personal space, pages that they create, and public pages. They are also allowed to view public group spaces, join any group space that allows self-subscription, and create group spaces of their own. When you enable self-registration, consider modifying Spaces-User permissions to suit your exact requirements. See also, Section 19.3.3, "Modifying Application Role Permissions". |
To allow external users to join group spaces:
Login to WebCenter Spaces with administrative privileges.
See Section 17.1, "Logging into WebCenter Spaces as an Administrator".
Click the Administration link at the top of the application.
Click the General tab.
Select Allow Self-Registration Through Invitations (Figure 19-12).
When you deselect this option, only existing WebCenter users are candidates for group space membership.
Click Apply.
Group space moderators may invite non-WebCenter users to become members of their group space. See "Inviting a Non-WebCenter Spaces User" in Oracle Fusion Middleware User's Guide for Oracle WebCenter.
When anyone is allowed to self-register, that is any public user, a Register link displays in the top right corner of the application or a Register button displays below the WebCenter Spaces login form (Figure 19-13).
New users must create an account before gaining access to the WebCenter Spaces application.
Users who self-register are added directly to the WebCenter Spaces identity store and assigned the Spaces-User application role. Out-of-the-box, users with Spaces-User role have access to their own personal space, pages that they create, and public pages. They are also allowed to view public group spaces, join any group space that allows self-subscription, and create group spaces of their own. If you enable self-registration, consider modifying Spaces-User permissions to suit your exact requirements. See Section 19.3.3, "Modifying Application Role Permissions".
To allow anyone to self-register with WebCenter Spaces:
Login to WebCenter Spaces with administrative privileges.
See Section 17.1, "Logging into WebCenter Spaces as an Administrator".
Click the Administration link at the top of the application.
Click the General tab.
Select Allow Public Users to Self-Register (Figure 19-14).
When you deselect this option, public users cannot self-register. with WebCenter Spaces. You still enable self-registration on an invitation-only basis if you want. See Section 19.4.1, "Enabling Self-Registration By Invitation-Only".
Click Apply.
See also, "Registering Yourself with WebCenter Spaces" in Oracle Fusion Middleware User's Guide for Oracle WebCenter.
