This chapter provides information about security in WebCenter Spaces. It contains the following sections:
Section 20.1, "Introduction to Security in WebCenter Spaces"
Section 20.3, "Understanding Application Roles and Permissions"
Section 20.4, "Understanding Roles and Permissions within a Space"
The content of this chapter is intended for WebCenter Spaces administrators and anyone who wants to understand the application's security model. For detailed instructions, see Chapter 21, "Managing Users, Roles, and Permissions".
See also, "Managing Security" in Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter.
WebCenter Spaces provides a comprehensive security model that enables you to control what users can see and change on your portal. You can control which users (and groups) have access to individual Spaces, Space hierarchies, and the Home Space, and you can also control exactly what users and groups can see and do by enabling and disabling various permissions.
Within a particular Space you can restrict user and group access to individual WebCenter pages, page content (such as task flows, portlets, documents, and folders), and WebCenter resources (such as page templates, page styles, skins, resource catalogs, and so on).
User and Groups
A user is a single person in the identity store and a group contains multiple users. In WebCenter Spaces you can grant permissions to individual users and to groups of users.
Unregistered Users and Self-Registration
Self-registration allows unregistered users to create their own login and password for WebCenter Spaces. A user who self registers is immediately and automatically granted access to WebCenter Spaces and a new user account is created in the application's identity store.
Application Roles and Space Roles
Application roles determine what a user (or group) can see and do in the Home Space which, for some administrative functions, can impact the entire WebCenter Spaces application. Space roles control actions within a particular Space.
Spaces and Space Hierarchies
Spaces support the formation and collaboration of project teams and communities of interest by providing a dedicated and readily accessible area for relevant services, pages, and content and by supporting the inclusion of specified members.
A Space hierarchy consists of a parent Space with one or more Subspaces. Subspaces can inherit the security (members, roles, and permissions) of their parent.
Home Space
The Home Space is a shared Space that, by default, is accessible to everyone who is logged in. Application roles apply while a user is working within the Home Space. In most applications, the Home Space focuses on social networking and personal content.
Resources
Various portal resources help define the overall structure, look and feel, and content in WebCenter Spaces, and these include page templates, page styles, skins, navigation models, resource catalogs, content presenter display templates, mashup styles, data controls, and task flows. Users with appropriate privileges can build and customize portal resources for the entire application, a single Space, or a Space hierarchy.
Pages
Anyone authorized to edit a page can grant access and permissions to other users and groups. For example, you might grant view-only permissions to everyone in the sales group, edit permissions to sales managers, and manage permissions to a single user. Alternatively, you can specify that the page inherits its access from the application.
Page Content, Files and Folders
Some pages might contain content that you want only a select set of users, or even only one other user, to see. For example, a page aimed at sales people might include two Announcement task flows; one aimed at all sales people and the other at sales managers only. By restricting access to the second Announcement task flow, you can hide management-level announcements from anyone who is not a sales manager.
A WebCenter user has a login account for WebCenter Spaces—provisioned directly from an existing identity store. See also, "Adding Users to the Embedded LDAP Identity Store" in the Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter.
All users in the identity store are assigned minimal WebCenter Spaces privileges through the Authenticated-User role. The only exception is the Fusion Middleware Administrator (weblogic by default). Out-of-the-box, the Fusion Middleware Administrator is the only user assigned full administrative privileges through the Administrator role. For more information, read the next section, Section 20.3.1.1, "Default Application Roles".
It is the Fusion Middleware Administrator's job to assign each WebCenter user an appropriate application role. Alternatively, the Fusion Middleware Administrator may choose to assign the Administrator role to another user and delegate this responsibility.
Application roles control the level of access a user has to information and services in WebCenter Spaces. Specifically, application roles and their permissions determine what a user can see and do in the Home Space.
This section includes:
Section 20.3.1, "Understanding Application Roles"
Section 20.3.2, "Understanding Application Permissions"
Application role assignment is the responsibility of the WebCenter Spaces administrator. Administrators can assign users a default application role or create additional, custom roles specific to their WebCenter Spaces application. For more detail, see:
Application roles only apply while a user is working within the Home Space. Within all other Spaces a different set of roles and permissions apply and it is the Space moderator's responsibility to determine suitable role assignments for each of its members. See also Section 52.2, "Managing Roles and Permissions for a Space".
Note:
Application roles and permissions defined within WebCenter Spaces are stored in its policy store and, consequently, apply to this WebCenter Spaces application only. Enterprise roles are different; enterprise roles are stored within the application's identity store and do not imply any permissions within WebCenter Spaces. See "Application Roles and Enterprise Roles" in the Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter.
WebCenter Spaces provides several default application roles that cannot be deleted (Table 20-2).
Table 20-2 Default Application Roles for WebCenter Spaces
Application Role | Description | Modify? |
---|---|---|
Administrator | Users with the Administrator role can also manage users and roles for WebCenter Spaces, delegate or revoke privileges to/from other users, manage Spaces and Space templates, and also import and export Space information. Out-of-the-box, the Fusion Middleware Administrator is the only user assigned full WebCenter Spaces administrative privileges through the Administrator role. | Yes, except for Application permissions, which are read-only |
Authenticated-User | Authenticated users of WebCenter Spaces are granted the Authenticated-User role. This role inherits permissions from the Public-User role. In WebCenter Spaces, the Authenticated-User role is granted the View Application permission by default (see Table 20-4). | Yes |
Public-User | Anyone with access to WebCenter Spaces who is not logged in is granted the Public-User role. In WebCenter Spaces, the Public-User role is granted the View Application permission by default (see Table 20-4). | Yes |
Custom application roles (sometimes known as user-defined roles) are specific to your WebCenter Spaces application. When setting up WebCenter Spaces, it is the WebCenter Spaces administrator's job to identify which application roles are required, choose suitable role names, and define the responsibilities of each role.
For example, an education environment might require roles such as Teacher, Student, and Guest, while roles such as Finance, Sales, Human Resources, and Support would be more appropriate for a corporate environment.
In WebCenter Spaces, custom application roles inherit permissions from the Authenticated-User role.
To learn how to set up application roles for WebCenter users, see Section 21.2.2, "Defining Application Roles".
Every application role has specific, defined capabilities known as permissions. These permissions allow individuals to perform specific actions in the Home Space. Permissions are categorized as follows and listed individually in the subsequent tables:
Application
Spaces
Space Templates
Pages
Content Presenter Templates
Data Controls
Discussions
Links
Mashup Styles
Navigations
Page Styles
Page Templates
People Connections
Resource Catalogs
Skins
Task Flows
No permission, except for Manage All, inherits privileges from other permissions.
Table 20-3 Application Permissions in WebCenter Spaces
Category | Application Permission | Description |
---|---|---|
Application | Manage All | Enables access to all WebCenter Spaces Administration pages: Spaces, Pages, Resources, Security, and Configuration. Through these pages, users can manage application security (users/roles), configure application-wide properties and services, manage resources, create business role pages, manage everyone's personal pages, customize system pages, view Spaces accessible to them, as well as export/import Spaces and Space templates. Some administrative tasks are exclusive to the out-of-the-box Administrator role. |
Application | Manage Configuration | Same as the |
Application | View Application | Enables users to view the WebCenter Spaces application, and gives users access to the Home Space. See also Section 5.12, "Enabling and Disabling Access to the Home Space". |
Spaces | Manage All | Enables access to all Space administration pages (General, Roles, Members, Pages, Content, Subspaces, Services, Custom Attributes). Through these pages users can manage Space membership, assign permissions and roles, manage, delete, and export Spaces and resources, set Space properties, and manage service availability. |
Spaces | Manage Configuration | Same as the |
Spaces | Manage Membership | Users can manage Space membership through the Roles and Members pages. |
Spaces | Create Spaces | Users can create Spaces. |
Space Templates | Manage All | Enables users to manage and delete any Space template that is accessible to them. |
Space Templates | Create Space Templates | Users can create Space templates. |
Pages | Create, Edit, and Delete | Create, edit, and delete pages in your Home Space. |
Pages | Delete | Delete pages in your Home Space. |
Pages | Edit | Add or edit personal page content, rearrange content, and set page parameters and properties. |
Pages | Customize | Customize your view of pages in the Home Space by adding, editing, or removing content. |
Pages | View | View pages in the Home Space. |
Pages | Create | Create or design a new page for your Home Space view. |
Content Presenter Templates | Create, Edit, and Delete | Create, edit, and delete content display templates for the application through WebCenter Administration. |
Content Presenter Templates | Create | Create content display templates for the application. |
Content Presenter Templates | Edit | Edit application-level content display templates. See also Chapter 40, "Publishing Content Using Content Presenter". |
Data Controls | Create, Edit, and Delete | Create, edit, and delete data controls for the application through WebCenter Administration. |
Data Controls | Create | Create data controls for the application. |
Data Controls | Edit | Edit application-level data controls. See also Section 26.2, "Creating and Managing Data Controls". |
Discussions | Create, Edit, and Delete | Manage categories, forums, and topics on the back-end discussions server. Set discussion forum properties for all Spaces. See also Section 20.3.2.2, "Understanding Discussion Server Role Mapping". |
Links | Create and Delete | Create and delete links between objects, and manage link permissions. |
Links | Delete | Delete a link between two objects. |
Links | Create | Create links between objects, and delete links that you create. |
Mashup Styles | Create, Edit, and Delete | Create, edit, and delete content display templates for the application through WebCenter Administration. |
Mashup Styles | Create | Create content display templates for the application. |
Mashup Styles | Edit | Edit application-level content display templates. See also Chapter 40, "Publishing Content Using Content Presenter". |
Navigations | Create, Edit, and Delete | Create, edit, and delete navigations for the application through WebCenter Administration. |
Navigations | Create | Create navigations for the application. |
Navigations | Edit | Edit application-level navigations. See also Chapter 11, "Working with Navigation". |
Page Styles | Create, Edit, and Delete | Create, edit, and delete page styles through WebCenter Administration. |
Page Styles | Create | Create page styles for the application. |
Page Styles | Edit | Edit application-level page styles. See also Chapter 15, "Working with Page Styles". |
Page Templates | Create, Edit, and Delete | Create, edit, and delete page templates through WebCenter Administration. |
Page Templates | Create | Create page templates for the application. |
Page Templates | Edit | Edit application-level page templates. See also Chapter 12, "Working with Page Templates". |
People Connections | Manage People Connections | Manage application-wide settings for People Connection services. |
People Connections | Update People Connections Data | Edit content associated with People Connection services. |
People Connections | Connect with People | Share content associated with People Connection services with others. |
Resource Catalogs | Create, Edit, and Delete | Create, edit, and delete resource catalogs for the application through WebCenter Administration. |
Resource Catalogs | Create | Create resource catalogs for the application. |
Resource Catalogs | Edit | Edit application-level resource catalogs. See also Chapter 16, "Working with Resource Catalogs". |
Skins | Create, Edit, and Delete | Create, edit, and delete skins through WebCenter Administration. |
Skins | Create | Create skins for the application. |
Skins | Edit | Edit application-level skins. See also Chapter 14, "Working with Skins". |
Task Flows | Create, Edit, and Delete | Create, edit, and delete task flows based on a mashup style through WebCenter Administration. |
Task Flows | Create | Create task flows for the application. |
Task Flows | Edit | Edit application-level task flows. |
The Pages permissions only apply to the Home Space. They do not apply to pages that are created within a Space; page permissions within a Space are granted on a per-Space basis by the moderator. See Section 52.2, "Managing Roles and Permissions for a Space".
Table 20-4 shows the default permissions assigned to out-of-the-box application roles.
✔ - Shows an explicitly granted permission or action.
✙ - Shows an implied permission because of an explicitly granted permission.
Table 20-4 Default Application Roles and Permissions in WebCenter Spaces
Permissions | Administrator | Authenticated-User | Public-User |
---|---|---|---|
Application | | | |
Manage All | ✔ | | |
Manage Configuration | ✙ | | |
View Application | ✙ | ✔ | ✔ |
Spaces | | | |
Manage All | ✔ | | |
Manage Configuration | | | |
Manage Membership | | | |
Create Spaces | ✔ | | |
Space Templates | | | |
Manage All | ✔ | | |
Create Space Templates | ✔ | | |
Pages | | | |
Create, Edit, and Delete | ✔ | | |
Delete | | | |
Edit | | | |
Customize | | | |
View | | | |
Create | ✔ | | |
Content Presenter Templates | | | |
Create, Edit, and Delete | ✔ | | |
Create | | | |
Edit | | | |
Data Controls | | | |
Create, Edit, and Delete | ✔ | | |
Create | | | |
Edit | | | |
Discussions | | | |
Create, Edit, and Delete | ✔ | | |
Links | | | |
Create and Delete | ✔ | | |
Delete | | | |
Create | | | |
Mashup Styles | | | |
Create, Edit, and Delete | ✔ | | |
Create | | | |
Edit | | | |
Navigations | | | |
Create, Edit, and Delete | ✔ | | |
Create | | | |
Edit | | | |
Page Styles | | | |
Create, Edit, and Delete | ✔ | | |
Create | | | |
Edit | | | |
Page Templates | | | |
Create, Edit, and Delete | ✔ | | |
Create | | | |
Edit | | | |
People Connections | | | |
Manage | ✔ | | |
Update | ✔ | | |
Connect | ✔ | | |
Resource Catalogs | | | |
Create, Edit, and Delete | ✔ | | |
Create | | | |
Edit | | | |
Skins | | | |
Create, Edit, and Delete | ✔ | | |
Create | | | |
Edit | | | |
Task Flows | | | |
Create, Edit, and Delete | ✔ | | |
Create | | | |
Edit | | | |
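The following added example (not Oracle's code) models the rules this chapter states: role inheritance from Table 20-2, the explicit grants of Table 20-4, and the statement that only Manage All inherits privileges from other permissions. It computes how a role holds a Home Space permission (explicit, implied, or inherited), which is the distinction the legend of Table 20-4 draws. It assumes that Manage All implies the rest of its category in every category, as Table 20-4 shows for Application, and the custom role "Teacher" and its grant are constructed.

```python
"""Added example (not Oracle's code): a model of the WebCenter Spaces
application-role rules described in Section 20.3, for the Home Space."""
from __future__ import annotations

# Role inheritance stated in Table 20-2 and Section 20.3.1.2: Authenticated-User
# inherits from Public-User; custom roles inherit from Authenticated-User.
ROLE_PARENT: dict[str, str | None] = {
    "Public-User": None, "Authenticated-User": "Public-User", "Administrator": None,
}

# Explicit grants (the check marks of Table 20-4) written as "Category/Permission".
EXPLICIT: dict[str, set[str]] = {
    "Public-User": {"Application/View Application"},
    "Authenticated-User": {"Application/View Application"},
    "Administrator": {"Application/Manage All", "Spaces/Manage All",
                      "Space Templates/Manage All", "Pages/Create, Edit, and Delete"},
}

# Subset of the categories in Table 20-3.  Only Manage All inherits privileges
# from other permissions; Table 20-4 shows it implying the rest of the
# Application category, and this model assumes the same for every category.
CATEGORIES: dict[str, list[str]] = {
    "Application": ["Manage All", "Manage Configuration", "View Application"],
    "Spaces": ["Manage All", "Manage Configuration", "Manage Membership", "Create Spaces"],
    "Space Templates": ["Manage All", "Create Space Templates"],
    "Pages": ["Create, Edit, and Delete", "Delete", "Edit", "Customize", "View", "Create"],
}


def add_custom_role(name: str, grants: set[str]) -> None:
    """Custom application roles always inherit from Authenticated-User."""
    ROLE_PARENT[name] = "Authenticated-User"
    EXPLICIT[name] = set(grants)


def implied_by(grant: str) -> set[str]:
    """Permissions carried along by one explicit grant (only Manage All carries any)."""
    category, name = grant.split("/", 1)
    if name != "Manage All":
        return set()
    return {f"{category}/{p}" for p in CATEGORIES.get(category, []) if p != "Manage All"}


def permission_source(role: str, permission: str) -> str | None:
    """How a role holds a Home Space permission: 'explicit' (a check mark in
    Table 20-4), 'implied' (through Manage All), 'inherited' (from a parent
    role), or None when the role does not hold it at all."""
    current, inherited = role, False
    while current is not None:
        grants = EXPLICIT.get(current, set())
        if permission in grants:
            return "inherited" if inherited else "explicit"
        if any(permission in implied_by(g) for g in grants):
            return "inherited" if inherited else "implied"
        current, inherited = ROLE_PARENT.get(current), True
    return None


def effective_permissions(role: str) -> set[str]:
    """Every permission the role ends up with in the Home Space, by any route."""
    return {f"{c}/{p}" for c, ps in CATEGORIES.items() for p in ps
            if permission_source(role, f"{c}/{p}") is not None}
```

A review of a custom role's output from effective_permissions is a quick way to confirm that the role carries nothing beyond Authenticated-User plus the grants the administrator intended.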
Some WebCenter services that need access to "remote" (back-end) resources also require role-mapping based authorization; that is, the WebCenter roles that allow users to work with the Discussions service in WebCenter Spaces must be mapped to corresponding roles on the Oracle WebCenter Discussions Server.
WebCenter Spaces uses application roles to manage user permissions in the Home Space and Space roles to manage user permissions within a Space. On the Oracle WebCenter Discussions server, a different set of roles and permissions apply.
Users who are working with discussions and announcements in WebCenter Spaces automatically map to the appropriate Oracle WebCenter Discussions server role, shown in Table 20-5 and Table 20-6.
Table 20-5 Discussions Server Roles and Permissions - Application
Discussion Server Role | Discussion Server Permissions | WebCenter Spaces Equivalent Application Permission |
---|---|---|
Administrator | Category Admin: create, read, update, and delete sub categories, forums, and topics inside the category for which permissions are granted. | Application-Discussions-Create Edit Delete |
Table 20-6 Discussions Server Roles and Permissions - For a Space
Discussion Server Role | Discussion Server Permissions | WebCenter Spaces Equivalent Permissions in a Space |
---|---|---|
Moderator | Category Admin, Forum Admin | |
| Read Forum, Create Message, Create Announcement | |
| Read Forum, Create Thread | |
| Read Forum | |
Any user assigned the Application-Discussions-Create Edit Delete permission in WebCenter Spaces is automatically added to Oracle WebCenter Discussions and assigned the Administrator role with the Category Admin permission. Out-of-the-box, WebCenter Spaces assigns the Application-Discussions-Create Edit Delete permission to the Administrator role only, as shown in Figure 20-2.
Similarly, in a Space, any member assigned discussion and announcement permissions is granted the corresponding permissions on the Oracle WebCenter Discussions server. Figure 20-3 shows out-of-the-box discussion and announcement permissions for the default roles Moderator, Participant, and Viewer.
In WebCenter Spaces you can assign individual users or multiple users in the same enterprise group to WebCenter roles. Subsequent enterprise group updates in the back-end identity store are automatically reflected in WebCenter Spaces. Initially, when you assign an enterprise group to a WebCenter Spaces role, everyone in the enterprise group is granted that role. If someone moves out of the group, the role is revoked. If someone joins the group, they are granted the role.
For WebCenter Spaces to properly maintain enterprise group-to-role mappings, back-end servers, such as the discussions server and content server, must support enterprise groups too. When back-end servers do not support enterprise groups, users belonging to enterprise groups are individually added to WebCenter Spaces roles and subsequent group updates in the identity store are not reflected in WebCenter Spaces. This can quickly become a maintenance issue, especially when enterprise groups contain a large number of users. Both versions of Oracle WebCenter Discussion Server and Oracle Universal Content Management provided with Oracle WebCenter Spaces 11.1.1.2.0 and later support enterprise groups but previous versions may not.
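The following added example (not Oracle's code) models the two behaviours just described: a group-aware back end that expands an enterprise group against the current identity store, and a back end without group support that copies the group's members into the role one by one at assignment time. The audit function reports the drift that the second behaviour produces once the group changes. The group name, user names, and identity-store snapshots are constructed.

```python
"""Added example (not Oracle's code): enterprise group-to-role mapping with
and without back-end group support, plus an audit for the resulting drift."""
from __future__ import annotations

Grant = tuple[str, str]  # ("user", name) or ("group", name)

# Constructed identity-store snapshots: enterprise group -> members.
STORE_AT_ASSIGNMENT = {"sales-managers": {"alice", "bob"}}
STORE_LATER = {"sales-managers": {"alice", "carol"}}  # bob left, carol joined


def effective_members(grants: set[Grant], store: dict[str, set[str]]) -> set[str]:
    """Group-aware behaviour: a ('group', name) grant is expanded against the
    current identity store, so later group changes are reflected automatically."""
    members: set[str] = set()
    for kind, name in grants:
        if kind == "user":
            members.add(name)
        else:
            members |= store.get(name, set())
    return members


def provision_individually(grants: set[Grant], store: dict[str, set[str]]) -> set[Grant]:
    """Behaviour with a back end that does not support enterprise groups: the
    group is expanded once, at assignment time, into individual user grants
    that no longer follow the group."""
    return {("user", user) for user in effective_members(grants, store)}


def audit_drift(grants: set[Grant], group: str, store: dict[str, set[str]]) -> dict[str, set[str]]:
    """Compare individually held grants with the group they were meant to mirror.
    'stale' users still hold the role after leaving the group (excess access);
    'missing' users joined the group but never received the role."""
    held = {name for kind, name in grants if kind == "user"}
    current = store.get(group, set())
    return {"stale": held - current, "missing": current - held}
```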
When a WebCenter user becomes a member of a Space, a different set of roles and responsibilities apply. For details, see Section 52.2, "Managing Roles and Permissions for a Space".
WebCenter Spaces administrators can enable self-registration for the application. Through self-registration, invited and uninvited users can create their own login and password for WebCenter Spaces. A user who self registers is immediately and automatically granted access to WebCenter Spaces and a new user account is created in the identity store. See also, Chapter 22, "Enabling Self-Registration".