Skip Headers
Oracle® Fusion Middleware User's Guide for Oracle WebCenter Spaces
11g Release 1 (11.1.1.4.0)
E10149-06
  Go To Table Of Contents
Contents
Go To Index
Index

Previous
Previous
 
Next
Next
 

21 Managing Users, Roles, and Permissions

Application roles control the level of access a user has to information and services in WebCenter Spaces. Specifically, application roles and their permissions determine what a user can see and do in their Home Space. This chapter describes how to define and grant application roles to WebCenter users. It contains the following sections:

When a WebCenter user becomes a member of a Space, a different set of roles and responsibilities apply. For details, see Section 52, "Managing Space Members and Roles."

Audience

The content of this chapter is intended for WebCenter Spaces administrators with the Application-Manage All permission.

21.1 Managing Users

Administrators must ensure that all WebCenter users have appropriate permissions. To get permissions, users must be assigned to an appropriate application role.

This section tells you how to assign roles and contains the following subsections:

21.1.1 What You Need to Know About Managing Users

From the Users and Groups page (Figure 21-1), administrators can manage application roles for all the users who have access to WebCenter Spaces, that is, all users defined in the identity store. From here, you can change user role assignments, grant administrative privileges, and revoke user permissions.

Only users granted special (nondefault) application privileges appear in this table. Initially, all users in the WebCenter Spaces identity store are assigned minimal privileges through the Authenticated-User role. Users with the default Authenticated-User role are not listed here. See also, Section 20.3.1.1, "Default Application Roles".

Figure 21-1 WebCenter Administration - Users and Groups Page

WebCenter Administration - Users Tab

21.1.2 Assigning Users (and Groups) to Roles

Initially, all users in the WebCenter Spaces identity store are assigned minimal privileges through the Authenticated-User role. You can assign individual users (or multiple users in the same enterprise group) to a different application role through WebCenter Spaces Administration.

Updates in your back-end identity store, such as new users or someone leaving an enterprise group, are automatically reflected in WebCenter Spaces. Initially, when you assign an enterprise group to a WebCenter Spaces role, everyone in the enterprise group is granted that role. If someone moves out of the group, the role is revoked. If someone joins the group, they are granted the role.


Note:

For WebCenter Spaces to properly maintain enterprise group-to-role mappings, back-end servers, such as the discussions server and content server, must support enterprise groups too. When back-end servers do not support enterprise groups, users belonging to enterprise groups are individually added to WebCenter Spaces roles and subsequent group updates in the identity store are not reflected in WebCenter Spaces. This can quickly become a maintenance issue, especially when enterprise groups contain a large number of users. Both versions of Oracle WebCenter Discussion Server and Oracle Universal Content Management provided with Oracle WebCenter Spaces 11.1.1.2.0 and later support enterprise groups but previous versions may not.

To assign a user (or a group of users) to a different application role:

  1. Open WebCenter Spaces Administration.

    For details, see Chapter 4, "Accessing WebCenter Spaces Administration Pages.".

  2. Click Security, then Users and Groups (Figure 21-1).

    This page lists WebCenter users to which additional roles are defined.

  3. Choose User or Group from the drop down.

    Select User to grant permissions to one or more users defined in the identity store. Select Group to grant permissions to groups of users.

  4. If you know the exact name of the user or group, enter the name in the box provided, separating multiple names with a comma.

    If you are not sure of the name you can search your identity store:

    1. Click the Find icon (Figure 21-2).

      Figure 21-2 Find Icon

      Grant Roles to Users in the Identity Store

      The Find User (or Find Group) dialog box opens (Figure 21-3).

      Figure 21-3 Finding Users and Groups in the Identity Store

      Choosing a User From Your Identity Store
    2. Enter one or more characters that appear in the name you are looking for and then click the Search icon.

      Users (or groups) matching your search criteria display in the Select User dialog box. The First Name, Last Name, Mail Address, and CN fields are included in the search.


      Tip:

      • Use * as a wildcard, for example *sales.

      • Leave the search field blank to list all users (or groups) in the identity store.

      • Enter a space between two search terms to search First Name and Last Name, for example jo sm, searches for jo in First Name and sm in Last Name.


    3. Select one or more names from the list.

      To assign roles to multiple users or groups, multi-select all the names required. Ctrl-Click rows to select multiple names.

    4. Click OK.

      The names that you select are display on the User and Groups tab.

  5. To assign a role, select a Role from the drop down (Figure 21-4).

    Figure 21-4 Assigning a User Role

    Change Membership Icon

    Select an appropriate role for the selected users (or groups). Only choose Administrator to assign full, administrative privileges for WebCenter Spaces.

    If the role you want is not listed, create a new role that meets your requirements (see Section 21.2.2, "Defining Application Roles").

    When no role is selected, the user assumes the Authenticated-User role. See Section 20.3.1.1, "Default Application Roles".

  6. Click Grant Access.

User's names and new role assignment display in the table.

21.1.3 Assigning a User to a Different Role

From time to time, a user's role in WebCenter Spaces may change. For example, a user may move out of sales into the finance department and in this instance, the user's role assignment may change from Sales to Finance.


Note:

You cannot modify your own role or the Fusion Middleware Administrator's role. See Section 20.3.1, "Understanding Application Roles".

To assign a user to a different role:

  1. Open WebCenter Spaces Administration.

    For details, see Chapter 4, "Accessing WebCenter Spaces Administration Pages.".

  2. Click Security, then Users and Groups (Figure 21-1).

  3. In the Manage Existing Grants table, scroll down to the user you want.

    Only users with nondefault role assignments are listed in the table. If the user you want is not listed, grant the role required as described in Section 21.1.2, "Assigning Users (and Groups) to Roles."

  4. Click the Actions icon, then choose Change Role from the drop down list.

    The Change Role dialog box opens (Figure 21-5).

    Figure 21-5 Changing a User's Application Role

    Changing Your Group Space Role
  5. Select roles as follows:

    • Select Administrator to assign full, administrative privileges for WebCenter Spaces.

    • Select select one or more roles from the list available.

      If the role you want is not listed, create a new role that meets your requirements (see Section 21.2.2, "Defining Application Roles").

      At least one role must be selected. To revoke all role assignments, reverting user permissions to the default Authenticated-User role, see Section 21.1.5, "Revoking Application Roles".

  6. Click OK.

New role assignments display in the table.

21.1.4 Giving a User Administrative Privileges

It is easy to give a user full, administrative privileges for WebCenter Spaces through the Administrator role. Administrators have the highest privilege level and can view and modify anything in WebCenter Spaces so take care when assigning the Administrator role.

Some administrative tasks are exclusive to the Administrator role and cannot be performed by granting the Application-Manage All permission. These tasks include editing the login page, the self-registration page, and profile gallery pages. See also, Section 20.3.1.1, "Default Application Roles".

To give a user administrative privileges:

  1. Open WebCenter Spaces Administration.

    For details, see Chapter 4, "Accessing WebCenter Spaces Administration Pages.".

  2. Click Security, then Users and Groups (Figure 21-1).

    The Role column indicates which users already have full administrative privileges through the Administrator role.

  3. Click the Users and Groups tab.

  4. In the Manage Existing Grants table, scroll down to the user you want.

    Only users with nondefault role assignments are listed in the table. If the user you want is not listed, follow steps in Section 21.1.2, "Assigning Users (and Groups) to Roles" to grant the Administrator role.

  5. Click the Actions icon, then choose Change Role from the drop down list.

    The Change Role dialog box opens (Figure 21-6).

    Figure 21-6 Changing a User's Application Role

    Changing Your Group Space Role
  6. Select Administrator to assign full, administrative privileges for WebCenter Spaces.

  7. Select OK.

The new role assignment displays in the table.

21.1.5 Revoking Application Roles

It is easy to revoke application role assignments that no longer apply. You can revoke roles individually or revoke all application roles assigned to a particular user at once.

Revoking all a user's application roles does not remove that user from the identity store and the user still has access to WebCenter Spaces through the default Authenticated-User role.


Note:

You cannot revoke your own role assignments or the Fusion Middleware Administrator's role. See Section 20.3.1, "Understanding Application Roles".

To revoke application roles:

  1. Open WebCenter Spaces Administration.

    For details, see Chapter 4, "Accessing WebCenter Spaces Administration Pages.".

  2. Click Security, then Users and Groups (Figure 21-1).

    This page lists WebCenter users to which additional roles are defined.

  3. In the Manage Existing Grants table, scroll down to the user you want.

  4. Click the Actions icon:

    Access for that user is revoked immediately.

When you delete all the roles assigned to a particular user, the user is no longer listed on the Users page. The user remains in the identity store and still has access to WebCenter Spaces through the Authenticated-User role. See Section 20.3.1.1, "Default Application Roles".

21.1.6 Adding or Removing Users

WebCenter Spaces administrators cannot add new user data directly to the WebCenter Spaces identity store or remove user credentials. Identity store management is the responsibility of the systems administrator and takes place through the WLS Administration Console or directly into embedded LDAP identity stores using LDAP commands. See also, "Adding Users to the Identity Store Using the WLS Administration Console" in Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter.

WebCenter Spaces administrators can, however, enable self-registration for the application. Through self-registration, invited and uninvited users can create their own login and password for WebCenter Spaces. A user who self registers is immediately and automatically granted access to WebCenter Spaces and a new user account is created in the identity store. See also, Chapter 22, "Enabling Self-Registration".

21.2 Managing Application Roles and Permissions

WebCenter Spaces uses application roles to manage permissions for users working in their Home Space. This section tells you how to manage application roles, and their permissions from WebCenter Administration pages. It contains the following subsections:

21.2.1 What You Need to Know About Application Roles and Permissions

From the Roles page (Figure 21-7), administrators can manage application roles and permissions. From here, you can edit the permissions assigned to an application role, create new application roles, or delete unused roles.

Figure 21-7 WebCenter Administration - Roles Page

WebCenter Administration - Roles Tab

Application roles apply when a user is working within their Home Space. A different set of roles and permissions apply when a user is working within a particular Space. It is the Space moderator's responsibility to determine suitable role assignments for each of its members. See also, Section 21.2, "Managing Application Roles and Permissions".

WebCenter Spaces provides several default application roles. You cannot delete default application roles but you can modify the default permission assignments for each role. For more information, see Section 20.3, "Understanding Application Roles and Permissions".

21.2.2 Defining Application Roles

Use roles to characterize groups of WebCenter users and determine what they can see and do in their Home Spaces.

When defining application roles, use self-descriptive role names and try to keep the role policy as simple as possible. Choose as few roles as you can, while maintaining an effective policy.

Take care to assign appropriate access rights when assigning permissions for new roles. Do not allow users to perform more actions than are necessary for the role but at the same time, try not to inadvertently restrict them from activities they must perform. In some cases, users might fall into multiple roles.

To define a new application role:

  1. Open WebCenter Spaces Administration.

    For details, see Chapter 4, "Accessing WebCenter Spaces Administration Pages.".

  2. Click Security, then Roles (Figure 21-7).

    Current application roles for WebCenter Spaces display as columns in the table.

  3. Click Create Role to define a new role for WebCenter users.

    Figure 21-8 Creating a New Role

    Creting a new role
  4. Enter a suitable name for the role.

    Ensure the role names that are self-descriptive. Make it as obvious as possible which users should belong to which roles. Role names can contain alphanumeric characters, blank spaces, @, and underscores.

  5. (Optional) Choose a Template Role.

    The new role inherits permissions from the template role. You can modify these permissions in the next step.

    Choose Administrator to create a role that inherits full, administrative privileges. Conversely, choose Public-User to create a role that typically provides minimal privileges. Alternatively, choose a custom application role to be your template.

  6. Click OK.

    The new role appears as a column in the table. The permissions list shows which actions users with this role can perform.

  7. To modify user permissions for the role, select or clear each permission checkbox.

  8. Click Apply to save any changes that you make to the role's permissions.

21.2.3 Modifying Application Role Permissions

Administrators can modify the permissions associated with application roles at any time. Application permissions are described in Section 20.3.2, "Understanding Application Permissions".

Application role permissions allow individuals to perform specific actions in their Home Space. No permission, except for Manage All, inherits privileges from other permissions.


Note:

Application permissions cannot be modified for the Administrator role. See also Section 20.3.1.1, "Default Application Roles".

To change the permissions assigned to a role:

  1. Open WebCenter Spaces Administration.

    For details, see Chapter 4, "Accessing WebCenter Spaces Administration Pages.".

  2. Click Security, then Roles (Figure 21-7).

    Current application roles for WebCenter Spaces display as columns in the table.

  3. Select or clear Permissions checkboxes to enable or disable permissions for a role.

  4. Click Apply to save.

The new permissions are effective immediately.

21.2.4 Granting Permissions to the Public-User

Anyone who is not logged in to WebCenter Spaces assumes the Public-User role. Out-of-the-box, the Public-User role is granted minimal privileges, that is, the View Application permissions only.


Caution:

Take care when granting permissions to the Public-User role. Avoid granting administrative permissions such as Application-Manage All, Application-Manage Configuration, or any permission that might be considered unnecessary. See also, Section 20.3.2, "Understanding Application Permissions".

Granting the Application-View Permission

The View Application permission allows unauthenticated users to see public WebCenter Spaces application pages, such as the welcome page, and also content that individual WebCenter users choose to make public.

When View Application permissions are granted to the Public-User role:

  • Ensure that your WebCenter users understand that any personal page or personal content they choose to make public will become accessible to unauthenticated users outside of the WebCenter Spaces community, that is, anyone with Web access.

  • Consider customizing the default welcome page that displays to public users before they login (WebCenter Welcome Page). See Section 7.3.2, "Customizing System Pages".

If you do not want unauthenticated users to see WebCenter Spaces content that is marked 'public', do not grant the View Application permission to the Public-User role. When public access is disabled, public content cannot be seen by unauthenticated users. Also, the welcome page for WebCenter Spaces is not displayed; public users are directed straight to a login page. Administrators may customize the default login page, if required. See Section 7.3, "Working with System Pages".

Granting Other Permissions

Be careful when assigning permissions to the Public-User role. For security reasons, Oracle recommend that you limit what anonymous users can see and do in WebCenter Spaces.

21.2.5 Granting Permissions to the Authenticated-User

Anyone who is logged in to WebCenter Spaces assumes the Authenticated-User role. Out-of-the-box, the Authenticated-User role is granted minimal privileges, through the following permissions: View Application, Spaces-Create, Space Templates-Create, Pages-Create, Update People Connections Data, and Connect with People.

Other important notes:

  • The Authenticated-User role always inherits permissions from the Public-User role.

  • Custom application roles all inherit permissions from the Authenticated-User role.

21.2.6 Deleting Application Roles

When an application role is no longer required you should remove it from WebCenter Spaces. This helps maintain a valid role list, and prevents inappropriate role assignment.

Application roles are deleted even when users are still assigned to the them. As you cannot delete any default roles, WebCenter users will always have the Authenticated-User role.


Note:

Default roles cannot be deleted (Administrator, Authenticated-User, Public-User). See Section 20.3.1.1, "Default Application Roles".

To delete an application role:

  1. Open WebCenter Spaces Administration.

    For details, see Chapter 4, "Accessing WebCenter Spaces Administration Pages.".

  2. Click Security, then Roles (Figure 21-7).

    Current application roles for WebCenter Spaces display as columns in the table.

  3. Select the Delete Role icon next to the role you want to delete (Figure 21-9).

    Figure 21-9 Deleting an Application Role

    Deleting a User Role
  4. Click OK to confirm that you want to delete the role.

    The role is removed from the table. Any users assigned to this role only, assume the default Authenticated-User role and do not display on the Users and Groups tab.

21.3 Troubleshooting Issues with Users and Roles

For WebCenter Spaces to properly maintain enterprise group-to-role mappings, the back-end discussions server and content server must support enterprise groups. Oracle WebCenter Discussion Server and Oracle Universal Content Management versions provided with Oracle WebCenter 11.1.1.2.0 and later support enterprise groups but previous versions may not.

If a back-end server does not support enterprise groups, users belonging to enterprise groups are individually added to WebCenter Spaces roles and subsequent group updates in the identity store are not reflected in WebCenter Spaces. This can quickly become a maintenance issue, especially when enterprise groups contain large number of users.

An error message displays if a new back-end server that does not support enterprise groups is enabled in WebCenter Spaces where enterprise group-to-role assignments exist. In this instance, delete all the enterprise group-to-role assignments and reassign roles to individual users instead.