17.1 Page and Object Security in Oracle Portal

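Oracle Portal provides privilege levels to allow increasing degrees of protection for your data. To determine a user or group's access to an object, Oracle Portal synthesizes the answers to the following questions:

- Is the object public, or is it restricted to certain users?
- Has the user or group been granted an explicit privilege on the object?
- Has the user or group been granted a global privilege on the object type?
- Does the user or group belong to a special group created by Oracle Portal?

This section explores the underlying meaning of these questions.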

Is the object public, or is it restricted to certain users?

All objects in Oracle Portal are either public or restricted. Restrictions are controlled by an access list. Anyone can see a public object—even users who do not log on. When an object is restricted by an access list, only users on the list can see the object. The access list states the extent to which specified users and groups can interact with the object. The list is created through the granting of privileges to users and groups.

You can explicitly make pages and tabs available to public users (on the Access tab of page or tab properties). By extension, a public page or tab's content is also public.

Has the user or group been granted an explicit privilege on the object?

If an object is not public, it is controlled by an access list. The object's creator—or a user with the Manage privilege on the object—uses this list to explicitly grant privileges to other users and groups.

Different levels of privilege allow for greater or lesser levels of access. For example, one group might be able to see the object, but not change it. Another group might be able to add, edit, hide, or delete the object.

When an access privilege on an object is granted to a group, all group members have the same level of access to the object. That is, you cannot grant access to most members of a group while excluding one or two members.

You can grant a greater level of privilege to a user who is also a member of a group. For example, the group Accounting has the View privilege on a page. The user Jane Doe, who is also a member of the Accounting group, can be granted additional privileges (as an individual user), such as Manage Content.

Has the user or group been granted a global privilege on the object type?

A global privilege applies to all objects of a given type. For example, if you have the global privilege Manage on the object type All Styles, you can create, edit, or delete any style in Oracle Portal, no matter which page group owns the style. Global privileges can be applied to both users and groups.

Global privileges are a means of implicitly granting access to an object. Compare this to the object's access list, through which privileges are explicitly granted.

Does the user or group belong to a special group created by Oracle Portal?

When your user account is created, the portal administrator decides if you are allowed to log on. If you can log on, you are an authenticated user. If you cannot log on, you are a public user. Users who can log on belong to the Authenticated Users group, one of the default groups provided with Oracle Portal out of the box. The Authenticated Users group has the Create global privilege on the object types All Pages and All Styles.

Users with the global privilege Create on the object type All Pages can create sub-pages in any page group provided they also have the page privilege Manage on the parent page under which sub-pages will be created.

Users with the global privilege Create on the object type All Styles can create styles in any page group on which they also have the page group privilege Manage Styles.

Each of the default groups provided by Oracle Portal is granted its own set of global privileges. For more information, see Oracle Fusion Middleware Administrator's Guide for Oracle Portal.
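The four questions above can be read as one access decision. The following is an added illustrative model, not Oracle Portal code or its API: the class and function names, the numeric ranking of privileges, and every user or object name other than Accounting and Jane Doe are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Privilege names come from the text; the numeric ranking is an assumption
# of this model, used only to pick the highest applicable grant.
RANK = {"View": 1, "Manage Content": 2, "Manage": 3}

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    can_log_on: bool = True

    def principals(self):
        # A public user matches no grantee; a user who can log on also
        # belongs to the special Authenticated Users group.
        if not self.can_log_on:
            return set()
        return {self.name} | self.groups | {"Authenticated Users"}

@dataclass
class Obj:
    name: str
    obj_type: str                            # e.g. "All Pages", "All Styles"
    public: bool = False
    acl: dict = field(default_factory=dict)  # user or group -> privilege

def has_global(user, grants, obj_type, privilege):
    return any((p, obj_type, privilege) in grants for p in user.principals())

def effective_privilege(user, obj, grants):
    """Highest privilege from the public flag, access list and global grants."""
    found = ["View"] if obj.public else []
    found += [priv for who, priv in obj.acl.items() if who in user.principals()]
    if has_global(user, grants, obj.obj_type, "Manage"):
        found.append("Manage")               # implicit grant on every object of the type
    return max(found, key=RANK.get, default=None)

def can_create_subpage(user, parent, grants):
    # Both conditions from the text: global Create on All Pages
    # and the page privilege Manage on the parent page.
    return (has_global(user, grants, "All Pages", "Create")
            and effective_privilege(user, parent, grants) == "Manage")

# Constructed sample data.
GLOBAL_GRANTS = {("Authenticated Users", "All Pages", "Create"),
                 ("Authenticated Users", "All Styles", "Create"),
                 ("style_admin", "All Styles", "Manage")}
jane = User("Jane Doe", {"Accounting"})
budget = Obj("Budget", "All Pages", acl={"Accounting": "View", "Jane Doe": "Manage Content"})
team = Obj("Team", "All Pages", acl={"Jane Doe": "Manage"})
```

In this model the global Create privilege on its own never yields access to an existing object; it only takes effect together with Manage on the parent page, which is why auditing the default Authenticated Users grants has to be paired with a review of who holds Manage on each page.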