Oracle® Fusion Middleware User Management Guide for Oracle WebLogic Portal
10g Release 3 (10.3.4)

Part Number E14254-02

9 Adding and Managing Users

Portal administrators can use the WebLogic Portal Administration Console to add other administrators and portal end-users. Developers might prefer to perform these tasks with JSP tags and controls in Oracle Enterprise Pack for Eclipse if the portal will have a large number of users. See Chapter 4 for instructions on adding users with JSP tags and controls. You should set up groups before you add users.

Note:

See the Oracle Fusion Middleware Interaction Management Guide for Oracle WebLogic Portal for instructions on setting up personalization. See the Oracle Fusion Middleware Security Guide for Oracle WebLogic Portal for instructions on setting up delegated administration and visitor entitlement.

Administrators with full user management rights can use the following tools to create and manage a small number of users:

Developers can use the following tools to create and manage a large number of users:

Adding a user with any of these methods (except the Java API) adds the user to the user store and creates a basic user profile that contains the user's identity (name and password). The Java API does not automatically create a user profile when you add a user. You can use other user properties (such as address, phone number, e-mail, and so on) to set up personalization and define rules for delegated administration and visitor entitlement.

This chapter includes the following sections:

9.1 Creating Users

This section contains the following topic:

You can add users to WebLogic Portal through internal or external user stores. The default SQLAuthenticator authentication provider and RDBMS user store is included when you install WebLogic Server. You can also access other user stores, such as OpenLDAP, that already contain your users.

If you have a large number of users stored in a user store, you might want to use the WebLogic Scripting Tool to retrieve those users. You can also use Oracle Enterprise Pack for Eclipse to programmatically get access to the users. Use the Administration Console if you want to add a small number of administrators with special privileges to manage portal content and users.

Tip:

You can use WebLogic Portal's internal RDBMS user store for large numbers of users and groups. The internal LDAP is sufficient for storing policies for roles and entitlement.

9.1.1 Adding a User

The WebLogic Portal Administration Console lets you access more than one user store, so you can select users and groups from multiple user stores. The Administration Console contains a list of available user stores. For instructions on adding a new external user store, see the Oracle Fusion Middleware Security Guide for Oracle WebLogic Portal.

To create a new user:

  1. In the Administration Console, choose Users, Groups, & Roles > User Management.

  2. Select an authentication provider from the drop-down list above the User tree.

    If you are storing users, passwords, and groups in a user store outside of WebLogic Server (such as an OpenLDAP server or Novell NDS), you can connect that provider to WebLogic Server (assuming it is a supported type), and the users in that external provider can log into your portal. In addition to the default RDBMS user store, you can use multiple external user stores in WebLogic Server and WebLogic Portal.

    Note:

    WebLogic Portal does not support multiple RDBMS authenticators under a single Security realm.
  3. In the User tree, select Everyone. You can now create a user without assigning the user to a group or you can select a group to which you want to add the user.

    Note:

    If you do not see a list of groups, verify that you built a group hierarchy tree for the user store. If you built a group hierarchy tree and still do not see a list of groups, the user store probably does not allow read access. You can enable read access to the user store by following the instructions in the Oracle Fusion Middleware Security Guide for Oracle WebLogic Portal.
  4. Click Create New User.

  5. In the Create New User dialog, enter the new user's Name, Password, and a Description. The name cannot contain special characters, such as \, <>, #, |, &, ~, ?, (), {}, %, or *. The password must be at least eight characters and is encrypted later. See Figure 9-1.

Figure 9-1 Complete the Fields in the Create New User Dialog Box

  6. Click Create User.

After you create a new user, you can create a user profile to capture more information about the user. See Chapter 10 for more information.

9.2 Accessing Users in an External User Store

If you decide to use multiple user stores (not the default RDBMS user store built into WebLogic Server), most of the effort is setting up and configuring those providers and then connecting WebLogic Server to those providers. You can configure that repository to be writable in the WebLogic Server Administration Console. See the Oracle Fusion Middleware Security Guide for Oracle WebLogic Portal for instructions on setting up a single user store or multiple user stores.

After your external user stores are connected to WebLogic Server, you can view their existing groups by building a group hierarchy tree in WebLogic Portal. A tree view of groups provides a convenient visual way to change profile values, find users in groups, and add users and groups to rules for delegated administration and visitor entitlement. See Section 8.1.2, "Building a Group Hierarchy Tree." After you build the group hierarchy tree, you should see the provider's users and groups in WebLogic Portal.

This section contains two topics that explain how to add additional users to an external user store (such as OpenLDAP):

9.2.1 Adding a User Directly to an External User Store

See the Oracle Fusion Middleware Security Guide for Oracle WebLogic Portal for instructions on setting up a user store and connecting it to WebLogic Server. The default configuration for supported external user stores is read-only access to users and groups from the WebLogic Server Administration Console. If the provider does not allow write access, you must add users in the user store itself.

To add a user directly to the external user store:

  1. Open the WebLogic Server Administration Console.

  2. In the left navigation pane, select Security Realms.

  3. Click the name of the security realm.

  4. Select the Providers tab and then select the Authentication tab.

  5. Select the user store and select the Provider Specific tab.

  6. Review the settings in the Create User field for the user store. If the Create User field does not appear or it is set to No, you cannot use WebLogic Portal to create a user in this user store. You must create the user or group directly in that provider. (If the User Provider field is set to Yes, you can use WebLogic Portal to create a user.)

  7. Add the user to the user store itself. You might need to contact your development team to determine the best way to do this.

If your external user store contains additional properties for users and groups (for example, e-mail and phone), accessing those properties involves separate development steps for creating a UUP. See Chapter 6 for instructions.

9.2.2 Adding a User to an External User Store with an Outside Tool

See the Oracle Fusion Middleware Security Guide for Oracle WebLogic Portal for instructions on setting up a user store and connecting it to WebLogic Server. The default configuration for supported external user stores is read-only access to users and groups from the Administration Console. If the provider allows write access, you can add additional users to an external user store (such as RDBMS) by adding users in the user store itself.

To use an outside tool to add a user to an external user store:

  1. To verify that your user store supports using an outside tool to add users, open the WebLogic Server Administration Console.

  2. In the left navigation pane, select Security Realms.

  3. Click the name of the security realm.

  4. Select the Providers tab and then select the Authentication tab.

  5. Select the user store and then select the Provider Specific tab.

  6. Review the settings in the User Editor field for the user store. If the User Editor field appears and is set to Yes, you can use WebLogic Server or WebLogic Portal to create a user in this user store. If you need to make the user store writable, follow the instructions in the Oracle Fusion Middleware Security Guide for Oracle WebLogic Portal. (If the User Editor field does not appear or is set to No, you cannot use WebLogic Portal to create a user.)

  7. In the Administration Console, create the new user. Follow the instructions in Section 9.1.1, "Adding a User."

Do not store identical user names or group names in more than one user store.
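
The naming rules this chapter states (the characters not allowed in a user name and the eight-character password minimum from Section 9.1.1, no identical names in more than one user store, and case-sensitive lookups in an RDBMS store) can be checked offline before users are created. The following Python sketch is an added example, not Oracle code; the function names, store labels and sample names are assumptions, and the input is a constructed export rather than the output of any WebLogic tool.

```python
from collections import defaultdict

# Characters the guide lists as not allowed in a user name. The guide says
# "such as", so the console may reject more than this set.
FORBIDDEN_NAME_CHARS = set('\\<>#|&~?(){}%*')
MIN_PASSWORD_LENGTH = 8  # "at least eight characters"


def check_new_user(name, password):
    """Return a list of problems with a proposed name/password pair."""
    problems = []
    if not name:
        problems.append("empty name")
    bad = sorted(set(name) & FORBIDDEN_NAME_CHARS)
    if bad:
        problems.append("name contains forbidden characters: " + " ".join(bad))
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append("password shorter than %d characters" % MIN_PASSWORD_LENGTH)
    return problems


def audit_stores(stores):
    """stores maps a user-store label to an iterable of user or group names.

    Returns (duplicates, case_variants):
      duplicates    - exact name -> sorted stores holding that identical name
      case_variants - lowercased name -> sorted spellings differing only by case
    """
    holders = defaultdict(set)    # exact name -> stores that contain it
    spellings = defaultdict(set)  # lowercased name -> exact spellings seen
    for store, names in stores.items():
        for name in names:
            holders[name].add(store)
            spellings[name.lower()].add(name)
    duplicates = {n: sorted(s) for n, s in holders.items() if len(s) > 1}
    case_variants = {k: sorted(v) for k, v in spellings.items() if len(v) > 1}
    return duplicates, case_variants


# Constructed sample exports; store labels and names are illustrative only.
SAMPLE_STORES = {
    "rdbms-default": ["Bob", "alice", "portaladmin"],
    "openldap": ["bob", "alice", "carol"],
}

if __name__ == "__main__":
    dups, variants = audit_stores(SAMPLE_STORES)
    for name, where in sorted(dups.items()):
        print("duplicate name %r in stores: %s" % (name, ", ".join(where)))
    for spell in variants.values():
        print("case-only variants: %s" % ", ".join(spell))
    for name, pw in [("j&smith", "Short1"), ("jsmith", "correct-horse-9")]:
        print(name, check_new_user(name, pw) or "ok")
```

Names reported as case-only variants are different users to a case-sensitive RDBMS store, so review them before granting group-based delegated administration or entitlement rights.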

If your external user store contains additional properties for users and groups (for example, e-mail and phone), accessing those properties involves separate development steps for creating a UUP. See Chapter 6 for instructions.

Tip:

If you make changes to any user store configuration setting in the WebLogic Server Administration Console, restart the server. Restarting the server prevents exceptions in the WebLogic Portal Administration Console.

9.2.2.1 Removing a User Store

If you remove a user store in the WebLogic Server Administration Console, you must also remove the provider from the WebLogic Portal Administration Console.

To remove a user store from the Administration Console:

  1. In the Administration Console, choose Configuration & Monitoring > Service Administration.

  2. In the Resource Tree, select Security.

  3. In the Browse tab, click Authentication Hierarchy Service, as shown in Figure 9-2.

Figure 9-2 Click Authentication Hierarchy Service to Change Its Settings


  4. Click Configuration Settings for: Authentication Hierarchy Service.

  5. In the Authentication Providers to Build field, select the check box next to the name of the provider you want to remove and click Remove Selected.

  6. Click Update.

9.3 Placing Users in Groups

You can add a user to one or more groups. If your user store does not allow write access to users and groups, you will not be able to add users to groups with the Administration Console. You must add users to groups in the user store directly. See Chapter 2 for more information on planning users and groups.

This section contains the following topics:

9.3.1 Adding a User to a Group

To add a user to a group:

  1. In the Administration Console, choose Users, Groups, & Roles > Group Management.

  2. Select an authentication provider from the drop-down list above the Group tree. The provider should contain the users you want to add.

  3. Select the group to which you want to add the user.

  4. Select the Users In Group tab.

  5. Click Add Users to Group.

  6. Select the check box next to the user you want to add, and click Add. The user you selected now appears in the Add Users To list, as shown in Figure 9-3.

Figure 9-3 Select the User You Want to Add to the Group and Click Add

  7. Click Save. After you add the user to the group, the user will inherit any delegated administration or visitor entitlement rights that the group already has.

9.3.2 Adding a User to Multiple Groups

To add a user to more than one group:

  1. In the Administration Console, choose Users, Groups, & Roles > User Management.

  2. Select an authentication provider from the drop-down list above the User tree. The provider should contain the user you want to add.

  3. Select the user you want to add (see Section 9.4.1.1, "Finding a Single User" for instructions).

  4. Select the Group Membership tab. The groups to which the user belongs are listed.

  5. Click Add Groups.

  6. In the Search Results list, select the check box next to each group to which this user should belong and click Add. The groups you chose appear in the Groups To Add list. See Figure 9-4.

    Figure 9-4 Add a User to More Than One Group

    To remove a group from the Group to Add list, select the check box next to the group and click Remove Selected.

  7. Click Save.

9.3.3 Viewing a User's Group Membership

A user can belong to more than one group. If you are using an RDBMS user store, be aware of case sensitivity when looking up users and groups. For example, Bob is different than bob.

To see a list of groups to which a user belongs:

  1. In the Administration Console, choose Users, Groups, & Roles > User Management.

  2. Select an authentication provider from the drop-down list above the User tree. The authentication provider's user store should contain the user.

  3. Find the user you want to view (see Section 9.4.1.1, "Finding a Single User" for instructions).

  4. Select the user's name. The groups to which the user belongs are listed.

    Note:

    If a list of groups is not displayed, verify that you built a group hierarchy tree for the user store. If you still do not see a list of groups, the user store probably does not allow read access. See the Oracle Fusion Middleware Security Guide for Oracle WebLogic Portal for instructions.

9.3.4 Deleting a User From a Group

A group does not own a user, so you can add and remove users from groups without affecting the user's properties. Removing a user from a group removes the user from any delegated administration or visitor entitlement roles based on that group. For example, if you remove a user from the Administrators group, that user might no longer have full administrative access to the Administration Console.

Removing a user from a group does not delete the user from the system or change the user's profile properties. You can remove multiple users from one group, or remove a single user from multiple groups.

9.3.4.1 Removing Multiple Users From a Single Group

To remove multiple users from a single group:

  1. In the Administration Console, choose Users, Groups, & Roles > Group Management.

  2. Select an authentication provider from the drop-down list above the Group tree. The provider's user store should contain the users you want to manage.

  3. Select the group that contains the users you want to remove.

  4. Select the Users In Group tab.

  5. Select the check box next to each user you want to remove from the group, as shown in Figure 9-5. (If you do not see the user listed, type the user's name and click Search.)

Figure 9-5 Remove a User From a Group

  6. Click Remove.

9.3.4.2 Removing a Single User From Multiple Groups

To remove a single user from multiple groups:

  1. In the Administration Console, choose Users, Groups, & Roles > User Management.

  2. Select an authentication provider from the drop-down list above the User tree. The provider's user store should contain the user you want to manage.

  3. Find the user you want to remove from the groups and select that user. See Section 9.4.1.1, "Finding a Single User" for instructions. Groups to which the user belongs are listed.

  4. Select the Group Membership tab.

  5. Select the check box for each group to which the user should not belong.

  6. Click Remove to remove the user from these groups.

9.4 Managing Users

You can search for a user or update a user's password in the Administration Console.

This section contains the following topics:

9.4.1 Searching for a User

The Administration Console provides a way for you to locate users that are not already members of a selected group. If you need to perform administrative tasks, such as editing user profiles, removing users from a group, or deleting users from the system, you must first locate those users in the system.

The delegated administration and visitor entitlement features also provide tools for user lookup when adding users to roles.

WebLogic Portal supports two ways to locate users by username:

  • WebLogic Portal Administration Console – If you need to perform administrative tasks, such as editing user profiles, removing users from a group, or deleting users from the system, you must first find those users in the system.

  • Oracle Enterprise Pack for Eclipse – Programmatically locate users with JSP tags and controls. See Section 4.3.5, "Removing a User from a Group with a JSP Tag" for more information.

9.4.1.1 Finding a Single User

To search for a user by username:

  1. In the Administration Console, choose Users, Groups, & Roles > User Management.

  2. Select an authentication provider from the drop-down list above the User tree. The provider's user store should contain the user you want to locate. If you know the group that contains the user, select the group. (If you do not see a list of groups, see the Note in Section 9.4.1.2, "Finding Multiple Users.")

  3. Select the Everyone group.

  4. Enter the user name and click Search, as shown in Figure 9-6.

Figure 9-6 Search for All User Names that Begin with John

  5. The user appears in the Browse Users section. If you want to edit the user's properties or user profile, click the user's name.

9.4.1.2 Finding Multiple Users

To search for users by username:

  1. In the Administration Console, choose Users, Groups, & Roles > User Management.

  2. Select an authentication provider from the drop-down list above the User tree. The provider's user store should contain the users you want to locate. If you know the group that contains the users, select the group.

  3. If a list of groups does not appear, verify that you built a group hierarchy tree for the user store. If you still do not see a list of groups, the user store probably does not allow read access.

  4. Enter the username and click Search.

  5. The user appears in the Browse Users section. Click the user's name, as shown in Figure 9-7.

Figure 9-7 Click the User's Name to Edit User Profile Properties

Tip:

If you are using an RDBMS user store, be aware of case sensitivity when looking up users and groups. For example, Bob is different than bob.

9.4.2 Changing a User's Password

You might need to reset a password if a user has lost or cannot remember a password. If you have the appropriate delegated administration rights, you can change any user's password. See the Oracle Fusion Middleware Security Guide for Oracle WebLogic Portal for instructions on setting up delegated administration.

Ensure that your user knows the new password, because once the password is changed there is no way to find out what it is. If a user forgets a password, a portal administrator must change it again.

To change a user's password:

  1. In the Administration Console, choose Users, Groups, & Roles > User Management.

  2. Select an authentication provider from the drop-down list above the User tree. The provider's user store should contain the user whose password you want to change.

  3. Find the user whose password you want to change. (See Section 9.4.1.1, "Finding a Single User" for instructions.)

  4. Select the user's name.

  5. Click Change Password.

  6. Enter the new password in the Password and the Confirm Password fields, and click Update.

9.5 Removing Users

When you delete a user, you remove the user from the user store. The deleted user is no longer available in any other group or subgroup, and the user will not be able to log into your portal. To get the user back in the system, you must create the user again.

If you want to remove the user from a group without removing the user from the entire system, see Section 9.3.4, "Deleting a User From a Group."

If you are using an external user store to store users and groups (one that is not the default RDBMS user store built into WebLogic Server), and you want to remove a user from that provider, the provider might be configured to prevent user removal from an outside tool, such as the Administration Console. See the Oracle Fusion Middleware Security Guide for Oracle WebLogic Portal for instructions.

If the User Remover field for the user store is set to No, you cannot remove users from that provider with the Administration Console. You must remove users directly from that provider.

To delete a user from WebLogic Portal:

  1. In the Administration Console, choose Users, Groups, & Roles > User Management.

  2. Select an authentication provider from the drop-down list above the User tree. The provider's user store should contain the users you want to remove.

  3. In the User tree, select the user you want to delete. (See Section 9.4.1.1, "Finding a Single User" for instructions.)

  4. Click Delete.

    Note:

    You can also delete a user by selecting Everyone in the User tree, selecting the check box next to the user's name in the Browse Users tab, and clicking Delete.

If the user is explicitly listed in a delegated administration or visitor entitlement role, remove that user from the role definition on the Delegated Administration or Visitor Entitlement pages. See the Oracle Fusion Middleware Security Guide for Oracle WebLogic Portal for more information.