Oracle® Fusion Middleware Security Guide for Oracle WebLogic Portal 10g Release 3 (10.3.4) Part Number E14251-05
This chapter provides an overview of visitor entitlements. Visitor entitlements allow you to define who can access the resources in a portal application and what they can do with those resources. This access is based on the role assigned to a portal visitor, allowing for flexible management of the resources. Use the WebLogic Portal Administration Console to configure visitor entitlements.
Visitor entitlement roles dynamically determine what access privileges a portal visitor has based on user name, group membership, user profile properties, session and request attributes, and date and time functions. For example, the Gold Member role could be assigned to certain visitors because they are part of the frequent flyer program and have flown more than 50,000 miles in the previous year. This role is dynamically assigned to visitors when they log in to the site.
As another example, if you have an Employee Review portlet, you can create a visitor entitlement role called Managers and assign only managers to this role. Only logged in portal visitors who are assigned that role can view the Employee Review portlet.
Note:
If no visitor entitlement roles exist, the default behavior is to allow access to the portal and portal resources to all visitors. Content management entitlements are an exception to this policy. If there are no entitlements set on content management components, then those components are not accessible to visitors.
This chapter includes the following sections:
Section 8.2, "Adding Users, Groups, and Conditions in Visitor Entitlement Roles"
Section 8.3, "Removing Users, Groups, and Conditions from Visitor Entitlement Roles"
Section 8.4, "Modifying Conditions in Visitor Entitlement Roles"
Section 8.11, "Setting Visitor Entitlements on Portal Resources in the Library"
Section 8.12, "Setting Visitor Entitlements on Portal Resources in the Desktop"
Section 8.13, "Removing and Editing Visitor Entitlements on Portal Resources"
Section 8.16, "Setting Visitor Entitlements on Content Management Resources"
Section 8.17, "Removing and Editing Visitor Entitlements on Content Management Resources"
Section 8.18, "Designing Visitor Entitlements for Performance"
Visitor entitlement roles dynamically determine what access privileges a portal visitor has based on user name, group membership, user profile properties, session and request attributes, and date and time functions.
Perform the following steps to create a new visitor entitlement role:
Choose Users, Groups, & Roles > Visitor Entitlements.
In the Visitor Roles tree, select Visitor Roles.
Note:
You can also change the scope of the role, or set the scope to enterprise level, as described in Section 8.10, "Using Web-Application or Enterprise-Application Scoped Roles for Entitlements on Portal Resources."
From the Browse Roles tab, click Create New Role.
In the dialog box that appears, enter the name of the new visitor role, and optionally, a description, and click Create.
The new visitor entitlement role appears in the resource tree.
You can now define the role by adding users to the role, adding groups to the role, or using expressions. For more information, see Section 8.2, "Adding Users, Groups, and Conditions in Visitor Entitlement Roles."
After you define the visitor entitlement role, you can set entitlements on portal resources, content management resources, and groups.
Once you create visitor roles in the WebLogic Portal Administration Console, you can add users and groups to them. You can also create conditions, based on user profile properties, session and request attributes, dates, and times, that determine who is assigned a visitor entitlement role.
When you add a user to a visitor role, you grant that visitor access to the resources in a portal application and determine what they can do with those resources. This section describes how to add one or more users to a visitor role.
For optimal performance, if you have a large number of users you want to add to a role, either:
Add the users to groups and then create roles with those groups, as described in Section 8.2.2, "Adding Groups to Visitor Roles"
Create roles with expressions, as described in Section 8.2.3, "Adding Conditions to Visitor Roles with Expressions"
Perform the following steps to add one or more users to a visitor entitlement role:
Choose Users, Groups, & Roles > Visitor Entitlements.
In the Visitor Roles tree, select the role for which you want to add users.
Select the Users in Role tab.
Click Add Users To Role.
If necessary, find the users you want to add to the role using the Search feature. Users appear in the Search Results section.
Tip:
If you are using an SQL authentication provider, be aware that user names are case sensitive. For example, user Bob is different than user bob.
Select the check box next to each user you want to add, and click Add. Selected users now appear in the Users to Add section.
Click Save.
Any users you have added now appear in the Users in Role section in the Details and Users in Role tabs.
When you add a group to a role, you grant the members (users) in that group—and users in any sub-groups of that group—access to all of the visitor entitlements attributed to that role.
Perform the following steps to add a group to a visitor role:
Choose Users, Groups, & Roles > Visitor Entitlements.
In the Visitor Roles tree, select the role for which you want to add groups.
Select the Groups in Role tab.
Click Add Groups To Role.
If necessary, find the groups you want to add to the role using the Search feature. Groups appear in the Search Results section.
Tip:
If you are using an SQL authentication provider, be aware that group names are case sensitive. For example, group Managers is different than group managers.
Select the check box next to each group you want to add, and click Add. Selected groups now appear in the Groups to Add section.
Tip:
Roles can sometimes be mapped directly to groups. The difference between groups and roles is that group membership is statically assigned by a server administrator, while role membership is dynamically determined based on information including the user name, group membership, user profile properties, session and request attributes, and date and time functions. Roles can also be scoped to specific WebLogic resources within a single application in a WebLogic Server domain, while groups are always scoped to an entire WebLogic Server domain.
Note:
If a list of groups is not displayed, make sure you have built a group hierarchy tree for the authentication provider. If you do not see a list of groups after building a group hierarchy tree, the authentication provider might not allow read access. To see if your authentication provider allows read access, view the authentication provider details, as described in Section 6.3, "Viewing Authentication Provider Details."
You can activate a text field for group name entry for authentication providers that do not allow read access.
Click Save.
Any groups you have added now appear in the Groups in Role section in the Details and Groups in Role tabs.
You can use expressions to set conditions, in addition to user name and group membership, that dynamically determine membership in a visitor entitlement role. Conditions specify the values of user profile properties, session and request attributes, dates, and times.
For example, you can define a role with the following expression: If a logged-in user has the administrator property set to true and the time is between 9 a.m. and 5 p.m. PST, the user is a role member.
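The following added example, which is not WebLogic Portal code, models the expression above and shows how the ANY/ALL toggle changes who receives the role. The class and function names, the half-open time range, and treating a missing profile property as non-matching are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone

# PST as a fixed UTC-8 offset (no daylight saving), matching "9 a.m. and 5 p.m. PST".
PST = timezone(timedelta(hours=-8), "PST")


@dataclass(frozen=True)
class PropertyIs:
    """Condition: a visitor profile property has a given value."""
    name: str
    value: object

    def holds(self, visitor, now):
        # Assumption: a property that is absent from the profile never matches.
        return visitor.get(self.name) == self.value


@dataclass(frozen=True)
class BetweenTimes:
    """Condition: the current time of day falls in [start, end) in zone tz."""
    start: time
    end: time
    tz: timezone

    def holds(self, visitor, now):
        local = now.astimezone(self.tz).time()
        return self.start <= local < self.end


def in_role(conditions, mode, visitor, now):
    """Evaluate a role expression; mode is the ANY/ALL toggle."""
    if mode not in ("ANY", "ALL"):
        raise ValueError("mode must be ANY or ALL")
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    if not conditions:
        return False  # assumption: an empty expression grants nothing
    results = [c.holds(visitor, now) for c in conditions]
    return all(results) if mode == "ALL" else any(results)


# The expression from the text: administrator == true AND 9 a.m. to 5 p.m. PST.
EXPRESSION = [
    PropertyIs("administrator", True),
    BetweenTimes(time(9, 0), time(17, 0), PST),
]

if __name__ == "__main__":
    # Constructed sample visitors and timestamps.
    admin, guest = {"administrator": True}, {}
    morning = datetime(2024, 1, 15, 18, 30, tzinfo=timezone.utc)  # 10:30 PST
    evening = datetime(2024, 1, 16, 2, 0, tzinfo=timezone.utc)    # 18:00 PST
    for mode in ("ALL", "ANY"):
        for label, visitor in (("admin", admin), ("guest", guest)):
            for when in (morning, evening):
                granted = in_role(EXPRESSION, mode, visitor, when)
                print(mode, label, when.astimezone(PST).strftime("%H:%M"), granted)
```

With ALL, only the administrator inside the time window is a role member; with ANY, every visitor is a member during the window and the administrator is a member at any hour, so the toggle should be reviewed whenever conditions are added.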
Perform the following steps to add conditions to a visitor role:
Choose Users, Groups, & Roles > Visitor Entitlements.
In the Visitor Roles tree, select the role to which you want to add conditions.
Select the Role Expression tab.
In the top left corner of the window, ANY or ALL is underlined. By selecting, you can toggle between these values.
For each expression you want to create, click Add Condition. When you select a condition, it expands to let you specify the value. You can create an expression from a drop-down list containing the following options:
The date is:
Specify a date using the calendar.
It is after a given date:
Specify a date using the calendar.
It is after a given date and time:
Specify a date and time using the calendar.
It is between two times:
Specify a time range using the calendars.
It is between two dates:
Specify a date range using the calendars.
It is between two date/times:
Specify a range of dates and times using the calendars.
The visitor, visitor's HTTP request, or visitor's HTTP session has characteristics:
To set characteristics, you must specify a Property Set, a Property from the property set, a Value for the property, and the ANY or ALL comparator. Specify a property value from the pull-down menu. You can click Add Another Value to add multiple properties and corresponding values.
The consumer's registration has these values:
Specify WSRP registration properties. For more information, see the Oracle Fusion Middleware Federated Portals Guide for Oracle WebLogic Portal.
Tip:
User profile properties, HTTP session and request properties, and WSRP registration properties are created by developers in Oracle Enterprise Pack for Eclipse.
Click Save to apply the conditions.
Note:
If you define roles with expressions whose evaluation changes during the processing of a request, you may need to adjust your portal application cache settings to ensure that the correct role definition is retrieved instead of a cached role.
You can change who is assigned a role by removing users, groups, and conditions from visitor entitlement roles.
If you want to revoke visitor access to the resources in a portal application associated with a role, you can remove a user from the role.
Perform the following steps to remove one or more users from a visitor entitlement role:
Choose Users, Groups, & Roles > Visitor Entitlements.
In the Visitor Roles tree, select the role from which you want to remove users.
Select the Users in Role tab.
In the Users in Role section, select the check box in the Remove column next to each user you want to remove. By selecting the check box in the header above the user names, you can remove all users from the role.
Click Remove.
Users you have removed no longer appear in the Users in Role tab or the Users in Role section of the Details tab.
If you want to revoke visitor access to the resources in a portal application associated with a role, you can remove a group from the role.
Perform the following steps to remove one or more groups from a visitor entitlement role:
Choose Users, Groups, & Roles > Visitor Entitlements.
In the Visitor Roles tree, select the role from which you want to remove groups.
Select the Groups in Role tab.
In the Groups in Role section, select the check box in the Remove column next to each group you want to remove. By selecting the check box in the header above the group names, you can remove all groups from the role.
Click Remove.
Groups you have removed no longer appear in the Groups in Role tab or the Groups in Role section of the Details tab.
Perform the following steps to remove one or more conditions from a role:
Choose Users, Groups, & Roles > Visitor Entitlements.
In the Visitor Roles tree, select the role from which you want to remove conditions.
Select the Expressions in Role tab.
In the list of conditions, select the check box in the Delete column next to each one you want to remove. By selecting the check box in the header above the conditions, you can remove all conditions from the role.
Click Delete.
Conditions you have removed no longer appear in the Role Expressions tab or in the Expressions in Role section of the Details tab.
You can modify an existing expression in a visitor entitlement role, as long as you do not want to change the type of condition. For example, if you created a condition based on a date range, you can change the dates.
You can also add a condition from this tab; see Section 8.2.3, "Adding Conditions to Visitor Roles with Expressions" for more information. To remove a condition, see Section 8.3.3, "Removing Conditions in Visitor Entitlement Roles."
Perform the following steps to modify a role condition:
Choose Users, Groups, & Roles > Visitor Entitlements.
In the Visitor Roles tree, select the role for which you want to modify a condition.
Select the Role Expressions tab.
Click Edit for the condition you want to modify.
Specify the new value or values for the condition.
Click Save.
The modified condition appears in the list of conditions.
Once you have created a role, you can select it in the Visitor Roles tree to see a detailed description of the role.
Perform the following steps to view the details of a visitor entitlement role:
Choose Users, Groups, & Roles > Visitor Entitlements.
In the Visitor Roles tree, select the role for which you want to see detailed information.
Note:
To see roles scoped to the enterprise level, or roles in a different web application, set the scope as described in Section 8.1, "Creating Visitor Entitlement Roles."
Figure 8-2 shows the Details tab for the Visitor_BasicAccess role.
Figure 8-2 Visitor Entitlements Details Tab
You can view summary information about a visitor entitlement role to learn what security policies have been created for that role. This is useful because you cannot delete a visitor entitlement role until you remove its access to all resources.
Perform the following steps to view a visitor entitlement role's policy summary information:
Choose Users, Groups, & Roles > Visitor Entitlements.
In the Visitor Entitlement Resource Tree, select a role.
Select the Entitled Resources tab. There you can view the information for the role policies:
Title of the resource
Path to the resource
Tip:
From this tab, you can delete one or more role policies by selecting the check box in the Delete column and clicking Delete.
Figure 8-3 shows the Entitled Resources tab.
You can change the name and description of an existing visitor entitlement role if there are no policies associated with the role. For information about viewing the policies associated with a role, see Section 8.6, "Viewing the Entitled Resources."
Tip:
If there are policies associated with a role, it does not appear as editable in the Details tab.
Perform the following steps to rename a visitor entitlement role:
Choose Users, Groups, & Roles > Visitor Entitlements.
In the Visitor Roles tree, select the role you want to rename.
From the Details tab, select Name & Description, or click the Edit icon next to it.
In the dialog box that appears, type the new name, and optionally, a new description, and click OK.
The new role name appears in the Visitor Roles tree and the tabs.
Perform the following steps to delete a visitor entitlement role:
Choose Users, Groups, & Roles > Visitor Entitlements.
In the Visitor Roles tree, select Visitor Roles.
In the Roles section, select the check box next to any roles you want to delete.
Click Delete.
If you receive a message that the role cannot be deleted while there are entitled resources associated with it, select the Entitled Resources tab for that role to view, and optionally delete, the resource dependencies. For more information, see Section 8.6, "Viewing the Entitled Resources."
You can set visitor entitlements in the resource library or the desktop. Within the library, you can entitle specific books, pages, and portlets, or all resources in each of these categories. Within a given desktop you can entitle specific resources, such as a page, book, or portlet in that desktop. You can also entitle an entire desktop.
Visitor entitlements in the portal resource library apply to all instances of the resource in portal applications. However, they do not bar you from setting more local policies in the desktop. If you set a security policy for a resource in a desktop but not in the resource library, it applies only to that instance of the resource. Therefore, if you do not secure a resource within the resource library, you must secure each instance of the resource, wherever it appears in the hierarchy of books and pages in the desktop.
To protect all instances of a specific book, page, or portlet, or all books, pages, or portlets, set the security policies for the resource or resource type in the portal resource library. The library contains the master versions of all portal resources, and the security policies set in the library apply to a resource wherever it appears in the desktop (Portals node).
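The coverage rule described above can be checked mechanically. The following added example (not part of the Oracle guide or of WebLogic Portal) takes an inventory of desktop instances and reports those covered by no policy, along with resources secured on some desktops but not others. The inventory format, paths, and names are constructed assumptions; the guide does not define an export format.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Instance:
    path: str          # constructed label for where the instance sits in a desktop
    rtype: str         # "book", "page" or "portlet"
    library_name: str  # master resource in the library this is an instance of


def coverage(inst, type_policies, resource_policies, instance_policies):
    """Return the source of the policy covering this instance, or None."""
    if inst.rtype in type_policies:
        return "library-type"       # e.g. "all pages" entitled in the library
    if (inst.rtype, inst.library_name) in resource_policies:
        return "library-resource"   # one master resource entitled in the library
    if inst.path in instance_policies:
        return "desktop-instance"   # local policy, applies to this instance only
    return None


def audit(instances, type_policies, resource_policies, instance_policies):
    """Report uncovered instances and resources secured on only some instances."""
    uncovered = []
    by_resource = defaultdict(lambda: {"secured": [], "open": []})
    for inst in instances:
        src = coverage(inst, type_policies, resource_policies, instance_policies)
        if src is None:
            uncovered.append(inst.path)
        if src in (None, "desktop-instance"):
            # Without a library policy, every instance has to be secured separately.
            bucket = "open" if src is None else "secured"
            by_resource[(inst.rtype, inst.library_name)][bucket].append(inst.path)
    partial = {
        key: sorted(state["open"])
        for key, state in by_resource.items()
        if state["secured"] and state["open"]
    }
    return {"uncovered": sorted(uncovered), "partially_secured": partial}


# Constructed sample inventory (not taken from a real portal).
SAMPLE_INSTANCES = [
    Instance("hr/main/Main/Reviews/EmployeeReview", "portlet", "Employee Review"),
    Instance("intranet/default/Home/Start/EmployeeReview", "portlet", "Employee Review"),
    Instance("hr/main/Main/Reviews", "page", "Reviews"),
    Instance("intranet/default/Home", "book", "Home"),
    Instance("intranet/default/Home/Start/News", "portlet", "News"),
]
SAMPLE_TYPE_POLICIES = {"page"}                # all pages entitled in the library
SAMPLE_RESOURCE_POLICIES = {("book", "Home")}  # one book entitled in the library
SAMPLE_INSTANCE_POLICIES = {"hr/main/Main/Reviews/EmployeeReview"}

if __name__ == "__main__":
    report = audit(SAMPLE_INSTANCES, SAMPLE_TYPE_POLICIES,
                   SAMPLE_RESOURCE_POLICIES, SAMPLE_INSTANCE_POLICIES)
    for path in report["uncovered"]:
        print("no policy:", path)
    for (rtype, name), paths in report["partially_secured"].items():
        print(f"{rtype} '{name}' is secured elsewhere but not at:", ", ".join(paths))
```

In the sample, the Employee Review portlet is entitled only on the `hr` desktop, so its `intranet` instance is reported in both lists; setting the policy once in the library would cover both.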
You can use web-application scoped roles or enterprise-application scoped roles when setting entitlements on portal resources. If each web application has different requirements for constraints on visitor access, you should typically use web-application scoped roles. However, if you want to use the same roles in multiple web applications within an enterprise application, you can use enterprise-application scoped roles.
Perform the following steps to change the scope of a role:
Choose Users, Groups, & Roles > Visitor Entitlements.
In the section just above the Visitor Roles tree, following the text Browse Roles from, click Update.
Select one of the following radio buttons:
Enterprise Application Scope
Search for Web Application — All web applications are displayed in the Search Results list. You can find a specific web application using the Search feature.
Figure 8-4 shows the Update Role Scope dialog.
Tip:
When you assign a visitor role to a portal resource, you can choose from global WebLogic Server roles as well as enterprise-application and web-application scoped roles.
Click Update.
The text following Browse Roles from in the section above the Visitor Roles tree is updated.
Security policies determine what capabilities a visitor entitlement role has for a given portal resource. You can set visitor entitlements in the resource library or in the desktop (Portals node). Within the library, you can entitle specific books, pages, and portlets, or all resources in each of these categories.
Note:
To protect all instances of a specific book, page, or portlet, or all books, pages, or portlets, set the security policies for the resource or resource type in the portal resource library. The library contains the master versions of all portal resources, and the security policies set in the library apply to a resource wherever it appears in the desktop.
You can create entitlements to control visitor access to the following types of portal resources in the library:
Library
Portlets
Portlet categories
Books
Look and feels
Pages
Each has visitor capabilities that are based on the type of resource, as shown in Table 8-1.
Table 8-1 Visitor Capabilities According to Portal Resource Type in the Library
Resource Type | View | Minimize | Maximize | Edit | Remove | Offered |
---|---|---|---|---|---|---|
Library | Yes | No | No | No | No | No |
Portlet | Yes | Yes | Yes | Yes | Yes | Yes |
Portlet Category | Yes | No | No | No | No | No |
Book | Yes | Yes | Yes | Yes | Yes | No |
Look and Feel | Yes | No | No | No | No | No |
Page | Yes | No | No | Yes | Yes | No |
Table 8-2 describes each visitor capability.
Table 8-2 Descriptions of Visitor Capabilities for Portal Resources in the Library
Action | Description |
---|---|
View | Determines whether the portal visitor can see the resources in the portal desktop or within the Visitor Tools. |
Minimize/Maximize | Determines whether the user is able to minimize or maximize the portlet or book. This applies to books within a page, not to the primary book. |
Edit | Determines whether the user can rename the resource or modify its properties by either clicking the Edit icon within the portal desktop or the Change Theme or Rename icons within the Visitor Tools. |
Remove | Determines whether the user can delete the resource by clicking the Remove icon within the portal desktop or Visitor Tools. |
Offered | Determines whether the portlet will be offered (shown to a consumer) from the Web application's WSRP producer for that role. This feature allows producers to control which portlets are offered to specific consumers. For more information on consumer entitlement, see "Consumer Entitlement" in the Oracle Fusion Middleware Federated Portals Guide for Oracle WebLogic Portal. |
Note:
If you create visitor entitlements on a portal resource, these can prevent a portal visitor from seeing a resource they would normally see according to personalization rules.
Perform the following steps to set visitor entitlements on a portal resource (or resource category) in the library:
Choose Portal Management > Portal.
From the Library node in the Portal Resources tree, navigate to and then select the portal resource (or resource category) for which you want to set visitor entitlements.
Select the Entitlements tab.
Click Add Role.
Optionally, search for the role you want to add by role name, or select the radio button to switch between enterprise-application scoped roles and web-application scoped roles.
In the list of roles in the Search Results section, select the check box next to any roles you want to add and click Add. The selected roles are added to the Roles to Add section.
You can remove a role from the Roles to Add section by selecting the check box next to the role and clicking Remove Selected.
Click Save.
In the Entitle Capabilities to Resource dialog, select the check boxes for the capabilities you want each role to have (see Table 8-2). By selecting the check box in the header above the role names, you enable that capability for all roles.
Click Save.
The roles you have added are listed in the Browse Roles Entitled to this Resource section, as shown in Figure 8-5.
Figure 8-5 Browse Roles Entitled to this Resource
Security policies determine what capabilities a visitor entitlement role has for a given portal resource. You can set visitor entitlements on portal resources in the library or the desktop (Portals node). Within a given desktop you can entitle specific resources, such as a page, book, or portlet in that desktop. You can also entitle an entire desktop or community.
Note:
To protect all instances of a specific book, page, or portlet, or all books, pages, or portlets, set the security policies for the resource or resource type in the portal resource library. The library contains the master versions of all portal resources, and the security policies set in the library apply to a resource wherever it appears in the desktop.
You can create entitlements to control visitor access to the following types of portal resources in the desktop:
Portals
Templates
Desktops
Communities
Books
Pages
Portlets
Each has visitor capabilities that are based on the type of resource, as shown in Table 8-3.
Table 8-3 Visitor Capabilities According to Portal Resource Type in the Desktop
Resource Type | View | Minimize | Maximize | Edit | Remove | Create Community | Create, Read, Update, Delete Desktop |
---|---|---|---|---|---|---|---|
Portal | No | No | No | No | No | Yes | Yes |
Template (Community and Desktop) | Yes | No | No | No | No | No | No |
Desktop | Yes | No | No | No | No | No | No |
Community | Yes | No | No | No | No | No | No |
Book | Yes | Yes | Yes | Yes | Yes | No | No |
Page | Yes | No | No | Yes | Yes | No | No |
Portlet | Yes | Yes | Yes | Yes | Yes | No | No |
Table 8-4 describes each visitor capability.
Table 8-4 Descriptions of Visitor Capabilities for Portal Resources in the Desktop
Action | Description |
---|---|
View | Determines whether the portal visitor can see the resources in the portal desktop or within the Visitor Tools. |
Minimize/Maximize | Determines whether the user is able to minimize or maximize the portlet or book. This applies to books within a page, not to the primary book. |
Edit | Determines whether the user can rename the resource or modify its properties by either clicking the Edit icon within the portal desktop or the Change Theme or Rename icons within the Visitor Tools. |
Remove | Determines whether the user can delete the resource by clicking the Remove icon within the portal desktop or Visitor Tools. |
Create Community | Determines whether the visitor can create a community within that portal. |
Create, Read, Update, Delete Desktop | Determines whether the visitor can create, read, update, or delete desktops. These settings are designed to allow administrators to control desktop creation through the REST APIs. See the Oracle Fusion Middleware Client-Side Developer's Guide for Oracle WebLogic Portal for information on these APIs. |
Note:
If you create visitor entitlements on a portal resource, these can prevent a portal visitor from seeing a resource they would normally see according to personalization rules.
Perform the following steps to set visitor entitlements on a portal resource in the desktop:
Choose Portal Management > Portal.
From the Portals node in the Portal Resources tree, navigate to and then select the resource instance for which you want to set visitor entitlements.
Select the Entitlements tab.
Click Add Role.
Optionally, search for the role you want to add by role name, or select the radio button to switch between enterprise-application scoped roles and web-application scoped roles.
In the list of roles in the Search Results section, select the check box next to any roles you want to add and click Add. The selected roles are added to the Roles to Add section.
You can remove a role from the Roles to Add section by selecting the check box next to the role and clicking Remove Selected.
Click Save.
In the Entitle Capabilities to Resource dialog, select the check boxes for the capabilities you want each role to have (see Table 8-4). By selecting the check box in the header above the role names, you enable that capability for all roles.
Click Save.
The roles you have added are listed in the Browse Roles Entitled to this Resource section.
If you no longer want a visitor role to be assigned to a particular portal resource, you can remove the resource from the visitor entitlement role. You can also change the capabilities of a visitor entitlement role on a portal resource, which is also described in this procedure.
Tip:
You can also remove a visitor role from a resource from the Entitled Resources tab for that role. From this tab, you can delete a security policy by selecting the check box in the Delete column and clicking Delete.
Perform the following steps to remove a visitor role from a portal resource or category of portal resource:
Choose Portal Management > Portal.
From the Library or Portals node in the Portal Resources tree, navigate to the resource, resource instance, or resource category from which you want to remove the visitor entitlements role.
Select the Entitlements tab.
From the Browse Roles Entitled to this Resource section:
To remove the visitor entitlement role from the portal resource:
Select the check box in the Remove Role column for each role you want to remove. By selecting the check box in the header above the role names, you can remove administration capabilities from all roles.
Click Remove.
To edit the capabilities of the visitor entitlement role on the portal resource:
Select the check box in the Edit Capabilities column for each role you want to change capability for.
Click Edit.
In the Entitle Capabilities to Resource dialog, select the check boxes for the capabilities you want each role to have (see Table 8-4 and Table 8-5). By selecting the check box in the header above the role names, you enable that capability for all roles.
Click Save.
The changes you make are reflected in the Browse Roles Entitled to this Resource section.
Community creators and owners can invite others to join the Community. Visitor entitlements determine whether a creator or owner can view potential members using the Browse options when selecting who to invite. For more information on Communities, see the Oracle Fusion Middleware Communities Guide for Oracle WebLogic Portal.
The only visitor capability for groups is View access to the group, which determines whether the community owner or creator can see the group and the users in the group.
Perform the following steps to set visitor entitlements on a group:
Choose Users, Groups, & Roles > Group Management.
In the Groups tree, select the group for which you want to set visitor entitlements.
Select the Entitlements tab.
Click Add Role.
You can select from enterprise-application scoped roles (not web-application scoped roles).
In the list of roles in the Search Results section, select the check box next to any roles you want to add and click Add. The selected roles are added to the Roles to Add section.
You can remove a role from the Roles to Add section by selecting the check box next to the role and clicking Remove Selected.
Click Save.
In the Entitle Capabilities to Resource dialog, select the check box for the View capability. By selecting the check box in the header above the role names, you enable View capability for all roles.
Click Save.
The roles you have added are listed in the Browse Roles Entitled to this Resource section.
If you no longer want visitors assigned to a role to be able to view a particular group, you can remove the visitor entitlement role from the group.
Tip:
You can also remove a visitor role from a group from the Visitor Entitlements tree. In the Browse Policies section of the Entitled Resources tab for that role, select the check box in the Delete column for that policy and click Delete.
Perform the following steps to remove a visitor role from a group:
Choose Users, Groups, & Roles > Group Management.
In the Groups tree, select the group from which you want to remove the role.
Select the Entitlements tab.
In the Browse Roles Entitled to this Resource section, select the check box in the Remove Role column for each role you want to remove. By selecting the check box in the header above the role names, you can remove all visitor roles from that group.
Click Remove.
The changes you make are reflected in the Browse Roles Entitled to this Resource section.
Create security policies to determine what capabilities a visitor entitlement role has for a given content management resource.
Note:
If no visitor entitlement roles exist, the default behavior is to allow access to the portal and portal resources to all visitors. Content management entitlements are an exception to this policy. If there are no entitlements set on content management components, then those components are not accessible to visitors.
You can create entitlements to control access to the following types of content management resources:
Repositories
Content
Content types
Workflows
Each has visitor capabilities that are based on the type of resource, as shown in Table 8-5.
Table 8-5 Visitor Capabilities According to Content Management Resource Type
Resource Type | Create | View | Update | Delete | Publish | Instantiate | Assign Workflow | Manage |
---|---|---|---|---|---|---|---|---|
Content | Yes | Yes | Yes | Yes | Yes | No | Yes | No |
Content Type | Yes | Yes | Yes | Yes | No | Yes | Yes | No |
Workflow | Yes | Yes | Yes | Yes | No | No | Yes | No |
Repository | No | No | No | No | No | No | No | Yes |
Tip:
The capabilities you assign to a visitor entitlement role determine how the visitor participates in the content workflow. For example, a role that is not granted Publish capabilities cannot transition content to the Published or Retired status.
The capabilities that can be specified for content are described in Table 8-6.
Table 8-6 Descriptions of Visitor Capabilities for Content
Action | Description |
---|---|
Create | Determines whether visitors can create content. |
View | Determines whether visitors can view the content and any properties associated with it. |
Update | Determines whether visitors can update the properties and change the content workflow status of the content. |
Delete | Determines whether visitors can delete the content. |
Assign Workflow | Determines whether visitors can assign a workflow to the content. |
Publish | Determines whether visitors can approve the content by checking it in with a status other than draft or ready. |
The capabilities that can be specified for content types are described in Table 8-7.
Table 8-7 Descriptions of Visitor Capabilities for Content Types
Action | Description |
---|---|
Create | Determines whether visitors can create a content type. |
View | Determines whether visitors can view the content type and its properties. |
Update | Determines whether visitors can modify a content type. |
Delete | Determines whether visitors can delete a content type. |
Instantiate | Determines whether visitors can create content based on this content type. |
Assign Workflow | Determines whether visitors can assign a workflow to the content type. |
The capabilities that can be specified for content workflows are described in Table 8-8.
Table 8-8 Descriptions of Visitor Capabilities for Content Workflows
Action | Description |
---|---|
Create | Determines whether visitors can create a content workflow. |
View | Determines whether visitors can view the properties of a content workflow. |
Update | Determines whether visitors can modify a content workflow. |
Delete | Determines whether visitors can delete a content workflow from the repository. |
Assign Workflow | Determines whether the workflow is available for selection when a user assigns a workflow to a content type or content. |
The only capability that can be specified for a repository is the Manage capability. This allows you to modify the properties of the repository.
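One way to review a planned set of content management entitlements against Table 8-5 before entering them in the Administration Console, as an added example that is not Oracle code. The resource paths, role grants, and the `audit` and `can_perform` helpers are constructed for illustration, and each resource is checked on its own with no inheritance between resources modeled.

```python
# Capability matrix transcribed from Table 8-5.
ALLOWED = {
    "Content": {"Create", "View", "Update", "Delete", "Publish", "Assign Workflow"},
    "Content Type": {"Create", "View", "Update", "Delete", "Instantiate",
                     "Assign Workflow"},
    "Workflow": {"Create", "View", "Update", "Delete", "Assign Workflow"},
    "Repository": {"Manage"},
}

# Constructed sample plan (hypothetical paths and grants, not from a real portal).
RESOURCES = {
    "/repo1": "Repository",
    "/repo1/news": "Content",
    "/repo1/press-release": "Content Type",
    "/repo1/legal-review": "Workflow",
}
GRANTS = [  # (role, resource path, requested capabilities)
    ("Editors", "/repo1/news", {"View", "Update", "Publish"}),
    ("Authors", "/repo1/press-release", {"View", "Instantiate", "Publish"}),
    ("Managers", "/repo1", {"Manage", "View"}),
]


def audit(resources, grants):
    """Check a planned set of grants against Table 8-5 and report findings."""
    findings = {"invalid": [], "publishers": [], "unentitled": []}
    entitled = set()
    for role, path, caps in grants:
        allowed = ALLOWED[resources[path]]
        entitled.add(path)
        # Capabilities the table marks "No" for this resource type.
        for cap in sorted(caps - allowed):
            findings["invalid"].append((role, path, cap))
        # Publish holders are the roles able to approve content (see the Tip).
        if "Publish" in caps & allowed:
            findings["publishers"].append((role, path))
    # No entitlement set: not accessible to visitors (content management default).
    findings["unentitled"] = sorted(set(resources) - entitled)
    return findings


def can_perform(role, path, cap, resources, grants):
    """Default deny: True only for an explicit grant valid for the resource type."""
    return any(r == role and p == path and cap in (c & ALLOWED[resources[p]])
               for r, p, c in grants)


if __name__ == "__main__":
    for kind, items in audit(RESOURCES, GRANTS).items():
        print(kind, items)
```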
Note:
If you create visitor entitlements on a content management resource, these can prevent a portal visitor from seeing content they would normally see according to personalization rules.
Perform the following steps to set visitor entitlements on content:
Choose Content > Content Management.
In the Content tree, navigate to the resource on which you want to set entitlements:
To set entitlements on workflows, select Repositories, and navigate to the workflow.
To set entitlements on a content type, select Types, and navigate to the content type.
To set entitlements on content, select Content, and navigate to the content.
To set entitlements on a repository, select Repository and select the repository.
Select the Entitlements tab.
Click Add Role.
You can select from enterprise-application scoped roles (not web-application scoped roles).
In the list of roles in the Search Results section, select the check box next to any roles you want to add and click Add. The selected roles are added to the Roles to Add section.
You can remove a role from the Roles to Add section by selecting the check box next to the role and clicking Remove Selected.
Click Save.
In the Entitle Capabilities to Resource dialog, select the check boxes for the capabilities you want each role to have (see Table 8-6, Table 8-7, and Table 8-8 for capabilities on content, content types, and workflows, respectively). By selecting the check box in the header above the role names, you enable that capability for all roles.
Click Save.
The roles you have added are listed in the Browse Roles Entitled to this Resource section.
If you no longer want visitor capabilities to be available for content, a content type, or a workflow, you can remove visitor entitlements from it. You can also change the capabilities of the visitor entitlement role on the content management resource, which is also described in this procedure.
Tip:
You can also remove a visitor entitlement role from a content management resource from the Entitled Resources tab for that role. From this tab, you can delete a security policy by selecting the check box in the Delete column and clicking Delete.
Perform the following steps to remove or edit visitor entitlements on a content management resource:
Choose Content > Content Management.
In the Content tree, navigate to the resource on which you want to remove or edit visitor entitlements.
Select the Entitlements tab.
From the Browse Roles Entitled to this Resource section:
To remove the visitor entitlement role from the content management resource:
Select the check box in the Remove Role column for each role you want to remove. By selecting the check box in the header above the role names, you can remove visitor capabilities from all roles.
Click Remove.
To edit the capabilities of the visitor entitlement role on the content management resource:
Select the check box in the Edit Capabilities column for each role whose capabilities you want to change.
Click Edit.
In the Entitle Capabilities to Resource dialog, select the check boxes for the capabilities you want each role to have (see Table 8-6, Table 8-7, and Table 8-8 for capabilities on content, content types, and workflows, respectively). By selecting the check box in the header above the role names, you enable that capability for all roles.
Click Save.
The changes you make are reflected in the Browse Roles Entitled to this Resource section.
The entitlement engine is called for rules checking during the render phase of an operation, which represents additional system overhead. The entitlements engine is also responsible for managing administrative tasks, which increases that overhead.
The following are recommendations for limiting the performance impact of visitor entitlements:
Disable entitlements if a portal is not using any security policies.
If a portal is using security policies, set the value for the <control-resource-cache-size=nn> attribute to equal the number of desktops + number of books + number of pages + number of portlets + number of buttons (max, min, help, edit) used in a portal. Use the default value if you are concerned about available memory.
Limit your entitlement request to only one resource at a time. Bundling a larger number of resources (portlets, pages, books) with one entitlement request can cause a degradation in performance.
If your portal uses more than 5000 entitlements, customize the cache settings for WebLogic Entitlements Engine.