49 Managing Security Across Portals

This chapter describes the tasks available on the Security page in WebCenter Portal Builder Administration. The system administrator can modify the default settings to suit the needs of the organization.

Permissions:

To perform the tasks in this chapter, you must have the WebCenter Portal Administrator role or a custom role that grants the following permission:

  • Portal Server-Manage Configuration

Additionally, you need permissions to create and manage portals (Portals-Create and/or Portals-Manage All). For more information about permissions, see Section 49.3, "About Application Roles and Permissions."

49.1 About Portal Security

WebCenter Portal provides a comprehensive security model that enables you to control what users can see and change in WebCenter Portal. Using the Security page in WebCenter Portal Builder Administration (Figure 49-1), you can control which users (and groups) have access to individual portals and the Home portal and you can also control exactly what users and groups can see and do by enabling and disabling various permissions.

Figure 49-1 Portal Builder Administration: Security Page


Within a particular portal you can restrict user and group access to individual pages, page content (such as task flows, portlets, documents, and folders), and resources (such as page templates, page styles, skins, resource catalogs, and so on).

Figure 49-2 WebCenter Portal Security


Users and Groups

A user is a single person in the identity store, and a group contains multiple users. In WebCenter Portal you can grant permissions to individual users and to groups of users.

Unregistered Users and Self-Registration

Self-registration allows unregistered users to create their own login and password for WebCenter Portal. A user who self-registers is immediately and automatically granted access to WebCenter Portal and a new user account is created in WebCenter Portal's identity store.

Application Roles and Portal Roles

Application roles determine what a user (or group) can see and do in the Home portal which, for some administrative functions, can impact all of WebCenter Portal. Portal roles control actions within a particular portal.

Portals and Portal Hierarchies

Portals support the formation and collaboration of project teams and communities of interest by providing a dedicated and readily accessible area for relevant services, pages, and content and by supporting the inclusion of specified members.

A portal hierarchy consists of a parent portal with one or more subportals. Subportals can inherit the security (members, roles, and permissions) of their parent.

Home Portal

The Home portal is a shared portal that, by default, is accessible to everyone who is logged in. Application roles apply while a user is working within the Home portal. In most applications, the Home portal focuses on social networking and personal content.

Resources

Various portal resources help define the overall structure, look and feel, and content in portals, and these include page templates, page styles, skins, navigation models, resource catalogs, content presenter display templates, task flow styles, data controls, and task flows. Users with appropriate privileges can build and customize resources for the entire application, a single portal, or a portal hierarchy.

Pages

Anyone authorized to edit a page can grant access and permissions to other users and groups. For example, you might grant view-only permission to everyone in the sales group, edit permission to sales managers, and manage permission to a single user. Alternatively, you can specify that the page inherits its access from the application.

Page Content, Files, and Folders

Some pages might contain content that you want only a select set of users, or even only one other user, to see. For example, a page aimed at sales people might include two Announcement task flows; one aimed at all sales people and the other at only sales managers. By restricting access to the second Announcement task flow, you can hide management-level announcements from anyone who is not a sales manager.

49.2 About Users

A WebCenter Portal user has a login account for WebCenter Portal—provisioned directly from an existing identity store. See also, Section 31.3, "Adding Users to the Embedded LDAP Identity Store."

All users in the identity store are assigned minimal privileges in WebCenter Portal through the Authenticated-User role. The only exception is the system administrator (weblogic by default); out-of-the-box, the system administrator is the only user assigned full administrative privileges through the Administrator role. For more information, see Section 49.3.1.1, "Default Application Roles."

It is the system administrator's job to assign each user an appropriate application role. Alternatively, the system administrator may choose to assign the Administrator role to another user and delegate this responsibility.

Table 49-1 Default Administrator in WebCenter Portal

User: System Administrator (weblogic)

Description: Administrator for the entire application server, sometimes referred to as the super administrator or Fusion Middleware administrator. This user can manage any application on the server, including WebCenter Portal.


49.3 About Application Roles and Permissions

Application roles control the level of access a user has to information and services in WebCenter Portal. Specifically, application roles and their permissions determine what a user can see and do in their Home portal.

This section includes:

About Application Roles

About Application Permissions

49.3.1 About Application Roles

Application role assignment is the responsibility of the WebCenter Portal administrator. Administrators can assign users a default application role or create additional, custom roles specific to their WebCenter Portal deployment.

Application roles apply when users are working within their Home portals. A different set of roles and permissions apply when a user is working within a particular portal. It is the portal moderator's responsibility to determine suitable role assignments for each of its members. See also, Section 49.6, "Managing Application Roles and Permissions," and the "Administering Security in a Portal" chapter in Oracle Fusion Middleware Building Portals with Oracle WebCenter Portal.

Note:

Application roles and permissions defined within WebCenter Portal are stored in its policy store and, consequently, apply to this WebCenter Portal only. Enterprise roles are different; enterprise roles are stored within the application's identity store and do not imply any permissions within WebCenter Portal. See Section 30.2.2, "Application Roles and Enterprise Roles."

49.3.1.1 Default Application Roles

WebCenter Portal provides several default application roles (Table 49-2). You cannot delete default application roles but you can modify the default permission assignments for each role. For more information, see Section 49.6.2, "Modifying Application Role Permissions."

Table 49-2 Default Application Roles for WebCenter Portal

Application Role: Administrator

Description: Users with the Administrator role can set application-wide properties for WebCenter Portal, create business role pages, configure defaults for discussion forums, mail, and people connection services, register producers and external applications, as well as perform other administrative duties such as editing the login page and the self-registration page.

Administrators can also manage users and roles for the WebCenter Portal, delegate or revoke privileges to/from other users, manage portals and portal templates, and also import and export portal information.

Out-of-the-box, the system administrator is the only user assigned full administrative privileges for the WebCenter Portal through the Administrator role.

Modify? Yes (except for Application permissions, which are read-only)

Application Role: Application Specialist

Description: Users with the Application Specialist role can create portals; manage portal templates; create, edit, and delete pages, page styles, page templates, Content Presenter templates, data controls, navigations, pagelets, resource catalogs, skins, task flow styles, and task flows; update People Connections data; and connect with people.

Modify? Yes

Application Role: Authenticated-User

Description: Authenticated users of WebCenter Portal are granted the Authenticated-User role. Users who log in are assigned this role and, by default, have access to their own Home portal, pages that they create, and public pages. These users can also view public portals, create portals, and create portal templates.

This role inherits permissions from the Public-User role.

In the WebCenter Portal, the Authenticated-User role is equivalent to authenticated-role—a standard OPSS (Oracle Platform Security Services) role.

Modify? Yes

Application Role: Public-User

Description: Anyone with access to the WebCenter Portal who is not logged in is granted the Public-User role. Such users are anonymous, unidentified, and can see public content only.

In the WebCenter Portal, the Public-User role is equivalent to anonymous-role—a standard OPSS (Oracle Platform Security Services) role.

Modify? Yes


49.3.1.2 Custom Application Roles

Custom application roles (sometimes known as user-defined roles) are specific to your WebCenter Portal. When setting up WebCenter Portal, it is the WebCenter Portal administrator's job to identify which application roles are required, select suitable role names, and define the responsibilities of each role.

For example, an education environment might require roles such as Teacher, Student, and Guest, while roles such as Finance, Sales, Human Resources, and Support would be more appropriate for a corporate environment.

In WebCenter Portal, custom application roles inherit permissions from the Authenticated-User role.

49.3.2 About Application Permissions

Every application role has specific, defined capabilities known as permissions. These permissions allow individuals to perform specific actions in the Home portal. Permissions are categorized as follows and listed individually in the subsequent tables:

  • Portal Server

  • Portals

  • Portal Templates

  • Pages

  • Content Presenter Templates

  • Data Controls

  • Discussions

  • Links

  • Navigations

  • Page Styles

  • Page Templates

  • Pagelets

  • People Connections

  • Resource Catalogs

  • Skins

  • Task Flow Styles

  • Task Flows

No permission, except for Manage All, inherits privileges from other permissions.

Table 49-3 Application Permissions in WebCenter Portal

Category Application Permissions

Portal Server

Manage All - Enables access to all WebCenter Portal Administration pages: Portals, Administration, Shared Assets, Attributes, Portal Templates, and Preferences. Through these pages, users can manage application security (users/roles), configure application-wide properties and services, manage resources, create business role pages, manage everyone's personal pages, customize system pages, view portals accessible to them, as well as export/import portals and portal templates.

Some administrative tasks are exclusive to the out-of-the-box Administrator role and cannot be performed by granting the Application-Manage All permission. These tasks include editing the login page, the self-registration page, and profile gallery pages, as well as the ability to manage all portals, all portal templates, external applications, and portlet producers.

Manage Configuration - Same as the Application-Manage All permission but excludes security privileges. Users with this permission cannot access the Administration - Security page.

View - Enables users to view WebCenter Portal, and gives user access to the Home portal. See also Section 49.6.3, "Granting Permissions to the Public-User," and Section 49.6.4, "Granting Permissions to the Authenticated-User."

Portals

Manage All - Enables access to all portal administration pages (Overview, Settings, Pages, Assets, Attributes, Security, Tools and Services, Subportals, System Pages). Through these pages users can manage portal membership, assign permissions and roles, manage, delete, and export portals and resources, set portal properties, and manage service availability.

Manage Configuration - Same as the Manage All permission but excludes security privileges. Users with this permission cannot access the Security pages unless they are a portal moderator.

Manage Membership - Enables users to manage portal membership through Security pages.

Create Portals - Enables users to create portals.

Portal Templates

Manage All - Enables users to manage any portal template (through the Portal Templates page) and delete templates accessible to them. See also, the "Managing All Portal Templates" section in Oracle Fusion Middleware Building Portals with Oracle WebCenter Portal.

Create Portal Templates - Enables users to create portal templates.

Pages

Create, Edit, and Delete Pages - Enables users to create, edit and delete pages in their Home portal.

Delete Pages - Enables users to delete pages in their Home portal.

Edit Pages - Enables users to add or edit personal page content, rearrange content, and set page parameters and properties.

Customize Pages - Enables users to customize their view of pages in the Home portal by adding, editing, or removing content.

View Pages - Enables users to view pages in the Home portal.

Create Pages - Enables users to create or design a new page for their Home portal.

These permissions only apply to the Home portal. The permissions do not apply to pages that are created within a portal. Page permissions within a portal are granted on a per-portal basis by the portal moderator. See the "Managing Roles and Permissions for a Portal" chapter in Oracle Fusion Middleware Building Portals with Oracle WebCenter Portal.

Content Presenter Templates

Create, Edit, and Delete Content Presenter Templates - Enables users to create, edit and delete content display templates for the application through Portal Builder.

Create Content Presenter Templates - Enables users to create content display templates for the application.

Edit Content Presenter Templates - Enables users to edit application-level content display templates.

See also, the "Publishing Content Using Content Presenter" chapter in Oracle Fusion Middleware Building Portals with Oracle WebCenter Portal.

Data Controls

Create, Edit, and Delete Data Controls - Enables users to create, edit and delete data controls for the application through Portal Builder.

Create Data Controls - Enables users to create data controls for the application.

Edit Data Controls - Enables users to edit application-level data controls.

See also, the "Working with Data Controls" chapter in Oracle Fusion Middleware Building Portals with Oracle WebCenter Portal.

Discussions

Create, Edit, and Delete Discussions - Enables users to manage categories, forums, and topics on the back-end discussions server and set discussion forum properties for all portals.

See also, "Understanding Discussion Server Role Mapping"

Links

Create and Delete Links - Enables users to create and delete links between objects, and manage link permissions.

Create Links - Enables users to create links between objects, and delete links that they create.

Delete Links - Enables users to delete a link between two objects.

Navigations

Create, Edit, and Delete Navigations - Enables users to create, edit, and delete navigations for the application through Portal Builder.

Create Navigations - Enables users to create navigations for the application.

Edit Navigations - Enables users to edit application-level navigations.

See also, the "Working with Portal Navigation" chapter in Oracle Fusion Middleware Building Portals with Oracle WebCenter Portal.

Page Styles

Create, Edit, and Delete Page Styles - Enables users to create, edit, and delete page styles through Portal Builder.

Create Page Styles - Enables users to create page styles for the application.

Edit Page Styles - Enables users to edit application-level page styles.

See also, the "Working with Page Styles" chapter in Oracle Fusion Middleware Building Portals with Oracle WebCenter Portal.

Page Templates

Create, Edit, and Delete Page Templates - Enables users to create, edit, and delete page templates through Portal Builder.

Create Page Templates - Enables users to create page templates for the application.

Edit Page Templates - Enables users to edit application-level page templates.

See also, the "Working with Page Templates" chapter in Oracle Fusion Middleware Building Portals with Oracle WebCenter Portal.

Pagelets

Create, Edit, and Delete Pagelets - Enables users to create, edit, and delete pagelets through Portal Builder.

Create Pagelets - Enables users to create pagelets for the application.

Edit Pagelets - Enables users to edit application-level pagelets.

See also, the "Working with Pagelets" chapter in Oracle Fusion Middleware Building Portals with Oracle WebCenter Portal.

People Connections

Manage People Connections - Enables users to manage application-wide settings for People Connection services.

Update People Connections Data - Enables users to edit content associated with People Connection services.

Connect with People - Enables users to share content associated with People Connection services with others.

Resource Catalogs

Create, Edit, and Delete Resource Catalogs - Enables users to create, edit and delete resource catalogs for the application through Portal Builder.

Create Resource Catalogs - Enables users to create resource catalogs for the application.

Edit Resource Catalogs - Enables users to edit application-level resource catalogs.

See also, the "Working with Resource Catalogs" chapter in Oracle Fusion Middleware Building Portals with Oracle WebCenter Portal.

Skins

Create, Edit, and Delete Skins - Enables users to create, edit, and delete skins through Portal Builder.

Create Skins - Enables users to create skins for the application.

Edit Skins - Enables users to edit application-level skins.

See also, the "Working with Skins" chapter in Oracle Fusion Middleware Building Portals with Oracle WebCenter Portal.

Task Flow Styles

Create, Edit, and Delete Task Flow Styles - Enables users to create, edit, and delete content display templates for the application through Portal Builder.

Create Task Flow Styles - Enables users to create content display templates for the application.

Edit Task Flow Styles - Enables users to edit application-level content display templates.

See also, the "Publishing Content Using Content Presenter" chapter in Oracle Fusion Middleware Building Portals with Oracle WebCenter Portal.

Task Flows

Create, Edit, and Delete Task Flows - Enables users to create, edit, and delete task flows based on a task flow style through Portal Builder.

Create Task Flows - Enables users to create task flows for the application.

Edit Task Flows - Enables users to edit application-level task flows.

See also, the "Working with Task Flows" chapter in Oracle Fusion Middleware Building Portals with Oracle WebCenter Portal.


49.3.2.1 Understanding the Default Permissions

Table 49-4 shows the default permissions assigned to out-of-the-box application roles.

✔ - Shows an explicitly granted permission or action.

✙ - Shows an implied permission because of an explicitly granted permission.

Table 49-4 Default Application Roles and Permissions in WebCenter Portal

Columns (default application roles): Administrator, Application Specialist, Authenticated-User, Public-User

Rows (permissions, by category):

  • Portal Server: Manage All; Manage Configuration; View

  • Portals: Manage All; Manage Configuration; Manage Membership; Create Portals

  • Portal Templates: Manage All; Create Portal Templates

  • Pages: Create, Edit, and Delete; Delete; Edit; Customize; View; Create

  • Content Presenter Templates: Create, Edit, and Delete; Create; Edit

  • Data Controls: Create, Edit, and Delete; Create; Edit

  • Discussions: Create, Edit, and Delete

  • Links: Create and Delete; Create; Delete

  • Task Flow Styles: Create, Edit, and Delete; Create; Edit

  • Navigations: Create, Edit, and Delete; Create; Edit

  • Page Styles: Create, Edit, and Delete; Create; Edit

  • Page Templates: Create, Edit, and Delete; Create; Edit

  • Pagelets: Create, Edit, and Delete; Create; Edit

  • People Connections: Manage People Connections; Update People Connections Data; Connect with People

  • Resource Catalogs: Create, Edit, and Delete; Create; Edit

  • Skins: Create, Edit, and Delete; Create; Edit

  • Task Flows: Create, Edit, and Delete; Create; Edit

[The ✔ and ✙ marks in the individual cells of this table are not available in text form.]

49.3.2.2 Understanding Discussion Server Role Mapping

Some WebCenter Portal services that need access to remote (back-end) resources also require role-mapping-based authorization. That is, the WebCenter Portal roles that allow users to work with the Discussions service in WebCenter Portal must be mapped to corresponding roles on WebCenter Portal's discussions server.

WebCenter Portal uses application roles to manage user permissions in the Home portal and portal roles to manage user permissions within a particular portal. On WebCenter Portal's discussions server, a different set of roles and permissions apply.

Users who are working with discussions and announcements in WebCenter Portal automatically map to the appropriate discussions server role, shown in Table 49-5 and Table 49-6.

Table 49-5 Discussions Server Roles and Permissions - Application

Discussion Server Role: Administrator

Discussion Server Permissions: Category Admin

WebCenter Portal Equivalent Application Permission: Discussions-Create, Edit, and Delete

    Create, read, update and delete sub categories, forums, and topics inside the category for which permissions are granted.

Table 49-6 Discussions Server Roles and Permissions - For a Portal

Discussion Server Role: Moderator

Discussion Server Permissions: Category Admin; Forum Admin

WebCenter Portal Equivalent Permissions in a Portal:

  • Discussions-Create, Edit, and Delete

    Create, read, update and delete forums and topics.

  • Announcements-Create, Edit, and Delete

    Create, read, update and delete announcements.

Discussion Server Permissions: Create Message; Create Announcement

WebCenter Portal Equivalent Permissions in a Portal:

  • Discussions-Create and Edit

    Create and edit topics.

  • Announcements-Create and Edit

    Create and edit announcements.

Discussion Server Permissions: Read Forum; Create Thread

WebCenter Portal Equivalent Permissions in a Portal:

  • Discussions-Reply To

    Reply to discussion topics.

Discussion Server Permissions: Read Forum

WebCenter Portal Equivalent Permissions in a Portal:

  • Discussions-View

    View forums and topics.

  • Announcements-View

    View announcements.


Any user assigned the Application-Discussions-Create Edit Delete permission in WebCenter Portal is automatically added to WebCenter Portal's discussions server and assigned the Administrator role with the Category Admin permission. Out-of-the-box, WebCenter Portal assigns the Application-Discussions-Create Edit Delete permission to the Administrator role only.

Similarly, in a given portal, any member assigned discussion and announcement permissions is granted the corresponding permissions on the discussions server.

49.3.2.3 Understanding Enterprise Group Role Mapping

In WebCenter Portal you can assign individual users or multiple users in the same enterprise group to WebCenter Portal roles. Subsequent enterprise group updates in the back-end identity store are automatically reflected in WebCenter Portal. Initially, when you assign an enterprise group to a WebCenter Portal role, everyone in the enterprise group is granted that role. If someone moves out of the group, the role is revoked. If someone joins the group, they are granted the role.

For WebCenter Portal to properly maintain enterprise group-to-role mappings, back-end servers, such as the discussions server and content server, must support enterprise groups too. WebCenter Portal's Discussion Server and WebCenter Content's Content Server versions provided with this release both support enterprise groups but previous versions may not. See also, Section 49.7, "Troubleshooting Issues with Users and Roles."
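The following Python is an added example, not Oracle code and not the WebCenter Portal API. It models the rules stated in Sections 49.3.1 through 49.3.2.3 (Authenticated-User inherits Public-User and custom roles inherit Authenticated-User; only Manage All implies other permissions; Manage Configuration does not open the Administration - Security page; grants to an enterprise group follow current group membership) so that an administrator can check who effectively reaches the Security page before changing grants. The implication sets, the custom roles, and all users and groups are constructed assumptions.

```python
# Constructed model of the application-role rules in this chapter (not the
# WebCenter Portal API).  Role and permission names follow Tables 49-2 and
# 49-3; everything else below is an assumption made for the illustration.

# Permission names as written in Table 49-3 (category-permission).
PS_MANAGE_ALL = "Portal Server-Manage All"
PS_MANAGE_CONFIG = "Portal Server-Manage Configuration"
PS_VIEW = "Portal Server-View"
PORTALS_MANAGE_ALL = "Portals-Manage All"
PORTALS_MANAGE_CONFIG = "Portals-Manage Configuration"
PORTALS_MANAGE_MEMBERSHIP = "Portals-Manage Membership"
PORTALS_CREATE = "Portals-Create Portals"

# Assumption: Manage All in a category implies the rest of that category
# (Table 49-3 describes Manage Configuration as Manage All minus security
# privileges).  No other permission implies any other (49.3.2).
IMPLIED_BY_MANAGE_ALL = {
    PS_MANAGE_ALL: {PS_MANAGE_CONFIG, PS_VIEW},
    PORTALS_MANAGE_ALL: {PORTALS_MANAGE_CONFIG, PORTALS_MANAGE_MEMBERSHIP,
                         PORTALS_CREATE},
}


class PolicyStore:
    """Roles, user grants and enterprise-group grants, resolved per user."""

    def __init__(self):
        # Default roles (Table 49-2) and the inheritance the chapter states.
        self.parent = {"Public-User": None, "Authenticated-User": "Public-User",
                       "Administrator": None, "Application Specialist": None}
        self.direct = {role: set() for role in self.parent}
        self.user_roles = {}   # user  -> roles granted on the Users and Groups page
        self.group_roles = {}  # group -> roles granted to the enterprise group
        self.members = {}      # group -> current members (identity-store view)

    def define_custom_role(self, name, perms):
        # 49.3.1.2: custom roles inherit permissions from Authenticated-User.
        self.parent[name] = "Authenticated-User"
        self.direct[name] = set(perms)

    def set_role_perms(self, role, perms):
        self.direct[role] = set(perms)

    def grant(self, principal, role, is_group=False):
        target = self.group_roles if is_group else self.user_roles
        target.setdefault(principal, set()).add(role)

    def set_members(self, group, users):
        # An identity-store update; the group grant itself is untouched (49.3.2.3).
        self.members[group] = set(users)

    def role_perms(self, role):
        """Permissions of one role, including inherited and implied ones."""
        perms, current = set(), role
        while current is not None:
            perms |= self.direct.get(current, set())
            current = self.parent[current]
        for perm in list(perms):
            perms |= IMPLIED_BY_MANAGE_ALL.get(perm, set())
        return perms

    def roles_of(self, user):
        # Every identity-store user holds Authenticated-User at minimum (49.2).
        roles = {"Authenticated-User"} | self.user_roles.get(user, set())
        for group, users in self.members.items():
            if user in users:
                roles |= self.group_roles.get(group, set())
        return roles

    def effective_perms(self, user):
        perms = set()
        for role in self.roles_of(user):
            perms |= self.role_perms(role)
        return perms

    def can_open_security_page(self, user):
        # Table 49-3: Manage Configuration excludes the Administration - Security page.
        return PS_MANAGE_ALL in self.effective_perms(user)

    def security_page_users(self):
        """Audit helper: every known user who can reach the Security page."""
        known = set(self.user_roles)
        for users in self.members.values():
            known |= users
        return sorted(user for user in known if self.can_open_security_page(user))


def build_sample_store():
    """Constructed sample data: one admin, one config operator, one finance group."""
    store = PolicyStore()
    store.set_role_perms("Administrator", {PS_MANAGE_ALL, PORTALS_MANAGE_ALL})
    store.define_custom_role("Config Operator", {PS_MANAGE_CONFIG})
    store.define_custom_role("Finance", {PORTALS_MANAGE_CONFIG})
    store.grant("carol", "Administrator")
    store.grant("dave", "Config Operator")
    store.grant("finance-admins", "Finance", is_group=True)
    store.set_members("finance-admins", {"alice", "bob"})
    return store
```

With the sample data, `security_page_users()` returns only carol: dave holds Manage Configuration, which never implies Manage All. After `set_members("finance-admins", {"alice"})` bob no longer holds the Finance role, without any change to the grant.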

49.4 About Roles and Permissions within a Portal

When a user becomes a member of a particular portal, a different set of roles and responsibilities apply. For details, see the "Administering Security in a Portal" chapter in Oracle Fusion Middleware Building Portals with Oracle WebCenter Portal.

49.5 Managing Users

Administrators must ensure that all WebCenter Portal users have appropriate permissions. To get permissions, users must be assigned to an appropriate application role.

From the Users and Groups page (Figure 49-3), administrators can manage application roles for all the users who have access to WebCenter Portal, that is, all users defined in the identity store. From here, you can change user role assignments, grant administrative privileges, and revoke user permissions. To access the Users and Groups page, open Portal Administration and then click the Security page. For details, see the "Accessing Portal Administration" section in Oracle Fusion Middleware Building Portals with Oracle WebCenter Portal.

Only users granted special (non-default) application privileges appear in this table. Initially, all users in the WebCenter Portal identity store are assigned minimal privileges through the Authenticated-User role. Users with the default Authenticated-User role are not listed here. See also Section 49.3.1.1, "Default Application Roles."

Figure 49-3 WebCenter Portal Administration - Users and Groups Page


49.5.1 Assigning Users (and Groups) to Roles

Initially, all users in the WebCenter Portal identity store are assigned minimal privileges through the Authenticated-User role. You can assign individual users (or multiple users in the same enterprise group) to a different application role through WebCenter Portal Administration.

Updates in your back-end identity store, such as new users or someone leaving an enterprise group, are automatically reflected in WebCenter Portal. Initially, when you assign an enterprise group to a WebCenter Portal role, everyone in the enterprise group is granted that role. If someone moves out of the group, the role is revoked. If someone joins the group, they are granted the role.

Note:

For WebCenter Portal to properly maintain enterprise group-to-role mappings, back-end servers, such as the discussions server and content server, must support enterprise groups too. When back-end servers do not support enterprise groups, the message "Group [name] not found in the Identity Store" displays. See also Section 49.7, "Troubleshooting Issues with Users and Roles."

To assign a user (or a group of users) to a different application role:

  1. Open WebCenter Portal Administration.

    For details, see Section 47.2, "Accessing the Portal Builder Administration Page."

  2. Click Security, then Users and Groups (Figure 49-3).

    This page lists users for whom additional roles are defined.

  3. Choose User or Group from the drop-down list.

    Select User to grant permissions to one or more users defined in the identity store. Select Group to grant permissions to groups of users.

  4. If you know the exact name of the user or group, enter the name in the text box, separating multiple names with commas.

    If you are not sure of the name you can search your identity store:

    1. Click the Find icon.

      The Find User (or Find Group) dialog box opens (Figure 49-4).

      Figure 49-4 Finding Users and Groups in the Identity Store


    2. Enter a search term for a user or group, then click the Search icon.

      For tips on searching for a user or group in the identity store, see the "Searching for a User or Group in the Identity Store" section in Oracle Fusion Middleware Building Portals with Oracle WebCenter Portal.

      Users (or groups) matching your search criteria display in the Select User dialog box. For more details on which fields are searched, see the "Searching for a User or Group in the Identity Store" section in Oracle Fusion Middleware Building Portals with Oracle WebCenter Portal.

      Tip:

      • Use * as a wildcard, for example *sales.

      • Leave the search field blank to list all users (or groups) in the identity store.

      • Enter a space between two search terms to search First Name and Last Name; for example, jo sm searches for jo in First Name and sm in Last Name.

    3. Select one or more names from the list.

      To assign roles to multiple users or groups, multi-select all the names required. Ctrl-Click rows to select multiple names.

    4. Click OK.

      The names that you select appear on the User and Groups tab.

  5. To assign a role, select a Role from the drop-down list.

    Select an appropriate role for the selected users (or groups). Only choose Administrator to assign full, administrative privileges for WebCenter Portal.

    If the role you want is not listed, create a new role that meets your requirements (see Section 49.6.1, "Defining Application Roles").

    When no role is selected, the user assumes the Authenticated-User role. See Section 49.3.1.1, "Default Application Roles."

  6. Click Grant Access.

The user or group names and their new role assignments appear in the table.

Note:

Group names are clickable, enabling you to drill down to see user names of the current group members.

A list of members does not display for a dynamic group based on Oracle Entitlements Server (OES) roles since OES roles are based on dynamic attributes and therefore do not have any static members. See also Section 31.8, "Configuring Dynamic Groups for WebCenter Portal."

49.5.2 Assigning a User to a Different Role

From time to time, a user's role in WebCenter Portal may change. For example, a user may move out of sales into the finance department and in this instance, the user's role assignment may change from Sales to Finance.

Note:

You cannot modify your own role or the system administrator's role. See Section 49.3.1, "About Application Roles."

To assign a user to a different role:

  1. Open WebCenter Portal Administration.

    For details, see Section 47.2, "Accessing the Portal Builder Administration Page."

  2. Click Security, then Users and Groups (Figure 49-3).

  3. In the Manage Existing Grants table, scroll down to the user you want.

    Only users with non-default role assignments are listed in the table. If the user you want is not listed, grant the role required as described in Section 49.5.1, "Assigning Users (and Groups) to Roles."

  4. Click the Actions icon, then choose Change Role from the drop-down list.

    The Change Role dialog box opens (Figure 49-5).

    Figure 49-5 Changing a User's Application Role


  5. Select roles as follows:

    • Select Administrator to assign full, administrative privileges for WebCenter Portal.

    • Select one or more roles from the list available.

      If the role you want is not listed, create a new role that meets your requirements (see Section 49.6.1, "Defining Application Roles").

      At least one role must be selected. To revoke all role assignments, reverting user permissions to the default Authenticated-User role, see Section 49.5.4, "Revoking Application Roles".

  6. Click OK.

New role assignments display in the table.

49.5.3 Giving a User Administrative Privileges

It is easy to give a user full, administrative privileges for WebCenter Portal through the Administrator role. Administrators have the highest privilege level and can view and modify anything in WebCenter Portal, so take care when assigning the Administrator role.

Some administrative tasks are exclusive to the Administrator role and cannot be performed by granting the Application-Manage All permission. These tasks include editing the login page, the self-registration page, and profile gallery pages. See also Section 49.3.1.1, "Default Application Roles."

To give a user administrative privileges:

  1. Open WebCenter Portal Administration.

    For details, see Section 47.2, "Accessing the Portal Builder Administration Page."

  2. Click Security, then Users and Groups (Figure 49-3).

    The Role column indicates which users already have full administrative privileges through the Administrator role.

  3. In the Manage Existing Grants table, scroll down to the user you want.

    Only users with non-default role assignments are listed in the table. If the user you want is not listed, follow the steps in Section 49.5.1, "Assigning Users (and Groups) to Roles" to grant the Administrator role.

  4. Click the Actions icon, then choose Change Role from the drop-down list.

    The Change Role dialog box opens (Figure 49-5).

  5. Select Administrator to assign full, administrative privileges for WebCenter Portal.

  6. Click OK.

The new role assignment displays in the table.

49.5.4 Revoking Application Roles

It is easy to revoke application role assignments that no longer apply. You can revoke roles individually or revoke all application roles assigned to a particular user at once.

Revoking all of a user's application roles does not remove that user from the identity store and the user still has access to WebCenter Portal through the default Authenticated-User role.

Note:

You cannot revoke your own role assignments or the system administrator's role. See Section 49.3.1, "About Application Roles."

To revoke application roles:

  1. Open WebCenter Portal Administration.

    For details, see Section 47.2, "Accessing the Portal Builder Administration Page."

  2. Click Security, then Users and Groups (Figure 49-3).

    This page lists users that have been assigned additional roles.

  3. In the Manage Existing Grants table, scroll down to the user you want.

  4. Click the Actions icon:

    Access granted through the revoked role is removed immediately.

When you delete all the roles assigned to a particular user, the user is no longer listed on the Users and Groups page. The user remains in the identity store and still has access to WebCenter Portal through the Authenticated-User role. See Section 49.3.1.1, "Default Application Roles."

49.5.5 Adding or Removing Users

WebCenter Portal administrators cannot add new user data directly to the WebCenter Portal identity store or remove user credentials. Identity store management is the responsibility of the systems administrator and takes place through the WLS Administration Console or directly in embedded LDAP identity stores using LDAP commands. See also Section 31.3.1, "Adding Users to the Identity Store Using the WLS Administration Console."

WebCenter Portal administrators can, however, enable self-registration for the application. Through self-registration, invited and uninvited users can create their own login and password for WebCenter Portal. A user who self-registers is immediately and automatically granted access to WebCenter Portal, and a new user account is created in the identity store. See also Section 48.11, "Enabling Self-Registration."

49.6 Managing Application Roles and Permissions

WebCenter Portal uses application roles to manage permissions for users working in their Home portal. Administrators manage application roles and permissions on the Roles page (Figure 49-6).

Figure 49-6 WebCenter Portal Administration - Roles Page

Description of Figure 49-6 follows
Description of "Figure 49-6 WebCenter Portal Administration - Roles Page"

This section tells you how to manage application roles and their permissions from the WebCenter Portal Administration pages. It contains the following subsections:

49.6.1 Defining Application Roles

Use roles to characterize groups of WebCenter Portal users and determine what they can see and do in their Home portals.

When defining application roles, use self-descriptive role names and try to keep the role policy as simple as possible. Choose as few roles as you can, while maintaining an effective policy.

Take care to assign appropriate access rights when assigning permissions for new roles. Do not allow users to perform more actions than are necessary for the role but, at the same time, try not to inadvertently restrict them from activities they must perform. In some cases, users might fall into multiple roles.

To define a new application role:

  1. Open WebCenter Portal Administration.

    For details, see Section 47.2, "Accessing the Portal Builder Administration Page."

  2. Click Security, then Roles (Figure 49-6).

    Current application roles for WebCenter Portal display as columns in the table.

  3. Click Create Role to define a new role for WebCenter Portal users.

    Figure 49-7 Creating a New Role

    Description of Figure 49-7 follows
    Description of "Figure 49-7 Creating a New Role"

  4. Enter a suitable name for the role.

    Ensure the role names are self-descriptive. Make it as obvious as possible which users should belong to which roles. Role names can contain alphanumeric characters, blank spaces, @, and underscores.

  5. (Optional) Choose a Role Template.

    The new role inherits permissions from the role template. You can modify these permissions in the next step.

    Choose Administrator to create a role that inherits full, administrative privileges. Conversely, choose Public-User to create a role that typically provides minimal privileges. Alternatively, choose a custom application role to be your template.

  6. Click OK.

    The new role appears as a column in the table. The permissions list shows which actions users with this role can perform.

  7. To modify user permissions for the role, select or clear each permission check box.

  8. Click Apply to save any changes that you make to the role's permissions.

49.6.2 Modifying Application Role Permissions

Administrators can modify the permissions associated with application roles at any time. Application permissions are described in Section 49.3.2, "About Application Permissions."

Application role permissions allow individuals to perform specific actions in their Home portal. No permission, except for Manage All, inherits privileges from other permissions.

Note:

Application permissions cannot be modified for the Administrator role. See also Section 49.3.1.1, "Default Application Roles."

To change the permissions assigned to a role:

  1. Open WebCenter Portal Administration.

    For details, see Section 47.2, "Accessing the Portal Builder Administration Page."

  2. Click Security, then Roles (Figure 49-6).

    Current application roles for WebCenter Portal display as columns in the table.

  3. Select or deselect Permissions check boxes to enable or disable permissions for a role.

  4. Click Apply to save.

The new permissions are effective immediately.

49.6.3 Granting Permissions to the Public-User

Anyone who is not logged in to WebCenter Portal assumes the Public-User role. Out-of-the-box, the Public-User role is granted minimal privileges, that is, only the View Application permission.

Caution:

Take care when granting permissions to the Public-User role. Avoid granting administrative permissions such as Application-Manage All, Application-Manage Configuration, or any permission that might be considered unnecessary. See also Section 49.3.2, "About Application Permissions."

Granting the Application-View Permission

The View Application permission allows unauthenticated users to see public WebCenter Portal pages, such as the Welcome page, and also content that individual users choose to make public.

When View Application permission is granted to the Public-User role:

  • Ensure that users understand that any personal page or personal content they choose to make public will become accessible to unauthenticated users outside of the WebCenter Portal community, that is, anyone with Web access.

  • Consider customizing the default Welcome page that displays to public users before they log in (Welcome Page). See Chapter 50, "Customizing System Pages."

If you do not want unauthenticated users to see WebCenter Portal content that is marked 'public', do not grant the View Application permission to the Public-User role. When public access is disabled, public content cannot be seen by unauthenticated users. Also, the Welcome page for WebCenter Portal is not displayed; public users are directed straight to a login page. Administrators may customize the default login page, if required. See Section 50.2, "Customizing System Pages for All Portals."

Granting Other Permissions

Be careful when assigning permissions to the Public-User role. For security reasons, Oracle recommends that you limit what anonymous users can see and do in WebCenter Portal.

49.6.4 Granting Permissions to the Authenticated-User

Anyone who is logged in to WebCenter Portal assumes the Authenticated-User role. Out-of-the-box, the Authenticated-User role is granted minimal privileges, through the following permissions: View Application, Portals-Create, Portal Templates-Create, Pages-Create, Update People Connections Data, and Connect with People.

Other important notes:

  • The Authenticated-User role always inherits permissions from the Public-User role.

  • Custom application roles all inherit permissions from the Authenticated-User role.
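The inheritance rules above, the Manage All note in Section 49.6.2 and the Public-User caution in Section 49.6.3 can be checked before a policy is applied. The following is an added example, not Oracle's code; it assumes a constructed policy format (a dict of role name to granted permissions) and treats Application-Manage All as implying every other permission, as the text states:

```python
"""Added example (not Oracle's code): a small model of the application-role
inheritance this chapter describes, used to audit a role policy before it is
applied. Assumptions (constructed): the policy is a dict of role -> granted
permissions, and Application-Manage All implies every other permission, as the
text states for Manage All."""

# Out-of-the-box grants as the chapter lists them.
DEFAULT_POLICY = {
    "Public-User": {"View Application"},
    "Authenticated-User": {
        "View Application", "Portals-Create", "Portal Templates-Create",
        "Pages-Create", "Update People Connections Data", "Connect with People",
    },
}

# Permissions the Public-User caution singles out as administrative.
ADMIN_PERMISSIONS = {"Application-Manage All", "Application-Manage Configuration"}

# The permission universe this model knows about (Manage All expands to it).
ALL_PERMISSIONS = ADMIN_PERMISSIONS | DEFAULT_POLICY["Authenticated-User"]

def parent_of(role):
    """Inheritance chain from the text: Authenticated-User inherits Public-User
    and every custom role inherits Authenticated-User."""
    if role == "Public-User":
        return None
    if role == "Authenticated-User":
        return "Public-User"
    return "Authenticated-User"

def effective_permissions(policy, role):
    """Union of a role's own grants and everything inherited down the chain."""
    perms, current = set(), role
    while current is not None:
        perms |= set(policy.get(current, ()))
        current = parent_of(current)
    if "Application-Manage All" in perms:
        perms |= ALL_PERMISSIONS  # the one permission that implies the rest
    return perms

def audit_public_user(policy):
    """Administrative permissions anonymous users would hold, directly or via
    Manage All; an empty list means the Public-User caution is respected."""
    return sorted(effective_permissions(policy, "Public-User") & ADMIN_PERMISSIONS)

def public_access_enabled(policy):
    """True when View Application is granted to Public-User, i.e. public pages
    and public content are visible to unauthenticated users."""
    return "View Application" in effective_permissions(policy, "Public-User")
```

Because every custom role inherits from Authenticated-User, which in turn inherits from Public-User, a permission mistakenly granted to Public-User reaches every user, which is what audit_public_user is there to catch.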

49.6.5 Deleting Application Roles

When an application role is no longer required you should remove it from WebCenter Portal. This helps maintain a valid role list, and prevents inappropriate role assignment.

Application roles are deleted even when users are still assigned to them. As you cannot delete any default roles, WebCenter Portal users will always have the Authenticated-User role.

Note:

Default roles cannot be deleted (Administrator, Authenticated-User, Public-User). See Section 49.3.1.1, "Default Application Roles."

To delete an application role:

  1. Open WebCenter Portal Administration.

    For details, see Section 47.2, "Accessing the Portal Builder Administration Page."

  2. Click Security, then Roles (Figure 49-6).

    Current application roles for WebCenter Portal display as columns in the table.

  3. Select the Delete Role icon next to the role you want to delete (Figure 49-8).

    Figure 49-8 Deleting an Application Role

    Description of Figure 49-8 follows
    Description of "Figure 49-8 Deleting an Application Role"

  4. Click Delete to confirm that you want to delete the role.

    The role is removed from the table. Any users assigned only to this role assume the default Authenticated-User role and do not appear on the Users and Groups tab.

49.7 Troubleshooting Issues with Users and Roles

For WebCenter Portal to properly maintain enterprise group-to-role mappings, the back-end discussions server and content server must support enterprise groups. The WebCenter Portal Discussions Server and WebCenter Content Server versions provided with Oracle WebCenter Portal 11.1.1.2.0 and later both support enterprise groups, but previous versions may not. If a back-end server does not support enterprise groups, an error message similar to the following displays when you try to add a group.

Warning: Group [name] not found in Identity Store

Also, an error is logged containing more detailed information as shown here:

[2011-03-28T01:03:07.143-07:00] [WC_Spaces] [NOTIFICATION] [WCS-07855] 
oracle.webcenter.doclib.internal.spaces.AbstractDoclibRoleMapper] [tid: pool-1-daemon-thread-1] [userId: monty] 
[ecid: a4789a41d7e6bc9f:36de4556:12efb72d049:-8000-00000000000002c0,0:5] 
[APP: webcenter#11.1.1.4.0] Adding groups [oracle.webcenter.security.common.WCGroup@18b96a3] to documents service roles [Administration, Delete Documents, Create and Edit Documents, View Documents] for
 scope Scope[name=rbgs25mar01, guid=sbf125dd4_cd43_41cc_9d3d_467d06e84100][2011-03-28T01:03:09.122-07:00] [WC_Spaces] [ERROR] [WCS-44002] [oracle.webcenter.security.rolemapping.RoleManager] 
[tid: [ACTIVE].ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: monty] 
[ecid: a4789a41d7e6bc9f:36de4556:12efb72d049:-8000-00000000000002c0,0] 
[APP: webcenter#11.1.1.4.0] The Role Mapping provider encountered an exception while performing security role mapping for service oracle.webcenter.doclib.
[[oracle.webcenter.security.rolemapping.spi.RoleMappingSPIException: Cannot add role null and permissions, 15, to the account for the folder, rbgs25mar01 for the user/group Admin.        at
oracle.webcenter.doclib.internal.spaces.UCMSpacesUtils$2.newException(UCMSpacesUtils.java:2595)

Note:

In previous releases, if a back-end server did not support enterprise groups, users belonging to enterprise groups were individually added to WebCenter Portal roles; this behavior has changed.
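Catching the role-mapping failure quoted above in the diagnostic log is easier with a parser for that record format. The following is an added example, not Oracle's code: it splits Oracle diagnostic-log records on their bracketed timestamp, handles the nested brackets in the tid field, and flags ERROR records carrying WCS-44002 or a RoleMappingSPIException. SAMPLE_LOG is a constructed sample in that format; its ecid and guid values are placeholders.

```python
"""Added example (not Oracle's code): parse Oracle diagnostic-log records like those
quoted above and flag the WCS-44002 role-mapping failure. SAMPLE_LOG is constructed
in that format; ecid and guid values are placeholders."""
import re

SAMPLE_LOG = """\
[2011-03-28T01:03:07.143-07:00] [WC_Spaces] [NOTIFICATION] [WCS-07855] [oracle.webcenter.doclib.internal.spaces.AbstractDoclibRoleMapper] [tid: pool-1-daemon-thread-1] [userId: monty] [ecid: EXAMPLE-ECID,0:5] [APP: webcenter#11.1.1.4.0] Adding groups [oracle.webcenter.security.common.WCGroup@18b96a3] to documents service roles [Administration, View Documents] for scope Scope[name=rbgs25mar01, guid=EXAMPLE-GUID]
[2011-03-28T01:03:09.122-07:00] [WC_Spaces] [ERROR] [WCS-44002] [oracle.webcenter.security.rolemapping.RoleManager]
[tid: [ACTIVE].ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: monty]
[ecid: EXAMPLE-ECID,0] [APP: webcenter#11.1.1.4.0] The Role Mapping provider encountered an exception while performing security role mapping for service oracle.webcenter.doclib.
[[oracle.webcenter.security.rolemapping.spi.RoleMappingSPIException: Cannot add role null and permissions, 15, to the account for the folder, rbgs25mar01 for the user/group Admin.
"""

def _leading_fields(record):
    """Split the bracketed header fields off a record, honouring nested brackets
    such as [tid: [ACTIVE].ExecuteThread ...]. Returns (fields, message)."""
    fields, i, n = [], 0, len(record)
    while i < n and record[i] == "[":
        depth, j = 0, i
        while j < n:
            depth += {"[": 1, "]": -1}.get(record[j], 0)
            if depth == 0:
                break
            j += 1
        if depth != 0:
            break                 # unbalanced brackets: the rest is message text
        fields.append(record[i + 1:j])
        i = j + 1
        while i < n and record[i].isspace():
            i += 1
    return fields, record[i:].strip()

def parse_odl(text):
    """One dict per record; records start with a bracketed timestamp and may span
    several lines or run into the previous record, as in the quote above."""
    records = []
    for chunk in re.split(r"(?=\[\d{4}-\d{2}-\d{2}T)", text):
        fields, message = _leading_fields(chunk.strip())
        if len(fields) < 5:
            continue              # no ODL header here; skip the chunk
        rec = dict(zip(("timestamp", "component", "level", "msgid", "logger"), fields))
        for extra in fields[5:]:  # "tid: ...", "userId: ...", "ecid: ...", "APP: ..."
            key, _, value = extra.partition(":")
            rec[key.strip()] = value.strip()
        rec["message"] = message
        records.append(rec)
    return records

def role_mapping_failures(text):
    """(timestamp, userId, msgid) for ERROR records showing the back-end server
    could not map an enterprise group: WCS-44002 or a RoleMappingSPIException."""
    return [(r["timestamp"], r.get("userId"), r["msgid"]) for r in parse_odl(text)
            if r["level"] == "ERROR" and (r["msgid"] == "WCS-44002"
                                          or "RoleMappingSPIException" in r["message"])]
```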