5 Manage Users, Groups, and Access

Securing your system is an ongoing process as people join or leave your company and as needs change and your system grows.

Note:

The groups discussed in this chapter are created in Oracle Cloud Infrastructure (OCI) or imported into OCI from your identity provider. Your users can also create groups in Oracle Content Management that can be used for sharing and collaboration.

Oracle is in the process of updating Oracle Cloud Infrastructure (OCI) regions to switch from Identity Cloud Service (IDCS) to Identity and Access Management (IAM) identity domains. All new Oracle Cloud accounts will automatically use IAM identity domains. Depending on whether your region uses IAM identity domains or not, you'll use different documentation to complete your deployment.

All remaining topics apply to both scenarios.

Does My Region Use IAM Identity Domains?

Oracle is in the process of updating Oracle Cloud Infrastructure (OCI) regions to switch from Identity Cloud Service (IDCS) to Identity and Access Management (IAM) identity domains. All new Oracle Cloud accounts will automatically use IAM identity domains.

Depending on whether your region uses IAM identity domains or not, you'll use different documentation to manage users, groups, and access. To see if your region includes IAM identity domains, sign in to your Oracle Cloud account as a cloud account administrator. In the navigation menu, click Identity & Security. Under Identity, check for Domains. If you see Domains, your cloud account has been updated.

  • IAM (updated): Region with identity domains. [Image: Oracle Cloud Console showing Identity and Security with Domains menu option]
  • IDCS (not updated): Region without identity domains. [Image: Oracle Cloud Console showing Identity and Security with no Domains menu option]

If your region has been updated, use the following documentation:

If your region has been updated recently, here's what to expect post update: OCI IAM Identity Domains: What Oracle IDCS customers need to know

If your region hasn't been updated, use the following documentation:

External Users

External users may be people outside of your organization who can collaborate on objects to which they're given access, but they can't be assigned the manager role. This safely limits their ability to create and remove content, similar to how visitors can sign in and use specified secure sites. This allows you to work with outside contributors such as translators and partners.

Note:

External users aren't supported in private instances.

There are just a few steps needed to take advantage of external users in your system:

  1. Enable external users in your system.

    Note:

    Once external users are enabled in your system, they can be added to folders, standard sites, and stand-alone conversations. If you want to prevent external users from being added to a particular folder or standard site, you can disable external user access and membership on the Members page for that object. This option isn't available for conversations.
  2. Invite new external users by adding them as members of folders, standard sites, or conversations, entering their email addresses. If there isn't already a user with that email address, you'll be asked for additional information, such as their name and location. You can then invite them, and Oracle Content Management will automatically provision a new external user.

    Alternatively, administrators can add external users just as you would add any other user, and assign them the External User application role.

  3. Give them access to the appropriate files, folders, and other objects in Oracle Content Management. When adding an external user as a member of an object, you must enter their full email address.

External users can:

  • Access the Oracle Content Management web client.
  • Work with files, folders, conversations, and sites to which they've been given access. Just like any other user, an external user must be a Contributor to be able to edit an item.
  • Create new files in folders they have Contributor access to and delete files they created.
  • Perform the following actions on sites to which they have Contributor access:
    • Delete and restore sites.
    • Copy and export templates.
    • Export components and layouts.
    • View the site’s vanity domain.
    • Utilize all Site Builder functionality.
  • Be added to membership-based groups (not public groups).
  • Receive regular sharing and contribution email notifications.
  • Work with the Document Manager component, linked to a specific folder.
  • Access the APIs with the same privileges they get using the web client.

Varying levels of access can be provided to any user, but a user who has only the standard external user role can't:

  • Access the desktop client or mobile apps.
  • Create new folders (except in a folder they've been given access to), conversations, sites, or themes.
  • Delete other users' files.
  • Be assigned the Manager role for any object.
  • Be on a governance site creation approval list.
  • Be part of public groups.
  • Create their own groups, modify existing group membership, or remove themselves from member groups.
  • Browse translations or localization policies.
  • Change a site's vanity domain.

Set the Default Resource Role for New Folder Members

Users in your organization can share folders with other users and assign them a resource role within the shared folder. The following roles are available:

  • Viewer: Viewers can look at files and folders, but can't change things.
  • Downloader: Downloaders can also download files and save them to their own computers.
  • Contributor: Contributors can also modify files, update files, upload new files, and delete files.
  • Manager: Managers have all the privileges of the other roles and can add or remove other people as members.

To change the default resource role:

  1. After you sign in to the Oracle Content Management web application as a service administrator, click System in the Administration area of the navigation menu.

  2. In the System menu, click Users.
  3. Under Members, in the Default role for new members added to folders list, select the resource role users will be assigned by default when added to a folder.

Synchronize User Profile Data

You can replace a user's existing profile information with the information from your identity store:

  1. After you sign in to the Oracle Content Management web application as a service administrator, click System in the Administration area of the navigation menu.

  2. In the System menu, click Users.
  3. Search for the user whose profile data you want to sync, click Edit next to the user’s name, and click Sync Profile Now on the user details page.

Display Conversation Membership Messages for Users

Configure whether conversation membership messages (which show when a person is added to a conversation and who added them) are displayed to a user by default. A user can change this display setting for any stand-alone conversation.

  1. After you sign in to the Oracle Content Management web application as a service administrator, click System in the Administration area of the navigation menu.

  2. In the System menu, click Users.
  3. On the Search tab, find the user whose default you want to set. Enter part of the user name, display name, or email address in the text box and click Search.
  4. Click Edit next to the user’s name.
  5. Select the Show Conversation Membership Messages by Default check box and click Save.

Override Storage Quota for a User

You can set a default quota for the amount of storage space that a user is allocated. If you need to override the default for a particular user, use the following steps.

  1. After you sign in to the Oracle Content Management web application as a service administrator, click System in the Administration area of the navigation menu.

  2. In the System menu, click Users.
  3. Search for the user whose settings you want to override and click Edit next to the user’s name.
  4. In the User Quota box, enter the quota amount in gigabytes, and then click Save.

    You can see how much storage the user has used next to Storage consumed.

Transfer File Ownership

When people leave your organization or change roles, you might want to assign their files and folders to someone else and add their storage quota back to the total quota you have available for assignments. You can assign a person’s entire library of content to someone else. The content appears as a folder in the new user’s root folder. All of the sharing actions, such as members and public links, remain intact.

  1. After you sign in to the Oracle Content Management web application as a service administrator, click System in the Administration area of the navigation menu.

  2. In the System menu, click Users.
  3. Find the user whose files you want to transfer using one of the following methods:
    • To find an active user, on the Search tab enter part of the user name, display name, or email address in the text box and click Search. Open the user properties by clicking the user name or clicking Edit next to the user.
    • To find a deprovisioned user, click the Deprovisioned Users tab. You see a list of all users who have been removed from your organization's system, sorted by name. This list is refreshed on a regular basis, but you can also update it manually by clicking Sync Profile Data.

    To download a CSV file of all deleted users, click Export Deprovisioned Users.

  4. Click Transfer Ownership. For active users, the button is at the bottom of the properties. For deprovisioned users, click the button next to the user you want.
  5. Enter part of the user name, display name, or email address of the person who will receive the content and click Search.
  6. Select the user you want to transfer the content to. A message shows that the content will increase the recipient's quota by the amount of content being transferred. It also shows you how much storage will be released back into the total quota you have available.
  7. Click Transfer. The content is transferred and the list shows that the deprovisioned account is gone.

Alternatively, for deprovisioned users, you can delete the content. On the Deprovisioned Users tab, next to the user whose content you want to delete, click Delete Content.

Users can also transfer ownership of their own folders.

View and Resynchronize Groups Out of Sync

If you believe a group in Oracle Content Management is out of sync, you can see a report of the mismatches and manually resynchronize the group. For example, if a user can't access an item to which they should have access through group membership, the group may be out of sync.

To view group sync mismatches:

  1. After you sign in to the Oracle Content Management web application as a service administrator, click System in the Administration area of the navigation menu.

  2. In the System menu, click Users.
  3. Click the Group Sync tab.
  4. Search for the group you think is out of sync, then click Check Synchronization Status.
  5. If the report shows that the group in Oracle Content Management is out of sync, click Synchronize.

    Note:

    Groups that are restricted from sharing and groups that include only site visitors can't be synchronized.

Override Temporary Quota for a User

By default, the maximum upload and sync file size is 2GB (set on the Documents page). To ensure more than one 2GB file can be uploaded simultaneously, the default temp storage quota for users is 5GB. If your maximum file size is set higher, the temp storage quota for users is automatically increased to 2.5 times that amount (for example, if the maximum file size is set to 10GB, the temp storage quota for users is set to 25GB).

This temp storage quota setting should suffice for normal circumstances, but if you need a particular user to have a higher temp storage quota, you can override the setting.

  1. After you sign in to the Oracle Content Management web application as a service administrator, click System in the Administration area of the navigation menu.

  2. In the System menu, click Users.
  3. Search for the user whose settings you want to override and click Edit next to the user’s name.
  4. In the Temp Quota box, enter the quota amount in gigabytes, and then click Save.

Revoke Access to Linked Devices

Users can revoke access to one of their linked devices if they change devices or lose one, but there might be cases where you, as an administrator, need to perform this action. When you revoke access to a linked device, the user’s sign-in session is ended. If you or anyone else tries to access Oracle Content Management from the device, the account is signed out and all local content stored on the device for that account is deleted.

Revoking access for the device affects only one account, so if the person has multiple user accounts, you need to revoke access separately for each user account to block all access to Oracle Content Management and delete all local content stored on the device.

  1. After you sign in to the Oracle Content Management web application as a service administrator, click System in the Administration area of the navigation menu.

  2. In the System menu, click Users.
  3. Search for the user whose device access you want to revoke and click Edit next to the user’s name.
  4. Under Linked Devices, click Revoke next to the appropriate device.

Change Settings for Groups

You can change the sharing and notification settings for groups and resynchronize groups.

To change settings for groups:

  1. After you sign in to the Oracle Content Management web application as a service administrator, click System in the Administration area of the navigation menu.

  2. In the System menu, click Users.
  3. Search for the group whose settings you want to change, then click Edit next to the group's name.
  4. If you don't want the group to be used for sharing, so that users can't add the group to an object (such as a document or a site), select Cannot be used for sharing.
  5. If you don't want this group to be sent notifications, select Will not be sent notifications.
  6. To check if the group is in sync, click Check Synchronization Status. A message will show the status.

    If you need to resynchronize the group information, click Synchronize.