15 Understanding Security and User Access

This chapter provides introductory information on Oracle WebCenter Content security as it is integrated with other Oracle products, and its own internal security features and supplemental security options.

This chapter includes the following topics:

  • Overview of Content Server Security

  • Security within Content Server

  • Additional Security Options

  • Advanced Security Options

15.1 Overview of Content Server Security

A Content Server instance is deployed on a WebCenter Content domain, which is deployed on an Oracle WebLogic Server domain in Oracle Fusion Middleware. Security is supported at multiple levels including the Content Server instance, the WebCenter Content domain, the Oracle WebLogic Server domain, and Oracle Platform Security Services (OPSS).

Access to content in the Content Server repository requires a Content Server administrator to manage content, users, and groups, as well as roles, permissions, and accounts. An Oracle WebLogic Server administrator functions as the Content Server administrator. An Oracle WebLogic Server administrator must log in to the Content Server instance and set up the primary Content Server administrator account and password, if no such user was configured during deployment. After the Content Server administrator is configured, management tasks can be performed on the Content Server instance. See Installing the Oracle WebCenter Content Software in Installing and Configuring Oracle WebCenter Content.

Most user management tasks must be performed using the Oracle WebLogic Server Administration Console instead of the User Admin applet on the Content Server instance. By default, WebCenter Content uses the Oracle WebLogic Server user store to manage user names and passwords, and the credential store is leveraged to grant users access to the Content Server instance. For an enterprise-level system, Oracle Platform Security Services (OPSS) can be used instead of the default Oracle WebLogic Server user store to authenticate and authorize users. For more information on integrating WebCenter Content security with Oracle WebLogic Server and OPSS, see Configuring Fusion Middleware Security for Content Server.

Content Server offers several levels of security for repository content: security groups (which are required) and accounts (which are optional). Each content item is assigned to a security group, and if accounts are enabled then content items can also be assigned to an account. Users are assigned a certain level of permission (Read, Write, Delete, or Admin) for each security group and account, which enables them to work with a content item only to the extent that they have permissions to the item's security group and account. For more information on users, groups, and accounts internal to Content Server, see Managing User Types, Logins, and Aliases, Managing Security Groups, Roles, and Permissions, and Managing Accounts.

Access control lists (ACLs) can be configured for a Content Server instance to provide extended control of content access to users on an enterprise-level system. An access control list is a list of users, groups, or Enterprise roles with permission to access or interact with a content item. For more information, see Managing Access Control List Security.

15.2 Security within Content Server

The administrator sets up initial user and content security within Content Server by using the User Admin application to define user roles, permissions to groups, and accounts. Then the administrator uses the Oracle WebLogic Server Administration Console to create users and assign each user to one or more of the Content Server roles, which in turn are assigned specific permissions to security groups. If accounts are enabled in Content Server, the administrator can assign users specific permissions to certain accounts, which then limits the permissions the users might otherwise have through their assigned roles.
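The two paragraphs above (security groups with cumulative Read, Write, Delete and Admin permissions, and accounts that further limit what a role grants) can be modelled as a small access check. This is an added illustration, not Oracle code or a Content Server API; the role, group and account names are constructed samples, and the "lower of the two levels wins" combination is the rule the text describes.

```python
"""Model of Content Server group-plus-account permission evaluation.

Added illustration (not Oracle's code): a user's access to a content item is
the permission the user's roles grant on the item's security group, reduced to
the user's permission on the item's account when accounts are enabled and the
item has one. Levels are cumulative: Admin > Delete > Write > Read > None.
"""
from dataclasses import dataclass, field

LEVELS = {"None": 0, "Read": 1, "Write": 2, "Delete": 3, "Admin": 4}
LEVEL_NAMES = {v: k for k, v in LEVELS.items()}

# Constructed sample roles: role -> {security group -> permission}.
ROLES = {
    "contributor": {"Public": "Write", "Secure": "Read"},
    "sysadmin": {"Public": "Admin", "Secure": "Admin"},
    "guest": {"Public": "Read"},
}


@dataclass
class User:
    name: str
    roles: list
    accounts: dict = field(default_factory=dict)  # account -> permission


@dataclass
class ContentItem:
    doc_id: str
    security_group: str
    account: str = ""  # empty string: no account assigned to the item


def group_permission(user, group):
    """Highest permission any of the user's roles grants on the group."""
    best = 0
    for role in user.roles:
        best = max(best, LEVELS[ROLES.get(role, {}).get(group, "None")])
    return best


def effective_permission(user, item, accounts_enabled=True):
    """Group permission, capped by account permission when an account applies."""
    level = group_permission(user, item.security_group)
    if accounts_enabled and item.account:
        level = min(level, LEVELS[user.accounts.get(item.account, "None")])
    return LEVEL_NAMES[level]


def can(user, item, action, accounts_enabled=True):
    """True when the effective level reaches the level `action` requires."""
    required = LEVELS[action]
    return LEVELS[effective_permission(user, item, accounts_enabled)] >= required
```

Note that a role granting Write on a group does not help on an item whose account the user has no permission for; that is the limiting effect of accounts described above.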

For information on users, see Managing User Types, Logins, and Aliases. For information on security groups, roles, and permissions, see Managing Security Groups, Roles, and Permissions. For information on accounts, see Managing Accounts.

The following components also can be used to provide additional internal Content Server security:

  • Security can be customized for user access by using the ExtranetLook component, which is installed (disabled) with Content Server. For more information, see Login/Logout Customization.

    Note:

    The ExtranetLook component is not applicable when the Oracle WebLogic Server domain is used as the web server for the Content Server instance. Modification of the security implementation is controlled through direct customization of the Oracle WebLogic Server domain and administrative configuration.

  • Security can be customized for user access and search results by using the NeedToKnow component. This component enables you to further configure user access restrictions, modify the display of search results, alter search behavior, and set up hit list roles. To use this component, you must install and enable it.

Be aware that Internet Explorer 7 displays the following message to users who log in with basic authentication over a connection that is not secured with HTTPS:

Warning: This server is requesting that your username and password be sent in an insecure manner

This behavior (sending the user name and password in clear text) is not new for basic authentication and does not cause problems.

15.3 Additional Security Options

WebCenter Content can combine additional authentication methods. For example, you can define some users with the Oracle WebLogic Server Administration Console, allow some users to log in using their Microsoft domain identity, and grant other users access to the Content Server instance based on their external Lightweight Directory Access Protocol (LDAP) credentials. However, authentication is configured through Oracle WebLogic Server, so the combination of methods is limited. Users can authenticate against multiple authentication stores, but because of the Oracle Platform Security Services (OPSS) and Oracle WebLogic Server integration, only one of the configured user stores can be used to extract authorization (group) information.

Note:

As of 11g Release 1 (11.1.1.6.0) Oracle WebCenter Content supports use of the Oracle Virtual Directory library (libOVD) feature, which enables a site to use multiple providers for login and group membership information. For example, it would be possible to use both Oracle Internet Directory (OID) and Active Directory as sources of user and role information. For information on multi-LDAP configuration in Oracle WebLogic Server, see Configuring Single and Multiple LDAPs in Oracle Fusion Middleware Application Security Guide.

The following options can be used to provide additional security:

  • Security can be customized to support encrypted socket communication and authentication by using the SecurityProviders component, which is installed (enabled) by default with WebCenter Content. This component enables a Secure Sockets Layer (SSL) provider, which can be configured to use certificates for socket or server authentication.

    If you use SSL and HTTPS to connect to WebCenter Content, and are unable to connect through WebDAV, try connecting to the Content Server instance through the browser using the same URL you used in your WebDAV connection string. This lets you see if there is a problem with the certificate, which is used to encrypt communications. If you get a dialog box stating a problem with the certificate, resolve the issue and then try to connect through WebDAV again.

  • For users to access the Content Server instance through different web server front ends, where one front end uses HTTPS and the other uses HTTP, you can customize the Content Server configuration by using the BrowserUrlPath component. This component is installed (disabled) by default with WebCenter Content and supports a web server front end that uses HTTPS together with a load balancer that replaces the HTTP Host header with its own address. If you use only one access method (only HTTPS, or only HTTP), or you are not using a load balancer that hides the browser's "Host" header from the server, then this component is unnecessary. For more information, see Browser URL Customization.

  • Extended security attributes can be assigned to external users or to users for a specific application. The extended attributes are merged into pre-existing user attributes and enable additional flexibility in managing users. For more information, see Extended User Attributes.

In all environments, a comprehensive understanding of your organization's security needs and a thorough planning phase is crucial to a successful security integration.

15.4 Advanced Security Options

The advanced security options allow you to handle all the security configurations recommended for WebCenter Content. You can specify the advanced security options either by using APIs or the user interface.

Note:

If a user provides an invalid field name in the QueryText when the advanced security options are enabled, an error message is displayed.

Configuring Advanced Security by Using APIs

Use the following APIs to enable the advanced security options:

  • ASC_GET_SECURITY_CONFIGURATIONS: Provides details about the existing security configurations in WebCenter Content.

  • ASC_UPDATE_SECURITY_CONFIGURATIONS: Enables you to update the security configurations as well as the field or column names when a new table is added or deleted, by passing the respective input parameters.

    For more information on the APIs and parameters, see Core Content Server Services in Services Reference for Oracle WebCenter Content.

Configuring Advanced Security by Using the User Interface

You can specify the advanced security options in the Oracle Advanced Security Configurations page. However, this page is not available by default. You can enable or disable this page based on your requirement. For more information, see Enabling Oracle Advanced Security Configurations Page.

15.4.1 Enabling Oracle Advanced Security Configurations Page

By enabling the Oracle Advanced Security Configurations page, you can specify the security options for Core QueryText and FrameworkFolders QueryText.

To enable the Oracle Advanced Security Configurations Page:
  1. Using a text editor, open the config.cfg file located in the IntradocDir/config/ directory.
  2. Add the following parameter:
    • IsAdvanceSecurityConfigUIEnabled=True

  3. Save the config.cfg file.
  4. Restart the Content Server instance.
    The Oracle Advanced Security Configurations option is available in the Administration menu.

    Note:

    You can also enable the Oracle Advanced Security Configurations page by selecting Administration, then Admin Server, and then General Configuration. In the Additional Configuration Variables area, you can add the parameter IsAdvanceSecurityConfigUIEnabled=True. However, you must restart the content server to see the Oracle Advanced Security Configurations option in the Administration menu.
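Steps 1 to 3 of the procedure above can be applied with a small helper that edits config.cfg idempotently, so that running it twice does not duplicate the key and an existing different value is replaced rather than left in place. This is an added example, not an Oracle tool; the sample config.cfg contents and the temporary IntradocDir it runs against are constructed, and step 4 (restarting the Content Server instance) is still required afterwards.

```python
"""Set IsAdvanceSecurityConfigUIEnabled=True in IntradocDir/config/config.cfg.

Added helper (not part of Oracle WebCenter Content). It keeps a .bak copy of
the file before writing and reports whether the key was appended, replaced or
already set, so the change can be audited. A restart is still needed.
"""
import os
import re
import shutil
import tempfile


def set_config_value(path, key, value, backup=True):
    """Set key=value in a config.cfg; return 'appended', 'replaced' or 'unchanged'."""
    with open(path, encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    pattern = re.compile(r"^\s*" + re.escape(key) + r"\s*=\s*(.*?)\s*$")
    outcome = "appended"
    for i, line in enumerate(lines):
        match = pattern.match(line)
        if match:
            outcome = "unchanged" if match.group(1) == value else "replaced"
            lines[i] = f"{key}={value}"
            break
    else:
        lines.append(f"{key}={value}")
    if outcome != "unchanged":
        if backup:
            shutil.copy2(path, path + ".bak")  # keep the pre-change file
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")
    return outcome


def enable_advanced_security_ui(intradoc_dir):
    """Steps 1 to 3: edit IntradocDir/config/config.cfg (restart not done here)."""
    cfg = os.path.join(intradoc_dir, "config", "config.cfg")
    return set_config_value(cfg, "IsAdvanceSecurityConfigUIEnabled", "True")


def demo():
    """Run against a constructed IntradocDir in a temporary directory."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "config"))
    cfg = os.path.join(root, "config", "config.cfg")
    with open(cfg, "w", encoding="utf-8") as fh:  # constructed sample config
        fh.write('<?cfg jcharset="UTF8"?>\nIDC_Name=ucm1\n'
                 "IsAdvanceSecurityConfigUIEnabled=False\n")
    results = [enable_advanced_security_ui(root), enable_advanced_security_ui(root)]
    with open(cfg, encoding="utf-8") as fh:
        text = fh.read()
    results += [text.count("IsAdvanceSecurityConfigUIEnabled="),
                "IsAdvanceSecurityConfigUIEnabled=True" in text,
                os.path.exists(cfg + ".bak")]
    shutil.rmtree(root)
    return results
```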

15.4.1.1 Specifying Advanced Security Options for Core QueryText

When the advanced security options are specified for Core QueryText, searches are executed by validating the entered search criteria against the configured table and field names and returning the matching results.

To specify the advanced security options for Core QueryText:
  1. Select Administration, then Oracle Advanced Security Configurations.
    The Oracle Advanced Security Configurations page appears.
  2. Select the Core QueryText Security Config check box to edit and update this section.
    If you do not select the Core QueryText Security Config check box, the changes made to this section are not saved.
  3. Select the Enable QueryText security validation check box to enable the custom query validations.
    If you do not select the Enable QueryText security validation check box, the Core QueryText validation is disabled.
  4. Enter one or more table names in the Custom table names field to include these tables in the search criteria.
  5. Enter one or more field names in the Custom field names field to include these fields in the search criteria.

    Note:

    The values entered in the fields Custom table names and Custom field names should be separated by a semicolon (;).
  6. Click Update to save the entered details.

15.4.1.2 Specifying Advanced Security Options for FrameworkFolders QueryText

When the advanced security options are specified for FrameworkFolders QueryText, the entered search criteria are validated and executed within the framework folders, and the matching results are returned.

To specify the advanced security options for FrameworkFolders QueryText:
  1. Select Administration, then Oracle Advanced Security Configurations.
    The Oracle Advanced Security Configurations page appears.
  2. Select the FrameworkFolders QueryText Security Config check box to edit and update this section.
    If you do not select the FrameworkFolders QueryText Security Config check box, the changes made to this section are not saved.
  3. Select the Enable QueryText security validation check box to enable the custom query validations.
    If you do not select the Enable QueryText security validation check box, the FrameworkFolders QueryText validation is disabled.
  4. Enter one or more table names in the Custom table names field to include these tables in the search criteria.
  5. Enter one or more field names in the Custom field names field to include these fields in the search criteria.

    Note:

    The values entered in the fields Custom table names and Custom field names should be separated by a semicolon (;).
  6. Click Update to save the entered details.