38 Managing Security Across Portals
Note:
Oracle WebCenter Portal has deprecated the support for Jive features (announcements and discussions). If you have upgraded from a prior release to Release 12c (12.2.1.4.0), Jive features remain available in your upgraded instance but Oracle support is not provided for these features. In the next release, Jive features will not be available even in the upgraded instances
Permissions:
To perform the tasks in this chapter, you must have the WebCenter Portal Administrator
role or a custom role that grants the following permission:
-
Portal Server: Manage All
38.1 About WebCenter Portal Security
WebCenter Portal provides a comprehensive security model that enables you to control what users can see and change in WebCenter Portal. Using the Security page in WebCenter Portal Administration (Figure 38-1), you can control which users (and groups) have access to individual portals and the Home portal and you can also control exactly what users and groups can see and do by enabling and disabling various permissions.
Figure 38-1 WebCenter Portal Administration: Security Page
Description of "Figure 38-1 WebCenter Portal Administration: Security Page"
Within a particular portal you can restrict user and group access to individual pages, page content (such as task flows, portlets, documents, and folders), and assets (such as page templates, page styles, skins, resource catalogs, and so on).
User and Groups
A user is a single person in the identity store, and a group contains multiple users. In WebCenter Portal you can grant permissions to individual users and to groups of users.
Unregistered Users and Self-Registration
Self-registration allows unregistered users to create their own login and password for WebCenter Portal. A user who self-registers is immediately and automatically granted access to WebCenter Portal and a new user account is created in WebCenter Portal's identity store.
Application Roles and Portal Roles
Application roles determine what a user (or group) can see and do in the Home portal which, for some administrative functions, can impact all of WebCenter Portal. Portal roles control actions within a particular portal.
Portals
Portals support the formation and collaboration of project teams and communities of interest by providing a dedicated and readily accessible area for relevant services, pages, and content and by supporting the inclusion of specified members.
Home Portal
The Home portal is a shared portal that, by default, is accessible to everyone who is logged in. Application roles apply while a user is working within the Home portal. In most applications, the Home portal focuses on social networking and personal content.
Assets
Various portal assets help define the overall structure, look and feel, and content in portals. These include page styles, page templates, skins, resource catalogs, Content Presenter display templates, task flow styles, data controls, and task flows. Users with appropriate privileges can build and customize assets for the entire application or individual portals.
Pages
Anyone authorized to edit a page can grant access and permissions to other users and groups. For example, you might grant view-only permission to everyone in the sales group, edit permission to sales managers, and manage permission to a single user. Alternatively, you can specify that the page inherits its access from the application.
Page Content, Files, and Folders
Some pages might contain content that you want only a select set of users, or even only one other user, to see. For example, a page aimed at sales people might include two Announcement task flows; one aimed at all sales people and the other at only sales managers. By restricting access to the second Announcement task flow, you can hide management-level announcements from anyone who is not a sales manager.
38.2 About Users
A WebCenter Portal user has a login account for WebCenter Portal—provisioned directly from an existing identity store. See Adding Users to the Embedded LDAP Identity Store.
All users in the identity store are assigned minimal privileges in WebCenter Portal through the Authenticated-User
role. The only exception is the system administrator (weblogic
by default); out-of-the-box, the system administrator is the only user assigned full administrative privileges through the Administrator
role. For more information, read the next section Default Application Roles.
It is the system administrator's job to assign each user an appropriate application role. Alternatively, the system administrator may choose to assign the Administrator
role to another user and delegate this responsibility.
Table 38-1 Default User in WebCenter Portal
User | Description |
---|---|
System Administrator ( |
Administrator for the entire application server, sometimes referred to as the super administrator or Fusion Middleware administrator. This user can manage any application on the server, including WebCenter Portal. |
38.3 About Application Roles and Permissions
Application roles control the level of access a user has to information and services in WebCenter Portal. Application role assignment is the responsibility of the system administrator. Administrators can assign users a default application role or create additional, custom roles specific to their application deployment. Every application role has specific, defined capabilities known as permissions. These permissions allow users to perform specific actions in the Home portal.
This section includes:
38.3.1 About Application Roles
Application role assignment is the responsibility of the system administrator. Administrators can assign users a default application role or create additional, custom roles specific to their application deployment. For more details, see:
Application roles apply when users are working in the Home portal or on application-level tasks. A different set of roles and permissions apply when a user is working within a particular portal. It is the portal manager's responsibility to determine suitable role assignments for each of its members. See also Managing Application Roles and Permissions, and Administering Security in a Portal in Building Portals with Oracle WebCenter Portal.
Note:
Application roles and permissions defined within WebCenter Portal are stored in its policy store and, consequently, apply to this WebCenter Portal only. Enterprise roles are different; enterprise roles are stored within the application's identity store and do not imply any permissions within WebCenter Portal. See Application Roles and Enterprise Roles.
38.3.1.1 Default Application Roles
WebCenter Portal provides several default application roles (Table 38-2). You cannot delete the default application roles of Administrator
, Public-User
, and Authenticated-User
, but you can modify the default permission assignments for each role. For more information, see Modifying Application Role Permissions.
Table 38-2 Default Application Roles for WebCenter Portal
Application Role | Description | Modify? |
---|---|---|
Administrator |
Users with the Administrators can also manage users and roles for the WebCenter Portal, delegate or revoke privileges to/from other users, manage portals and portal templates, and also import and export portal as well as deploy and propagate portal. Out-of-the-box, the system administrator is the only user assigned full administrative privileges for the WebCenter Portal through the
Administrator role.
Note: TheAdministrator role allows administration permissions on a private portal (such as managing membership), but does not allow access to a private portal’s page contents.
|
Yes* *Except for Application permissions which are read-only |
AppConnectionManager |
Users with this role can manage (create, update, and delete) portlet producers and external applications through corresponding task flows. Initially, only users with the In order to manage membership of
AppConnectionManager role, use the following options:
Note: You cannot view |
No |
AppConnectionViewer |
Users with this role can view portlet producers and external applications through corresponding task flows. Initially, any user who is logged in (that is, has authenticated-role) is a member of the In order to manage membership of
Note: You cannot view |
No |
Application Specialist |
Users with the |
Yes |
Portal Creator |
Users with the Upon creating a portal, the |
Yes |
Authenticated-User |
Authenticated users of WebCenter Portal are granted the By default, the
The This role inherits permissions from the All custom application roles inherit permissions from the In the WebCenter Portal, the |
Yes |
Public-User |
Anyone with access to the WebCenter Portal who is not logged in, is granted the By default, the In the WebCenter Portal, the Caution: Take care when granting permissions to the If you do not want unauthenticated users to see WebCenter Portal content that is marked 'public', do not grant the |
Yes |
38.3.1.2 Custom Application Roles
Custom application roles (sometimes known as user-defined roles) are specific to your WebCenter Portal. When setting up WebCenter Portal, it is the WebCenter Portal administrator's job to identify which application roles are required, select suitable role names, and define the responsibilities of each role.
For example, an education environment might require roles such as Teacher, Student, and Guest. While roles such as Finance, Sales, Human Resources, and Support would be more appropriate for a corporate environment.
In WebCenter Portal, custom application roles inherit permissions from the Authenticated-User
role.
To learn how to set up application roles for WebCenter Portal users, see Defining Application Roles.
38.3.2 About Application Permissions
Every application role has specific, defined capabilities known as permissions. These permissions allow users to perform specific actions in the Home portal. Permissions are categorized are listed individually in the subsequent tables:
-
Table 38-3 lists the available application permissions in WebCenter Portal.
-
Table 38-4 lists the application roles and default permissions assigned to these roles in WebCenter Portal.
No permission, except for Manage All
, inherits privileges from other permissions.
38.3.2.1 Understanding Application Permissions
Table 38-3 lists the application-level permissions available in WebCenter Portal.
Table 38-3 Application Permissions
Category | Application Permissions |
---|---|
Portal Server |
Manage All - Enables access to all WebCenter Portal Administration pages: Settings, Portals, Shared Assets, Attributes, andPortal Templates. Through these pages, users can manage application security (users/roles), configure application-wide properties and services, manage resources, create business role pages, manage everyone's personal pages, customize system pages, view portals accessible to them, as well as export/import portals and portal templates. Some administrative tasks are exclusive to the out-of-the-box Manage Configuration - Same as the View - Enables users to view WebCenter Portal, and gives them access to the Home portal. See Table 38-2. Deploy - Enables users to deploy and propagate a portal. For more information, see Deploying Portals, Templates, Assets, and Extensions. |
Portals |
Manage Security and Configuration - Enables access to all portal administration pages (Overview, Settings, Attributes, Security, Tools and Services), except Assets. Through these pages users can manage portal membership, assign permissions and roles, manage, delete, and deploy and export portals and resources, set portal properties, and manage service availability.
Includes Manage Configuration - Same as the
Users with this permission must be allowed to view the portal. Manage Membership - Enables access to the Roles and Members pages in the portal administration settings. On these pages, users can create, edit, and delete members and roles for the portal. Create Portals - Enables users to create portals. See Managing Roles and Permissions for a Portal in Building Portals with Oracle WebCenter Portal. |
Portal Templates |
Manage All - Enables users to manage any portal template (through the Portal Templates page) and delete templates accessible to them. See Managing All Portal Templates in Building Portals with Oracle WebCenter Portal. Create Portal Templates - Enables users to create portal templates. |
Pages |
Create, Edit, and Delete Pages - Enables users to create, edit and delete pages in the Home portal. Delete Pages - Enables users to delete pages in the Home portal. Edit Pages -Enables users to add or edit personal page content, rearrange content, and set page parameters and properties. Customize Pages - Enables users to customize their view of pages in the Home portal by adding, editing, or removing content. View Pages - Enables users to view pages in the Home portal. Create Pages - Enables users to create a new personal page in the Home portal. Contribute Page Content - These permissions apply to pages in the Home portal. The permissions do not apply to pages that are created within a portal. Page permissions within a portal are granted by the portal manager. See Managing Roles and Permissions for a Portal in Building Portals with Oracle WebCenter Portal. |
Application Integration Visualization Templates |
Create, Edit, and Delete Visualization Templates - Enables users to create, edit and delete visualization templates through WebCenter Portal. Create Visualization Templates - Enables users to create visualization templates for the application. Edit Visualization Templates - Enables users to edit application-level visualization templates. See Working with Visualization Templates in Building Portals with Oracle WebCenter Portal. |
Content Presenter Templates |
Create, Edit, and Delete Content Presenter Templates - Enables users to upload, edit and delete content display templates through WebCenter Portal. Create Content Presenter Templates - Enables users to upload content display templates for the application. Edit Content Presenter Templates - Enables users to edit application-level content display templates. See Publishing Content Using Content Presenter in Building Portals with Oracle WebCenter Portal. |
Data Controls |
Create, Edit, and Delete Data Controls - Enables users to create, edit and delete data controls through WebCenter Portal. Create Data Controls - Enables users to create data controls for the application. Edit Data Controls - Enables users to edit application-level data controls. See Working with Web Service Data Controls in Building Portals with Oracle WebCenter Portal. |
Discussions |
Create, Edit, and Delete Discussions - Enables users to manage categories, forums, and topics on the back-end discussions server and set discussion forum properties for all portals. |
Links |
Create and Delete Links - Enables users to create and delete links between objects, and manage link permissions. Create Links - Enables users to create links between objects, and delete links that they create. Delete Links - Enables users to delete a link between two objects. |
Page Styles |
Create, Edit, and Delete Page Styles - Enables users to create, edit, and delete page styles through WebCenter Portal. Create Page Styles - Enables users to create page styles for the application. Edit Page Styles - Enables users to edit application-level page styles. See Working with Page Styles in Building Portals with Oracle WebCenter Portal. |
Page Templates |
Create, Edit, and Delete Page Templates - Enables users to create, edit, and delete page templates through WebCenter Portal. Create Page Templates - Enables users to create page templates for the application. Edit Page Templates - Enables users to edit application-level page templates. See Working with Page Templates in Building Portals with Oracle WebCenter Portal. |
People Connections |
Manage People Connections - Enables users to manage application-wide settings for People Connection services. Update People Connections Data - Enables users to edit content associated with People Connection services. Connect with People - Enables users to share content associated with People Connection services with others. |
Resource Catalogs |
Create, Edit, and Delete Resource Catalogs - Enables users to create, edit and delete resource catalogs through WebCenter Portal. Create Resource Catalogs - Enables users to create resource catalogs for the application. Edit Resource Catalogs - Enables users to edit application-level resource catalogs. See Working with Resource Catalogs in Building Portals with Oracle WebCenter Portal. |
Skins |
Create, Edit, and Delete Skins - Enables users to create, edit, and delete skins through WebCenter Portal. Create Skins - Enables users to create skins for the application. Edit Skins - Enables users to edit application-level skins. See Working with Skins in Building Portals with Oracle WebCenter Portal. |
Task Flow Styles |
Create, Edit, and Delete Task Flow Styles - Enables users to create, edit, and delete content display templates through WebCenter Portal. Create Task Flow Styles - Enables users to create content display templates for the application. Edit Task Flow Styles - Enables users to edit application-level content display templates. See Publishing Content Using Content Presenter in Building Portals with Oracle WebCenter Portal. |
Task Flows |
Create, Edit, and Delete Task Flows - Enables users to create, edit, and delete task flows based on a task flow style through WebCenter Portal. Create Task Flows - Enables users to create task flows for the application. Edit Task Flows - Enables users to edit application-level task flows. See Working with Task Flows in Building Portals with Oracle WebCenter Portal. |
38.3.2.2 Default Application Permissions Assignments to Application Roles
Table 38-4 shows the default permissions assigned to built-in application roles.
✔ - Shows an explicitly granted permission or action.
✙ - Shows an implied permission because of an explicitly granted permission.
Table 38-4 Default Application Roles and Permissions in WebCenter Portal
Permissions | Administrator | Application Specialist | Portal Creator | Public-User | Authenticated-User |
---|---|---|---|---|---|
Portal Server Manage All |
✔ |
||||
Manage Configuration |
✙ |
||||
View |
✙ |
✔ |
✔ |
✔ |
✔ |
Deploy |
✙ |
||||
Portals Manage Security and Configuration |
✔ |
✔ |
|||
Manage Configuration |
|||||
Manage Membership |
|||||
Create Portals |
✔ |
✔ |
✔ |
||
Portal Templates Manage All |
✔ |
✔ |
|||
Create Portal Templates |
✔ |
||||
Pages Create, Edit, and Delete Pages and Contribute Content |
✔ |
✔ |
|||
Delete Pages |
|||||
Edit Pages |
|||||
Customize Pages |
|||||
View Pages |
|||||
Create Pages |
✔ |
||||
Application Integration Visualization Manage Application Integration Visualization |
✔ |
||||
Content Presenter Templates Create Content Presenter Templates |
|||||
Create, Edit, and Delete Content Presenter Templates |
✔ |
✔ |
|||
Edit Content Presenter Templates |
|||||
Data Controls Create Data Controls |
|||||
Create, Edit, and Delete Data Controls |
✔ |
✔ |
|||
Edit Data Controls |
|||||
Discussions Create, Edit, and Delete Discussions |
✔ |
||||
Links Create Links |
|||||
Create and Delete Links |
✔ |
||||
Edit Links |
|||||
Page Styles Create Page Styles |
|||||
Create, Edit, and Delete Page Styles |
✔ |
✔ |
|||
Edit Page Styles |
|||||
Page Templates Create Page Templates |
|||||
Create, Edit, and Delete Page Templates |
✔ |
✔ |
|||
Edit Page Templates |
|||||
People Connections Manage People Connections |
✔ |
||||
Update People Connections Data |
✔ |
✔ |
|||
Connect with People |
✔ |
✔ |
|||
Resource Catalogs Create Resource Catalogs |
|||||
Create, Edit, and Delete Resource Catalogs |
✔ |
✔ |
|||
Edit Resource Catalogs |
|||||
Skins Create Skins |
|||||
Create, Edit, and Delete Skins |
✔ |
✔ |
|||
Edit Skins |
|||||
Task Flow Styles Create Task Flow Styles |
|||||
Create, Edit, and Delete Task Flow Styles |
✔ |
✔ |
|||
Edit Task Flow Styles |
|||||
Task Flow Styles Create Task Flows |
|||||
Create, Edit, and Delete Task Flows |
✔ |
✔ |
|||
Edit Task Flows |
38.3.2.3 Understanding Discussion Server Role Mapping
Some WebCenter Portal services that need access to remote (back-end) resources also require role-mapping based authorization, that is, the WebCenter Portal roles that allow users to work with the Discussions service in WebCenter Portal, must be mapped to corresponding roles on WebCenter Portal's discussions server.
WebCenter Portal uses application roles to manage user permissions in the Home portal and portal roles to manage user permissions within a particular portal. On WebCenter Portal's discussions server, a different set of roles and permissions apply.
Users who are working with discussions and announcements in WebCenter Portal automatically map to the appropriate discussions server role, shown in Table 38-5 and Table 38-6.
Table 38-5 Discussions Server Roles and Permissions - Application
Discussion Server Role | Discussion Server Permissions | WebCenter Portal Equivalent Application Permission |
---|---|---|
Administrator |
Category Admin |
Create, read, update and delete sub categories, forums, and topics inside the category for which permissions are granted. |
Table 38-6 Discussions Server Roles and Permissions - For a Portal
Discussion Server Role | Discussion Server Permissions | WebCenter Portal Equivalent Permissions in a Portal |
---|---|---|
Portal Manager |
Category Admin Forum Admin |
|
Portal Manager |
Create Message Create Announcement |
|
Portal Manager |
Read Forum Create Thread |
|
Portal Manager |
Read Forum |
|
Any user assigned the Application-Discussions-Create Edit Delete
permission in WebCenter Portal is automatically added to WebCenter Portal's discussions server and assigned the Administrator
role with the Category Admin
permission. Out-of-the box, WebCenter Portal assigns the Application-Discussions-Create Edit Delete
permission to the Administrator
role only.
Similarly, in a given portal, any member assigned discussion and announcement permissions is granted the corresponding permissions on the discussions server.
38.3.2.4 Understanding Enterprise Group Role Mapping
In WebCenter Portal you can assign individual users or multiple users in the same enterprise group to WebCenter Portal roles. Subsequent enterprise group updates in the back-end identity store are automatically reflected in WebCenter Portal. Initially, when you assign an enterprise group to a WebCenter Portal role, everyone in the enterprise group is granted that role. If someone moves out of the group, the role is revoked. If someone joins the group, they are granted the role
For WebCenter Portal to properly maintain enterprise group-to-role mappings, back-end servers, such as the discussions server and content server, must support enterprise groups too. WebCenter Portal's Discussion Server and WebCenter Content's Content Server versions provided with this release both support enterprise groups but previous versions may not. See also, Troubleshooting Issues with Users and Roles.
38.4 About Roles and Permissions Within a Portal
When a user becomes a member of a particular portal, a different set of roles and responsibilities apply. For more information, see Administering Security in a Portal in Building Portals with Oracle WebCenter Portal.
38.5 Managing Users
System administrators must ensure that all WebCenter Portal users have appropriate permissions. To get permissions, users must be assigned to an appropriate application role.
System administrators can manage application roles for all the users who have access to WebCenter Portal, that is, all users defined in the identity store. From the Users and Groups page, you can assign users and groups to roles, change user role assignments, and revoke roles.
To access the Users and Groups page, open WebCenter Portal Administration Settings and click Security. See Accessing the Settings Pages in WebCenter Portal Administration.
Only users granted special (non-default) application privileges appear in this table. Initially, all users in the WebCenter Portal identity store are assigned minimal privileges through the Authenticated-User
role. Users with the default Authenticated-User
role are not listed here. See also Default Application Roles.
Figure 38-3 WebCenter Portal Administration: Users and Groups Page
Description of "Figure 38-3 WebCenter Portal Administration: Users and Groups Page"
This section describes how to assign roles and contains the following subsections:
38.5.1 Adding and Removing Users
WebCenter Portal administrators cannot add new user data directly to the WebCenter Portal identity store or remove user credentials. Identity store management is the responsibility of the systems administrator and takes place through the WLS Administration Console or directly into embedded LDAP identity stores using LDAP commands. See also Adding Users to the Identity Store Using the WLS Administration Console.
WebCenter Portal administrators can, however, enable self-registration for the application. Through self-registration, public users can create their own login and password for WebCenter Portal. A user who self-registers is immediately and automatically granted access to WebCenter Portal and a new user account is created in the identity store. See also Enabling Self-Registration.
38.5.2 Assigning Users (and Groups) to Application Roles
Initially, all users in the WebCenter Portal identity store are assigned minimal privileges through the Authenticated-User
role. You can assign individual users (or multiple users in the same enterprise group) to a different application role through WebCenter Portal Administration.
Updates in your back-end identity store, such as new users or someone leaving an enterprise group, are automatically reflected in WebCenter Portal. Initially, when you assign an enterprise group to a WebCenter Portal role, everyone in the enterprise group is granted that role. If someone moves out of the group, the role is revoked. If someone joins the group, they are granted the role.
Note:
For WebCenter Portal to properly maintain enterprise group-to-role mappings, back-end servers, such as the discussions server and content server, must support enterprise groups too. When back-end servers do not support enterprise groups, the message "Group [name] not found in the Identity Store
" displays. See also Troubleshooting Issues with Users and Roles.
To assign a user (or a group of users) to a different application role:
-
On the Settings page (see Accessing the Settings Pages in WebCenter Portal Administration), click Security.
You can also enter the following URL in your browser to navigate directly to the Security page:
http://host:port/webcenter/portal/admin/settings/security
See Also:
WebCenter Portal Pretty URLs in Building Portals with Oracle WebCenter Portal.
-
Click Users and Groups (Figure 38-3).
This page lists users to whom additional roles are defined.
-
Choose User or Group from the drop-down list.
-
Select User to grant permissions to one or more users defined in the identity store.
-
Select Group to grant permissions to a group of users.
-
-
If you know the exact name of the user or group, enter the name in the text box, separating multiple names with commas.
If you are not sure of the name you can search your identity store:
-
Click the Find icon ().
The Find User (or Find Group) dialog box opens (Figure 38-4).
Figure 38-4 Finding Users and Groups in the Identity Store
Description of "Figure 38-4 Finding Users and Groups in the Identity Store" -
Enter a search term for a user or group, then click the Search icon.
For tips on searching for a user or group in the identity store, see Searching for a User or Group in the Identity Store in Building Portals with Oracle WebCenter Portal.
Users (or groups) matching your search criteria display in the Select User dialog box. For more details on which fields are searched, see Searching for a User or Group in the Identity Store in Building Portals with Oracle WebCenter Portal
Tips:
-
Use * as a wildcard, for example
*sales
. -
Leave the search field blank to list all users (or groups) in the identity store.
-
Enter a space between two search terms to search First Name and Last Name, for example
jo sm
, searches forjo
in First Name andsm
in Last Name.
-
-
Select one or more names from the list.
To assign roles to multiple users or groups, multi-select all the names required. Ctrl + click rows to select multiple names.
-
Click OK.
The names that you select appear on the User and Groups tab.
-
-
To assign a role, select a Role from the drop-down list.
Select an appropriate role for the selected users (or groups).
Note:
Choose Administrator only if you want to assign full, administrative privileges for WebCenter Portal.
-
If the role you want is not listed, create a new role that meets your requirements (see Defining Application Roles).
-
When no role is selected, the user assumes the
Authenticated-User
role. See Default Application Roles.
-
-
Click Grant Access.
User/user group names and new role assignment appear in the table.
Note:
Group names are clickable, enabling you to drill down to see user names of the current group members.
38.5.3 Assigning a User to a Different Application Role
From time to time, a user's role in WebCenter Portal may change. For example, a user may move out of sales into the finance department and in this instance, the user's role assignment may change from Sales to Finance. You can also assign a user to more than one role.
Note:
You cannot modify your own role or the system administrator's role.
To assign a user to a different role:
-
On the Settings page, click Security.
You can also enter the following URL in your browser to navigate directly to the Security page:
http://host:port/webcenter/portal/admin/settings/security
See Also:
WebCenter Portal Pretty URLs in Building Portals with Oracle WebCenter Portal.
-
Click Users and Groups .
-
In the Manage Existing Grants table, scroll down to the user whose role assignment you want to modify. Only users with non-default role assignments are listed in the table.
-
Click the Actions icon, then select Change Role from the drop-down list to open the Change Role dialog.
Figure 38-5 Changing a User's Application Role
Description of "Figure 38-5 Changing a User's Application Role" -
Select roles as follows:
-
Select Administrator only to assign full, administrative privileges for WebCenter Portal.
Administrators have the highest privilege level and can view and modify anything in WebCenter Portal so take care when assigning the
Administrator
role.Some administrative tasks are exclusive to the
Administrator
role, such as editing the login page, the self-registration page, and profile gallery pages.See also Default Application Roles.
-
Select one or more roles from the list. At least one role must be selected.
If the role you want is not listed, create a new role that meets your requirements (see Defining Application Roles).
-
-
Click OK.
38.5.4 Revoking Application Roles
It is easy to revoke application role assignments that no longer apply. You can revoke roles individually or revoke all application roles assigned to a particular user at once.
Revoking all of a user's application roles does not remove that user from the identity store and the user still has access to WebCenter Portal through the default Authenticated-User
role.
Note:
You cannot revoke your own role assignments or the system administrator's role. See About Application Roles.
To revoke application roles:
-
On the Settings page (see Accessing the Settings Pages in WebCenter Portal Administration), click Security.
You can also enter the following URL in your browser to navigate directly to the Security page:
http://host:port/webcenter/portal/admin/settings/security
See Also:
WebCenter Portal Pretty URLs in Building Portals with Oracle WebCenter Portal.
-
Click Users and Groups.
This page lists users to which additional roles are defined.
-
In the Manage Existing Grants table, scroll down to the user from whom you want to revoke roles.
-
Click the Actions icon:
-
Select Change Role, and deselect the application roles to revoke.
-
Select Delete Role Assignments to revoke all roles assigned to that user, and then click Delete to confirm.
Access for that user is revoked immediately.
-
When you delete all the roles assigned to a particular user, the user is no longer listed on the Users and Groups page. The user remains in the identity store and still has access to WebCenter Portal through the Authenticated-User
role.
38.6 Managing Application Roles and Permissions
WebCenter Portal uses application roles to manage permissions for users working in the Home portal. Administrators manage application roles and permissions on the Roles page (Figure 38-6). See Table 38-4 for more information about built-in application roles and permissions.
Figure 38-6 WebCenter Portal Administration: Roles Page
Description of "Figure 38-6 WebCenter Portal Administration: Roles Page"
This section explains how to manage application roles and their permissions in WebCenter Portal Administration. It contains the following subsections:
38.6.1 Viewing Application Roles and Permissions
On the Roles page, use the Roles drop-down to select an application role and view its associated permissions.
To view permissions associated with a role:
38.6.2 Defining Application Roles
Use roles to characterize groups of WebCenter Portal users to determine what they can see and do in the Home portal and control access to WebCenter Portal administration pages.
When defining application roles, use self-descriptive role names and try to keep the role policy as simple as possible. Choose as few roles as you can, while maintaining an effective policy.
Take care to assign appropriate access rights when assigning permissions for new roles. Do not allow users to perform more actions than are necessary for the role but at the same time, try not to inadvertently restrict them from activities they must perform. In some cases, users may fall into multiple roles.
To define a new application role:
38.6.3 Modifying Application Role Permissions
Administrators can modify the permissions associated with application roles at any time. Application permissions are described in About Application Permissions.
Application role permissions allow individuals to perform specific actions in the Home portal. No permission, except for Manage All
, inherits privileges from other permissions.
Note:
Application permissions cannot be modified for the Administrator
role. See also Default Application Roles.
To change the permissions assigned to a role:
The new permissions are effective immediately.
38.6.3.1 Granting Permissions to the Public-User
Anyone who is not logged in to WebCenter Portal assumes the Public-User
role. By default, the Public-User
role is granted minimal privileges, that is, only the Portal Server: View
permission.
Caution:
Take care when granting permissions to the Public-User
role. Avoid granting administrative permissions such as Portal Server: Manage All
, Portal Server: Manage Configuration
, or any permission that might be considered unnecessary. See also About Application Permissions.
Granting the Portal Server-View Permission
The Portal Server: View
permission allows unauthenticated users to see public WebCenter Portal pages, such as the Welcome page, and also content that individual users choose to make public.
When Portal Server: View
permission is granted to the Public-User
role:
-
Make sure that users understand that any personal page or personal content they choose to make public will become accessible to unauthenticated users outside of the WebCenter Portal community, that is, anyone with Web access.
-
Consider customizing the default Welcome page that displays to public users before they log in. See Customizing System Pages.
If you do not want unauthenticated users to see WebCenter Portal content that is marked 'public', do not grant the Portal Server: View
permission to the Public-User
role. When public access is disabled, public content cannot be seen by unauthenticated users. Also, the Welcome page for WebCenter Portal is not displayed; public users are directed straight to a login page. Administrators may customize the default login page, if required. See Customizing System Pages for All Portals.
Granting Other Permissions
Be careful when assigning permissions to the Public-User
role. For security reasons, Oracle recommends that you limit what anonymous users can see and do in WebCenter Portal.
38.6.3.2 Granting Permissions to the Authenticated-User
Authenticated-User
role. By default, the Authenticated-User
role is granted minimal privileges, through the following permissions:
-
Portal Server: View
-
Portals: Create Portals
-
Portal Templates: Create Portal Templates
-
Pages: Create Pages
-
People Connections: Update People Connections Data
-
People Connections: Connect with People
Other important notes:
-
The
Authenticated-User
role always inherits permissions from thePublic-User
role. -
All custom application roles inherit permissions from the
Authenticated-User
role.
38.6.3.3 Granting Permissions to the Portal Creator
The Portal Creator
role is given to a logged in user for specifically creating portals.
Out-of-the-box, this role has minimal privileges, through the following permissions: Portal Server: View
and Portals: Create Portals
. After creating a portal, the Portal Creator
role assumes the permissions inherent in the Portal Manager
role.
38.6.4 Deleting Application Roles
When an application role is no longer required, it is recommended that you remove it. This helps maintain a valid and manageable role list, and prevents inappropriate role assignments.
Application roles can be deleted even when users are still assigned to the them. As you cannot delete any default roles, WebCenter Portal users will always have the Authenticated-User
role.
Note:
The default application roles of Administrator
, Public-User
, and Authenticated-User
cannot be deleted (the Application Specialist
and Portal Creator
roles can be deleted). See Default Application Roles.
To delete an application role: