54 REST Authorization


REST authorization grants privileges to perform REST operations on application resources which map to objects in WebCenter Sites. REST authorization uses the "deny everything by default" model. If a privilege is not explicitly granted to a particular group, that privilege is denied. General administrators are responsible for authorizing users after the application is deployed and registered with the WEM Framework.

The following topics provide information about REST authorization:

Privilege Resolution Algorithm

When configuring a security privilege, you can specify that the privilege applies to all objects of a certain type or a single object of a certain type. For example, granting the privilege to UPDATE (POST) any site allows users in the group to modify the details of all sites in the WEM Framework. Granting the privilege to UPDATE (POST) the avisports site allows users in the group to modify avisports site details in WEM.

The Asset object type requires you to specify the site to which the security setting applies, because assets are always accessed from a particular site. You can refine the AssetType object type by specifying a subtype. For example, if you grant the DELETE privilege on the asset type Content_C, users in the group can issue a DELETE request on the REST resource /types/Content_C (that is, delete the Content_C asset type from the system).

Because you can grant privileges to groups only, the total privileges for a user are not obvious until they are computed across all of the groups to which the user belongs. The WEM Framework provides a privilege resolution algorithm. Its basic steps are listed below:

  1. REST finds the groups in which the user has membership.

  2. REST determines which groups can perform which REST operations on which REST resources. If site or subtype is specified, each is taken into account.

  3. REST compares the results of steps 1 and 2. If at least one group from step 1 is in the list of groups from step 2, then access is granted. Otherwise, access is denied.
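As an added illustration, not code from WebCenter Sites or the WEM Framework, the three resolution steps above modelled in Python: the Grant class, its field names and the group names are assumptions, and the constructed sample grants mirror the avisports and Content_C examples on this page.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed data model, not the WEM Framework's own classes: one Grant row per
# (group, operation, object type, optional object, site, subtype).
# None for object_id, site or subtype means "applies to all".
@dataclass(frozen=True)
class Grant:
    group: str
    operation: str                   # e.g. "POST" (update) or "DELETE"
    object_type: str                 # "Site", "Asset", "AssetType", ...
    object_id: Optional[str] = None  # None = every object of this type
    site: Optional[str] = None       # mandatory for Asset (see text above)
    subtype: Optional[str] = None    # optional refinement for AssetType

    def __post_init__(self):
        if self.object_type == "Asset" and self.site is None:
            raise ValueError("Asset privileges must name a site")

def groups_allowing(grants, operation, object_type, object_id, site=None, subtype=None):
    """Step 2: every group whose grants cover this operation on this resource."""
    allowed = set()
    for g in grants:
        if (g.operation, g.object_type) != (operation, object_type):
            continue
        # A wildcard (None) matches anything; a specific value must match exactly.
        if g.object_id not in (None, object_id) or g.site not in (None, site):
            continue
        if g.subtype not in (None, subtype):
            continue
        allowed.add(g.group)
    return allowed

def is_authorized(user_groups, grants, *args, **kwargs):
    """Steps 1 and 3: grant only if one of the user's groups is in step 2's set.
    With no matching grant the set is empty, so the request is denied by default."""
    return bool(set(user_groups) & groups_allowing(grants, *args, **kwargs))

# Constructed sample grants mirroring the examples in the text.
GRANTS = [
    Grant("SiteAdmins", "POST", "Site"),                      # update any site
    Grant("AviEditors", "POST", "Site", object_id="avisports"),
    Grant("AviEditors", "POST", "Asset", site="avisports"),   # any asset in avisports
    Grant("TypeManagers", "DELETE", "AssetType", object_id="Content_C"),
]
```

Because the default is deny, a user whose groups hold no matching grant (or who belongs to no group at all) gets an empty intersection in step 3 and the request fails.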