17.9 Securing Items

Oracle Portal provides two powerful features for securing items: item level security and approvals. Item level security enables you to shield an item from unprivileged users or to grant higher access privileges on an item than might otherwise be granted on the page or tab that contains the item. Approvals enable you to structure an approval process through which new and revised content must pass before it can be published to your portal.

This section describes item level security and approvals and provides pointers on how to use these features. Additionally, it provides a table that outlines item URL access rules for items in various states, such as Draft, Pending, Unpublished, and so on. It contains the following subsections:

Note:

To enable item level security, you must have at least the page or tab privilege Manage on the page or tab that contains the item.

17.9.1 Using Item Level Security

Item level security provides a means of:

  • Preventing unprivileged users from seeing an item

    For example, when item level security is enabled and a user has the page privilege View but no item privileges, the user can view the page but not its items.

  • Granting a higher level of privilege on the item than is granted on the page

    For example, if a user has the page privilege View on a page, but the item privilege Manage on an item on the page, the user can enter page edit mode and perform content management tasks on that specific item. Such a user cannot perform any other editing tasks on the page.

Item level security can be applied to items placed on pages, tabs, and pages that are based on a Portal Template. It cannot be applied successfully to items that are part of the template itself, even when item level security is turned on for the template and the user has privileges on the item.

The following sections further define item level security and describe how to enable it on a page or a tab. It includes the following subsections:

17.9.1.1 Understanding Item Level Security

By default, items inherit the access settings that apply to the page or tab that contains the item. Only users or groups who are authorized to access a given page or tab can access its items. When you enable item level security for a page or tab, items initially use the same security settings that are applied to the page or tab. But, using item level security capabilities, you can now grant a higher level of access on individual items.

When item level security is enabled, users with no privileges on the item cannot see the item.

The page privileges Manage and Manage Content override item level security privileges. This means that if you grant the item privilege View to a user who also has the page privilege Manage Content, the user can perform any action on the item, not just view it. However, item level security takes precedence over all other page-level privileges.

For example, if a user has the page privilege Manage Style on a page, and the item privilege Manage on an item, the user can delete the item from the page, and is not limited to merely changing the page's style.

Item level security can be enabled only on Standard pages and custom pages that are based on the Standard page type.

Note:

There is no relationship between item level security and item versioning. Item level security has to do with who can access an item, and item versioning has to do with how older versions of an item are handled as newer versions are uploaded. For more information on item versioning, see Section 14.12, "Using Item Version Control".

Changes to the access settings of a Portal Template affect all pages that are based on the template, unless the template specifically allows the pages that are based on it to use different access settings. The option to allow pages based on templates to define their own access is located on the Access tab of Portal Template properties.

17.9.1.2 Enabling Item Level Security on a Page

To enable item level security on a page:

  1. Log in to Oracle Portal.

  2. Click the Build tab to bring it forward.

  3. From the Page Group portlet's Work In drop-down list, select the page group that owns the page on which to enable item level security.

    In a typical installation, the Page Groups portlet is located on the Build tab of the Portal Builder.

  4. Under the Pages heading in the Layout & Appearance section, click the page on which to enable item level security.

    This opens the page in Edit mode.

  5. Click the Access link in the page toolbar.

  6. On the resulting page, go to the Access Properties section and select Enable Item Level Security.

  7. Click OK to return to the page.

This enables item creators to set access controls for individual items on the page. Item creators have the choice of inheriting access controls from the page or setting specific access controls for individual items.

17.9.1.3 Enabling Item Level Security on a Tab

To enable item level security on a tab:

  1. Log in to Oracle Portal.

  2. Click the Build tab to bring it forward.

  3. From the Page Group portlet's Work In drop-down list, select the page group that owns the tab on which to enable item level security.

    In a typical installation, the Page Groups portlet is located on the Build tab of the Portal Builder.

  4. Under the Pages heading in the Layout & Appearance section, click the page that contains the relevant tab.

    This opens the page in Edit mode.

  5. Go to the tab on which to enable item level security.

  6. Click the Edit Tab icon (Figure 17-5).

    Figure 17-5 The Edit Tab Icon

    Edit Tab icon

    Be sure to click the Edit Tab icon on the tab flap and not the one beside the tab.

  7. On the resulting page, click the Access tab to bring it forward.

  8. Go to the Access Settings section, and select Specify Access Settings.

  9. In the Access Properties section, select Enable Item Level Security.

This enables item creators and item owners to grant access privileges on individual items on the tab. Item creators have the choice of inheriting access controls from the tab or granting access privileges on each item on the tab.

17.9.1.4 Enabling Item Level Security on a Portal Template

To enable item level security on a Portal Template:

  1. Log in to Oracle Portal.

  2. Click the Build tab to bring it forward.

  3. From the Page Group portlet's Work In drop-down list, select the page group that owns the Portal Template on which to enable item level security.

    In a typical installation, the Page Groups portlet is located on the Build tab of the Portal Builder.

  4. Under the Portal Templates heading in the Layout & Appearance section, click the template on which to enable item level security.

    This opens the page in Edit mode.

  5. Click the Access link in the toolbar at the top of the template.

  6. On the resulting page, go to the Access Properties section and select Enable Item Level Security.

  7. Click OK to return to the page.

17.9.1.5 Changing Item Access

As a content contributor, you can decide whether to grant additional access to an item to selected users or groups. You can grant access on one item or on multiple items simultaneously. This section describes both actions. It includes the following subsections:

Note:

To grant access privileges on an item, you must have at least the item privilege Manage on the item.

17.9.1.5.1 Changing Access on One Item

To grant access privileges on one item:

  1. Log in to Oracle Portal.

  2. Click the Build tab to bring it forward.

  3. From the Page Group portlet's Work In drop-down list, select the page group that owns the page that contains the item on which to grant access privileges.

    In a typical installation, the Page Groups portlet is located on the Build tab of the Portal Builder.

  4. Under the Pages heading in the Layout & Appearance section, click the page that contains the item on which to grant access privileges.

    This opens the page in Edit mode.

  5. Locate the relevant item, and click the Actions icon beside the item (Figure 17-6).

    Figure 17-6 The Actions Icon

    Actions icon

    Note:

    For Page Link items, even if users have item level privileges on the item, they will not see the item if they do not have access to the target page.

  6. On the resulting page, click the Access link.

  7. In the Item Level Security section, select Define Item Level Access Privileges.

    Two additional sections display: Grant Access and Change Access. In some older browsers, such as Netscape 4.x, you may have to click Apply to make the additional sections display.

    Note:

    If you select Inherit Parent Page Access Privileges, the item has the same access privilege as was set for the parent page.

    If the item has multiple versions, the access setting is applied to all versions of the item, not just the one that you are editing.

  8. In the Grant Access section, enter the name of the user or group to whom to assign privileges.

    Click the Browse Users icon to display a list of existing users or the Browse Groups icon to display a list of existing groups.

    Note:

    Adding a group saves time when you want to grant the same access privilege to multiple users.

  9. From the privilege drop-down list, select an item level privilege to grant to the specified user or group.

    Note:

    For a list and description of item-level privileges, see Appendix B, "Page Group Object Privileges".

  10. Click Add.

    Grantees and their privilege levels display in the Change Access section. In this section, you can choose a different item-level privilege, or revoke item privileges from users or groups.

  11. Repeat steps 8 through 10 for each relevant user or group.

  12. When you are done, click OK.

    Note:

    Oracle Portal uses the Oracle Internet Directory for identity management. The Oracle Internet Directory serves as the repository for users and groups. In the Oracle Internet Directory, groups are uniquely identified by their distinguished name (DN). Each group has a unique DN, though many groups can share a common name, in the same way that two people can share a common name, yet have completely different lineage (such as John Smith and John Doe). When working within the portal, groups created from within that portal are displayed simply with their common names. However, when the portal references a group from some other location in the Oracle Internet Directory—such as a group from some other portal associated with the same Identity Management Infrastructure—the DN of the group is displayed to distinguish it from the portal's locally defined groups.

    Item level security cannot be disabled for items in the Portlet Repository page group.

If a user is a member of two different groups with different privileges on the same item, the user is not limited by the lesser privilege. For example, if one group has the item privilege Edit, and another group has the item privilege Manage, and you belong to both groups, you can both view and manage the item.

To revoke the user or group's access, click the Delete icon next to the Grantee Name under Change Access.
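The precedence rules from Section 17.9.1.1 (page Manage and Manage Content override item grants; otherwise explicit item grants win over page-level privileges) and the group-union rule above can be expressed as a small access-decision function. The following is an added model written for this section, not Oracle Portal code; the capability sets attached to each privilege name and the treatment of users with no page privilege at all are assumptions made to keep the model executable.

```python
# Added model of the item level security rules in this section (not Oracle
# Portal code). Capability sets per privilege are assumed; Appendix B holds the
# real definitions. The assumed ordering is View < Edit < Manage.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set

ITEM_CAPS: Dict[str, FrozenSet[str]] = {
    "View": frozenset({"view"}),
    "Edit": frozenset({"view", "edit"}),
    "Manage": frozenset({"view", "edit", "delete", "grant_access"}),
}

# Page privileges that override item level security (Section 17.9.1.1).
OVERRIDING_PAGE_PRIVS = {"Manage", "Manage Content"}


@dataclass
class Page:
    ils_enabled: bool            # Enable Item Level Security selected on the page
    grants: Dict[str, str]       # grantee (user or group name) -> page privilege


@dataclass
class Item:
    inherits_page_access: bool = True   # Inherit Parent Page Access Privileges
    grants: Dict[str, str] = field(default_factory=dict)  # grantee -> item privilege


def effective_item_caps(principals: Set[str], page: Page, item: Item) -> FrozenSet[str]:
    """Actions `principals` (a user name plus every group it belongs to) may
    perform on `item`. Grants from several groups are unioned, never narrowed."""
    page_privs = {page.grants[p] for p in principals if p in page.grants}
    if not page_privs:
        # Assumption: a user who cannot see the page gets nothing on its items.
        return frozenset()
    # Page Manage / Manage Content override item level security outright.
    if page_privs & OVERRIDING_PAGE_PRIVS:
        return ITEM_CAPS["Manage"]
    # Without item level security, or when the item inherits page access, the
    # item simply follows the page: anyone who can see the page can see it.
    if not page.ils_enabled or item.inherits_page_access:
        return frozenset({"view"})
    # Item level security in force: only explicit item grants count, unioned
    # across the user and all of its groups.
    caps: Set[str] = set()
    for p in principals:
        priv = item.grants.get(p)
        if priv:
            caps |= ITEM_CAPS[priv]
    return frozenset(caps)


if __name__ == "__main__":
    # Constructed sample: page viewer "alice" in groups "editors" and "managers".
    page = Page(ils_enabled=True, grants={"editors": "View"})
    item = Item(inherits_page_access=False,
                grants={"editors": "Edit", "managers": "Manage"})
    print(sorted(effective_item_caps({"alice", "editors", "managers"}, page, item)))
```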

17.9.1.5.2 Changing Access on Multiple Items Simultaneously

Use the Actions list in List view of page Edit mode to change access settings on multiple items simultaneously. For these actions to be taken, item level security must first be enabled on the page, tab, or template where you will perform the action. For more information, see Section 17.9.1, "Using Item Level Security".

To change access settings on multiple items simultaneously:

  1. Log in to Oracle Portal.

  2. Click the Build tab to bring it forward.

  3. From the Page Group portlet's Work In drop-down list, select the page group that owns the page that contains the items on which to change access privileges.

    In a typical installation, the Page Groups portlet is located on the Build tab of the Portal Builder.

  4. Under the Pages heading in the Layout & Appearance section, click the page that contains the items on which to change access privileges.

    This opens the page in Edit mode.

  5. Click the List link in the toolbar at the top of the page.

    This displays the page in List view of page Edit mode.

  6. Select the check boxes next to the items to be changed.

  7. From the Actions drop-down list, select one of the following options, and click Go:

    • Modify Item Access Settings

      Select this option to modify the access settings of the checked items. Once you click Go, the Bulk Action: Modify Item Access Settings screen displays:

      • Use the Item Selections section to identify the items on which to modify item access settings.

        Select Specified Item Level Access, to act on items that have individually defined access settings. Click the Revoke All link to revoke all access privileges currently applied to these items.

        Select Items Inheriting From Parent Page, to act on items that inherit their access settings from the page on which they are placed.

      • Under Grant Access, assign privileges to the selected items as desired. For more information, see steps 8 through 12 of Section 17.9.1.5.1, "Changing Access on One Item".

      • Click Close when finished.

    • Do not Inherit Item Access Settings

      Select this option to specify that the selected items do not inherit their access settings from the page or tab on which they are placed. Click Go, then click OK in the resulting confirmation dialog.

    • Inherit Item Access Settings from Parent

      Select this option to specify that the selected items inherit their access settings from the page or tab on which they are placed. Click Go, then click OK in the resulting confirmation dialog.

17.9.2 Using Approvals to Pre-Screen Items

Approvals enable you to delegate the addition and revision of portal content without relinquishing control over what is actually displayed to your users. Approval-related features of particular interest are:

  • A defined approval process

  • The page privilege Manage Items With Approval (or the global privilege of the same name on the object type All Pages)

  • Item drafts

This section describes these features and points you to relevant information in other chapters in this guide.

For any of these features to be meaningful, you must first enable Approvals and Notifications on the Configure tab of page group properties (see Section 5.4.2, "Enabling Approvals and Notifications for a Page Group"). Once approvals are enabled, you can define an approval process, grant the page privilege Manage Items With Approval, and enable item drafts for a page group or (if allowed) a page.

Approval processes can reduce the costs of a paper-driven office in which hard-copy documents requiring approvals, such as expense reports and travel requests, create bottlenecks for your workers. When you define approval processes, you allow the appropriate people in your organization to receive notification of pending items requiring approval, to review the items, and to approve or reject the items, all from your company's portal.

By default, approval processes are defined at the page group level. If the page group is configured to allow pages to have their own approval processes, approval processes can be defined as well at the page level. Both page groups and pages provide a place to define an approval process on the Approval tab of their properties pages. For more information, see Chapter 20, "Setting Up an Approval Chain".

When a user with the page privilege Manage Items With Approval uploads or revises content, the content is submitted to a defined approval process where it can be reviewed and passed for publication or rejected. Keep in mind, however, if you have users with the page privilege Manage Items with Approval, and no approval process is defined, this privilege is equivalent to the page privilege Manage Content in relation to items. In other words, such users are able to publish items that have not been through an approval process. For information on granting privileges on pages, see Section 17.5.2, "Granting Privileges on a Page". For additional information on approvals, see Chapter 20, "Setting Up an Approval Chain".

You can also configure a page group to support item drafts. When the draft feature is enabled, content developers can upload items to the portal without exposing them until the content developers are ready to submit the items for approval. This is because draft items do not display to most users when a page is viewed. (To find out which users can view items in what state, see Section 17.9.3, "Item URL Security".) When the page is in Edit mode, users can see draft items in Pending Items Preview or List view, where such items are clearly labeled as drafts.

Content developers can upload draft content, placing it where they want it to display on the page, but preventing it from general display until they change its draft status. When the draft is finalized, the contributor can change its status, either to Active or to Pending, depending on whether an approval process is in place and the contributor is required to submit items for approval. Keep in mind that, once enabled, the Draft option cannot be disabled until all draft items are switched to active status or submitted for approval.

The option to enable drafts is located on the Approval tab of page or page group properties. Approvals must be enabled for the draft feature to be enabled, although drafts do not necessarily require approval. Approvals can be enabled without there being a defined approval process. This makes it possible to enable drafts for everyone without ultimately requiring that their finalized content be approved. For information on enabling item drafts, see Chapter 20, "Setting Up an Approval Chain".

17.9.3 Item URL Security

Table 17-2 outlines the access rules that apply to URLs for items in various states, such as Draft, Pending, Unpublished, and so on. Additionally, it discusses these states under three scenarios:

  • Access through the portal

  • Access through WebDAV

  • Access through a search

Note:

In addition to an item's status, and the avenue through which the item is accessed, caching options can affect item access. For more information, see Chapter 21, "Improving Page Performance".

In the table, content manager means anyone who holds an appropriate manage privilege when item level security is enabled. That privilege can be any of the following:

  • The global privilege Manage All on the object type All Page Groups

  • The global privilege Manage on the object type All Pages

  • The global privilege Manage Content on the object type All Pages

  • The global privilege Manage Items With Approval on the object type All Pages

  • The page privilege Manage

  • The page privilege Manage Content

  • The page privilege Manage Items With Approval

  • The item privilege Manage

Table 17-2 Item URL Security

DRAFT

  • Access Through Portal: Content managers and the draft creator can access/view the item.

  • Access Through WebDAV: Users with the page or global privilege Manage Items With Approval can see the item and work on it. Users with the item privilege Manage can see the item with a size of 0 KB; such users cannot update or view the item. Users with the item privilege View do not see the item.

  • Access Through Search: Draft items are not returned for any user, not even the Manage Items With Approval user who added the item in Draft mode.

PENDING

  • Access Through Portal: Content managers, the item creator/updater, and approvers can access/view the item.

  • Access Through WebDAV: Users with the item privilege Manage can see the pending item with a size of 0 KB. The user who submitted the item can see it with the actual size. Users with the item privilege View can see the pending item with a size of 0 KB; this is to enable a view of the reserved name space.

  • Access Through Search: Pending items are not returned for any user.

UNPUBLISHED

  • Access Through Portal: Content managers and users with the page or global privilege Manage Items With Approval can access/view the item. If the item uses Item Level Security, users who have the item privilege Manage on the item can access/view the item.

  • Access Through WebDAV: The item is not visible to users with the item privilege View. Content managers see the item if the option Display Unpublished, Expired, and Deleted Items In Edit Mode is selected in page group properties.

  • Access Through Search: Unpublished items are not returned for any user.

NONCURRENT VERSION

  • Access Through Portal: If the item is Active, anyone with privilege to see the page can see the item. If the page is Public, all users can access/view the item through the draft URL. If the item uses Item Level Security, users who have the item privilege Manage on the item can access/view the item. If the item is Expired or Deleted, only the content manager can access/view the noncurrent version.

  • Access Through WebDAV: The current version is always displayed.

  • Access Through Search: The current version is always returned.

HIDDEN

  • Access Through Portal: The item is accessible through the item URL by anyone with sufficient privilege to see the page. If the item uses Item Level Security, users who have the item privilege View on the item can access/view the item. If the page is Public, anyone can view the item content.

  • Access Through WebDAV: The item is not visible to users with the item privilege View. The item is visible to users with the page or global privilege Manage or Manage Items With Approval.

  • Access Through Search: Hidden items are not returned for any user.

EXPIRED

  • Access Through Portal: Content managers can access/view the expired item. If the item uses Item Level Security, users who have the item privilege Manage on the item can access/view the item.

  • Access Through WebDAV: The item is not visible to users with the item privilege View. Content managers see the item if the option Display Unpublished, Expired, and Deleted Items In Edit Mode is selected in page group properties.

  • Access Through Search: Expired items are not returned for any user.

DELETED

  • Access Through Portal: Content managers can access/view the deleted item. If the item uses Item Level Security, users who have the item privilege Manage on the item can access/view the item.

  • Access Through WebDAV: The item is not visible to users with the item privilege View. Content managers can see the item if the option Display Unpublished, Expired, and Deleted Items In Edit Mode is selected in page group properties.

  • Access Through Search: Deleted items are not returned for any user.