29 Managing Roles and Permissions for a Portal
This chapter describes the out-of-the-box WebCenter Portal roles for working with portals, and how to establish security on a portal by modifying permissions on these roles, or creating and managing custom roles.
This chapter includes the following topics:
Permissions:
To perform the tasks in this chapter, you need the portal-level permissionManage Membership. Users with this permission can manage portal members and their role assignments. A portal moderator has this permission by default.
For more information about permissions, see Section 29.1, "About Roles and Permissions for a Portal."
29.1 About Roles and Permissions for a Portal
Out-of-the-box, WebCenter Portal includes default roles and permissions:
-
Application-level roles are
Administrator,Application Specialist,Authenticated-User, andPublic-User. These roles are managed by the system administrator, as discussed in "About Application Roles and Permissions" in Administering Oracle WebCenter Portal. -
Portal-level roles are
Moderator,Viewer, andParticipant. These roles are managed by the portal moderator, and are discussed in this chapter.A portal moderator can modify the permissions of the default portal-level roles, create new custom roles to control what members can do in the portal, manage permission assignments for existing roles, and delete roles that are no longer required. Additionally, a portal moderator can grant the
Authenticated-User(assigned to any user logged into WebCenter Portal) andPublic-Userroles permissions in the portal.
29.1.1 Understanding the Default Roles for a Portal
Table 29-1 describes the default roles in a portal.
Note:
These default roles are always available for portals based on out-of-the-box portal templates. Portals based on user-defined templates may offer a different set of default roles. The default (or standard) permissions assigned to the default roles are shown in Table 29-2.Table 29-1 Default Roles for Portals
| Portal Role | Description | Modify Permissions | Delete Role |
|---|---|---|---|
|
|
The The portal moderator or anyone with the portal |
Yes (except for |
No |
|
|
The |
Yes |
Yes |
|
|
The |
Yes |
Yes |
|
|
The To grant access to a portal, additional permissions must be granted by the portal moderator or anyone with portal |
Yes |
No |
|
|
Any user with access to WebCenter Portal who is not logged in assumes the |
Yes |
No |
29.1.2 Understanding Permissions and Permission Models in a Portal
Members can perform actions within a portal as specified by the permissions assigned to their role.
When assigning permissions to roles, moderators can choose to assign standard permissions, or switch to advanced permissions:
-
Standard permissions:
-
Administration permissions allow a moderator to assign the
Manage Security and Configuration,Manage Configuration, orManage Membershippermission to a selected role. -
Basic Services permissions collectively control access to pages, lists, events, links and notes. With additional permissions granted on specific tools or services (such as Announcements, Discussions, or Documents in standard permissions), or others through advanced permissions (see Table 29-3), also create, edit, and delete associated task flows and portlets on a page in the portal. For example, working with documents in a portal requires Documents permissions.
-
Announcements, Discussions, and Documents permissions allow a moderator to control access to announcements, discussions, and documents in the portal when these tools are enabled (see Section 39.2, "Enabling and Disabling Tools and Services Available to a Portal").
-
Assets permissions collectively control access to all assets, including page templates, navigations, skins, resource catalogs, and so on.
See Table 29-2 for detailed information about standard permissions.
-
-
Advanced permissions:
Advanced Permissions provide a more granular set of permissions by replacing the collective set of Basic Services permissions with individual tools, services, and assets permissions.
-
Administration permissions allow a moderator to assign the
Manage Security and Configuration,Manage Configuration, orManage Membershippermission to a selected role. -
Separate categories allow a moderator to control the levels of access (for example, have full access by granting
Create, Edit, and Deletepermissions or some access by granting one or more of the following permissions:Create,Edit,Delete, orView) to the individual tools, services, and assets listed in Table 29-3.
While advanced permissions give you more flexibility over role assignments, they can become complex to manage and maintain.
See Table 29-3 for detailed information about advanced permissions.
-
It is the portal template that determines the default permission model for a portal. Portals that are based on out-of-the-box portal templates adopt the standard permissions by default, but moderators can switch to advanced permissions if required. However, if you switch to using advanced permissions for a portal, you cannot revert to standard permissions. For more information, see Section 29.4, "Using Advanced Permissions."
Note:
Permissions do not inherit the privileges of "lesser" permissions. Therefore, be careful to assign the appropriate set of permissions to allow users to perform required actions. For example, whenever you assign theCreate permission, select the View permission too.Table 29-2 lists the permission categories and permissions that are available with standard permissions.
Table 29-2 Portal Permissions - Standard Permissions
| Permission Category | Permissions | Roles Granted Permission By Default |
|---|---|---|
|
Administration |
Manage Security and Configuration - Enable access to all portal Administration pages, except Pages and Assets.
Includes |
Moderator |
|
Manage Configuration - Same as the
Users with this permission must be allowed to view the portal. |
||
|
Manage Membership - Enables access to the Roles and Members pages in the portal administration settings. On these pages, users can create, edit, and delete members and roles for the portal. |
||
|
Basic Services (Lists, Events, Links, and Notes) |
Edit Page Access, Structure, and Content - Manage page access and edit page properties. Create, edit, and delete pages in the portal. Creating and deleting pages also requires This permission includes delegated administration to override the page security and grant other users permissions to create subpages, edit the page, and so on, overriding any permission limits of user roles. Create, edit, and delete list data, events, links, and notes. Specifically, users with this permission can perform the following operations on a portal page:
With permissions on specific tools or services, also create, edit, and delete associated task flows and portlets. For example, working with documents in a portal requires |
Moderator |
|
Edit Page Access and Structure - Manage page access and edit properties of pages in the portal. With permissions on specific tools or services (Table 29-3), also create, edit, and delete associated task flows and portlets. Create, edit, and delete list data, events, links, and notes. |
Moderator |
|
|
Customize Pages and Edit Content - Customize personal view of pages in the portal. Add and remove list data, events, links, and notes. |
Moderator Participant |
|
|
View Pages and Content - View pages, lists, events, and notes. With permissions on specific tools or services (Table 29-3), view associated task flows and portlets. |
Moderator Participant Viewer Public-User (in public portals) |
|
|
Announcements (available when the Announcements tool is enabled) |
Create, Edit, and Delete Announcements - Perform any operation on announcements associated with the portal. |
Moderator |
|
Create and Edit Announcements - Create announcements. Edit and delete announcements that you create. Users with this permission must be allowed to view announcements. |
|
|
|
View Announcements - View announcements in the portal. |
|
|
|
Assets |
Create, Edit, and Delete Assets - Create, edit, and delete assets owned by the portal, such as page templates, navigations, resource catalogs, skins, page styles, Content Presenter templates, task flow styles, task flows, and data controls. |
Moderator |
|
Create Assets - Create new assets for the portal. |
|
|
|
Edit Assets - Edit assets owned by the portal. Required to create and delete pages, as adding and deleting pages changes the portal navigation, which is a portal asset. |
||
|
Discussions (available when the Discussions tool is enabled) |
Create, Edit, and Delete Discussions - Perform any operation on discussions associated with the portal; create topics and replies. Edit and delete any topic or reply. |
Moderator |
|
Create and Edit Discussions - Create topics and replies. Edit topics and replies that you create. Users with this permission must be allowed to view discussions. |
|
|
|
Reply To Discussions - Reply to existing topics and edit replies that you create. Users with this permission must be allowed to view discussions. |
|
|
|
View Discussions - View discussions. |
|
|
|
Documents (available when the Documents tool is enabled) See also Section 34.6.1, "Document Permissions Not Working in a Portal" |
Administration - Configure document workflows and access control settings. For more information, see Chapter 34, "Working with Document Task Flows and Document Components." |
Moderator |
|
Delete Documents - Delete any folder and any file in the portal. Users with this permission can also move folder and files.Users with this permission must be allowed to create and view folders and files. |
Moderator |
|
|
Create and Edit Documents - Create files and folders, and upload files. Edit and delete files and folders that you create, if Content Server configuration has Users with this permission must be allowed to view folders and files. |
Moderator |
|
|
View Documents - Browse files, folders, wikis, and blogs. Note: In a subportal, when you grant the |
Moderator |
Table 29-3 lists the permission categories and permissions that are available with advanced permissions.
Table 29-3 Portal Permissions - Advanced Permissions
| Permission Category | Permissions | Roles Granted Permission By Default |
|---|---|---|
|
Administration |
Manage Security and Configuration - Enable access to all portal Administration pages, except Pages and Assets.
Includes |
Moderator |
|
Manage Configuration - Same as the
Users with this permission must be allowed to view the portal. |
|
|
|
Manage Membership -Enables access to the Roles and Members pages in the portal administration settings. Through these pages, users can create, edit and delete members and roles for the portal. |
|
|
|
Pages |
Create, Edit, and Delete Pages - Create, edit, and delete pages in the portal. Creating and deleting pages also requires |
Moderator |
|
Create Pages - With |
||
|
Edit Pages - Edit page properties and content for any page in the portal. |
Moderator |
|
|
Delete Pages - With |
||
|
Customize Pages - Customize personal view of pages in the portal. Add and remove list content, events, links, and notes. |
Moderator Participant |
|
|
View Pages - View pages, lists, events, and notes. With permissions on specific tools or services, view associated task flows and portlets. |
Moderator Participant Viewer Public-User (in public portals) |
|
|
Announcements (available when the Announcements tool is enabled) |
Create, Edit, and Delete Announcements - Perform any operation on announcements associated with the portal. |
Moderator |
|
Create and Edit Announcements - Create announcements. Edit and delete announcements that you create. Users with this permission must be allowed to view announcements. |
|
|
|
View Announcements - View announcements. |
|
|
|
Content Presenter Templates |
Create, Edit, and Delete Content Presenter Templates - Create, edit and delete Content Presenter display templates for the portal. |
|
|
Create Content Presenter Templates - Create Content Presenter display templates for the portal. |
||
|
Edit Content Presenter Templates - Edit portal-level Content Presenter display templates. For more information, see Chapter 28, "Working with Content Presenter Templates." |
||
|
Data Controls |
Create, Edit, and Delete Data Controls - Create, edit and delete data controls for the portal. |
|
|
Create Data Controls - Create data controls for the portal. |
||
|
Edit Data Controls - Edit portal-level data controls. For more information, see Section 27.2, "Working with Data Controls." |
||
|
Discussions (available when the Discussions tool is enabled) |
Create, Edit, and Delete Discussions - Perform any operation on discussions associated with the portal; create topics and replies. Edit and delete any topic or reply. |
Moderator |
|
Create and Edit Discussions - Create topics and replies. Edit topics and replies that you create. Users with this permission must be allowed to view discussions. |
|
|
|
Reply To Discussions - Reply to existing topics and edit replies that you create. Users with this permission must be allowed to view discussions. |
|
|
|
View Discussions - View discussions. |
|
|
|
Documents (available when the Documents tool is enabled) See also Section 34.6.1, "Document Permissions Not Working in a Portal" |
Administration - Configure document workflows and access control settings. For more information, see Chapter 34, "Working with Document Task Flows and Document Components." |
Moderator |
|
Delete Documents - Delete any folder and any file in the portal. Users with this permission can also move folder and files.Users with this permission must be allowed to create and view folders and files. |
Moderator |
|
|
Create and Edit Documents - Create files and folders, and upload files. Edit and delete files and folders that you create, if Content Server configuration has Users with this permission must be allowed to view folders and files. |
Moderator |
|
|
View Documents - Browse files, folders, wikis, and blogs. Note: In a subportal, when you grant the |
Moderator |
|
|
Events (available when the Events tool is enabled) |
Create, Edit, and Delete Events - Create, edit and delete events for the portal. Create Events - Create events. Edit Events - Edit any event. Delete Events - Delete any event. |
|
|
View Events - View events. |
Moderator Participant Viewer Public-User (in public portals) |
|
|
Links |
Create and Delete Links - Create and delete links between objects, and manage link permissions. Create Links - Create links between objects. Delete Links - Delete a link between two objects. |
|
|
Lists (available when the Lists tool is enabled) |
Create, Edit, and Delete Lists - Create, edit, and delete lists and list data. Create Lists - Create lists. Edit Lists - Edit list column definitions. Delete Lists - Delete any list. Edit List Data - Add, edit, and delete list data. |
|
|
View Lists - View lists and list data. |
Moderator Participant Viewer Public-User (in public portals) |
|
|
Task Flow Styles |
Create, Edit, and Delete Task Flow Styles - Create, edit and delete task flow styles for the portal. Create Task Flow Styles - Create task flow styles for the portal. Edit Task Flow Styles - Edit portal-level task flow styles. For more information, see Section 27.4, "Working with Task Flow Styles." |
|
|
Navigations |
Create, Edit, and Delete Navigations - Create, edit and delete navigations for the portal. |
|
|
Create Navigations - Create navigations for the portal. |
||
|
Edit Navigations - Edit portal-level navigations. Required to create and delete pages, as adding and deleting pages changes the portal navigation. For more information, see Chapter 22, "Working with Navigation Models." |
Moderator |
|
|
Notes |
Create, Edit, and Delete Notes - Create, edit and delete notes for the portal. Create Notes - Create notes for the portal. Edit Notes - Edit portal-level notes. Delete Notes - Delete notes in the portal. |
|
|
View Notes - View notes in the portal. For more information, see Chapter 51, "Adding Personal Notes to a Portal." |
Moderator Participant Viewer Public-User (in public portals) |
|
|
Page Styles |
Create, Edit, and Delete Page Styles - Create, edit and delete page styles for the portal. Create Page Styles - Create page styles for the portal. Edit Page Styles - Edit portal-level page styles. For more information, see Chapter 25, "Working with Page Styles." |
|
|
Page Templates |
Create, Edit, and Delete Page Templates - Create, edit and delete page templates for the portal. Create Page Templates - Create page templates for the portal. Edit Page Templates - Edit portal-level page templates. For more information, see Chapter 21, "Working with Page Templates." |
|
|
Resource Catalogs |
Create, Edit, and Delete Resource Catalogs - Create, edit and delete resource catalogs for the portal. Create Resource Catalogs - Create resource catalogs for the portal. Edit Resource Catalogs - Edit portal-level resource catalogs. For more information, see Chapter 23, "Working with Resource Catalogs." |
|
|
Skins |
Create, Edit, and Delete Skins - Create, edit and delete skins for the portal. Create Skins - Create skins for the portal. Edit Skins - Edit portal-level skins. For more information, see Chapter 24, "Working with Skins." |
|
|
Task Flows |
Create, Edit, and Delete Task Flows - Create, edit and delete task flows based on a task flow style for the portal. Create Task Flows - Create task flows for the portal. Edit Task Flows - Edit portal-level task flows. For more information, see Section 27.3, "Working with Task Flows." |
29.1.3 Understanding Custom Roles in Portals
If the default roles do not meet the requirements of your portal, moderators can define custom roles that better suit portal members. See Section 29.2, "Defining Custom Roles for a Portal."
Alternatively, moderators can modify the permissions assigned to the default roles. See Section 29.3, "Viewing and Editing Permissions of a Portal Role."
29.2 Defining Custom Roles for a Portal
If the default roles provided by WebCenter Portal do not meet the needs of the portal, you can define custom roles to better suit the requirements of your members.
To create a new role for a portal:
-
In the portal administration (see Section 7.1, "Accessing Portal Administration"), click Security in the left navigation pane, then click the Roles subtab (Figure 29-1).
Tip:
You can also navigate to this page using the direct URL provided in Section A.7, "Pretty URLs for Pages in a Specified Portal."Figure 29-1 Portal Administration: Roles Page
Description of ''Figure 29-1 Portal Administration: Roles Page''
-
To define a new role for this portal, click Create Role.
The Create Role dialog opens (Figure 29-2).
Figure 29-2 Creating a New Role for a Portal
Description of ''Figure 29-2 Creating a New Role for a Portal''
-
Enter a suitable Role Name. Names can contain alphanumeric characters, blank spaces, @, and underscores. Ensure that role names are self-descriptive to make it as obvious as possible which member should belong to which roles.
-
Enter a Description for the role.
-
Optionally, select a Role Template.
The new role inherits permissions from the role template. You can modify these permissions in the next step. If you do not select a role template, the new role is created with no permissions.
-
Choose Moderator to create a role that inherits full administrative privileges for the portal.
-
Choose Viewer (if available) to create a role starting with minimal, view-only privileges.
-
Choose Public-User or Authenticated-User to create a role that inherits permissions inherent in these two roles. The authenticated user role inherits all permissions of the public user role in a portal.
Note:
-
The
Moderatorrole permissionManage Security and Configurationcannot be modified. Use caution in assigning this role to members because it contains full administrative privileges in the portal. -
The permissions inherent in the two seeded role templates allow users to view portal content. You can subsequently edit permissions for the user roles, as described in Section 29.3, "Viewing and Editing Permissions of a Portal Role."
-
-
Click OK.
The new role appears as a column in the table on the Roles page.
-
To modify permissions for the role, click Edit Permissions, and then select or deselect each permission check box. For details, see Section 29.3, "Viewing and Editing Permissions of a Portal Role".
Take care to assign appropriate access rights when assigning permissions for new roles. Do not allow users to perform more actions than are necessary for the role but at the same time, try not to restrict them from activities they must perform.
29.3 Viewing and Editing Permissions of a Portal Role
If the permissions assigned to a user role do not meet the needs of the portal, or you want to change previously assigned permissions, you can modify the permissions to better suit your role requirements.
Note:
TheModerator role permission Manage Security and Configuration cannot be modified.To change the permissions assigned to a role:
-
In the portal administration (see Section 7.1, "Accessing Portal Administration"), click Security in the left navigation pane, then click the Roles subtab (Figure 29-3).
Tip:
You can also navigate to this page using the direct URL provided in Section A.7, "Pretty URLs for Pages in a Specified Portal."Figure 29-3 Portal Administration: Roles Page
Description of ''Figure 29-3 Portal Administration: Roles Page''
-
Select the role you want to change, then click Edit Permissions to open the Edit Permissions dialog for the selected role.
-
In the Edit Permissions dialog, select or deselect the check boxes to enable or disable permissions for a role (Figure 29-4). See Table 29-2, "Portal Permissions - Standard Permissions" for more information.
For more granular settings, see Section 29.4, "Using Advanced Permissions."
Note:
Take care to assign appropriate access rights when assigning permissions for new roles. Do not allow users to perform more actions than are necessary for the role but at the same time, try not to inadvertently restrict them from activities they need to perform.Figure 29-4 Modifying Permissions for a Portal (Standard Permissions)
Description of ''Figure 29-4 Modifying Permissions for a Portal (Standard Permissions)''
-
Click Save.
New permissions are effective immediately.
Note:
For information about granting access to individual pages in a portal, refer to Section 13.15, "Setting Page Security."29.4 Using Advanced Permissions
Advanced permissions are detailed permissions that give you more flexibility over role assignments, but can become complex to manage and maintain. For example, you can set create, edit, view, and delete permissions for individual tools and assets, rather than setting the same permission for all tools or all asset types.
If advanced permissions are specified in a portal and the portal is used to create a custom template, the selected advanced permissions will be included in portals built from the custom template (provided Members Info is selected during template creation). See Section 3.3, "Creating a New Portal Template."
If you switch to using advanced permissions, you cannot revert to standard permissions. For more information, see Section 29.1.2, "Understanding Permissions and Permission Models in a Portal."
To use advanced permissions:
-
In the portal administration (see Section 7.1, "Accessing Portal Administration"), click Security in the left navigation pane, then click the Roles subtab (Figure 29-5).
Tip:
You can also navigate to this page using the direct URL provided in Section A.7, "Pretty URLs for Pages in a Specified Portal."Figure 29-5 Portal Administration: Roles Page
Description of ''Figure 29-5 Portal Administration: Roles Page''
-
Click Advanced Permissions.
A warning message displays (Figure 29-6).
Figure 29-6 Switching to Advanced Permissions
Description of ''Figure 29-6 Switching to Advanced Permissions''
-
Click OK to continue.
-
In the Edit Permissions dialog, select or deselect the check boxes to enable or disable permissions for a role (Figure 29-7). See Table 29-3, "Portal Permissions - Advanced Permissions".
Note:
If you are working with a portal that was imported from a previous version of WebCenter Portal, you may see different permissions. Such permissions are only provided for migration purposes and do not apply to any new portals that you create with this release.Figure 29-7 Modifying Permissions for a Portal (Advanced Permissions)
Description of ''Figure 29-7 Modifying Permissions for a Portal (Advanced Permissions)''
-
Click Save.
New permissions are effective immediately.
Note:
For more detailed information about granting access permissions to a portal, and to individual pages within a portal, refer to Section 4.4, "Granting Users Access to a Portal".29.5 Deleting Roles in a Portal
When a role is no longer required, the portal moderator can remove it from the portal. This helps maintain a valid role list and prevents inappropriate role assignment.
To delete a role in a portal:
-
In the portal administration (see Section 7.1, "Accessing Portal Administration"), click Security in the left navigation pane, then click the Roles subtab (Figure 29-8).
Tip:
You can also navigate to this page using the direct URL provided in Section A.7, "Pretty URLs for Pages in a Specified Portal."Figure 29-8 Portal Administration: Roles Page
Description of ''Figure 29-8 Portal Administration: Roles Page''
-
Select the role you want to delete, then click Remove Role.
Note:
TheModerator,Public-User, andAuthenticated-Userroles cannot be deleted. -
In the Delete Role confirmation dialog, click Delete to confirm that you want to delete the role.