40 Managing Security Across Portals

This chapter describes the tasks available on the Security page in WebCenter Portal Administration. The system administrator can modify the default settings to assign suitable permissions to the custom application user roles, assign users to these application roles, and also create new custom roles, if required by the organization.

This chapter includes the following topics:

Permissions

To perform the tasks in this chapter, you must have the WebCenter Portal Administrator role or a custom role that grants the following permission:

  • Portal Server: Manage All

40.1 About WebCenter Portal Security

WebCenter Portal provides a comprehensive security model that enables you to control what users can see and change in WebCenter Portal. Using the Security page in WebCenter Portal Administration (Figure 40-1), you can control which users (and groups) have access to individual portals and the Home portal and you can also control exactly what users and groups can see and do by enabling and disabling various permissions.

Figure 40-1 WebCenter Portal Administration: Security Page


Within a particular portal you can restrict user and group access to individual pages, page content (such as task flows, portlets, documents, and folders), and assets (such as page templates, page styles, skins, resource catalogs, and so on).

Figure 40-2 WebCenter Portal Security


User and Groups

A user is a single person in the identity store, and a group contains multiple users. In WebCenter Portal you can grant permissions to individual users and to groups of users.

Unregistered Users and Self-Registration

Self-registration allows unregistered users to create their own login and password for WebCenter Portal. A user who self-registers is immediately and automatically granted access to WebCenter Portal and a new user account is created in WebCenter Portal's identity store.

Application Roles and Portal Roles

Application roles determine what a user (or group) can see and do in the Home portal which, for some administrative functions, can impact all of WebCenter Portal. Portal roles control actions within a particular portal.

Portals

Portals support the formation and collaboration of project teams and communities of interest by providing a dedicated and readily accessible area for relevant services, pages, and content and by supporting the inclusion of specified members.

Home Portal

The Home portal is a shared portal that, by default, is accessible to everyone who is logged in. Application roles apply while a user is working within the Home portal. In most applications, the Home portal focuses on social networking and personal content.

Assets

Various portal resources help define the overall structure, look and feel, and content in portals, and these include page templates, page styles, skins, resource catalogs, Content Presenter display templates, task flow styles, data controls, and task flows. Users with appropriate privileges can build and customize resources for the entire application or individual portals.

Pages

Anyone authorized to edit a page can grant access and permissions to other users and groups. For example, you might grant view-only permission to everyone in the sales group, edit permission to sales managers, and manage permission to a single user. Alternatively, you can specify that the page inherits its access from the application.

Page Content, Files, and Folders

Some pages might contain content that you want only a select set of users, or even only one other user, to see. For example, a page aimed at sales people might include two Announcement task flows; one aimed at all sales people and the other at only sales managers. By restricting access to the second Announcement task flow, you can hide management-level announcements from anyone who is not a sales manager.

40.2 About Users

A WebCenter Portal user has a login account for WebCenter Portal—provisioned directly from an existing identity store. See also, Adding Users to the Embedded LDAP Identity Store.

All users in the identity store are assigned minimal privileges in WebCenter Portal through the Authenticated-User role. The only exception is the system administrator (weblogic by default); out-of-the-box, the system administrator is the only user assigned full administrative privileges through the Administrator role. For more information, read the next section Default Application Roles.

It is the system administrator's job to assign each user an appropriate application role. Alternatively, the system administrator may choose to assign the Administrator role to another user and delegate this responsibility.


Table 40-1 Default Administrator in WebCenter Portal

  • User: System Administrator (weblogic)

    Description: Administrator for the entire application server, sometimes referred to as the super administrator or Fusion Middleware administrator. This user can manage any application on the server, including WebCenter Portal.


40.3 About Application Roles and Permissions

Application roles control the level of access a user has to information and services in WebCenter Portal.

This section includes:

40.3.1 About Application Roles

Application role assignment is the responsibility of the WebCenter Portal administrator. Administrators can assign users a default application role or create additional, custom roles specific to their application deployment. For more details, see:

Application roles apply when users are working in the Home portal or on application-level tasks. A different set of roles and permissions apply when a user is working within a particular portal. It is the portal manager's responsibility to determine suitable role assignments for each of its members. See also Managing Application Roles and Permissions, and Administering Security in a Portal in Building Portals with Oracle WebCenter Portal.

Note:

Application roles and permissions defined within WebCenter Portal are stored in its policy store and, consequently, apply to this WebCenter Portal only. Enterprise roles are different; enterprise roles are stored within the application's identity store and do not imply any permissions within WebCenter Portal. See Application Roles and Enterprise Roles.

40.3.1.1 Default Application Roles

WebCenter Portal provides several default application roles (Table 40-2). You cannot delete the default application roles of Administrator, Public-User, and Authenticated-User, but you can modify the default permission assignments for each role. For more information, see Modifying Application Role Permissions.

Table 40-2 Default Application Roles for WebCenter Portal

Application Role Description Modify?

Administrator

Users with the Administrator role can set application-wide properties for WebCenter Portal, create business role pages, configure defaults for discussion forums, mail, and people connection services, register producers and external applications, as well as perform other administrative duties such as editing the login page and the self-registration page.

Administrators can also manage users and roles for WebCenter Portal, delegate or revoke privileges to or from other users, manage portals and portal templates, import and export portals, and deploy and propagate portals.

Out-of-the-box, the system administrator is the only user assigned full administrative privileges for the WebCenter Portal through the Administrator role.

Note:

The Administrator role allows administration permissions on a private portal (such as managing membership), but does not allow access to a private portal’s page contents.

Modify? Yes*

*Except for Application permissions, which are read-only

AppConnectionManager

Users with this role can manage (create, update, and delete) portlet producers and external applications through corresponding task flows.

Initially, only users with the Administrator role are members of the AppConnectionManager role.

To manage membership of the AppConnectionManager role, use one of the following options:

  • WLST commands:

    • grantAppRole: To add a user or role to the Connection Manager (for command syntax and examples, see grantAppRole in Infrastructure Security WLST Command Reference).

    • revokeAppRole: To remove a member from the Connection Manager (for command syntax and examples, see revokeAppRole in Infrastructure Security WLST Command Reference).

  • Enterprise Manager (see Managing Application Roles in Securing Applications with Oracle Platform Security Services).

Note: You cannot view the AppConnectionManager role in the Oracle WebCenter Portal UI.

Modify? No

AppConnectionViewer

Users with this role can view portlet producers and external applications through corresponding task flows.

Initially, any user who is logged in (that is, who has authenticated-role) is a member of the AppConnectionViewer role.

To manage membership of the AppConnectionViewer role, use one of the following options:

  • WLST commands:

    • grantAppRole: To add a user or role to this role (for command syntax and examples, see grantAppRole in Infrastructure Security WLST Command Reference).

    • revokeAppRole: To remove a member from this role (for command syntax and examples, see revokeAppRole in Infrastructure Security WLST Command Reference).

  • Enterprise Manager (see Managing Application Roles in Securing Applications with Oracle Platform Security Services).

Note: You cannot view the AppConnectionViewer role in the Oracle WebCenter Portal UI.

Modify? No
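The two roles above can only be administered outside the portal UI. The following WLST (Jython) script is an added example, not part of the Oracle documentation, that uses the grantAppRole, revokeAppRole and listAppRoleMembers commands to delegate AppConnectionManager to a group, grant AppConnectionViewer to one user, and revoke a departed user. The Admin Server URL, credentials, the user and group names, and the "webcenter" policy-store stripe are assumptions to replace for your domain.

```jython
# Added example (not part of the Oracle documentation): manage membership of
# the AppConnectionManager and AppConnectionViewer roles, which are hidden
# from the WebCenter Portal UI, from WLST.
# Run with:  $ORACLE_HOME/oracle_common/common/bin/wlst.sh manage_app_connection_roles.py

ADMIN_URL = 't3://adminhost.example.com:7001'   # placeholder Admin Server URL
ADMIN_USER = 'weblogic'
ADMIN_PASSWORD = 'CHANGE_ME'                      # placeholder; prefer userConfigFile/userKeyFile in practice
APP_STRIPE = 'webcenter'                          # assumed policy-store stripe of WebCenter Portal

# Principal classes that OPSS expects for WebLogic users and groups.
USER_CLASS = 'weblogic.security.principal.WLSUserImpl'
GROUP_CLASS = 'weblogic.security.principal.WLSGroupImpl'

MANAGER_ROLE = 'AppConnectionManager'
VIEWER_ROLE = 'AppConnectionViewer'


def grant_to(role_name, principal_name, is_group=False):
    # grantAppRole(appStripe, appRoleName, principalClass, principalName) adds a
    # user or group as a member of the application role in the policy store.
    principal_class = is_group and GROUP_CLASS or USER_CLASS
    grantAppRole(appStripe=APP_STRIPE, appRoleName=role_name,
                 principalClass=principal_class, principalName=principal_name)


def revoke_from(role_name, principal_name, is_group=False):
    # revokeAppRole takes the same arguments and removes the membership again.
    principal_class = is_group and GROUP_CLASS or USER_CLASS
    revokeAppRole(appStripe=APP_STRIPE, appRoleName=role_name,
                  principalClass=principal_class, principalName=principal_name)


def show_members(role_name):
    # listAppRoleMembers prints the current members of the role; used here to
    # verify each change before disconnecting.
    print 'Members of %s:' % role_name
    listAppRoleMembers(appStripe=APP_STRIPE, appRoleName=role_name)


connect(ADMIN_USER, ADMIN_PASSWORD, ADMIN_URL)

# Delegate producer and external-application management to one enterprise
# group (placeholder name) instead of handing out the Administrator role.
grant_to(MANAGER_ROLE, 'portal-integrators', is_group=True)

# Give a single support user (placeholder name) read-only visibility of
# producers and external applications.
grant_to(VIEWER_ROLE, 'jsmith')

# Remove a departed user (placeholder name; must currently be a member).
revoke_from(MANAGER_ROLE, 'old.admin')

show_members(MANAGER_ROLE)
show_members(VIEWER_ROLE)

disconnect()
```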

Application Specialist

Users with the Application Specialist role can create portals; manage portal templates; create, edit, and delete pages, page styles, page templates, Content Presenter templates, data controls, pagelets, resource catalogs, skins, task flow styles, and task flows; update People Connections data, and connect with people.

Modify? Yes

Portal Creator

Users with the Portal Creator role are assigned the Portals: Create Portals and Portal Server: View permissions by default. Users in this role do not have the ability to manage or create portal templates. This role is provided to make sure that only a select few portal users have the ability to create portals.

Upon creating a portal, the Portal Creator role inherits the permissions inherent in the portal-level Portal Manager role. Users in this role have the ability to import, export, and deploy portals (only if they are in a role that has the application-level Portal Server: Deploy permission) that they are members of or that they manage.

Modify? Yes

Authenticated-User

Authenticated users of WebCenter Portal are granted the Authenticated-User role. Users who log in are assigned this role and, by default, have access to the Home portal, pages that they create, and public pages. These users can also view public portals.

By default, the Authenticated-User role is granted minimal privileges, through the following permissions:

  • Portal Server: View

  • Portals: Create Portals

  • Portal Templates: Create Portal Templates

  • Pages: Create Pages

  • People Connections: Update People Connections Data

  • People Connections: Connect with People

The Authenticated-User role also has permissions to create portals and portal templates.

This role inherits permissions from the Public-User role.

All custom application roles inherit permissions from the Authenticated-User role.

In the WebCenter Portal, the Authenticated-User role is equivalent to authenticated-role—a standard OPSS (Oracle Platform Security Services) role.

Modify? Yes

Public-User

Anyone with access to the WebCenter Portal who is not logged in, is granted the Public-User role. Such users are anonymous, unidentified, and can see public content only.

By default, the Public-User role is granted minimal privileges, that is, only the Portal Server: View permission.

In the WebCenter Portal, the Public-User role is equivalent to anonymous-role—a standard OPSS (Oracle Platform Security Services) role.

Caution: Take care when granting permissions to the Public-User role. Avoid granting administrative permissions such as Portal Server: Manage All, Portal Server: Manage Configuration, or any permission that might be considered unnecessary. See also About Application Permissions.

If you do not want unauthenticated users to see WebCenter Portal content that is marked 'public', do not grant the Portal Server: View permission to the Public-User role. When public access is disabled, public content cannot be seen by unauthenticated users. Also, the Welcome page for WebCenter Portal is not displayed; public users are directed straight to a login page. Administrators may customize the default login page, if required. See Customizing System Pages for All Portals.

Modify? Yes

40.3.1.2 Custom Application Roles

Custom application roles (sometimes known as user-defined roles) are specific to your WebCenter Portal. When setting up WebCenter Portal, it is the WebCenter Portal administrator's job to identify which application roles are required, select suitable role names, and define the responsibilities of each role.

For example, an education environment might require roles such as Teacher, Student, and Guest. While roles such as Finance, Sales, Human Resources, and Support would be more appropriate for a corporate environment.

In WebCenter Portal, custom application roles inherit permissions from the Authenticated-User role.

To learn how to set up application roles for WebCenter Portal users, see Defining Application Roles.

40.3.2 About Application Permissions

Every application role has specific, defined capabilities known as permissions. These permissions allow individuals to perform specific actions in the Home portal. Permissions are categorized and listed individually in the following tables:

  • Table 40-3 lists the available application permissions in WebCenter Portal.

  • Table 40-4 lists the application roles and default permissions assigned to these roles in WebCenter Portal.

No permission, except for Manage All, inherits privileges from other permissions.

40.3.2.1 Understanding Application Permissions

Table 40-3 lists the application-level permissions available in WebCenter Portal.

Table 40-3 Application Permissions

Category Application Permissions

Portal Server

Manage All - Enables access to all WebCenter Portal Administration pages: Settings, Portals, Shared Assets, Attributes, and Portal Templates. Through these pages, users can manage application security (users/roles), configure application-wide properties and services, manage resources, create business role pages, manage everyone's personal pages, customize system pages, view portals accessible to them, as well as export/import portals and portal templates.

Some administrative tasks are exclusive to the out-of-the-box Administrator role and cannot be performed by granting the Portals: Manage Security and Configuration permission. These tasks include editing the login page, the self-registration page, and profile gallery pages, as well as the ability to manage all portals, all portal templates, external applications, and portlet producers.

Manage Configuration - Same as the Portal Server: Manage All permission but excludes security privileges. Users with this permission cannot access the Security page.

View - Enables users to view WebCenter Portal, and gives them access to the Home portal. See Table 40-2.

Deploy - Enables users to deploy and propagate a portal. For more information, see Deploying Portals, Templates, Assets, and Extensions.

Portals

Manage Security and Configuration - Enables access to all portal administration pages (Overview, Settings, Attributes, Security, Tools and Services), except Assets. Through these pages users can manage portal membership, assign permissions and roles, manage, delete, and deploy and export portals and resources, set portal properties, and manage service availability.

  • To access portal pages, page and asset permissions must be granted.

  • To access portal assets, asset permissions must be granted.

Includes Manage Configuration and Manage Membership permissions.

Manage Configuration - Same as the Manage Security and Configuration permission but excludes security privileges. Users with this permission cannot access the Security pages unless they are a portal manager. Users with this permission cannot access the Roles and Members pages.

  • To access portal pages, page and asset permissions must be granted.

  • To access portal assets, asset permissions must be granted.

Users with this permission must be allowed to view the portal.

Manage Membership - Enables access to the Roles and Members pages in the portal administration settings. On these pages, users can create, edit, and delete members and roles for the portal.

Create Portals - Enables users to create portals.

See Managing Roles and Permissions for a Portal in Building Portals with Oracle WebCenter Portal.

Portal Templates

Manage All - Enables users to manage any portal template (through the Portal Templates page) and delete templates accessible to them. See Managing All Portal Templates in Building Portals with Oracle WebCenter Portal.

Create Portal Templates - Enables users to create portal templates.

Pages

Create, Edit, and Delete Pages - Enables users to create, edit and delete pages in the Home portal.

Delete Pages - Enables users to delete pages in the Home portal.

Edit Pages - Enables users to add or edit personal page content, rearrange content, and set page parameters and properties.

Customize Pages - Enables users to customize their view of pages in the Home portal by adding, editing, or removing content.

View Pages - Enables users to view pages in the Home portal.

Create Pages - Enables users to create a new personal page in the Home portal.

Contribute Page Content -

These permissions apply to pages in the Home portal. The permissions do not apply to pages that are created within a portal. Page permissions within a portal are granted by the portal manager. See Managing Roles and Permissions for a Portal in Building Portals with Oracle WebCenter Portal.

Application Integration Visualization Templates

Create, Edit, and Delete Visualization Templates - Enables users to create, edit and delete visualization templates through WebCenter Portal.

Create Visualization Templates - Enables users to create visualization templates for the application.

Edit Visualization Templates - Enables users to edit application-level visualization templates.

See Working with Visualization Templates in Building Portals with Oracle WebCenter Portal.

Content Presenter Templates

Create, Edit, and Delete Content Presenter Templates - Enables users to create, edit and delete content display templates through WebCenter Portal.

Create Content Presenter Templates - Enables users to create content display templates for the application.

Edit Content Presenter Templates - Enables users to edit application-level content display templates.

See Publishing Content Using Content Presenter in Building Portals with Oracle WebCenter Portal.

Data Controls

Create, Edit, and Delete Data Controls - Enables users to create, edit and delete data controls through WebCenter Portal.

Create Data Controls - Enables users to create data controls for the application.

Edit Data Controls - Enables users to edit application-level data controls.

See Working with Web Service Data Controls in Building Portals with Oracle WebCenter Portal.

Discussions

Create, Edit, and Delete Discussions - Enables users to manage categories, forums, and topics on the back-end discussions server and set discussion forum properties for all portals.

See Understanding Discussion Server Role Mapping.

Links

Create and Delete Links - Enables users to create and delete links between objects, and manage link permissions.

Create Links - Enables users to create links between objects, and delete links that they create.

Delete Links - Enables users to delete a link between two objects.

Page Styles

Create, Edit, and Delete Page Styles - Enables users to create, edit, and delete page styles through WebCenter Portal.

Create Page Styles - Enables users to create page styles for the application.

Edit Page Styles - Enables users to edit application-level page styles.

See Working with Page Styles in Building Portals with Oracle WebCenter Portal.

Page Templates

Create, Edit, and Delete Page Templates - Enables users to create, edit, and delete page templates through WebCenter Portal.

Create Page Templates - Enables users to create page templates for the application.

Edit Page Templates - Enables users to edit application-level page templates.

See Working with Page Templates in Building Portals with Oracle WebCenter Portal.

Pagelets

Create, Edit, and Delete Pagelets - Enables users to create, edit, and delete pagelets through WebCenter Portal.

Create Pagelets - Enables users to create pagelets for the application.

Edit Pagelets - Enables users to edit application-level pagelets.

See Working with Pagelets in Building Portals with Oracle WebCenter Portal.

People Connections

Manage People Connections - Enables users to manage application-wide settings for People Connection services.

Update People Connections Data - Enables users to edit content associated with People Connection services.

Connect with People - Enables users to share content associated with People Connection services with others.

Resource Catalogs

Create, Edit, and Delete Resource Catalogs - Enables users to create, edit and delete resource catalogs through WebCenter Portal.

Create Resource Catalogs - Enables users to create resource catalogs for the application.

Edit Resource Catalogs - Enables users to edit application-level resource catalogs.

See Working with Resource Catalogs in Building Portals with Oracle WebCenter Portal.

Skins

Create, Edit, and Delete Skins - Enables users to create, edit, and delete skins through WebCenter Portal.

Create Skins - Enables users to create skins for the application.

Edit Skins - Enables users to edit application-level skins.

See Working with Skins in Building Portals with Oracle WebCenter Portal.

Task Flow Styles

Create, Edit, and Delete Task Flow Styles - Enables users to create, edit, and delete content display templates through WebCenter Portal.

Create Task Flow Styles - Enables users to create content display templates for the application.

Edit Task Flow Styles - Enables users to edit application-level content display templates.

See Publishing Content Using Content Presenter in Building Portals with Oracle WebCenter Portal.

Task Flows

Create, Edit, and Delete Task Flows - Enables users to create, edit, and delete task flows based on a task flow style through WebCenter Portal.

Create Task Flows - Enables users to create task flows for the application.

Edit Task Flows - Enables users to edit application-level task flows.

See Working with Task Flows in Building Portals with Oracle WebCenter Portal.

40.3.2.2 Default Application Permissions Assignments to Application Roles

Table 40-4 shows the default permissions assigned to built-in application roles.

✔ - Shows an explicitly granted permission or action.

✙ - Shows an implied permission because of an explicitly granted permission.

Table 40-4 Default Application Roles and Permissions in WebCenter Portal

Permissions (columns: Administrator, Application Specialist, Portal Creator, Public-User, Authenticated-User; the ✔/✙ marks of the original table are not reproduced here)

  • Portal Server: Manage All; Manage Configuration; View; Deploy

  • Portals: Manage Security and Configuration; Manage Configuration; Manage Membership; Create Portals

  • Portal Templates: Manage All; Create Portal Templates

  • Pages: Create, Edit, and Delete Pages and Contribute Content; Delete Pages; Edit Pages; Customize Pages; View Pages; Create Pages

  • Application Integration Visualization: Manage Application Integration Visualization

  • Content Presenter Templates: Create Content Presenter Templates; Create, Edit, and Delete Content Presenter Templates; Edit Content Presenter Templates

  • Data Controls: Create Data Controls; Create, Edit, and Delete Data Controls; Edit Data Controls

  • Discussions: Create, Edit, and Delete Discussions

  • Links: Create Links; Create and Delete Links; Edit Links

  • Page Styles: Create Page Styles; Create, Edit, and Delete Page Styles; Edit Page Styles

  • Page Templates: Create Page Templates; Create, Edit, and Delete Page Templates; Edit Page Templates

  • Pagelets: Create Pagelets; Create, Edit, and Delete Pagelets; Edit Pagelets

  • People Connections: Manage People Connections; Update People Connections Data; Connect with People

  • Resource Catalogs: Create Resource Catalogs; Create, Edit, and Delete Resource Catalogs; Edit Resource Catalogs

  • Skins: Create Skins; Create, Edit, and Delete Skins; Edit Skins

  • Task Flow Styles: Create Task Flow Styles; Create, Edit, and Delete Task Flow Styles; Edit Task Flow Styles

  • Task Flows: Create Task Flows; Create, Edit, and Delete Task Flows; Edit Task Flows

40.3.2.3 Understanding Discussion Server Role Mapping

Some WebCenter Portal services that need access to remote (back-end) resources also require role-mapping based authorization. That is, the WebCenter Portal roles that allow users to work with the Discussions service in WebCenter Portal must be mapped to corresponding roles on WebCenter Portal's discussions server.

WebCenter Portal uses application roles to manage user permissions in the Home portal and portal roles to manage user permissions within a particular portal. On WebCenter Portal's discussions server, a different set of roles and permissions apply.

Users who are working with discussions and announcements in WebCenter Portal automatically map to the appropriate discussions server role, shown in Table 40-5 and Table 40-6.

Table 40-5 Discussions Server Roles and Permissions - Application

  • Discussion Server Role: Administrator

    Discussion Server Permissions: Category Admin

    WebCenter Portal Equivalent Application Permission: Discussions-Create, Edit, and Delete (create, read, update and delete sub categories, forums, and topics inside the category for which permissions are granted).

Table 40-6 Discussions Server Roles and Permissions - For a Portal

  • Discussion Server Role: Portal Manager

    Discussion Server Permissions: Category Admin, Forum Admin

    WebCenter Portal Equivalent Permissions in a Portal: Discussions-Create, Edit, and Delete (create, read, update and delete forums and topics); Announcements-Create, Edit, and Delete (create, read, update and delete announcements).

  • Discussion Server Role: Portal Manager

    Discussion Server Permissions: Create Message, Create Announcement

    WebCenter Portal Equivalent Permissions in a Portal: Discussions-Create and Edit (create and edit topics); Announcements-Create and Edit (create and edit announcements).

  • Discussion Server Role: Portal Manager

    Discussion Server Permissions: Read Forum, Create Thread

    WebCenter Portal Equivalent Permissions in a Portal: Discussions-Reply To (reply to discussion topics).

  • Discussion Server Role: Portal Manager

    Discussion Server Permissions: Read Forum

    WebCenter Portal Equivalent Permissions in a Portal: Discussions-View (view forums and topics); Announcements-View (view announcements).

Any user assigned the Application-Discussions-Create Edit Delete permission in WebCenter Portal is automatically added to WebCenter Portal's discussions server and assigned the Administrator role with the Category Admin permission. Out-of-the-box, WebCenter Portal assigns the Application-Discussions-Create Edit Delete permission to the Administrator role only.

Similarly, in a given portal, any member assigned discussion and announcement permissions is granted the corresponding permissions on the discussions server.

40.3.2.4 Understanding Enterprise Group Role Mapping

In WebCenter Portal you can assign individual users or multiple users in the same enterprise group to WebCenter Portal roles. Subsequent enterprise group updates in the back-end identity store are automatically reflected in WebCenter Portal. Initially, when you assign an enterprise group to a WebCenter Portal role, everyone in the enterprise group is granted that role. If someone moves out of the group, the role is revoked. If someone joins the group, they are granted the role.

For WebCenter Portal to properly maintain enterprise group-to-role mappings, back-end servers, such as the discussions server and content server, must support enterprise groups too. WebCenter Portal's Discussion Server and WebCenter Content's Content Server versions provided with this release both support enterprise groups but previous versions may not. See also, Troubleshooting Issues with Users and Roles.

40.4 About Roles and Permissions Within a Portal

When a user becomes a member of a particular portal, a different set of roles and responsibilities apply. For more information, see Administering Security in a Portal in Building Portals with Oracle WebCenter Portal.

40.5 Managing Users

System administrators must ensure that all WebCenter Portal users have appropriate permissions. To get permissions, users must be assigned to an appropriate application role.

From the Users and Groups page (Figure 40-3), system administrators can manage application roles for all the users who have access to WebCenter Portal, that is, all users defined in the identity store. From here, you can change user role assignments, grant administrative privileges, and revoke user permissions. To access the Users and Groups page, open WebCenter Portal Administration Settings and click Security. For details, see Accessing the Settings Pages in WebCenter Portal Administration.

Only users granted special (non-default) application privileges appear in this table. Initially, all users in the WebCenter Portal identity store are assigned minimal privileges through the Authenticated-User role. Users with the default Authenticated-User role are not listed here. See also Default Application Roles.

Figure 40-3 WebCenter Portal Administration: Users and Groups Page


This section describes how to assign roles and contains the following subsections:

40.5.1 Adding and Removing Users

WebCenter Portal administrators cannot add new user data directly to the WebCenter Portal identity store or remove user credentials. Identity store management is the responsibility of the systems administrator and takes place through the WLS Administration Console or directly into embedded LDAP identity stores using LDAP commands. See also Adding Users to the Identity Store Using the WLS Administration Console.

WebCenter Portal administrators can, however, enable self-registration for the application. Through self-registration, public users can create their own login and password for WebCenter Portal. A user who self-registers is immediately and automatically granted access to WebCenter Portal and a new user account is created in the identity store. See also Enabling Self-Registration.

40.5.2 Assigning Users (and Groups) to Application Roles

Initially, all users in the WebCenter Portal identity store are assigned minimal privileges through the Authenticated-User role. You can assign individual users (or multiple users in the same enterprise group) to a different application role through WebCenter Portal Administration.

Updates in your back-end identity store, such as new users or someone leaving an enterprise group, are automatically reflected in WebCenter Portal. Initially, when you assign an enterprise group to a WebCenter Portal role, everyone in the enterprise group is granted that role. If someone moves out of the group, the role is revoked. If someone joins the group, they are granted the role.

Note:

For WebCenter Portal to properly maintain enterprise group-to-role mappings, back-end servers, such as the discussions server and content server, must support enterprise groups too. When back-end servers do not support enterprise groups, the message "Group [name] not found in the Identity Store" displays. See also Troubleshooting Issues with Users and Roles.

To assign a user (or a group of users) to a different application role:

  1. On the Settings page (see Accessing the Settings Pages in WebCenter Portal Administration), click Security.

    You can also enter the following URL in your browser to navigate directly to the Security page:

    http://host:port/webcenter/portal/admin/settings/security
    

    See Also:

    WebCenter Portal Pretty URLs in Building Portals with Oracle WebCenter Portal.

  2. Click Users and Groups (Figure 40-3).

    This page lists the users and groups to which non-default application roles are assigned.

  3. Choose User or Group from the drop-down list.

    • Select User to grant permissions to one or more users defined in the identity store.

    • Select Group to grant permissions to a group of users.

  4. If you know the exact name of the user or group, enter the name in the text box, separating multiple names with commas.

    If you are not sure of the name you can search your identity store:

    1. Click the Find icon.

      The Find User (or Find Group) dialog box opens (Figure 40-4).

      Figure 40-4 Finding Users and Groups in the Identity Store

    2. Enter a search term for a user or group, then click the Search icon.

      Users (or groups) matching your search criteria display in the dialog box. For tips on searching, and for details of which fields are searched, see Searching for a User or Group in the Identity Store in Building Portals with Oracle WebCenter Portal.

      Tips

      • Use * as a wildcard, for example *sales.

      • Leave the search field blank to list all users (or groups) in the identity store.

      • Enter a space between two search terms to search First Name and Last Name; for example, jo sm searches for jo in First Name and sm in Last Name.

    3. Select one or more names from the list.

      To assign roles to multiple users or groups, multi-select all the names required. Ctrl + click rows to select multiple names.

    4. Click OK.

      The names that you select appear on the Users and Groups page.

  5. To assign a role, select a Role from the drop-down list.

    Select an appropriate role for the selected users (or groups).

    Note:

    Choose Administrator only if you want to assign full, administrative privileges for WebCenter Portal.

  6. Click Grant Access.

    The user or group names and their new role assignments appear in the Manage Existing Grants table.

Note:

Group names are clickable, enabling you to drill down to see user names of the current group members.

40.5.3 Assigning a User to a Different Application Role

From time to time, a user's role in WebCenter Portal may change. For example, a user may move out of sales into the finance department and in this instance, the user's role assignment may change from Sales to Finance. You can also assign a user to more than one role.

Note:

You cannot modify your own role or the system administrator's role. See About Application Roles.

To assign a user to a different role:

  1. On the Settings page (see Accessing the Settings Pages in WebCenter Portal Administration), click Security.

    You can also enter the following URL in your browser to navigate directly to the Security page:

    http://host:port/webcenter/portal/admin/settings/security
    

    See Also:

    WebCenter Portal Pretty URLs in Building Portals with Oracle WebCenter Portal.

  2. Click Users and Groups (Figure 40-3).
  3. In the Manage Existing Grants table, scroll down to the user whose role assignment you want to modify.

    Only users with non-default role assignments are listed in the table. If the user you want is not listed, grant the role required as described in Assigning Users (and Groups) to Application Roles.

  4. Click the Actions icon, then select Change Role from the drop-down list.

    The Change Role dialog opens (Figure 40-5).

    Figure 40-5 Changing a User's Application Role

  5. Select roles as follows:
    • Select Administrator to assign full, administrative privileges for WebCenter Portal.

      Administrators have the highest privilege level and can view and modify anything in WebCenter Portal, so take care when assigning the Administrator role.

      Some administrative tasks are exclusive to the Administrator role, such as editing the login page, the self-registration page, and profile gallery pages. See also Default Application Roles.

    • Select one or more roles from the list available (you can assign the user or group to one or more roles).

      If the role you want is not listed, create a new role that meets your requirements (see Defining Application Roles).

      At least one role must be selected. To revoke all role assignments, reverting user permissions to the default Authenticated-User role, see Revoking Application Roles.

  6. Click OK.

New role assignments display in the table.

40.5.4 Revoking Application Roles

It is easy to revoke application role assignments that no longer apply. You can revoke roles individually or revoke all application roles assigned to a particular user at once.

Revoking all of a user's application roles does not remove that user from the identity store and the user still has access to Oracle WebCenter Portal through the default Authenticated-User role.

Note:

You cannot revoke your own role assignments or the system administrator's role. See About Application Roles.

To revoke application roles:

  1. On the Settings page (see Accessing the Settings Pages in WebCenter Portal Administration), click Security.

    You can also enter the following URL in your browser to navigate directly to the Security page:

    http://host:port/webcenter/portal/admin/settings/security
    

    See Also:

    WebCenter Portal Pretty URLs in Building Portals with Oracle WebCenter Portal.

  2. Click Users and Groups (Figure 40-3).

    This page lists the users and groups to which non-default application roles are assigned.

  3. In the Manage Existing Grants table, scroll down to the user you want.
  4. Click the Actions icon:
    • Select Change Role, and deselect the application role or roles you wish to revoke. See also Assigning a User to a Different Application Role.

    • Select Delete Role Assignments to revoke all roles assigned to that user, and then click Delete when asked for confirmation.

    The revocation takes effect immediately; the user retains only the default Authenticated-User role.

When you delete all the roles assigned to a particular user, the user is no longer listed on the Users and Groups page. The user remains in the identity store and still has access to Oracle WebCenter Portal through the Authenticated-User role. See Default Application Roles.

40.6 Managing Application Roles and Permissions

WebCenter Portal uses application roles to manage permissions for users working in the Home portal. Administrators manage application roles and permissions on the Roles page (Figure 40-6). See Table 40-4 for more information about built-in application roles and permissions.

Figure 40-6 WebCenter Portal Administration: Roles Page


This section explains how to manage application roles and their permissions in WebCenter Portal Administration. It contains the following subsections:

  • Viewing Application Roles and Permissions

  • Defining Application Roles

  • Modifying Application Role Permissions

  • Deleting Application Roles

40.6.1 Viewing Application Roles and Permissions

On the Roles page, use the Roles drop-down to select an application role and view its associated permissions.

To view permissions associated with a role:

  1. On the Settings page (see Accessing the Settings Pages in WebCenter Portal Administration), click Security.

    You can also enter the following URL in your browser to navigate directly to the Security page:

    http://host:port/webcenter/portal/admin/settings/security
    

    See Also:

    WebCenter Portal Pretty URLs in Building Portals with Oracle WebCenter Portal.

  2. Click the Roles tab to open the Roles page (Figure 40-6), showing the Administrator role and its associated permissions by default.
  3. From the Role drop-down (Figure 40-7), select a role to view its associated permissions.

    Figure 40-7 WebCenter Portal Administration: Roles Page

  4. (Optional) To change the permissions of the selected role, select or clear the permission check boxes (see Modifying Application Role Permissions).
  5. Click Save to apply any changes.

40.6.2 Defining Application Roles

Use roles to characterize groups of WebCenter Portal users and determine what they can see and do in the Home portal.

When defining application roles, use self-descriptive role names and try to keep the role policy as simple as possible. Choose as few roles as you can, while maintaining an effective policy.

Take care to assign appropriate access rights when assigning permissions for new roles. Do not allow users to perform more actions than are necessary for the role but at the same time, try not to inadvertently restrict them from activities they must perform. In some cases, users may fall into multiple roles.

To define a new application role:

  1. On the Settings page (see Accessing the Settings Pages in WebCenter Portal Administration), click Security.

    You can also enter the following URL in your browser to navigate directly to the Security page:

    http://host:port/webcenter/portal/admin/settings/security
    

    See Also:

    WebCenter Portal Pretty URLs in Building Portals with Oracle WebCenter Portal.

  2. Click the Roles tab to open the Roles page (Figure 40-6), showing the Administrator role and its associated permissions by default.
  3. Click Create Role to define a new role for WebCenter Portal users.

    Figure 40-8 Creating a New Role

  4. Enter a suitable name for the role.

    Ensure the role names are self-descriptive. Make it as obvious as possible which users should belong to which roles. Role names can contain alphanumeric characters, blank spaces, and underscores.

  5. (Optional) Choose a Role Template.

    The new role inherits permissions from the role template. You can modify these permissions in the next step.

    Choose Administrator to create a role that inherits full, administrative privileges. Conversely, choose Public-User to create a role that typically provides minimal privileges. Alternatively, choose a custom application role to be your template.

  6. Click OK.

    The new role appears in the Role drop-down. The permissions list shows which actions users with this role can perform. Use the Roles drop-down to select another role.

  7. To modify user permissions for the role, select or clear each permission check box.
  8. Click Save to save any changes that you make to the role's permissions.

40.6.3 Modifying Application Role Permissions

Administrators can modify the permissions associated with application roles at any time. Application permissions are described in About Application Permissions.

Application role permissions allow individuals to perform specific actions in the Home portal. No permission, except for Manage All, inherits privileges from other permissions.

Note:

Application permissions cannot be modified for the Administrator role. See also Default Application Roles.

To change the permissions assigned to a role:

  1. On the Settings page (see Accessing the Settings Pages in WebCenter Portal Administration), click Security.

    You can also enter the following URL in your browser to navigate directly to the Security page:

    http://host:port/webcenter/portal/admin/settings/security
    

    See Also:

    WebCenter Portal Pretty URLs in Building Portals with Oracle WebCenter Portal.

  2. Click the Roles (Figure 40-6) tab.

    The page opens, showing the Administrator role and its associated permissions by default.

  3. From the Role drop-down, select the role whose permissions you want to modify.

    The permissions associated with the selected role appear in the Permissions column.

  4. Select or deselect Permissions check boxes to enable or disable permissions for the role.
    For the built-in roles, be cautious about changing permissions. See Table 40-2.
  5. Click Save.

The new permissions are effective immediately.

40.6.3.1 Granting Permissions to the Public-User

Anyone who is not logged in to WebCenter Portal assumes the Public-User role. By default, the Public-User role is granted minimal privileges, that is, only the Portal Server: View permission.

Caution:

Take care when granting permissions to the Public-User role. Anything granted to this role is available to anonymous visitors and, because the Authenticated-User role and every custom role inherit from Public-User, to every user of WebCenter Portal. Never grant administrative permissions such as Portal Server: Manage All or Portal Server: Manage Configuration to this role, and avoid granting any permission that is not strictly necessary. See also About Application Permissions.

Granting the Portal Server: View Permission

The Portal Server: View permission allows unauthenticated users to see public WebCenter Portal pages, such as the Welcome page, and also content that individual users choose to make public.

When Portal Server: View permission is granted to the Public-User role:

  • Make sure that users understand that any personal page or personal content they choose to make public will become accessible to unauthenticated users outside of the WebCenter Portal community, that is, anyone with Web access.

  • Consider customizing the default Welcome page that displays to public users before they log in. See Customizing System Pages.

If you do not want unauthenticated users to see WebCenter Portal content that is marked 'public', do not grant the Portal Server: View permission to the Public-User role. When public access is disabled, public content cannot be seen by unauthenticated users. Also, the Welcome page for WebCenter Portal is not displayed; public users are directed straight to a login page. Administrators may customize the default login page, if required. See Customizing System Pages for All Portals.

Granting Other Permissions

Be careful when assigning permissions to the Public-User role. For security reasons, Oracle recommends that you limit what anonymous users can see and do in WebCenter Portal.

40.6.3.2 Granting Permissions to the Authenticated-User

Anyone who is logged in to WebCenter Portal assumes the Authenticated-User role. By default, the Authenticated-User role is granted minimal privileges, through the following permissions:
  • Portal Server: View

  • Portals: Create Portals

  • Portal Templates: Create Portal Templates

  • Pages: Create Pages

  • People Connections: Update People Connections Data

  • People Connections: Connect with People

Other important notes:

  • The Authenticated-User role always inherits permissions from the Public-User role.

  • All custom application roles inherit permissions from the Authenticated-User role.
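The two rules above, together with the group-to-role behaviour described in Assigning Users (and Groups) to Application Roles and the special status of Portal Server: Manage All described in Modifying Application Role Permissions, determine what a given principal can actually do. The following Python model is an added illustration and is not Oracle code or a WebCenter Portal API. Role and permission names are the ones this chapter uses; the identity store contents, the grants table, the custom Finance role with its Pages: Edit Pages permission, and the public_exposure_findings audit helper are all constructed for the example. It shows how a role granted to a group follows the group's membership, how a permission placed on Public-User propagates to every role, and how Manage All implies every other permission.

```python
"""Application-role resolution in WebCenter Portal, modelled as this chapter describes it.

Added illustration, not Oracle's code. Role and permission names are the chapter's; the
inheritance rules and the special status of Manage All are the ones it states. The
identity store, grants table, "Finance" role, its "Pages: Edit Pages" permission and
the audit helper are constructed for the example and are not WebCenter Portal features.
"""
from __future__ import annotations

MANAGE_ALL = "Portal Server: Manage All"
VIEW = "Portal Server: View"
ADMIN_PERMISSIONS = {MANAGE_ALL, "Portal Server: Manage Configuration"}
DEFAULT_ROLES = {"Public-User", "Authenticated-User", "Administrator", "Portal Creator"}

# Direct (non-inherited) permissions per role. Default roles carry the out-of-the-box
# grants listed in 40.6.3.1 to 40.6.3.3; Finance is a constructed custom role.
DIRECT: dict[str, set[str]] = {
    "Public-User": {VIEW},
    "Authenticated-User": {
        VIEW,
        "Portals: Create Portals",
        "Portal Templates: Create Portal Templates",
        "Pages: Create Pages",
        "People Connections: Update People Connections Data",
        "People Connections: Connect with People",
    },
    "Portal Creator": {VIEW, "Portals: Create Portals"},
    "Administrator": {MANAGE_ALL},
    "Finance": {"Pages: Edit Pages"},  # constructed permission name
}

# Constructed identity store (group -> members) and Manage Existing Grants table.
GROUPS: dict[str, set[str]] = {"sales": {"jsmith", "adoe"}, "finance": {"mlee"}}
GRANTS: list[tuple[str, str, str]] = [  # (principal kind, principal name, role)
    ("user", "adoe", "Administrator"),
    ("group", "finance", "Finance"),
]


def parent_of(role: str) -> str | None:
    """Authenticated-User inherits from Public-User; every custom role inherits from
    Authenticated-User (40.6.3.2). Other default roles have no parent in this model."""
    if role == "Authenticated-User":
        return "Public-User"
    return None if role in DEFAULT_ROLES else "Authenticated-User"


def all_permissions(direct: dict[str, set[str]] = DIRECT) -> set[str]:
    """Every permission known to the model; what Manage All expands to."""
    return set().union(*direct.values()) | ADMIN_PERMISSIONS


def role_permissions(role: str, direct: dict[str, set[str]] = DIRECT) -> set[str]:
    """Effective permissions of one role: its own grants plus its inheritance chain.
    Manage All is the only permission that implies the others (40.6.3)."""
    perms: set[str] = set()
    current: str | None = role
    while current is not None:
        perms |= direct.get(current, set())
        current = parent_of(current)
    return all_permissions(direct) if MANAGE_ALL in perms else perms


def effective_roles(user: str | None, groups=GROUPS, grants=GRANTS) -> set[str]:
    """Roles a principal holds right now; None means an anonymous visitor. Group grants
    are resolved against current membership, so leaving the group revokes the role
    (40.5.2), and a logged-in user always keeps Authenticated-User (40.5.4)."""
    if user is None:
        return {"Public-User"}
    roles = {"Authenticated-User"}
    for kind, name, role in grants:
        direct_hit = kind == "user" and name == user
        via_group = kind == "group" and user in groups.get(name, set())
        if direct_hit or via_group:
            roles.add(role)
    return roles


def effective_permissions(user: str | None, groups=GROUPS, grants=GRANTS, direct=DIRECT) -> set[str]:
    perms: set[str] = set()
    for role in effective_roles(user, groups, grants):
        perms |= role_permissions(role, direct)
    return all_permissions(direct) if MANAGE_ALL in perms else perms


def public_exposure_findings(direct: dict[str, set[str]] = DIRECT) -> list[str]:
    """Constructed least-privilege check, not a WebCenter Portal feature. Anything on
    Public-User reaches anonymous visitors and, through inheritance, every other role,
    so flag permissions beyond View there and administrative permissions on either
    built-in role."""
    findings: list[str] = []
    for perm in sorted(role_permissions("Public-User", direct) - {VIEW}):
        findings.append(f"Public-User holds '{perm}': anonymous access, inherited by every role")
    for role in ("Public-User", "Authenticated-User"):
        for perm in sorted(role_permissions(role, direct) & ADMIN_PERMISSIONS):
            findings.append(f"{role} holds administrative permission '{perm}'")
    return findings


if __name__ == "__main__":
    print("mlee:", sorted(effective_roles("mlee")))
    moved = {"sales": {"jsmith", "adoe", "mlee"}, "finance": set()}  # mlee leaves finance
    print("mlee after leaving finance:", sorted(effective_roles("mlee", moved)))
    weak = {**DIRECT, "Public-User": {VIEW, "Portal Server: Manage Configuration"}}
    for finding in public_exposure_findings(weak):
        print("FINDING:", finding)
```

Running the script shows mlee holding Finance only while a member of the finance group, and the audit flagging a misconfigured Public-User three times: once for the extra permission itself, and once for each built-in role that ends up holding an administrative permission through inheritance. The same model can be fed the roles and grants exported from a real deployment to review the policy before changes are saved.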

40.6.3.3 Granting Permissions to the Portal Creator

The Portal Creator role is intended for logged-in users whose specific task is to create portals.

Out-of-the-box, this role has minimal privileges, through the following permissions: Portal Server: View and Portals: Create Portals. After a user with this role creates a portal, that user holds the permissions of the Portal Manager role within the portal they created.

40.6.4 Deleting Application Roles

When an application role is no longer required, it is recommended that you remove it. This helps maintain a valid and manageable role list, and prevents inappropriate role assignments.

Application roles can be deleted even when users are still assigned to them; those users revert to the default Authenticated-User role. Because the default roles cannot be deleted, every WebCenter Portal user always holds at least the Authenticated-User role.

Note:

The default application roles of Administrator, Public-User, and Authenticated-User cannot be deleted (the Application Specialist and Portal Creator roles can be deleted). See Default Application Roles.

To delete an application role:

  1. On the Settings page (see Accessing the Settings Pages in WebCenter Portal Administration), click Security.

    You can also enter the following URL in your browser to navigate directly to the Security page:

    http://host:port/webcenter/portal/admin/settings/security
    

    See Also:

    WebCenter Portal Pretty URLs in Building Portals with Oracle WebCenter Portal.

  2. Click the Roles (Figure 40-6) tab.

    The page opens, showing the Administrator role and its associated permissions, by default.

  3. From the Role drop-down, select the role you want to delete (Figure 40-7).

    Note:

    The default application roles of Administrator, Public-User, and Authenticated-User cannot be deleted (the Application Specialist and Portal Creator roles can be deleted).

    The permissions associated with the selected role in WebCenter Portal display in the table.

  4. Click Delete next to the role you want to delete (Figure 40-9).

    Figure 40-9 Deleting an Application Role

  5. Click Delete to confirm that you want to delete the role.

    The role is removed from the table. Any users that were assigned to this role assume the default Authenticated-User role.