ACLs are used on both your management and your delivery systems. However, the main focus of the following topics is user management on the management system. For more information about user management on your delivery system, see The WebCenter Sites Development Process in Developing with Oracle WebCenter Sites.
You can control access to the WebCenter Sites system or database tables by assigning ACLs to users, database tables, and WebCenter Sites pages. To manage access to sites and their components you use roles. If you would like to enable interface functions or hide them, you can assign roles to users and interface functions on a site.
If a user's ACLs match the database ACLs, the user has permission (defined by the ACLs) to operate on the database tables. ACLs therefore serve as the foundation of the security and user management model. Without ACLs user accounts cannot be created.
If the user's roles match the roles that are assigned to the interface functions, the functions are enabled for the user. Otherwise, the functions are hidden.
Before you can establish users you must determine ACLs and roles for the users. If the ACLs and roles do not exist, you must create them in WebCenter Sites, even if you intend to use LDAP plug-ins to create the user accounts.
Access Control Lists (ACLS), are named sets of database operation permissions such as read, write, create, and retrieve. Because just about everything in WebCenter Sites (and the WebCenter Sites content applications) is represented as one or more rows in one or more database tables, user management on any of your WebCenter Sites systems starts with ACLs.
With ACLs, you can limit access to the following items:
Individual database tables
Individual WebCenter Sites pages
Oracle WebCenter Sites and the WebCenter Sites content applications control a user's access rights to the database tables that represent those functions through ACLs. WebCenter Sites verifies that the users attempting the function have the same ACL assigned to their user accounts as are assigned to the database table.
For example, user account information is contained in the system tables named SystemUsers and SystemUserAttrs. Because certain ACLs are assigned to those system tables, only a user with the same ACLs assigned to his or her user account is able to create users or edit existing user information.
ACLs serve as the foundation of the security and user management model in your WebCenter Sites system by providing authorization functionality. Even if you are using an external user manager like LDAP to store user information, you must use WebCenter Sites ACLs.
A user must always have at least the Browser ACL to view WebCenter Sites pages. However, additional ACL restrictions are enforced only when the
cc.security property in the
wcs_properties.json file (categorized under Core) is set to
true. For more information about the
cc.security property, see Core Properties in Property Files Reference for Oracle WebCenter Sites. Also see Setting Up External Security.
ACLs are assigned to three things: user accounts, database tables, and page entries in the SiteCatalog table (that is, WebCenter Sites pages).
User management on your delivery system is also based on ACLs. If your online site is designed to require visitors to register or log in before they can access areas of the site, you create the ACLs that are required on the delivery system and then assign them to the appropriate database tables.
Typically your site designers take care of assigning ACLs to WebCenter Sites pages. Managing Users on the Management System in Developing with Oracle WebCenter Sites discusses how to design a user management process on the delivery system and provides code samples for pages that log visitors in to the site and verify their identities.
Every user must be assigned at least one ACL and the ACLs assigned to a user define that user's access to the WebCenter Sites system.
While users have one user account and one set of ACLs, no matter how many sites they have access to, they can have one set of roles for one site and a different set of roles for another site. Therefore, users must be assigned all the ACLs necessary to provide them the permissions that they must fulfill all of their site-specific roles.
For example, if you create a role that allows a user with the role the ability to create template assets, the user assigned that role must also be assigned the ElementEditor ACL, because creating templates writes data to the
Oracle WebCenter Sites and the WebCenter Sites content applications use several system ACLs to control user access to their features and functions. Different combinations of these ACLs must be assigned to users. Information about system ACLs and their permissions are given in System Defaults.
To restrict access to the data in a table, assign an ACL to it through the WebCenter Sites Database forms available through the Admin node (under the General Admin tree). Then, only those users with the same ACL have access to the data in that table.
If you assign multiple ACLs to a table, a user only requires one of those ACLs to access the table. The user's access rights to that table (read, write, create, and so on) are the ones defined by the ACL.
All of the WebCenter Sites system tables (and several of the WebCenter Sites content applications tables) have ACL restrictions. The SystemInfo table lists all the tables in the WebCenter Sites database and the ACLs assigned to them. See Assigning ACLs to Custom Tables.
Do not add ACLs to database tables through the Oracle WebCenter Sites Explorer application. Instead, use the Sites Database option in the System Tools node of the Admin node.
With one exception—to register a foreign table in the WebCenter Sites database—never attempt to change the information in the
SystemInfo table even if your user account has the ACL that allows you to do so. See Foreign Tables in Developing with Oracle WebCenter Sites.
The SiteCatalog table holds page entries for all the pages shown for the WebCenter Sites content applications and the pages shown for your online site (that is, the site that you are delivering from the delivery system). To restrict access to a page, assign an ACL to it.
Typically, site developers determine how page restrictions should be configured on the delivery system. If you are customizing the user interface on the management system, however, you might have to use ACLs to restrict access to your custom pages.
A newly installed WebCenter Sites system contains only system ACLs. No additional ACLs have been created for any of the sample sites that are packaged with WebCenter Sites.
Because WebCenter Sites provides a comprehensive set of ACLs, it is unlikely that you will have to create your own. However, situations can arise where user management requirements on the management or delivery systems require you to create ACLs. For example:
If your site requires user registration, you may have to create a set of ACLs for site visitors.
If your developers create functions and put them on new tabs to customize the management system, you might have to create additional ACLs (or roles) to support the new functions and tabs.
Although creating and applying ACLs is an administrative task, you must first work with your site designers and developers to determine which ACLs you require and how to apply them.
When using an LDAP integration option, be aware of system response to user and site management operations. For information about system response, see Users, Sites, and Roles in LDAP‐Integrated Sites Systems.
When creating ACLs, consider the roles you are using to ensure that the ACLs are commensurate with the roles. For example, if you are creating a role that allows a user to create template assets, the user who is assigned that role must also be assigned the
ElementEditor ACL, because creating templates writes data to the ElementCatalog table.
To create a new ACL:
The ACLs form opens.
The Add ACL form opens.
Figure 6-1 Add ACL Form
WebCenter Sites creates the ACL and writes it to the SystemACL table. The new ACL opens in the drop-down list in the form described in step 1 of this procedure.
Note:For a new ACL that is created in LDAP, in order to use it in Sites user interface, add an entry for the newly created ACL in SystemACL table.
Never modify any of the system ACLs. For a list of these ACLs, see System ACLs and Their Permissions.
To edit a custom ACL:
The ACLs form opens.
If the ACL you selected is a system ACL, an alert opens. Do not modify system ACLs.
WebCenter Sites writes your changes to the
Never delete a system ACL. For a list of these ACLs.
To delete a custom ACL:
The ACLs form opens.
A warning message opens.
The ACL has been deleted.
If you or the site designers create tables, you might have to restrict access to those tables by assigning ACLs to them. Typically, you assign ACLs to new tables when you create those tables. (See Controlling User Access in Developing with Oracle WebCenter Sites.)
Do not assign additional ACLs (beyond the ones assigned by default) to system or core product tables.
To assign ACLs to an existing table:
The Sites Database form opens.
Leave the field blank. WebCenter Sites will return a list of all tables in the database.
Enter a partial name, ending with the wildcard character (%). WebCenter Sites will return a list of tables named similarly to your criteria.
The Modify Catalog form opens.
Do not change the value of the File Storage Directory field. For information about this field, look up the
defdir property in Indirect Data Storage with the WebCenter Sites URL Field in Developing with Oracle WebCenter Sites.
ACLs are nearly always set using the Oracle WebCenter Sites Explorer tool. However, administrators can assign ACLs to the page entry created for SiteEntry or template assets through a field in the Create or Edit form.
To assign ACLs to a SiteEntry asset:
Find and open the SiteEntry asset to modify.
In the Access Control Lists field, select the ACLs to assign to this asset.
Save the asset.
The Access Control Lists field is available when creating a new SiteEntry asset as well. Assign ACLs when creating SiteEntry assets in the same way.
To assign ACLs to a template asset:
The Access Control Lists field is available when creating a new template asset as well. Assign ACLs when creating template assets in the same way.
To assign ACLs to pages that are not associated with a SiteEntry asset or a template asset, use the Oracle WebCenter Sites Explorer tool.
Roles manage site-specific access to WebCenter Sites interface functions. They represent a job description or the title of individuals with similar functions: for example, content provider, editor, site designer, and administrator. Each WebCenter Sites user has one user definition (account) no matter how many sites have been created; however, the user's roles can vary by site.
When you enable a user for a site, you enable that user within the context of the jobs that user does for that site.
The roles assigned to a user for a site determine the following:
Which assets the user can create on that site.
Which assets the user can search for on that site.
Which tabs are opened in the tree when the user logs in to the site.
Whether the user is eligible for participation in any workflow processes, and, if so, for which steps in those workflow processes.
Which functions a user can or cannot perform on an asset while it is moving through a workflow process.
Whether the user can administer a workflow process or create or modify a workflow group on that site.
Understanding System Roles
Several system roles are installed by WebCenter Sites. One role is required for the WebCenter Sites content applications to function, and three are required for the WebCenter Sites administrators to function. See System Roles.
Understanding Custom Roles
Unlike ACLs, roles are objects that you will most likely have to create to account for the full range of users' responsibilities on your sites. To create roles, follow instructions in the section, Working with Roles.
Understanding Sample Roles
If you installed one or more sample sites, you will have access to several sample roles that are included with the sites. The roles permit the sample site users to access different tree tabs. You can use the sample roles as examples of how you can configure access control on your sites.
You can create, edit and delete roles assigned to the users of a site to manage access to the site and its components.
The following topics show you how to create, edit, and delete roles.
If you are using LDAP, be aware of system responses to user and site management operations. For more information about system responses, see Users, Sites, and Roles in LDAP‐Integrated Sites Systems.
To create a new role:
The Add New Role form opens.
The following characters are not permitted in the Name field: single quote ('), double quote ("), semicolon (;), colon (:), less-than sign (<), and greater-than sign (>). Additionally, the Name field cannot end with a backslash (\).
Note:If you want to see/use a new role that is created in LDAP in Sites user interface, for example, workflow related operations or assign roles to tree tabs, add an entry for the newly created role in CCRoles table.
Although you cannot change the name of a role after you have created it, you can edit the description of the role.
To edit the description of a role:
A list of all roles opens in the main window.
Do not delete any of the system default roles:
AdvancedUser, WebCenter Sites User.
To delete a role:
A list of all roles opens in the main window.
A confirmation message opens.
The role is deleted.