Understand Site Security

You can apply security to control who can see the published (online) site, who can see and interact with secure content on the site, and who can see and edit the unpublished (offline) site.

Site Security

When you publish a site and make it available online, you'll want to control who can access the site. Depending on how your system and site administrators configured your environment, you can make the site publicly available to anyone, restrict the site to registered users, or restrict the site to specific users.

You must be the site owner or have the manager role to change site security or any other settings. To change the sign-in requirement, the site must be offline. To change the specified users or user roles, however, the site can be online. When you take a site offline, the site and its folders and files are removed from the hosting location in Oracle Cloud.

The security options available may be limited by the template policy if site governance is enabled or by the tenant policy if site governance is disabled. See Understand Site Governance.

When you secure a site, you specify which groups of users can access your published (online) site based on an assigned role. These roles are service-wide roles assigned by an administrator of the service instance.

  • Cloud Users: Authenticated users sign in to the service instance with a user name and password. This includes all authenticated users with or without the Visitors role or the Users role.

  • Visitors: Only users with this role can access the site. For example, this role might be given to users who can see published sites, but don’t have access to folders and files in this instance of Oracle Content Management.

    Note:

    This doesn’t include users with the Users role unless they’re the site owner or the site was explicitly shared with them.
  • Service Users: Only users with this role have access to the site. For example, this role might be given to users who can both see published sites and have access to folders and files in this instance of Oracle Content Management.

  • Specific Users: Only the users you add as members of the site can see the published site.

Site Sharing

With site sharing, you specify individual users who can access your unpublished (offline) site and allow them to view, modify, or manage the site based on the permission you give them. You can share a site if you’re the site owner or if the site was shared with you and you were given the Manager role.

Note:

Any sharing role you assign to a user augments their security role. For example, if a user has the Visitors role, but you share the site and give them a contributor role, they can modify the offline site while others with the Visitors role can only view the online site.
  • Viewer: Viewers can see sites in the site listing and view the properties of each site, but not change them. They can also opt to remove themselves as a member.

    Note:

    If governance is enabled and a viewer has the CECSitesAdministrator role, then the viewer can also delete the site.
  • Downloader: Downloaders can view the site in the editor, but can’t change anything. Downloaders can also copy and export a site.

  • Contributor: Same as downloader, and can also edit the site, delete site pages, and delete the site if it’s offline.

  • Manager: Same as contributor, and can also add users and assign their roles, publish changes to an online site, and switch the site online and offline. The creator of a site (the owner) is automatically assigned the manager role.

When you create a site, a channel is created with that site name. To share the channel with others, you must share the site and give the person at least the contributor role so that they can use the channel for publishing assets. To publish a site, a user must have the Manager role.

Component Sharing

Some components provide access to shared resources such as folders, files, or conversations. Component sharing considers both site security (who can view the published site) and resource sharing (who can view and work with folders, files, and conversations).

For example, when you add a documents manager component to your site, all visitors to the site can see the content of the folder, and based on their role and any other permissions, they may be able to add, modify, or delete what’s in the folder.

General considerations:
  • A site author can’t grant access to a folder that’s greater than the access they themselves have. For example, if the author has downloader access to a folder, they can’t give contributor rights to site visitors.

  • The privileges set in the component can augment the visitor’s privileges. For example, if the visitor has viewer privileges (or no privileges) for a folder, the documents manager component can grant greater privileges based on the role selected in the component. These enhanced privileges are valid only in the component itself.

  • If a site visitor has privileges that are greater than those specified for the component, their individual privileges override those set on the component.

  • Privileges granted on a folder apply to the folders and files nested in that folder.
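
The considerations above can be modelled as a small permission resolver, which is useful when reviewing what a component actually exposes to visitors. This is an added example, not Oracle Content Management code or API: the role ordering follows the sharing roles listed on this page, and the function names, folder paths, user names, and the rule that the highest grant along a folder path wins are assumptions made for illustration.

```python
from enum import IntEnum
from typing import Optional


class Role(IntEnum):
    # Ordered as the page lists the roles; NONE models "no privileges".
    NONE = 0
    VIEWER = 1
    DOWNLOADER = 2
    CONTRIBUTOR = 3
    MANAGER = 4


def folder_role(grants: dict, user: str, path: str) -> Role:
    """Role a user holds on `path`, counting grants on parent folders
    (assumption: the highest grant along the path wins)."""
    parts = path.strip("/").split("/")
    best = Role.NONE
    for i in range(1, len(parts) + 1):
        prefix = "/" + "/".join(parts[:i])
        best = max(best, grants.get(prefix, {}).get(user, Role.NONE))
    return best


def configure_component(grants: dict, author: str, path: str, requested: Role) -> Role:
    """Reject a component role greater than the author's own access."""
    own = folder_role(grants, author, path)
    if requested > own:
        raise PermissionError(
            f"{author} holds {own.name} on {path}; cannot grant {requested.name}")
    return requested


def effective_role(grants: dict, visitor: str, path: str,
                   component_role: Optional[Role]) -> Role:
    """Inside a component the higher of the component role and the visitor's
    own role applies; outside it (component_role=None) only their own role."""
    own = folder_role(grants, visitor, path)
    return own if component_role is None else max(own, component_role)


# Constructed sample data: folder path -> {user: role}
GRANTS = {
    "/marketing": {"author": Role.DOWNLOADER, "dana": Role.CONTRIBUTOR},
    "/marketing/press": {"erin": Role.VIEWER},
}
```

Running every component on a site through a check like this shows where a component role raises visitors above what they hold on the folder itself.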

For public sites:
  • Conversation components are supported on secure sites only.

  • Documents manager components give all visitors downloader privileges for the associated folder by default. You can change the role within the guidelines listed above, and you can restrict the options presented to the user with settings on the component itself.

  • Folder list and file list components grant all users downloader access. Users can view and download files regardless of their role.

Secure Sites URL

When you bring a site online, a fully rendered HTML version of the site is created and copied to the hosting location in Oracle Cloud. An online site shows its URL below the site name.

The format of the default URL for unsecured sites is:

https://service_name.identity_domain.sites.oraclecloud.com/site_name

The format of the default URL for secured sites is:

https://service_name.identity_domain.sites.oraclecloud.com/authsite/site_name

Note the addition of authsite in the URL.