17 Managing User Types, Logins, and Aliases

This chapter describes Oracle WebCenter Content user login types, user logins, user information fields, and aliases, and explains how to manage the logins and aliases. By default, Oracle WebCenter Content user login type, login, and alias information is integrated with Oracle WebLogic Server user information; it can also be integrated with OPSS and other sources of user information according to customer configuration.


17.1 Introduction to User Login Types

Content Server software supports the following user login types:

17.1.1 External Users

The default user type supported in Oracle WebCenter Content 11g and 12c releases is external users. External users are defined outside the WebCenter Content system and authenticated by external security using the Oracle WebLogic Server Administration Console and Oracle Platform Security Services (OPSS). Once authenticated, external users can access the Content Server instance through Oracle WebLogic Server. Generally, external users are users in a trusted domain to whom you grant access, but do not manage through the WebCenter Content system. Their passwords are owned by the Oracle WebLogic Server domain, the network domain, or another provider such as Oracle Internet Directory, although the User Admin applet can be used to set a user password when converting an external user to a local user. Unlike local users, undefined external users are not assigned the guest role.

The first time users log in to the Content Server instance through Oracle WebLogic Server they are added to the Content Server database, and administrators can view external user information through the Repository Manager. However, external users are not automatically included in user lists, such as the Author field on a content Check In page. If an Override check box is selected on a user's User Profile page, any user information defined in the Content Server database overrides the user information derived from the external user base.

The User Admin applet only shows users after they have logged in at least one time to the Content Server instance. All users from the Oracle WebLogic Server user store or another user store outside the Content Server instance are shown as external users.

By default, external security integrations map a limited set of user information (user name, password, roles, accounts, and some additional information such as email address) from the external user base to the Content Server instance. If you are using LDAP integration, then additional user information, such as email address or user locale, can be mapped from the embedded LDAP server with the Oracle WebLogic Server Administration Console and integrated with Oracle Platform Security Services.

Note:

When an OPSS policy store is used, Oracle WebCenter Content roles represent application roles (not enterprise roles). Oracle WebCenter Content honors only application role to security group grants. It ignores any grants created from user role or enterprise role to security group. Do not create grants from user or enterprise roles to security groups.

The following is a list of common characteristics of external users:

  • Login (authentication) is defined by: User ID and password are stored in a user database external to the WebCenter Content system, such as:

    • Trusted domain (such as Oracle WebLogic Server)

    • Lightweight Directory Access Protocol (LDAP)

    • Other database

  • Access (authorization) is determined by: Credentials (for example, roles) from a trusted domain or other user database (such as the Oracle WebLogic Server user store, Oracle Internet Directory, or another LDAP provider) and WebCenter Content.

  • User login: Oracle WebLogic Server and the Content Server instance must be running for users to log in.

  • User password: User passwords are defined on Oracle WebLogic Server or another user database (such as an LDAP server) by the administrator. Users cannot change their passwords on the Content Server instance.

  • Interface issues: User names do not appear in the content check-in lists. However, users can participate in workflows.

Note:

The ^ (caret) is a special character in WebCenter Content and must not be used in a user name, group name, or rule name. The WebCenter Content StringUtils class uses the ^ character for string encoding and decoding, so a name containing it is not parsed as intended.

Follow this process to set up roles, groups, and accounts for external users:

  1. Set up security groups. See Adding a Security Group on Content Server.

  2. Establish roles. See Creating a Role in Content Server.

  3. Arrange permissions. See Adding and Editing Permissions in Content Server.

  4. (Optional) Use accounts. See Enabling Accounts in Content Server.

See Create users in Oracle WebLogic Server Administration Console Online Help.

17.1.2 Local Users

Local users are defined by an administrator within the Content Server instance. Administrators assign these users one or more roles, which provide the user with access to security groups.

Caution:

Local users are not supported on the Oracle WebLogic Server domain. Although Content Server administrators can create and configure local users with the User Admin applet, for local users to be authenticated for access to the Content Server instance, the users and passwords also must be created with the Oracle WebLogic Server Administration Console. The default user type supported in 11g and 12c releases is external users.

The following is a list of common characteristics of local users:

  • Logins (authentication) are created by: Administrator in the Content Server.

  • Access (authorization) is determined by: Content Server roles, which provide access to security groups.

  • User login: Local users cannot log in to the Content Server Admin Server because the Admin Server requires logging in through Oracle WebLogic Server.

  • User password: Users can change their passwords.

  • Interface issues: User names appear in the content check-in lists. Users can change their own full name, email address, and user type.

  • Considerations: Previously recommended for deployments of 1000 or fewer users; now recommended only when a system administrator requires them, for example for troubleshooting Content Server. For performance reasons, do not configure more than 1000 local users.

Note:

The ^ (caret) is a special character in WebCenter Content and must not be used in a user name, group name, or rule name. The WebCenter Content StringUtils class uses the ^ character for string encoding and decoding, so a name containing it is not parsed as intended.

Follow this process to set up local users:

  1. Set up security groups. See Adding a Security Group on Content Server.

  2. Establish roles. See Creating a Role in Content Server.

  3. Arrange permissions. See Adding and Editing Permissions in Content Server.

  4. Assign user logins. See Adding a User Login.

  5. (Optional) Use accounts. See Enabling Accounts in Content Server.

17.2 Introduction to User Logins and Aliases

User logins are the names associated with the people who access Content Server. In 11g and 12c releases, by default user logins must be created on the Oracle WebLogic Server domain that hosts WebCenter Content and the Content Server instance. Authentication and credentials are handled by default with the Oracle WebLogic Server user store and associated security software instead of by the Content Server. See Understanding Identities, Policies, Credentials, Keys, Certificates, and Audit in Securing Applications with Oracle Platform Security Services.

Note:

Instructions for using the Oracle WebLogic Server Administration Console apply to users and groups in the Oracle WebLogic Authentication provider only. If you customize the default security configuration to use a custom Authentication provider, use the administration tools supplied by that security provider to create a user. If you are upgrading to the Oracle WebLogic Server Authentication provider, you can load existing users and groups into its database. See Migrating Security Data in Administering Security for Oracle WebLogic Server.

Caution:

Although user logins still can be created and managed on the Content Server with the User Admin applet, they are not valid for authentication purposes unless they also have been created with the Oracle WebLogic Server Administration Console.

If you use an LDAP server and create a user login with the same name as a local user defined in the Content Server with the User Admin applet, the LDAP user is authenticated against LDAP when logging in, but receives the roles assigned to the local user. Because this lets a directory-managed identity inherit privileges that were granted locally, avoid local user names that could also exist in the directory, and periodically check the Content Server user list for such collisions.
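The collision described above is easy to introduce and hard to notice, because the directory user logs in normally and simply ends up with more roles than the directory says. The following is an added audit script, not part of the Oracle documentation or of the WebCenter Content product. The local user list with its role assignments and the directory user list are constructed sample data; in a real deployment they would be exported from the Content Server Users table (User Admin or Repository Manager) and from the directory. The "case-variant" severity goes beyond the page's exact-match case: Content Server logins are case-sensitive, but whether a directory treats `JSmith` and `jsmith` as the same login depends on that directory, so the script reports those matches for manual review rather than asserting they collide.

```python
"""Audit Content Server local user names against directory (LDAP) user names.

Added example, not Oracle documentation or product code. It models the case
the chapter describes: a local user created with the User Admin applet whose
name matches a directory login causes the directory user to authenticate
against LDAP but receive the local user's roles. LOCAL_USERS and
DIRECTORY_USERS below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Finding:
    local_name: str
    directory_name: str
    inherited_roles: Tuple[str, ...]
    severity: str  # "collision" (exact match) or "case-variant" (differs only in case)


# Constructed: local users defined in Content Server, with the roles assigned to them.
LOCAL_USERS: Dict[str, List[str]] = {
    "sysadmin": ["admin", "sysmanager"],
    "svc_indexer": ["contributor"],
    "JSmith": ["contributor", "finance_approver"],
    "helpdesk": ["guest"],
}

# Constructed: logins that exist in the external directory.
DIRECTORY_USERS: List[str] = ["jsmith", "helpdesk", "mjones", "sysadmin"]


def find_collisions(local_users: Dict[str, List[str]],
                    directory_users: Iterable[str]) -> List[Finding]:
    """Return every local user whose name also exists in the directory.

    An exact match is the case the chapter describes ("collision"). A match that
    differs only in case is reported as "case-variant": Content Server logins are
    case-sensitive, but how the directory compares login names is deployment
    specific (an assumption to verify there), so it is flagged for review.
    """
    by_lower: Dict[str, List[str]] = {}
    for name in directory_users:
        by_lower.setdefault(name.lower(), []).append(name)

    findings: List[Finding] = []
    for local_name, roles in local_users.items():
        for dir_name in by_lower.get(local_name.lower(), []):
            severity = "collision" if dir_name == local_name else "case-variant"
            findings.append(Finding(local_name, dir_name, tuple(roles), severity))
    return findings


def privileged_collisions(findings: List[Finding],
                          privileged_roles: Iterable[str] = ("admin", "sysmanager")) -> List[Finding]:
    """Subset of findings where the roles the directory user would inherit include a privileged role."""
    privileged = set(privileged_roles)
    return [f for f in findings if privileged & set(f.inherited_roles)]


if __name__ == "__main__":
    for f in find_collisions(LOCAL_USERS, DIRECTORY_USERS):
        print(f"{f.severity:12} local={f.local_name!r} directory={f.directory_name!r} "
              f"roles inherited on login: {', '.join(f.inherited_roles)}")
```

Run it against the real exports after any change to local users or to the directory; an exact-match finding whose inherited roles include admin or sysmanager is the one to resolve first, either by deleting the local user (see Deleting a User Login) or by renaming it.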

The Oracle WebLogic Server administrator assigns one or more groups to each user. A group provides the user access to files within the security groups. Undefined users are assigned to the guest group, which allows viewing of documents only in the Public security group by default.

You can also create a group of users that can be then referenced by a single name, or alias, in workflows, subscriptions, and projects. For example, it is much easier to add an alias called Support to a workflow than it is to add user1, user2, user3, and so on.

Note:

If a workflow is assigned to an alias, the users within the alias can approve or reject the content only as long as they belong to the alias. For example, a workflow is created and assigned for review through an alias comprising Users 1 and 2. If User 1 is removed from the alias, this user can no longer approve or reject the content. Similarly, if User 3 is added to the alias, this user can approve or reject the content.

If you log in to multiple browser windows on the same computer using different login methods (such as standard login, Microsoft login, or self-registered login), the Content Server cannot reliably determine which user is logged in to each window. Remember to close any open browser windows while testing different login methods.

Important:

User logins are case sensitive.

17.3 Managing Logins and Aliases

By default, user logins must be created and managed with the Oracle WebLogic Server Administration Console. For information and instructions on creating and managing user logins, see Create users in Oracle WebLogic Server Administration Console Online Help. If you customize the default security configuration to use another Authentication provider, such as Oracle Internet Directory, use the administration tools supplied by that security provider to create and manage user logins.

If you need to set up a user (other than the Content Server administrator) to work with a standalone Content Server utility such as System Properties, you can use the User Admin applet in Content Server to create a local user. However, a user created with the User Admin applet cannot be authenticated for any other functions than standalone Content Server utilities, unless the user is also created with the Oracle WebLogic Server Administration Console.

The remainder of this section discusses the tasks involved in managing only Content Server user logins for standalone utilities.

17.3.1 Adding a User Login

Beginning from 11g Release 1 (11.1.1), external user logins must be added using the Oracle WebLogic Server Administration Console. Although user logins can be managed in Content Server for special purposes, they are not valid for authentication to the Content Server until they have been created with the Oracle WebLogic Server Administration Console. See Create users in Oracle WebLogic Server Administration Console Online Help.

Note:

The ^ (caret) is a special character in WebCenter Content and must not be used in a user name, group name, or rule name. The WebCenter Content StringUtils class uses the ^ character for string encoding and decoding, so a name containing it is not parsed as intended.

To add a user login only for use with Content Server standalone utilities:

  1. From the User Admin: Users tab, click Add.
  2. Set the Authorization Type from the menu. For more information, see Introduction to User Login Types.
  3. Click OK.
  4. In the Add/Edit User window, enter information about the user.
    • If you enter a password, you must reenter the same password in the Confirm Password field.

    • Keep in mind that the user name and password are case-sensitive.

  5. Assign roles to the user.
  6. If accounts are enabled, assign accounts to the user.
  7. Click OK.

17.3.2 Editing a User Login

Beginning from 11g Release 1 (11.1.1), external user logins must be edited using the Oracle WebLogic Server Administration Console. Although user logins can be managed in the Content Server for special purposes, they are not valid for authentication to Content Server until they have been created with the Oracle WebLogic Server Administration Console. See Modify users in Oracle WebLogic Server Administration Console Online Help.

To edit a user login only for use with Content Server standalone utilities:

  1. From the Users tab of the User Admin window, double-click the user name, or select the user name and click Edit.
  2. In the Add/Edit User window or Add/Edit User: Info tab (Global User), edit the user login as necessary.

If you change the user locale for a user who has the sysmanager role, you must restart the Admin Server service for the Admin Server interface to appear in the user's locale language.

17.3.3 Deleting a User Login

Beginning from 11g Release 1 (11.1.1), external user logins must be deleted using the Oracle WebLogic Server Administration Console. Although user logins can be managed in Content Server for special purposes, they are not valid for authentication to Content Server until they have been created with the Oracle WebLogic Server Administration Console. See Delete users in Oracle WebLogic Server Administration Console Online Help.

To delete a user login only for use with Content Server standalone utilities:

  1. In the Users tab of the User Admin window, select the user name.
  2. Click Delete.
  3. Click Yes.

If you delete a user who is involved in a workflow, you are prompted to confirm the deletion. You must adjust the workflow and remove the user from the list of workflow reviewers.

17.3.4 Creating an Alias

Beginning from 11g Release 1 (11.1.1), external user logins must be managed using the Oracle WebLogic Server Administration Console. Although user logins can be managed in Content Server for special purposes, they are not valid for authentication to Content Server until they have been created with the Oracle WebLogic Server Administration Console.

To define an alias only for use with Content Server standalone utilities:

  1. Display the User Admin window Aliases tab.
  2. Click Add.
  3. In the Alias Name field on the Add New Alias/Edit Alias window, enter a name that identifies the group of users.
  4. In the Description field, enter a detailed description of the alias.
  5. Click Add.
  6. In the Select Users window, select the user names from the list.
    • To narrow the list of users on the Select Users page, select Use Filter, click Define Filter, select the filter criteria, and click OK.

    • To select a range of users, click one user login, then hold down the Shift key while clicking another user login.

    • To select users individually, hold down the Ctrl key while clicking each user login.

  7. Click OK.
  8. Close the User Admin page.

17.3.5 Editing an Alias

Beginning from 11g Release 1 (11.1.1), external user logins must be managed with the Oracle WebLogic Server Administration Console. Although user logins can be managed in Content Server for special purposes, they are not valid for authentication to Content Server until they have been created with the Oracle WebLogic Server Administration Console.

To edit an alias only for use with Content Server standalone utilities:

  1. Display the User Admin: Aliases tab window.
  2. Highlight an alias and click Edit.
  3. Alter the information as needed on the Add New Alias/Edit Alias window.
  4. In the Description field, enter a detailed description of the alias.
  5. Click OK.
  6. Close the User Admin page.

17.3.6 Deleting an Alias

Beginning from 11g Release 1 (11.1.1), external user logins must be managed with the Oracle WebLogic Server Administration Console. Although user logins can be managed in Content Server for special purposes, they are not valid for authentication to Content Server until they have been created with the Oracle WebLogic Server Administration Console.

To delete an alias only for use with Content Server standalone utilities:

  1. Display the User Admin: Aliases tab.
  2. Highlight the alias to be deleted and click Delete.

    A page appears, asking you to confirm the deletion. Click Yes to delete the entry or No to retain it.

  3. Close the User Admin page.

17.4 User Information Fields

User information defines the unique attributes of a user, such as full name, password, and email address. User information fields describe a user in the same way that metadata fields describe a content item. User information is stored in the Content Server database, and can be used to sort users, display user information on Content Server web pages, or customize the display of web pages based on user attributes.

The following user information fields are predefined in the system. These fields cannot be deleted, and the field name and type cannot be changed.

Name          Type        Caption          Is Option List
dFullName     Long Text   Full Name        False
dEmail        Long Text   E-mail Address   False
dUserType     Text        User Type        True
dUserLocale   Text        User Locale      True


17.4.1 Adding a New User Information Field

To add a new user information field:

  1. In the User Admin: Information Fields tab, click Add.
  2. Enter a new field name in the Add Metadata Field Name window. Duplicate names are not allowed. Maximum field length is 29 characters. The following are not acceptable: spaces, tabs, line feeds, carriage returns, and the characters ; ^ ? : @ & + " # % < * ~ |
  3. Click OK.
  4. In the Edit Metadata field window, configure the properties for the field, and click OK.
  5. Click Update Database Design.
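The Add Metadata Field Name window enforces the field-name rules above, and the notes earlier in this chapter state the rule against ^ in user, group, and rule names. When logins and fields are provisioned by script rather than through the applets, the same checks are worth running before anything is submitted. The following is an added example, not part of the Oracle documentation or of the WebCenter Content product, that encodes both sets of rules: the caret restriction for user, group, and rule names, and the length, whitespace, forbidden-character and duplicate-name rules for user information fields. Rejecting an empty name is this example's own assumption; the page states no rule about empty names.

```python
"""Validate names before creating them in Content Server.

Added example, not Oracle documentation or product code. It encodes two rules
from this chapter: ^ (caret) must not appear in a user name, group name, or
rule name (StringUtils uses it for string encoding and decoding); and a user
information field name must be unique, at most 29 characters, with no
whitespace and none of ; ^ ? : @ & + " # % < * ~ |.
Rejecting an empty name is an assumption of this example, not a page rule.
"""
from typing import Iterable, List

FIELD_NAME_MAX_LEN = 29
FIELD_NAME_FORBIDDEN = set(';^?:@&+"#%<*~|')
WHITESPACE = {" ", "\t", "\n", "\r"}

# The predefined user information fields listed in the chapter; they cannot be
# deleted or renamed, so a new field must not reuse these names.
PREDEFINED_FIELDS = ("dFullName", "dEmail", "dUserType", "dUserLocale")


def validate_login_name(name: str) -> List[str]:
    """Return the problems with a user, group, or rule name (empty list if acceptable)."""
    problems: List[str] = []
    if not name:
        problems.append("name is empty")  # assumption, see module docstring
    if "^" in name:
        problems.append("contains '^', which StringUtils reserves for encoding and decoding")
    return problems


def validate_info_field_name(name: str, existing: Iterable[str] = PREDEFINED_FIELDS) -> List[str]:
    """Return the problems with a new user information field name (empty list if acceptable)."""
    problems: List[str] = []
    if not name:
        problems.append("name is empty")  # assumption, see module docstring
    if len(name) > FIELD_NAME_MAX_LEN:
        problems.append(f"longer than {FIELD_NAME_MAX_LEN} characters ({len(name)})")
    if name in set(existing):
        problems.append("duplicate of an existing field name")
    whitespace = sorted({repr(c) for c in name if c in WHITESPACE})
    if whitespace:
        problems.append("contains whitespace: " + ", ".join(whitespace))
    forbidden = sorted({c for c in name if c in FIELD_NAME_FORBIDDEN})
    if forbidden:
        problems.append("contains forbidden characters: " + " ".join(forbidden))
    return problems


if __name__ == "__main__":
    # Constructed sample names to show what each validator rejects.
    for login in ("jsmith", "ops^team"):
        print(f"login {login!r}: {validate_login_name(login) or 'OK'}")
    for field in ("xDepartment", "dEmail", "xCost Center", "xBadge@Number", "x" * 30):
        print(f"field {field!r}: {validate_info_field_name(field) or 'OK'}")
```

Both functions return a list of reasons rather than a boolean so that a provisioning script can log every violation for a name at once instead of stopping at the first one.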

17.4.2 Editing an Option List

To edit the option list of a user information field:

  1. In the Edit Metadata Field window, select Enable Option List.
  2. Click Edit.
  3. Add, edit, or delete option values on the Option List window.
    • Each value must appear on a separate line.

    • A blank line will result in a blank value in the option list.

  4. To sort the list, select sort options and click Sort Now.
  5. Click OK.

17.4.3 Editing a User Information Field

To edit a user information field:

  1. Double-click the field, or select the field and click Edit.
  2. In the Edit Metadata Field window, change the field properties as needed, for example the caption or the option list values.
  3. Click OK.