8 Creating and Authorizing Users

You can create a user in the WEM Admin interface and authorize that user to manage a site and the applications available on that site.

8.1 Creating Users

You can create general administrators, site administrators, and contributors as users of a site.

Note:

Only general administrators can create users. See Authorizing a Predefined User.

To create the user:

  1. Log in to the WEM Admin interface using the general administrator credentials that you used during the WebCenter Sites installation process.

  2. In the Admin menu bar, click Users.

    The Users form opens.

  3. In the Users form, click Add User.

    The Add User form opens.

    Fill in the following fields:

    • Image Preview: (Optional) Use the Browse button to associate a picture with the new user.

    • Name: Enter a name with which the user logs in.

    • Email: (Optional) Enter a valid, unique email address.

    • Locale: (Optional) Select the user language preference. If you do not specify a preference, the WEM Framework uses the default locale that is set for the browser.

    • Time Zone: (Optional) Select the user time zone preference from the menu. If you do not specify a time zone preference, the system automatically detects the time zone of the user from the browser.

    • ACLs: ACLs regulate user access to the database tables. All users require Browser, ElementReader, PageReader, UserReader, and xceleditor. General and site administrators also require xceladmin. General administrators further require TableEditor and UserEditor (and VisitorAdmin, if they use Oracle WebCenter Sites: Engage).

    • Groups: Groups provide access to REST. You use groups to control access to application resources.

      • If you are creating a regular user, skip this step for now. You will assign the user to a group (or groups) in step 4, as part of the authorization process (Authorizing Users to Work with Applications).

      • If you are creating a general administrator, assign the user to the RestAdmin group (a default group, configured in the WebCenter Sites Admin interface). This group has unrestricted permissions to REST resources.

      • If you are creating a site administrator, assign the user to the SiteAdmin_AdminSite group (a default group, configured in the WebCenter Sites Admin interface).

        Note:

        Security configurations for groups are available in the WebCenter Sites Admin interface. See Viewing REST Security Configurations.

    • New Password: Enter a password that is at least 6 characters long.

    • Confirm Password: Re-type the password you just entered.

  4. Click Save and Close.

    At this point the user can log in, but a message indicates that the user does not have access to any sites.

To enable the user as an administrator or regular user:

  1. Assign the user to a site:

    1. From the Users form, hold the cursor over the user, select Manage User, and click Assign to Sites.

      • If you are creating a general administrator, assign the user to AdminSite.

      • If you are creating a site administrator or regular user, assign the user to a site other than AdminSite.

    2. Assign roles to the user on the site:

      • If you are creating a general administrator, assign the GeneralAdmin role, which grants the user access to the system.

        The WEM Admin application is now available to the user on AdminSite.

      • If you are creating a site administrator, assign the SiteAdmin role.

        A user who is assigned the SiteAdmin role on a site other than AdminSite is implicitly assigned to AdminSite and has access to the WEM Admin application on AdminSite. In the WEM Admin application, the user can access only the Sites form, which lists only the sites in which the user is assigned the SiteAdmin role.

      • If you are creating a regular user, assign the user roles that are not GeneralAdmin or SiteAdmin.

        The user now has access to the site (listed in the menu), but if the user's roles do not authorize access to any applications on that site, no application icons are displayed below the menu.

  2. To authorize a user to work with applications, see the next topic on authorizing users to work with applications.
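
The ACL, group, and role tiers listed above can be checked mechanically during an access review. The following is an added example, not Oracle code: the record layout, user names, and the site name NewsSite are constructed, and ACLs the chapter does not name are ignored.

```python
# Added example (not Oracle code): audit user records against the ACL and group
# tiers listed in this chapter. Record layout and user/site names are constructed.
BASE = {"Browser", "ElementReader", "PageReader", "UserReader", "xceleditor"}
REQUIRED = {
    "regular": BASE,
    "site": BASE | {"xceladmin"},
    "general": BASE | {"xceladmin", "TableEditor", "UserEditor"},
}
OPTIONAL = {"general": {"VisitorAdmin"}}        # only needed when Engage is used
ELEVATED = (REQUIRED["general"] | {"VisitorAdmin"}) - BASE
TIER_GROUP = {"general": "RestAdmin", "site": "SiteAdmin_AdminSite"}
RANK = {"regular": 0, "site": 1, "general": 2}

def tier(user):
    """Derive the tier from site roles, following the role-assignment steps."""
    roles = user["site_roles"]
    if "GeneralAdmin" in roles.get("AdminSite", set()):
        return "general"
    if any("SiteAdmin" in r for site, r in roles.items() if site != "AdminSite"):
        return "site"
    return "regular"

def audit(user):
    """Return (tier, findings); ACLs the chapter does not name are ignored."""
    t, acls, groups = tier(user), set(user["acls"]), set(user["groups"])
    findings = [f"missing ACL {a}" for a in sorted(REQUIRED[t] - acls)]
    allowed = REQUIRED[t] | OPTIONAL.get(t, set())
    findings += [f"excess ACL {a}" for a in sorted((acls & ELEVATED) - allowed)]
    for owner_tier, group in sorted(TIER_GROUP.items()):
        if group in groups and RANK[owner_tier] > RANK[t]:
            findings.append(f"{group} group on {t} user")
        elif owner_tier == t and group not in groups:
            findings.append(f"missing group {group}")
    return t, findings

USERS = [  # constructed sample records
    {"name": "gadmin", "acls": REQUIRED["general"], "groups": {"RestAdmin"},
     "site_roles": {"AdminSite": {"GeneralAdmin"}}},
    {"name": "editor1", "acls": BASE | {"xceladmin"}, "groups": {"RestAdmin"},
     "site_roles": {"NewsSite": {"SitesUser"}}},
    {"name": "sadmin", "acls": BASE, "groups": set(),
     "site_roles": {"NewsSite": {"SiteAdmin"}}},
]

if __name__ == "__main__":
    for u in USERS:
        print(u["name"], *audit(u))
```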

8.2 Authorizing Users to Work with Applications

You can authorize users to work with applications, such as the Oracle WebCenter Sites: Contributor interface. After authorizing users, assign roles to them based on the application they need to access.

To authorize a user:

  1. Select or create a site.

  2. Assign an application to the site.

  3. Assign a user to the same site and couple the user to the application.

  4. Assign the user to a group to give permission to the REST application resources.

    Note:

    Both general and site administrators can authorize users.

    If you must have access to an application on a given site, authorize yourself to access the application on the site.

In the steps below, you can select multiple applications and multiple users. For simplicity, instructions specify a single application and user.

In this procedure, we assume that the user you want to authorize works with applications that do not specify a predefined user. See Authorizing a Predefined User.

To authorize a user:

  1. Select or create the site:

    From the WEM Admin interface, click Sites on the Admin menu bar.

    The WEM Admin Sites Form opens.

    If you are a general administrator you can select a site or add a site (click Add Site). If you are a site administrator you can select a site. The Sites form lists only the sites you are allowed to manage.

  2. Assign an application to the site:

    1. In the Sites form, hold the cursor over the site name and click Manage Site Apps.

    2. Click Assign Apps.

      The Select Apps For Site form is shown.

      Note:

      The Assign Apps button is dimmed if no applications are registered with the WEM Framework.

      Figure 8-2 Select Apps for Site Form

    3. Select the application you want to assign to the site and move it to the Selected list.

      To search for an application, type its name in the Filter List field. The results appear in the Available list.

    4. Click Continue to assign roles to the application.

    5. In the Assign Roles to Apps form, select roles for the application and move them to the Selected list.

      Note:

      If the application is the Admin interface, assign it the AdvancedUser role. If the application is the Contributor interface, assign it the SitesUser role.

      Take note of the roles you assign. You must assign at least one of those roles to the user on the site to grant the user access to the application.

    6. Click Save and Close.

  3. Assign a user to the site:

    1. In the Admin menu bar, click Sites.

    2. Hold the cursor over the new site name and click Manage Site Users.

    3. Click Assign Users.

      The Select Users for Site dialog opens.

      Figure 8-3 Assign Users Form

    4. In the Select Users for Site form, select the user you want to assign to the site and move the user to the Selected list.

    5. Click Continue to assign roles to the user.

    6. Couple the user to the application (application-level authorization):

      In the Assign Roles to Users form, assign the user at least one role that you assigned to the application in step 2, substep 5.

      Note:

      For all applications: Sharing a role to a user and an application on a site grants the user access to the application on that site. If the application is the Admin interface, you must assign the user the AdvancedUser role. If the application is the Contributor interface, you must assign the user the SitesUser role.

      For applications other than WebCenter Sites: If the application has role-protected interface functions (such as Edit), configure access to each function by assigning the user at least one function role (specifications are available from application developers). The user is then fully authorized at the application level. However, the user cannot work with the application resources until you authorize the user at the REST level. Click Save and Close and continue to step 5.

      For WebCenter Sites applications and users: WebCenter Sites has role-protected interface functions. The roles of users configured directly in WebCenter Sites are preserved in the WEM Framework. They are listed in the WEM Admin interface, site by site. For example, to grant a user permission to publish assets from the Contributor interface, you must assign the user the Publisher role in addition to the SitesUser role (see Authorizing Users to Publish Assets from the Contributor Interface). Also, the application REST service authorizes WebCenter Sites users at the REST level (eliminating step 4 for administrators). Click Save and Close and skip to step 5.

  4. Authorize the user at the REST level:

    This step grants the user permissions to operate on resources that are used by the application (selected in step 2).

    Note:

    As noted above, skip this step if you are authorizing dedicated WebCenter Sites users to access the WebCenter Sites applications from the WEM Framework. Continue to step 5.

    1. In the Admin menu bar, click Users.

    2. In the Users form, hold the cursor over the user you want to authorize and click Edit.

    3. In the Edit User form, select groups for the user. Each group is configured with specific permissions to operate on specific objects (such as asset types and assets), which map to REST resources used by the application. To determine the permissions of the listed REST groups, or to create groups and configure their privileges, see Authorizing Users to Access Application Resources.

    4. Click Save and Close.

  5. Verify the user can access the new application.

    The login dialog lists the new site (in the Site menu) and shows the application icon below the menu.

    The new site is also listed in the menu next to the name of the logged-in user, and the application icon opens in the upper left-hand corner.

  6. As a reminder, if you have not yet authorized the user with permissions to REST, complete the steps in Using REST Security.

8.3 Authorizing a Predefined User

Site developers can specify predefined users in their applications to simplify administration of the authorization processes. Instead of authorizing each user individually at the REST level, you authorize the predefined user. When these predefined users log in to the sites, they can readily access the applications.

If an application is configured with a predefined user, complete the following steps in the WEM Admin application to make a predefined user available and authorized.

  1. Create the predefined user. Have the following information ready:
    • Login name: This name must exactly match the predefined user's name, as specified in the application.

    • Password: The password must exactly match the predefined user's password, as specified in the application.

    • ACLs: ACLs regulate access to the database tables. You must assign the predefined user the ACLs of the logged-in users who will access the application. All users require Browser, ElementReader, PageReader, UserReader, and xceleditor. General and site administrators also require xceladmin. General administrators further require TableEditor and UserEditor (and VisitorAdmin, if they use Engage).

    • Group assignment: Groups authorize the user at the REST level (to manage application resources). You must assign the predefined user to a group with the security privileges that you would otherwise grant to the application users. For information about configuring REST security, see Using REST Security.

    For instructions on creating the user, see Creating Users.

  2. Assign the predefined user to the application. For instructions, see Authorizing Users to Work with Applications.
  3. Assign users to the application (using the procedure in Authorizing Users to Work with Applications), but skip their assignment to groups (step 4).
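
The two authorization layers described above (a shared role on the site for application access, group membership for REST access) combine with predefined users in a way that is easy to misjudge during a review. The following added example, which is not Oracle code, resolves both layers for applications other than WebCenter Sites and reports where a logged-in user receives groups through a predefined user. All site, application, user, and group names except RestAdmin are constructed.

```python
# Added example (not Oracle code): resolve who can open which application and
# which REST groups apply. Names below are constructed sample data.
SITE_APPS = {"NewsSite": {"ReviewsApp": {"Reviewer"}, "StatsApp": {"Analyst"}}}
PREDEFINED = {"StatsApp": "stats_svc"}          # application -> predefined user
USERS = {
    "alice":     {"site_roles": {"NewsSite": {"Reviewer", "Analyst"}}, "groups": set()},
    "bob":       {"site_roles": {"NewsSite": {"Reviewer"}}, "groups": {"ReviewEditors"}},
    "carol":     {"site_roles": {"NewsSite": {"Designer"}}, "groups": {"ReviewEditors"}},
    "stats_svc": {"site_roles": {"NewsSite": {"Analyst"}}, "groups": {"RestAdmin"}},
}

def shares_role(user, site, app):
    """Application level: user and application share a role on the site."""
    return bool(USERS[user]["site_roles"].get(site, set()) & SITE_APPS[site][app])

def effective_groups(user, app):
    """REST level: a predefined user's groups are passed to the logged-in user."""
    owner = PREDEFINED.get(app, user)
    return owner, set(USERS[owner]["groups"])

def review():
    """Return (user, site, app, note) for every user who can open an application."""
    rows = []
    for site, apps in SITE_APPS.items():
        for app in sorted(apps):
            for user in sorted(USERS):
                if not shares_role(user, site, app):
                    continue
                owner, groups = effective_groups(user, app)
                if not groups:
                    note = "no REST group: cannot work with application resources"
                elif owner != user and not groups <= USERS[user]["groups"]:
                    note = f"inherits {sorted(groups)} via predefined user {owner}"
                else:
                    note = "ok"
                rows.append((user, site, app, note))
    return rows

if __name__ == "__main__":
    for row in review():
        print(*row, sep=" | ")
```

In the sample data the predefined user holds RestAdmin, so every user coupled to StatsApp operates with unrestricted REST permissions; the chapter's guidance is to give the predefined user only the privileges you would otherwise grant to the application users.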

8.4 Authorizing Developers to Register Applications

If you want to display assets through REST services on the Apps page in the WEM Admin interface, register them or create them as assets. After registering the assets for a site, you can authorize users to work with the applications.

Typically, developers register the applications they create programmatically. If developers register applications manually, they must use the WebCenter Sites Admin interface to create assets of type FW_Application and FW_View. The asset types are enabled on AdminSite. (See Registering Applications Manually in WEM Framework in Developing with Oracle WebCenter Sites.)

To authorize a developer, make sure the developer is a general administrator (that is, has complete permissions to the system, including REST services). For instructions on creating a general administrator, see Creating Users.

8.5 Asking Your Developers About Available Applications

If you want to manage applications and users, gather information from your developers about the applications they have created for the WEM Framework.

  • Resources: ask your developers about the resources that custom-built applications use; once you know which asset types, assets, and other resources users work with, you can determine which privileges (such as create, update) the users must have for those resources and assign the users to groups that have those privileges. Information about configuring groups and assigning users is available in Using REST Security.

  • Roles: ask your developers if interface functions, such as Edit, are role-protected. In WEM, roles are used to manage access to applications. Sharing a role to a user and an application on the same site grants the user access to the application on that site. Roles can also be used in application code to protect interface functions, such as Edit. When an application specifies role-protected functions, application users must share at least one role with each interface function. To ensure proper authorization, see Authorizing Users to Work with Applications.

  • Users: ask your developers if predefined users are configured in the applications. If an application specifies a predefined user, you must authorize the predefined user at the REST level, instead of authorizing all application users individually. Security privileges granted to the predefined user by membership in groups are passed to logged-in users when they access the application. See Authorizing a Predefined User.