5 Replies Latest reply: Jan 23, 2013 6:32 AM by jiri.machotka

Need info regarding Oracle UCM Accounts and Security Groups behaviour

841626 Newbie
Need information regarding Oracle UCM Accounts and Security Groups behaviour.

Oracle UCM version: 11.1.1.5.0

Steps:
1. Logged in as the "weblogic" user and created a content item with id "content1"
2. Applied "@acc1(R)" and "TestGroup1" to the content created in step 1
3. Log out
4. Log in as "acc1user1", the user is not able to see the "content1"
5. Log out
6. Log in as "role1user1", the user is not able to see the "content1"

Account and Group information:
1. User "acc1user1" is part of "@acc1(R)"
2. User "role1user1" is part of "role1(R)" and is mapped to "TestGroup1" in UCM

Expected:
Both "acc1user1" and "role1user1" should be able to see "content1" as they have at least Read permission.

Please help me understand why the users are not able to see the content.
  • 1. Re: Need info regarding Oracle UCM Accounts and Security Groups behaviour
    jiri.machotka Guru
    See the chapter 5.5.1.1 in the manual: http://docs.oracle.com/cd/E23943_01/doc.1111/e10792/c05_security.htm#BGBGIJDJ

    If both accounts and roles are used, the result is an intersection, not a union.
  • 2. Re: Need info regarding Oracle UCM Accounts and Security Groups behaviour
    841626 Newbie
    Hi Jiri,

    Thanks for quick reply.

    But what I was trying to achieve is something like what is explained below:
    1. I have a few groups in OID which will be mapped to roles in UCM
    2. Those roles will finally be added to a group with the corresponding permissions
    3. The groups will be added to content items
    NOTE: We have not used accounts

    Up to this point everything works fine.
    But after doing all this we still have some users (who are not part of the roles mentioned above) to whom we have to give read permission on the same content.
    NOTE: Those users cannot be added to the above roles as well.

    Kindly suggest some way to achieve this in UCM.

    Thanks in advance

    Edited by: 838623 on 23-Jan-2013 05:39
  • 3. Re: Need info regarding Oracle UCM Accounts and Security Groups behaviour
    jiri.machotka Guru
    If you have content assigned to a security group, which is not public, and you want a user to have access to it, you have to create a role that has Read permission to the security group. This is the basic security requirement and there is no way to by-pass it.

    If you have some roles that you don't want to assign to some users, and yet you need those users to access content authorized by these roles, then the only option is to create another role (or roles) that has Read permission too and assign it to your users.
  • 4. Re: Need info regarding Oracle UCM Accounts and Security Groups behaviour
    841626 Newbie
    Hi Jiri,

    The first part will remain the same for all the content items, which means the same predefined group will be applied to all of them.

    FIRST PART
    =======
    But what I was trying to achieve is something like what is explained below:
    1. I have a few groups in OID which will be mapped to roles in UCM
    2. Those roles will finally be added to a group with the corresponding permissions
    3. The groups will be added to content items
    NOTE: We have not used accounts

    But in the second part the number of sets of users is huge (approximately 600). Also, the number may increase in future.
    So creating roles will not be a good option.

    Can I achieve this using ACLs, particularly using the "Role Access List"? Because I have all the required groups in OID.
    All I would have to do is create the same roles in "ExternalRolesView" and give the respective permission on the content items.


    Edited by: 838623 on 23-Jan-2013 06:18

    Edited by: 838623 on 23-Jan-2013 06:19
  • 5. Re: Need info regarding Oracle UCM Accounts and Security Groups behaviour
    jiri.machotka Guru
    ACLs, like Accounts, are an optional security setting which may add some extra functionality on top of the mandatory security groups. Likewise, the resulting permission is taken as the intersection of SG and ACLs.
    But in the second part the number of set of users is huge (approx say 600)
    I don't completely get this. Does this mean that those "sets of users" (users who see the same data) are distinct and that there are 600 such groups?

    If you read the manual I sent earlier thoroughly, there is a recommendation that there should be a maximum of 50 security groups, and that you should use accounts should this number be exceeded. This means you could have all the documents in one security group (and have one common role with Read permission), but combine it with accounts. ACLs are not a good choice here: their performance and manageability are much worse than those of accounts. ACLs are primarily used if you expect security settings to change during the lifetime of an item (e.g. a project manager temporarily adds rights to access an item for another user, and revokes them when the user finishes his or her work).

    Note that accounts as well as permissions of users within accounts can also be mapped externally (from LDAP/AD) and it usually follows some kind of org chart.

    I'd feel more comfortable not to speak about users, security groups, roles, etc., but about some real-life objects and scenarios.
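The intersection rule that both of jiri.machotka's replies (reply 1 on accounts, reply 5 on ACLs) rest on is easy to see once it is written down. The following is an added worked example, not code from the thread or from Oracle: a deliberately simplified model of UCM permission resolution. It assumes that permission levels are cumulative (A implies D, W and R), that the security-group layer is the union of what the user's roles grant, and that an account or an ACL on the item is intersected with that layer (hierarchical account prefixes are not modelled). The users, roles and ACL entries beyond those named in the original post ("bothuser", "reader", "alice", "bob", "Docs") are constructed for illustration.

```python
"""Simplified model of Oracle UCM permission resolution (added example, not Oracle's code).

Assumptions, not facts from the thread:
  * permission levels are cumulative: A > D > W > R, each implying the lower ones;
  * the security-group layer is the union of what the user's roles grant on that group;
  * an account and/or an ACL on the item is intersected with the security-group layer,
    so an extra layer can only narrow permissions, never widen them;
  * hierarchical account prefixes are not modelled.
"""
from typing import Dict, Optional, Set

LEVELS = {"R": 1, "W": 2, "D": 3, "A": 4}


def level_set(level: Optional[str]) -> Set[str]:
    """Expand one level into the cumulative set of permissions it grants."""
    if level is None:
        return set()
    return {p for p, rank in LEVELS.items() if rank <= LEVELS[level]}


class UcmModel:
    def __init__(self) -> None:
        self.role_perms: Dict[str, Dict[str, str]] = {}     # role -> {security group: level}
        self.user_roles: Dict[str, Set[str]] = {}           # user -> roles
        self.user_accounts: Dict[str, Dict[str, str]] = {}  # user -> {account: level}

    def grant_role(self, role: str, sg: str, level: str) -> None:
        self.role_perms.setdefault(role, {})[sg] = level

    def assign_role(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def assign_account(self, user: str, account: str, level: str) -> None:
        self.user_accounts.setdefault(user, {})[account] = level

    def effective(self, user: str, sg: str, account: Optional[str] = None,
                  acl: Optional[Dict[str, str]] = None) -> Set[str]:
        """Permissions `user` ends up with on an item in security group `sg`,
        optionally restricted by an account and/or an ACL (principal -> level)."""
        # Layer 1: the security group is reachable only through roles (union across roles).
        perms: Set[str] = set()
        for role in self.user_roles.get(user, set()):
            perms |= level_set(self.role_perms.get(role, {}).get(sg))
        # Layer 2: account, intersected; no grant on the account removes everything.
        if account is not None:
            perms &= level_set(self.user_accounts.get(user, {}).get(account))
        # Layer 3: ACL whose principals may be users or roles; again intersected.
        if acl is not None:
            acl_perms = level_set(acl.get(user))
            for role in self.user_roles.get(user, set()):
                acl_perms |= level_set(acl.get(role))
            perms &= acl_perms
        return perms

    def can_read(self, user: str, sg: str, account: Optional[str] = None,
                 acl: Optional[Dict[str, str]] = None) -> bool:
        return "R" in self.effective(user, sg, account, acl)


def thread_scenario() -> Dict[str, bool]:
    """Reproduce the opening post: content1 in TestGroup1, tagged with account acc1."""
    m = UcmModel()
    m.grant_role("role1", "TestGroup1", "R")
    m.assign_role("role1user1", "role1")
    m.assign_account("acc1user1", "acc1", "R")
    # constructed third user holding both grants, to show what does work
    m.assign_role("bothuser", "role1")
    m.assign_account("bothuser", "acc1", "R")
    return {
        "acc1user1": m.can_read("acc1user1", "TestGroup1", account="acc1"),
        "role1user1": m.can_read("role1user1", "TestGroup1", account="acc1"),
        "bothuser": m.can_read("bothuser", "TestGroup1", account="acc1"),
        # same item without an account: the security group alone decides
        "role1user1_no_account": m.can_read("role1user1", "TestGroup1"),
    }


def acl_scenario() -> Dict[str, bool]:
    """Reply 5: an ACL is intersected too, so it narrows but never widens."""
    m = UcmModel()
    m.grant_role("reader", "Docs", "R")
    m.assign_role("alice", "reader")
    m.assign_role("bob", "reader")
    acl = {"alice": "W"}  # constructed ACL: alice listed with W, bob absent
    return {
        "alice": m.can_read("alice", "Docs", acl=acl),
        "bob": m.can_read("bob", "Docs", acl=acl),
        # W in the ACL does not exceed the R the security group allows
        "alice_write": "W" in m.effective("alice", "Docs", acl=acl),
    }


if __name__ == "__main__":
    print(thread_scenario())
    print(acl_scenario())
```

In the model, acc1user1 and role1user1 each satisfy only one layer and so end with the empty set, which is exactly the symptom in the opening post; the constructed user holding both the role and the account reads the item, and a role-only user reads it as soon as the account is dropped. The ACL case shows the same arithmetic from reply 5: listing alice with W in the ACL cannot grant more than the R her role gives on the security group, and bob, absent from the ACL, loses access entirely.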
