5 Replies Latest reply: Jan 25, 2013 6:44 AM by Jiri.Machotka-Oracle

    UCM security modeling

    987110
      Hi,

      The use case is like this

      OID
      ---
      1. I have different groups in OID say Group1, Group2,...... 1000+ groups
      2. I have other groups (apart from the 1 mentioned above) as well in OID say OtherGroup1, OtherGroup2,...... 1000+ groups

      Please NOTE: The users present in Group1, Group2,.... and OtherGroup1, OtherGroup2,.... are completely different users.

      Also, all the groups mentioned above are already present and I cannot modify the existing groups, as they are used for some other purposes as well.
      I can just use the existing groups.

      In my WebCenter application I create an object, say "Sales".

      And I want to create a folder in UCM by the same name, called "Sales", and the contents inside this "Sales" folder should have the security as mentioned below:
      1. "Content1"
           - "Group1" should have R, "Group2" should have RW, "Group3" should have RWD
           - "OtherGroup1" should have R, "OtherGroup2" should have RW, "OtherGroup3" should have RWD (This group might remain same for all contents)
           
      2. "Content2"
           - "Group4" should have RWD, "Group5" should have RW, "Group6" should have R
           - "OtherGroup1" should have R, "OtherGroup2" should have RW, "OtherGroup3" should have RWD (This group might remain same for all contents)

      and so on..

      So please suggest how can I achieve this type of security model in UCM.

      Thanks in advance.
        • 1. Re: UCM security modeling
          Jiri.Machotka-Oracle
          a) use accounts: http://docs.oracle.com/cd/E23943_01/doc.1111/e10792/c05_security.htm#BGBDIFIJ
          (for security groups, see 5.5.1.3 Performance Considerations: For performance reasons, do not use more than approximately 50 security groups if you enable accounts.)

          b) create new groups as described in http://docs.oracle.com/cd/E23943_01/doc.1111/e10792/c05_security.htm#BGBCFIEC
          (you will have groups like @Content1_R, @Content1_RW, @Content1_RWD, @Content2_R, @Content2_RW, @Content2_RWD, ...)

          c) map users from your existing groups into new ones
          (Group1, OtherGroup1 into @Content1_R, etc.)
          • 2. Re: UCM security modeling
            987110
            Hi Jiri,

            Thanks for your response.

            As you said I will create accounts like @Content1_R, @Content1_RW, @Content1_RWD, @Content2_R, @Content2_RW, @Content2_RWD, ...

            Part1: But finally which account am I supposed to add on "Content1", because each content item allows us to add only one account? If I add @Content1_R then I cannot add @Content1_RW.
            Also, will it be a good option to create a new account for every content item, because I currently have 2000+ content items?

            And also, what should be the "SecurityGroup" for "Content1", since "SecurityGroup" is mandatory for a content item check-in?

            Also, once the account is added I cannot change the permission for a particular user, so the option left to me will be to assign him to a different account which has the desired permission for the given content (that too only if I can add multiple accounts).

            I also have to think about the performance in OID, since all these groups in OID will be dynamic groups.

            Thanks in advance
            • 3. Re: UCM security modeling
              Jiri.Machotka-Oracle
              which account am I supposed to add on "Content1"
              The account will be Content1. @Content1_R is the name of a group in LDAP, which grants its members R permission to the Content1 account.
              And also, what should be the "SecurityGroup" for "Content1", since "SecurityGroup" is mandatory for a content item check-in?
              You may have to create a generic group where all users have RWD permissions - the resulting permissions are the intersection of those from the SG and the accounts.
              Also, once the account is added I cannot change the permission for a particular user, so the option left to me will be to assign him to a different account which has the desired permission for the given content (that too only if I can add multiple accounts).
              Account is a setting on a content item, and it is expected to be changed only exceptionally. What you can change, though, is the membership of users in your created groups - thus granting/revoking permissions of users to particular accounts. This can be as dynamic as you need.
              • 4. Re: UCM security modeling
                987110
                Hi Jiri,

                But if I add only the "Content1_R" account to "Content1", then how will other users (who are supposed to get RW access on the same content) get RW access, because I cannot add the "Content1_RW" account to the same content?

                Also, will it be a good option to create a new account for every content item, because I currently have 2000+ content items?

                Thanks in advance
                • 5. Re: UCM security modeling
                  Jiri.Machotka-Oracle
                  OK. Once again:
                  Your item will be assigned to an account called Content1.
                  Users who should have R permissions will be members (in LDAP) of a group called @Content1_R, which will grant them R permission to the account Content1.
                  Users who should have RW permissions will be members (in LDAP) of a group called @Content1_RW, which will grant them RW permissions to the account Content1.
                  Users who should have RWD permissions will be members (in LDAP) of a group called @Content1_RWD, which will grant them RWD permissions to the account Content1.
                  etc. (for other accounts)

                  You will have just one security group and one role granting RWD permissions to all your users.
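To make the model in replies 3 and 5 concrete, here is an added example (not code from the thread or from Oracle UCM) that resolves a user's effective permission on a content item the way the replies describe: the item carries one account, LDAP groups named @Account_Perms grant permissions on that account, and the effective permission is the intersection of the security-group permission and the account permission. The @Account_Perms naming, the "Generic" security group and the sample group memberships are assumptions constructed for the example.

```python
# Added example, not the thread's or UCM's own code. Models the permission
# resolution described in the replies: effective permission on an item =
# (permissions from its security group) INTERSECT (permissions from its account).
import re
from typing import Dict, Iterable, Set

PERMS = "RWDA"  # UCM permission letters: Read, Write, Delete, Admin (in this order)

# Constructed sample security groups. "Generic" is the single SG whose one role
# grants RWD to everyone, as the last reply recommends; "ReadOnly" is added only
# to show that a restrictive SG caps what an account can grant.
SECURITY_GROUP_PERMS: Dict[str, Set[str]] = {
    "Generic": set("RWD"),
    "ReadOnly": set("R"),
}

# Assumed naming convention from the thread: "@<Account>_<Perms>".
ACCOUNT_GROUP_RE = re.compile(r"^@(?P<account>[^_]+)_(?P<perms>[RWDA]+)$")


def account_perms_from_groups(ldap_groups: Iterable[str]) -> Dict[str, Set[str]]:
    """Derive per-account permissions from a user's LDAP group memberships.

    Groups that do not follow the @Account_Perms convention (e.g. the
    pre-existing Group1, OtherGroup1) grant nothing on accounts and are
    ignored; several matching groups for one account are unioned.
    """
    perms: Dict[str, Set[str]] = {}
    for group in ldap_groups:
        m = ACCOUNT_GROUP_RE.match(group)
        if m:
            perms.setdefault(m["account"], set()).update(m["perms"])
    return perms


def effective_permission(ldap_groups: Iterable[str], security_group: str, account: str) -> str:
    """Intersection of SG and account permissions; empty string means no access."""
    sg = SECURITY_GROUP_PERMS.get(security_group, set())
    acct = account_perms_from_groups(ldap_groups).get(account, set())
    return "".join(p for p in PERMS if p in sg and p in acct)


def mapped_groups(existing_groups: Iterable[str], mapping: Dict[str, str]) -> Set[str]:
    """Step c) of the first reply: membership in the pre-existing OID groups
    decides which @Account_Perms groups a user is placed into."""
    return {mapping[g] for g in existing_groups if g in mapping}
```

A user who is in no @Content1_* group gets no access to an item in account Content1 even though the generic security group would allow RWD, which is exactly why the replies say the account, not the security group, carries the per-item decision.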