This discussion is archived
3 Replies Latest reply: Jun 20, 2013 3:57 AM by user784874 RSS

Can we override permissions between Group Access List and User Access List?

user784874 Newbie
Currently Being Moderated
Hi,

I am doing POC using web center content. Sometimes we need to override permissions provided on Group Access List with the help of User Access List for example

I have created an alias called 'Group1' and added users like User1, User2, User3. I created a folder and added 'Group1' to Group Access List and provided RWD access to 'Group1'

I just need to give Read to access to User2 and rest of the Users should have RWD access.


1) Is this possible to override Group Access List permissions using User Access List ?


2)Do we have any permanence issue if we add more users to Users Access List?

Thanks,
Suresh K
  • 1. Re: Can we override permissions between Group Access List and User Access List?
    jiri.machotka Guru
    Currently Being Moderated
    Hi Suresh,

    ad 1) according to the documentation ( http://docs.oracle.com/cd/E28280_01/doc.1111/e26692/securityacls.htm#BEIIHJAH )

    "At least one of the following must be true for a user to be granted a particular permission:

    The user's name appears in the xClbraUserList metadata field with the appropriate permission.

    The user belongs to a group that appears in the xClbraAliasList metadata field with the appropriate permission.

    The user is part of an Enterprise role that appears in the xClbraRoleList metadata field with the appropriate permission.
    "

    meaning that OOTB a user will be granted both Read permission as per user-granted permissions and RWD as per group-granted permissions (resulting into RWD because at the same level a union operation is used).

    I'd say that conceptually, the group assignment should not be used in your use-case, because you don't want to assign permissions to group's users, do you? You could create new groups, or use assignment of permissions per user.

    ad 2) check this: http://docs.oracle.com/cd/E28280_01/doc.1111/e26692/securityacls.htm#BEIIDCGD

    Using ACLs, regardless User or Group Access Lists, always impacts the performance. And, it is difficult to maintain. From the information at the link you may understand how it is implemented - basically, the execution of the query will be affected by: a) how many items have to be evaluated b) the length of strings (xClbraUserList, xClbraAliasList) to be evaluated.
  • 2. Re: Can we override permissions between Group Access List and User Access List?
    user784874 Newbie
    Currently Being Moderated
    Thanks for giving me enough information.
  • 3. Re: Can we override permissions between Group Access List and User Access List?
    user784874 Newbie
    Currently Being Moderated

    Hi,

     

    I am looking for performance considerations for User access list like it is mentioned for content server accounts here:http://docs.oracle.com/cd/E25178_01/doc.1111/e10792/c05_security.htm#BGBGIJDJ.

     

    I understand performance depends on how many items to be evaluated and length of the string. i would like to know. do we have performance consideration documented anywhere for UAL like if we have assigned x number of user to the document/if user is assigned to y number of document then how much serach performance will be affected?

     

    Thanks,

    Suresh K

Legend

  • Correct Answers - 10 points
  • Helpful Answers - 5 points