14 Replies. Latest reply: Oct 28, 2013 9:57 PM by Anand U

Accounts Credential Mappings Vs ACL, Programmatic approach

sandeep.gundap Newbie

Hello All,


Using Accounts or ACL: I want to know which suits better. Below are my requirements:

  • I have a 4-level folder structure. Each subfolder (down to the leaf) should be secured.
  • I need to automate all these folder permissions using a GUI, and build some background process to populate the permissions.

Let's say ACL: I give Role1: Folder1, Folder2, Folder3.... I should make use of RIDC and populate Role1 in all the given folders.

Let's say Accounts: I define one account per folder and assign all these accounts to a role in the credential mapping file.

How do I achieve both through RIDC or any other means? And is ACL a performance deal-breaker in this case?


I came across this post https://forums.oracle.com/thread/2543975 which talks about programmatically accessing the credential mapping. In my case the credential mapping can run to as many lines as there are folders. In order to change a single line, do I need to retrieve the whole content and manipulate it, and then call the service to upload the new mappings?


Thoughts please?


Thanks

~

  • 1. Re: Accounts Credential Mappings Vs ACL, Programmatic approach
    Anand U Journeyer

    Hi Sandeep,

     

    If my understanding is correct, you just need a 4-level static folder structure and to assign permissions on each level. Why not have predefined Accounts on each of the folders? If this 4-level folder structure is getting created many times, then you might consider writing a custom service which will create this 4-level folder structure and assign the predefined Accounts. The Account information can come from your cfg file, which you may change at a later point in time. You could also consider having the service alter existing folder structure permissions. I am not discussing permissions on content within the folders here.

     

    - Anand

  • 2. Re: Accounts Credential Mappings Vs ACL, Programmatic approach
    sandeep.gundap Newbie

    Anand,

     

    In fact I am planning to do the same. Define accounts on each folder and map those accounts to LDAP roles using credential mappings. But I need a way to access this credential mapping programmatically to make additions/deletions/modifications. I am looking for which RIDC services I can make use of in order to achieve it.

     

    Any thoughts?

     

    Thanks

    Sandeep

  • 3. Re: Accounts Credential Mappings Vs ACL, Programmatic approach
    Srinath Menon Guru

    Hi Sandeep ,

     

    The service for credential mapping is ADD_EDIT_CREDENTIALS_MAP and the code snippet is as provided in https://forums.oracle.com/thread/2543975.

     

    Please post if you need any details on how to use this service or any questions on that part.

     

    Thanks,

    Srinath

  • 4. Re: Accounts Credential Mappings Vs ACL, Programmatic approach
    Anand U Journeyer

    Hi Sandeep,

     

    If you plan to do the folder creation and Accounts assignment programmatically, then you will not need a credential map, as you have the option to assign a dynamic account that gets created in LDAP to the folders you create. The other way around, if you plan to have the folder structure creation as a custom service, you can also do an LDAP lookup and assign the Account to folders. This way you need not have an additional set of configuration to manage.

     

    HTH

    - Anand

  • 5. Re: Accounts Credential Mappings Vs ACL, Programmatic approach
    sandeep.gundap Newbie

    Srinath,

     

    I mentioned that thread in my initial post. In that thread, it was said that in order to edit the credential mapping, we have to get the entire credential mapping first, edit it and then post the changes. My credential mapping will have hundreds of lines, so that might not be a feasible solution. I was looking at whether I have any specific services for editing credential mappings, like adding a particular entry or deleting an entry.

     

    Thanks

    Sandeep

  • 6. Re: Accounts Credential Mappings Vs ACL, Programmatic approach
    sandeep.gundap Newbie

    Thanks Anand,

     

    Let me rephrase what you are saying, to see if I'm on the same page as you are. Define Accounts and groups in the LDAP. Group - Accounts mapping will happen in the LDAP(?)

     

    We just need to map the accounts from LDAP to accounts in UCM?

     

    Do we need to create those exact accounts again in UCM?

     

    Can we create accounts in the embedded LDAP of the WebLogic server?

     

    Maybe this will simplify my solution further: I can define a generic format to map all my accounts once and not edit the credential mapping at all.

  • 7. Re: Accounts Credential Mappings Vs ACL, Programmatic approach
    Srinath Menon Guru

    Hi Sandeep ,

     

    Yes, that is a critical factor here, wherein you will need to set the mapping (which is already existing) and then add new ones. That is how the service is created and works, even when doing the changes from the WCC UI itself.

     

    Thanks,

    Srinath

  • 8. Re: Accounts Credential Mappings Vs ACL, Programmatic approach
    Anand U Journeyer

    Hi Sandeep,

     

    Define Accounts and groups in the LDAP - Yes

    Group - Accounts mapping will happen in the LDAP - By groups, do you mean Security Groups? If so, the Security Groups will be defined in UCM. Only Accounts and Roles will have to be managed in LDAP.

     

    We just need to map the accounts from LDAP to accounts in UCM - We need not map. The Account that you create in LDAP can be assigned to a content item even if it is not present in UCM as a pre-defined account. This is the advantage we have. Make sure the user is part of the Account with the right level of permission and assign it to the content. The user or users belonging to this Account will get access to the content.

     

    Do we need to create those exact accounts again in UCM - No, explained above

     

    Can we create accounts in the embedded LDAP of the WebLogic server - Yes. Check the documentation for how to represent Role and Account, as WebLogic supports Groups in general.

     

    Maybe this will simplify my solution further: I can define a generic format to map all my accounts once and not edit the credential mapping at all - This is exactly what I am trying to get at.

     

    HTH

    - Anand

  • 9. Re: Accounts Credential Mappings Vs ACL, Programmatic approach
    sandeep.gundap Newbie

    Thanks for the detailing, Anand. It makes sense now. I have a few last questions.

     

    From what I read, if your group name starts with @, it qualifies as an account. Is that right?

    How do we manage permissions on a folder through an account? For example, a single account AccountA should give admin permissions to UserA, but just Read Only permissions to UserB. How do we achieve it?

     

    Can I define, let's say, 10000 groups (Roles + Accounts) in my LDAP? Will it degrade the performance?

  • 10. Re: Accounts Credential Mappings Vs ACL, Programmatic approach
    Anand U Journeyer

    1. From what I read, if your group name starts with @, it qualifies as an account. Is that right? - Correct

    2. How do we manage permissions on a folder through an account? For example, a single account AccountA should give admin permissions to UserA, but just Read Only permissions to UserB. How do we achieve it? - Please refer to section 5.5.3 of Managing Security and User Access - 11g Release 1 (11.1.1), which gives a practical scenario on the Accounts security model.

    3. Can I define, let's say, 10000 groups (Roles + Accounts) in my LDAP? Will it degrade the performance? - This is the scenario where the Accounts-based model needs to be introduced, as having more Security Groups will cause performance degradation and should be handled using Accounts. If you are dealing with that large a number of Accounts, you need a good User Administration tool.


    HTH

    - Anand

  • 11. Re: Accounts Credential Mappings Vs ACL, Programmatic approach
    sandeep.gundap Newbie

    Thanks again Anand for your detailing.

     

    I was referring to LDAP groups, not the security groups in UCM. In my use case I need to define 1000 LDAP groups. Will there be any performance issues if I define 1000 LDAP groups?

  • 12. Re: Accounts Credential Mappings Vs ACL, Programmatic approach
    Anand U Journeyer

    There will be no performance issues if you define 1000 or more groups in LDAP. You don't have to worry about it from the WebCenter Content context. The concern is managing the 1000+ groups and managing the user-to-group mapping in LDAP. Be sure that is taken care of.

     

    - Anand

  • 13. Re: Accounts Credential Mappings Vs ACL, Programmatic approach
    sandeep.gundap Newbie

    Thanks for your time Anand.

    Here is the summary of what I have done. It's working.

     

    • Folder structure is created in UCM.
    • Configured groups in LDAP.
    • UCM accounts are defined as groups as well in LDAP.
    • Account groups are created in LDAP with the @ prefix and populated against the respective folder accounts in UCM.
    • LDAP account groups are added to groups, thus providing folder-level access to the store.
    • Groups are assigned to users to grant access.
    • Defined one credential mapping to map all accounts from LDAP to UCM.
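As an added example (not code from this thread or from Oracle), the following Python models the accounts security model the replies describe and the summary above applies: '@'-prefixed LDAP groups become UCM accounts, a user's effective permission on a folder is the lesser of what their roles grant on the folder's security group and what their account membership grants, and an account covers every sub-account beneath it. The role table, the per-account permission table and the folder values are constructed assumptions; in particular it assumes the account's permission level is looked up separately rather than encoded in the LDAP group name.

```python
# Added example: a model of the UCM accounts security model as discussed in the
# thread. '@'-prefixed LDAP groups are accounts, other groups are roles; the
# permission on a folder is min(role level, account level); accounts are
# hierarchical. All tables below are constructed sample data, not Oracle code.

LEVELS = {"": 0, "R": 1, "RW": 2, "RWD": 3, "RWDA": 4}  # ordered UCM permission levels
NAMES = {v: k for k, v in LEVELS.items()}

# Constructed role -> security group -> permission table (Anand's "cfg file").
ROLE_PERMS = {
    "guest":       {"Public": "R"},
    "contributor": {"Public": "RW", "Secure": "RW"},
    "admin":       {"Public": "RWDA", "Secure": "RWDA"},
}
# Assumption for this example: the level each '@' account group carries is kept
# in a separate table rather than encoded in the LDAP group name.
ACCOUNT_LEVEL = {
    "@projects":                "RW",
    "@projects/2013":           "RWDA",
    "@projects/2013/q4/design": "R",
}

def split_ldap_groups(groups):
    """Split a user's LDAP groups into roles and accounts (the '@' rule from post 10)."""
    roles = [g for g in groups if not g.startswith("@")]
    accounts = [g[1:] for g in groups if g.startswith("@")]
    return roles, accounts

def account_level(accounts, folder_account):
    """Highest level any of the user's accounts grants on folder_account; an
    account matches itself and every sub-account below it (hierarchical accounts)."""
    best = 0
    for acct in accounts:
        if folder_account == acct or folder_account.startswith(acct + "/"):
            best = max(best, LEVELS[ACCOUNT_LEVEL.get("@" + acct, "")])
    return best

def effective_permission(groups, folder_security_group, folder_account):
    """Effective permission on a folder = min(role level, account level)."""
    roles, accounts = split_ldap_groups(groups)
    role_level = max((LEVELS[ROLE_PERMS.get(r, {}).get(folder_security_group, "")]
                      for r in roles), default=0)
    return NAMES[min(role_level, account_level(accounts, folder_account))]

if __name__ == "__main__":
    folder = ("Secure", "projects/2013/q4/design")  # a 4th-level folder's group and account
    print(effective_permission(["admin", "@projects/2013"], *folder))                  # RWDA
    print(effective_permission(["contributor", "@projects/2013/q4/design"], *folder))  # R
    print(effective_permission(["guest", "@projects"], *folder))                       # '' = no access
```

The second and third calls show the case from post 9: one folder account gives UserA admin rights and UserB read-only rights because the account level is capped by what the user's role grants, and a user whose role has no rights on the folder's security group gets nothing even when the account matches.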
  • 14. Re: Accounts Credential Mappings Vs ACL, Programmatic approach
    Anand U Journeyer

    Thanks for the nice summary.
