Using Accounts or ACL. I want to know which suits better, below are my requirements:
Let's say ACL. I give Role1: Folder1, Folder2, Folder3.... I should make use of RIDC and populate role1 in all given folders.
Let's say Accounts. I define one account per each folder and assign all these accounts to a role in the credential mapping file.
How to achieve both through RIDC or any other means? And is ACL a performance deal breaker in this case?
I came across this post https://forums.oracle.com/thread/2543975 which talks about programmatically accessing the credential mapping. In my case the credential mapping can run into as many lines as folders. In order to change a single line, do I need to retrieve the whole content and manipulate it, and then call the service to upload new mappings?
If my understanding is correct you just need a 4-level static folder structure and assign permission on each level. Why not have predefined Accounts on each of the folders? If this 4-level folder is getting created many times then you might consider writing a custom service which will create this 4-level folder and assign predefined Accounts. The Account information can come from your cfg file which you may change at a later point in time. You could also consider having the service alter existing folder structure permissions. I am not discussing permission on content within the folders here.
In fact I am planning to do the same. Define accounts on each folder and map those accounts to LDAP roles using credential mappings. But I need a way to access this credential mapping programmatically to make additions/deletions/modifications. I am looking for what RIDC services I can make use of in order to achieve it.
Hi Sandeep,
The service for credential mapping is ADD_EDIT_CREDENTIALS_MAP and the code snippet is as provided in https://forums.oracle.com/thread/2543975.
Please post if you need any details on how to use this service or any questions on that part.
If you plan to do the Folder creation and Accounts assignment programmatically, then you will not need the credential map as you have an option to assign a dynamic account that gets created in LDAP on the folders you create. The other way around, if you plan to have the folder structure creation as a custom service you can also do an LDAP lookup and assign the Account to folders. This way you need not have an additional set of configuration to manage.
I mentioned that thread in my initial post. In that thread, it was told that in order to edit the credential mapping, we have to get the entire credential mapping first, edit it and then post the changes. My credential mapping will have hundreds of lines; that might not be a feasible solution. I was looking at whether I have any specific services for editing credential mappings. Like, add a particular entry, delete an entry.
Let me rephrase what you are saying, to see if I'm on the same page as you are. Define Accounts and groups in the LDAP. Group - Accounts mapping will happen in the LDAP(?)
We just need to map the accounts from LDAP to accounts in UCM?
Do we need to create those exact accounts again in UCM?
Can we create accounts in the embedded LDAP of the WebLogic server?
Maybe this will simplify my solution further: I can define a generic format to map all my accounts once and not edit the credential mapping at all.
Define Accounts and groups in the LDAP - Yes
Group - Accounts mapping will happen in the LDAP - By groups do you mean Security Groups, if so the Security Groups will be defined in UCM. Only Accounts and Roles will have to be managed in LDAP.
we just need to map the accounts from LDAP to accounts in UCM - We need not map. The Account that you create in LDAP can be assigned to a content item even if it is not present in UCM as a pre-defined account. This is the advantage we have. Make sure the user is part of the Account with right level of permission and assign it to the content. The user or users belonging to this Account will get access to the content.
Do we need to create those exact accounts again in UCM - No, explained above
Can we create accounts in the embedded LDAP of the WebLogic server - Yes. Check the documentation for how to represent Role and Account, as WebLogic supports Groups in general.
Maybe this will simplify my solution further, I can define a generic format to map all my accounts once and not edit the credential mapping at all - This is exactly what I am trying to get at.
Thanks for the detailing Anand. It makes sense now. I have a few last questions.
From what I read, if your group name starts with @, it qualifies as an account. Is that right?
How do we manage permissions on a folder through an account? For example, a single account AccountA should give admin permissions to UserA, but just Read Only permissions to UserB. How to achieve it?
Can I define, let's say, 10000 groups (Roles + Accounts) in my LDAP? Will it degrade the performance?
1. From what I read, if your group name starts with @, it qualifies as an account. Is that right? - Correct
2. How do we manage permissions on a folder through an account? For example, a single account AccountA should give admin permissions to UserA, but just Read Only permissions to UserB. How to achieve it? - Please refer to section 5.5.3 of Managing Security and User Access - 11g Release 1 (11.1.1), which gives a practical scenario on the Accounts security model
3. Can I define, let's say, 10000 groups (Roles + Accounts) in my LDAP? Will it degrade the performance? - This is the scenario where the Accounts-based model needs to be introduced, as having more Security Groups will cause performance degradation and should be handled using Accounts. If you are dealing with that large number of Accounts you need a good User Administration tool.
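Two points in this thread lend themselves to a small worked example: the earlier observation that editing the credential map means fetching the whole map, changing one line locally and re-posting the result, and the rule just confirmed above that a mapped group name starting with @ is an account while anything else is a role. The following is an added example and is not code from this thread or from Oracle; the `source, target[, target...]` line format with `#` comments, the group names and the targets are all constructed assumptions for illustration. The actual upload to Content Server (the ADD_EDIT_CREDENTIALS_MAP service mentioned in the thread) is deliberately left out, since its parameters are not shown here; `render()` produces the text you would hand to that call.

```python
"""Local add/delete/modify of a credential-map text before re-uploading it.

Assumed (hypothetical) line format, one mapping per line:
    <ldap group>, <role or @account>[, <role or @account> ...]
Lines starting with '#' and blank lines are preserved verbatim.
"""

# Constructed sample map; the group and target names are illustrative only.
SAMPLE_MAP = """\
# LDAP group -> Content Server roles / accounts (constructed sample)
Finance, contributor, @Finance(RWD)
FinanceRO, guest, @Finance(R)
Admins, admin
"""


def is_account(target):
    """Per the thread: a target whose name starts with '@' is an account, else a role."""
    return target.strip().startswith("@")


def split_targets(targets):
    """Separate a mapping's targets into (roles, accounts), preserving order."""
    roles = [t for t in targets if not is_account(t)]
    accounts = [t for t in targets if is_account(t)]
    return roles, accounts


class CredentialMap:
    """In-memory view of the whole map so a single entry can be changed safely."""

    def __init__(self, text):
        self.order = []      # ("comment", raw_line) or ("entry", source) in file order
        self.entries = {}    # source group -> list of targets
        for raw in text.splitlines():
            stripped = raw.strip()
            if not stripped or stripped.startswith("#"):
                self.order.append(("comment", raw))
                continue
            parts = [p.strip() for p in stripped.split(",")]
            source, targets = parts[0], [t for t in parts[1:] if t]
            if source in self.entries:
                raise ValueError(f"duplicate mapping for {source!r}")
            self.entries[source] = targets
            self.order.append(("entry", source))

    def add(self, source, targets):
        """Append a new mapping; refuse to silently overwrite an existing one."""
        if source in self.entries:
            raise KeyError(f"{source!r} already mapped; use set_targets()")
        self.entries[source] = list(targets)
        self.order.append(("entry", source))

    def set_targets(self, source, targets):
        """Replace the targets of an existing mapping in place (keeps file position)."""
        if source not in self.entries:
            raise KeyError(f"{source!r} is not mapped")
        self.entries[source] = list(targets)

    def remove(self, source):
        """Drop one mapping; everything else stays untouched."""
        if source not in self.entries:
            raise KeyError(f"{source!r} is not mapped")
        del self.entries[source]
        self.order = [item for item in self.order if item != ("entry", source)]

    def render(self):
        """Serialize back to the full text to be uploaded in one shot."""
        out = []
        for kind, value in self.order:
            if kind == "comment":
                out.append(value)
            else:
                out.append(", ".join([value] + self.entries[value]))
        return "\n".join(out) + "\n"


if __name__ == "__main__":
    cmap = CredentialMap(SAMPLE_MAP)
    cmap.add("Legal", ["contributor", "@Legal(RW)"])
    cmap.remove("Admins")
    print(cmap.render())
```

Because the service replaces the whole map, the safe pattern is exactly this: parse what the server returned, make the one change, and upload the re-rendered text. Round-tripping an untouched map through `CredentialMap(...).render()` should reproduce the original text, which is a cheap check to run before trusting the tool on a map with hundreds of lines.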
Thanks for your time Anand.
Here is the summary of what I have done. It's working.