Control UCM Services execution based on user role

Sanjeev-OFM

    Hello Experts,

     

    We are using WebCenter Content version 12.2.1.3.0.

    Is there any possibility to control the access of all UCM services based on user role?

     

    For Example:

    If a user has RW access, then he should have access only to the search, checkin and getfile services, not to any other services such as folder services, etc.

     

    Thanks

    sanjeev

      • 1. Re: Control UCM Services execution based on user role
        ManojC

        Hey Sanjeev,

         

        Can you provide more details on this use case? It looks like you are trying to block the users having only RW permission on a certain role from accessing folder related services.

         

        Regards,

        Manoj

        • 2. Re: Control UCM Services execution based on user role
          Sanjeev-OFM

          Hi Manoj,

          Thanks for your response. Yes, you are right; I have the same requirement, where I want to restrict all users from accessing the folder services if they do not have the admin role.

           

          Kindly suggest how to do that.

          • 3. Re: Control UCM Services execution based on user role
            ManojC

            Hey Sanjeev,

             

            Your requirements are more generic for blocking users from accessing framework folders. I would recommend you to come up with specific use cases related to folder operation and build solutions for that.

             

            For example, if you want only users with delete permission to be able to create folders, and RW to be able only to contribute documents, then add the following configuration in config.cfg:

            ffolderCreateRestrict=1 (Doc ID 1991242.1)

             

            Also, only users with the admin role can add a folder under the root directory (Doc ID 2277717.1).

             

            All the folder related operations cannot be controlled just by creating a global rule. The rule will take effect only during an event and, let's say, if the RW user tries to access the Browse Content page then it won't trigger. It would be better if you display the Browse Content menu only for admin.

             

            If you want to block users from accessing all folder related services then I am afraid that you might have to customize all those services to verify the user role during execution time.

             

            HTH

             

            Regards,

            Manoj

            • 4. Re: Control UCM Services execution based on user role
              Sanjeev-OFM

              Hi Manoj,

               

              Thanks a lot for this information. Actually, we don't want any non-admin user to access the FLD_BROWSE menu option, so that they cannot view the documents from the /cs/ UI, due to some security limitation.

               

              I have hidden the FLD_BROWSE menu option using a custom component, and it is not displayed for any non-admin user in the /cs/ UI. Even the search result page does not give the option to view the documents: I have hidden the docname hyperlink and Action columns from the search results.

               

              If a non-admin user somehow has the FLD_BROWSE service URL, he can view all the folders and the documents inside them, so to prevent this access we want to restrict this service for non-admin users.

              So a non-admin user cannot view any document directly from the CS UI, but can view the document from the other respective integrated applications.

               

              Kindly suggest how we can achieve it.

               

              Thanks

              Sanjeev

              • 5. Re: Control UCM Services execution based on user role
                ManojC

                It's very interesting to see that you are not allowing the users to read/view the documents inside the folder. I mean, the core use case of folders is to allow departmental users to collaborate, and the content will be classified for easy access.

                 

                If you are trying to block all users apart from admins then I would suggest you to create a custom security group and apply that to fSecurityGroup for all the folders and provide access to only admin role.

                 

                You need to be careful when you try to contribute documents under these folders because the security group value will get propagated. Also the non-admin user will be able to access the documents under the folder and under content info page the folder path will be available, so you need to hide that as well.

                 

                The other option would be to override the FLD_BROWSE service to validate the user permission using a custom component service handler. Refer to the sample component https://www.onwardpath.com/wp-content/uploads/2016/03/OnwardPath_CMU.zip

                 

                Looking at your use case, I would strongly suggest you work with the architects to make sure that the design won't impact any future requirements, since you guys have more complete knowledge and understanding of the client environment than us.

                 

                Regards,

                Manoj

                • 6. Re: Control UCM Services execution based on user role
                  Sanjeev-OFM

                  Hi Manoj,

                   

                  Thanks for your response. Actually, we don't want to publish WCC on the internet, and we want to integrate it with internet-published Siebel applications using the Siebel adapter.

                  When we integrate with the Siebel application using the Siebel adapter, the WCC window opens in a Siebel iFrame.

                  Here the user can view and get the WCC URL / frame source and open it in a new window. We have some security concerns here, so to avoid all these issues we are looking for these alternatives.

                  Kindly suggest how we can integrate intranet WCC with an internet-published Siebel application, so that we can avoid all these customizations.

                   

                  Thanks

                  Sanjeev

                  • 7. Re: Control UCM Services execution based on user role
                    Sanjeev-OFM

                    Hello Experts,

                     

                    Any updates?

                     

                    Thanks

                    • 8. Re: Control UCM Services execution based on user role
                      ManojC

                      Hey Sanjeev,

                       

                      I would suggest you create a new security group in WCC for folders and assign access to only admin users. Also, you are planning to hide the folders from non-admins, so you need to make sure the contents under these folders are classified in the same way.

                       

                      I see this as the viable option OOTB; otherwise you would have to customize the interface and folder service without disturbing the existing Siebel integration.

                       

                      Recently, in one of my projects, I came across an issue with iFrame usage. Basically, to avoid clickjacking in the application, Oracle restricted iFrame access to WCC to same origin (X-Frame-Options). I would recommend taking a look at the following articles and making sure the iFrame works fine when you invoke it from Siebel to view the documents.

                       

                      How to properly setup a Remote iFrame html page test in Webcenter Content 11.1.1.9.0 and 12c (Doc ID 2208789.1)   

                      Error Generated when Clicking on Attachments in WebCenter Content Siebel Integration (or any other application using an iFrame): "This Content Cannot Be Displayed In A Frame" (Doc ID 2086506.1)   

                       

                      HTH

                       

                      Regards,

                      Manoj
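
The iFrame restriction raised in reply 8, as an added example that is not part of the original thread or of any Oracle code: a Python model of how a browser decides from the `X-Frame-Options` and CSP `frame-ancestors` response headers whether a parent page may frame a response, usable to check headers captured from a WCC response before testing the Siebel integration. The host names are hypothetical, and the model assumes a single level of framing and one policy per CSP header.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):  # -> (scheme, host, port), default port filled in
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)

def source_matches(source, parent, page):
    """Match one frame-ancestors source expression against the parent origin."""
    src = source.lower()
    if src == "'self'":
        return parent == page
    if src == "*":
        return parent[0] in DEFAULT_PORTS          # '*' covers network schemes only
    if src.endswith(":") and "/" not in src:       # scheme-source, e.g. "https:"
        return parent[0] == src[:-1]
    scheme, _, rest = src.rpartition("://")        # host-source; 'none' matches nothing
    host, _, port = rest.split("/")[0].partition(":")
    want = scheme or page[0]                       # no scheme given: use the page's own
    if parent[0] != want and not (want == "http" and parent[0] == "https"):
        return False
    if port != "*" and (port or str(DEFAULT_PORTS.get(parent[0]))) != str(parent[2]):
        return False
    if host.startswith("*."):
        return parent[1].endswith(host[1:])        # wildcard covers subdomains only
    return host == parent[1]

def framing_allowed(headers, page_url, parent_url):
    """Return (allowed, reason); headers is a list of (name, value) pairs."""
    page, parent = origin(page_url), origin(parent_url)
    xfo, saw_frame_ancestors = None, False
    for name, value in headers:
        if name.lower() == "x-frame-options":
            xfo = value.strip().upper()
        elif name.lower() == "content-security-policy":
            for directive in value.split(";"):
                parts = directive.split()
                if parts and parts[0].lower() == "frame-ancestors":
                    saw_frame_ancestors = True
                    if not any(source_matches(s, parent, page) for s in parts[1:]):
                        return False, "blocked by CSP frame-ancestors"
    if saw_frame_ancestors:                        # frame-ancestors supersedes X-Frame-Options
        return True, "allowed by CSP frame-ancestors"
    if xfo == "DENY" or (xfo == "SAMEORIGIN" and parent != page):
        return False, "blocked by X-Frame-Options " + xfo
    return True, "no framing restriction applies"  # also the obsolete ALLOW-FROM, which browsers ignore

WCC, SIEBEL = "https://wcc.intranet.example/cs/idcplg", "https://siebel.example.com/app"  # constructed hosts
```

With only `X-Frame-Options: SAMEORIGIN` on the response, `framing_allowed` reports the cross-origin Siebel parent as blocked, while a `frame-ancestors` directive naming the Siebel origin permits that one parent and still refuses other origins.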