24 Replies Latest reply: May 20, 2012 11:46 PM by 915826

    Questions on 11g

    915826
      Hi,

      I am new to 11g and have a few questions:

      1. Is there a way to query the database through the Portal? In UCM 7.5 we had a service called GET_DB_SEARCH_PAGE, and executing it through the browser used to open a DB interface in which queries could be run.

      I am not able to run the same in 11g. On running it, it just gives a blank page and no errors.


      2. I need to implement security in 11g. I need to create roles, accounts and users. All these need to be created in UCM and WLS as well.
      Where do I create roles and accounts in WLS?
        • 1. Re: Questions on 11g
          Srinath Menon-Oracle
          Hi,

          Please find the answer for point 2:

          2. I need to implement security in 11g. I need to create roles, accounts and users. All these need to be created in UCM and WLS as well.
          Where do I create roles and accounts in WLS?

          All the users, roles and accounts need to be created on WLS or the external LDAP / AD server only.

          There is no need to duplicate these on the UCM server.

          Thanks
          Srinath
          • 2. Re: Questions on 11g
            915826
            Hi Srinath,

            Thanks for the response.

            I have options such as 'Users and Groups' at Home > Summary of Security Realms > myrealm > Users and Groups.

            Groups - do these correspond to Roles in UCM?

            Where do I create Accounts in WLS?

            Shashwat
            • 3. Re: Questions on 11g
              Srinath Menon-Oracle
              Hi Shashwat,

              1. Groups - do these correspond to Roles in UCM?

              Right, groups on WLS or the LDAP server correspond to Roles in UCM.

              2. Where do I create Accounts in WLS?

              Groups which are prefixed with @ will show up as Accounts in UCM.

              e.g. @groupname on WLS / AD.

              Thanks
              Srinath
              • 4. Re: Questions on 11g
                915826
                Hi Srinath,

                I have been reading the Oracle documentation as well, side by side. I found:
                "For Oracle WebLogic Server groups to be recognized in the Oracle Content Server system, roles with the exact same names must be created in the Oracle Content Server system and assigned to security groups. If this is not done, the Oracle WebLogic Server groups assigned to users has no impact on users' privileges on the Oracle Content Server system.

                " @ http://docs.oracle.com/cd/E21764_01/doc.1111/e10792/c03_security.htm#BGBGIJDJ - 5.4.1

                This contradicts what you suggest.

                Also, how and where can I give Read/Write/Delete/Admin permissions to a role in WLS?

                Or can they only be given in UCM?

                Regards
                Shashwat
                • 5. Re: Questions on 11g
                  ryan sullivan2
                  To add to Srinath's answers.

                  All of the details of setting up security, users, etc. are very well covered in the documentation:

                  http://docs.oracle.com/cd/E23943_01/doc.1111/e10792/c05_security.htm#CDDECAAF

                  Were you able to read through that document?

                  For searching through the portal: HowToComponents has a sample component that allows SQL queries to be run. Also, take a look at William P.'s post here about using profiles to execute native SQL:

                  http://senasystems.blogspot.com/2012/04/searching-like-native.html

                  -ryan
                  • 6. Re: Questions on 11g
                    915826
                    Hi Ryan,

                    Yes, I have gone through most of the relevant stuff, and it says that Roles/Accounts need to be created in UCM as well.

                    Whereas in the post above Sri says that they are required to be created in WLS only.

                    That's where the confusion is coming from :)

                    Regards
                    Shashwat
                    • 7. Re: Questions on 11g
                      Srinath Menon-Oracle
                      Hi,

                      "And it says that Roles/Accounts need to be created in UCM as well."

                      When you create a group on UCM and want it to be assigned to a role that is created in UCM (internally), then that part of the documentation applies.

                      For example:

                      AD / LDAP group is grp1 and is assigned to user1.

                      So when user1 logs in to UCM, it will be shown as grp1 on the profile.

                      But how do you give the relevant content access based on this grp1? In this case you can leverage the internal UCM groups by creating credential maps.

                      So for the above example, if you want to assign grp1 group users to the admin role, then the following cred map will do that:

                      grp1, admin

                      It is for these kinds of cases that you will need to create the UCM groups, so that the RWDA permission aspect can (if needed) be controlled from the UCM end.

                      Hope this clarifies the confusion that you are having.

                      Thanks
                      Srinath
                      • 8. Re: Questions on 11g
                        ryan sullivan2
                        Exactly.

                        The docs point out that they must be created in both places, but, as Srinath states, they serve different purposes in each place.
                        ------
                        roles created in UCM --> manage the authorizations for that role (i.e., which security groups it can access and at what level, e.g. RW)

                        roles created in WLS or any other certified external user store --> manage which users are assigned to that role**
                        ---------

                        ** Note: it is a UCM Role... but it's also an LDAP group. That's a bit of a confusing point that must be understood.

                        -ryan
                        • 9. Re: Questions on 11g
                          915826
                          Hi Sri/Ryan,

                          This is very confusing. I am trying to do a small POC to understand the concept.

                          What I am trying to do is:

                          I have:

                          two users - usr_ann and usr_pp (created only in WLS)
                          Security groups - Public and Secure (default UCM security groups; nothing done in WLS)
                          Roles - McA_Ann and McA_PP (created only in WLS)
                          Accounts - @Por/Ann and @Por/PP (created only in WLS)

                          I need to achieve:

                          usr_ann should have RW access on the Public security group through McA_Ann and R on Secure through McA_Ann
                          usr_pp should have RW access on the Public security group through McA_PP and R on Secure through McA_PP


                          My questions are:

                          1. How do I assign permission for a role on a security group?

                          2. Do I need to do anything in UCM in order to implement the above?

                          Regards
                          Shashwat
                          • 10. Re: Questions on 11g
                            ryan sullivan2
                            It looks like this is more of a security modeling question than an implementation question. The docs have very good examples (same link above) of using accounts and security groups. Keep in mind that Accounts are optional. If you can't fully grasp the ways that accounts work with roles, start your POC without them.


                            You really should not be making your security roles match your user names. It's not manageable.


                            Here's a snippet from the docs:

                            The below is set up in UCM:

                            5.5.3.4 Roles and Permissions Table

                            To give specific users the ability to start workflows, you would need to add Admin permission and Workflow rights to the Contributor role.

                            Role                    Public   Internal   Sensitive   Classified
                            PublicConsumer          R        -          -           -
                            PublicContributor       RWD      -          -           -
                            InternalConsumer        -        R          -           -
                            InternalContributor     -        RWD        -           -
                            SensitiveConsumer       -        -          R           -
                            SensitiveContributor    -        -          RWD         -
                            ClassifiedConsumer      -        -          -           R
                            ClassifiedContributor   -        -          -           RWD



                            The below is set up in WLS:

                            5.5.3.5 Roles and Users Table

                            Role                    David Smith   Helene Chirac   Jim McGuire   Catherine Godfrey
                            PublicConsumer          -             X               -             -
                            PublicContributor       X             -               X             X
                            InternalConsumer        -             X               -             -
                            InternalContributor     X             -               X             X
                            SensitiveConsumer       -             -               -             -
                            SensitiveContributor    X             -               X             X
                            ClassifiedConsumer      -             -               -             -
                            ClassifiedContributor   X             -               X             X

                            I would strongly suggest implementing the examples 100% as they are done in the walkthrough in the documentation. But, I'll try to solve your scenario:

                            In order to provide user1 (usr_ann) and user2 (usr_pp) the following:


                            ROLE       user1 (usr_ann)   user2 (usr_pp)
                            McA_Ann    X                 -
                            McA_PP     -                 X

                            ROLE       Public   Secure
                            McA_Ann    RW       R
                            McA_PP     RW       R

                            You'll see that the two roles are exactly the same, so they're redundant. A better role would be 'employee'; assign both users to that role.

                            Accounts are not needed to achieve your goal.


                            For your two questions:

                            1. It's step-by-step provided in the docs: http://docs.oracle.com/cd/E23943_01/doc.1111/e10792/c05_security.htm#BGBFABHE; this is 100% in UCM

                            2. Yes. As Sri and I have mentioned, the process of "assigning permission for a role on a security group" is only done in UCM.


                            I would strongly suggest that you jump into your content server instance and start plugging values into place to see what configuration options are available in each place. In order to create a good security model, you should create a spreadsheet and start defining roles. If you see that a number of roles are identical, you might want to see if you can merge them. Not always possible, but I believe it would benefit this case.

                            Does this help move ya forward at all?

                            -ryan

                            (Note that the formatting of the pasted tables isn't great. Find the actual tables in the docs at the section numbers noted.)
                            • 11. Re: Questions on 11g
                              915826
                              Hi Ryan,

                              Thanks for separating the things that need to be done in WLS and in UCM. I was not able to figure them out, and yes, it is more of a security model implementation, which I want to start with a POC.

                              I have implemented it as told by you and the model looks good :)

                              The user profiles look as follows:

                              User Name: usr_pp
                              Roles: McA_P&Policies,guest,authenticated
                              Accounts: Sportal/PPolicies,#none

                              User Name: usr_ann
                              Roles: McA_Ann,guest,authenticated
                              Accounts: Sportal/Announcement,#none

                              User Name: weblogic
                              Roles: Administrators,admin,refineryadmin,rmaadmin,pcmadmin,ermadmin,sysmanager,guest,authenticated
                              Accounts: #all,#none

                              Also, I created an extra account in WLS, and when trying to delete it the following error comes:

                              Account Name - @Sportal/P&Policies
                              Error - Messages
                              java.net.MalformedURLException
                              Errors must be corrected before proceeding.

                              An account name containing '&' cannot be created in UCM.

                              Regards
                              Shashwat
                              • 12. Re: Questions on 11g
                                ryan sullivan2
                                Nice. I'm glad you got through it!

                                Be sure to mark the helpful posts and correct post!

                                -ryan
                                • 13. Re: Questions on 11g
                                  915826
                                  Hi Ryan,

                                  One more question.

                                  If a user is not assigned an account, will he be able to see content that has that account?

                                  If NO, then how do I ensure that all users have read-only permission on all content, i.e. they should be able to view all content irrespective of any account assigned to them?

                                  Regards
                                  Shashwat
                                  • 14. Re: Questions on 11g
                                    ryan sullivan2
                                    Please, be sure to mark the individual posts as correct/helpful to be sure you continue to get answers :)

                                    Again, please, please read the security link I've provided above. It goes through how to assign a 'none' account and an 'all' account. The 'none' account is the privs allowed for content without an account assigned. The 'all' account is to assign privs regardless of the account assigned.

                                    Please let me know if this solves your issue, and don't forget to mark the correct post and as many helpful posts as you feel necessary!

                                    -ryan
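As an added example that is not part of this thread and not Oracle's code, here is a small Python model of the security resolution the replies above describe: WLS/LDAP group names map to UCM roles by name, a group prefixed with '@' maps to an account (post 3), roles carry RWDA permissions on security groups that are set on the UCM side (post 10), and accounts narrow that further, with '#none' covering content that has no account and '#all' covering every account (post 14). The role, account and security-group names reuse the thread's POC; the permission level a '@' group confers on its account (RWDA here), the automatic '#none' grant, and the min-of-both rule are assumptions made for the model, not anything the thread confirms.

```python
from dataclasses import dataclass, field

# Cumulative permission levels: Read < Write < Delete < Admin ("" = no access).
LEVELS = {"": 0, "R": 1, "RW": 2, "RWD": 3, "RWDA": 4}
NAMES = {v: k for k, v in LEVELS.items()}


def split_wls_groups(groups):
    """Split WLS/LDAP group names into (roles, accounts).

    A group name is a UCM role unless it starts with '@', in which case the
    remainder is a UCM account name (the convention described in the thread)."""
    roles, accounts = [], []
    for name in groups:
        if name.startswith("@"):
            accounts.append(name[1:])
        else:
            roles.append(name)
    return roles, accounts


def account_covers(granted, content_account):
    """Does an account granted to the user apply to the content's account?

    '#all' covers every account, '#none' covers content with no account, and
    any other account covers itself and everything below it in the
    '/'-separated hierarchy (e.g. 'Sportal' covers 'Sportal/Announcement')."""
    if granted == "#all":
        return True
    if not content_account:
        return granted == "#none"
    return content_account == granted or content_account.startswith(granted + "/")


@dataclass
class SecurityModel:
    # UCM side: role -> {security group -> permission string}. This is the
    # part that is configured in UCM (User Admin applet), never in WLS.
    role_perms: dict = field(default_factory=dict)
    # Whether accounts are in use at all (UseAccounts in UCM's config.cfg).
    use_accounts: bool = True

    def effective(self, user_roles, user_accounts, sg, content_account=None):
        """Permission string for a user on content in security group `sg`
        carrying `content_account` (None for content without an account).

        `user_accounts` maps account name -> permission string. Assumed rule:
        effective access is the lower of the security-group level reached via
        roles and the account level reached via accounts."""
        sg_level = max(
            (LEVELS[self.role_perms.get(r, {}).get(sg, "")] for r in user_roles),
            default=0,
        )
        if not self.use_accounts:
            return NAMES[sg_level]
        acct_level = max(
            (LEVELS[lvl] for acct, lvl in user_accounts.items()
             if account_covers(acct, content_account)),
            default=0,
        )
        return NAMES[min(sg_level, acct_level)]


# Constructed scenario mirroring the thread's POC (names from the thread,
# permission values assumed).
MODEL = SecurityModel(role_perms={
    "McA_Ann": {"Public": "RW", "Secure": "R"},
    "McA_PP": {"Public": "RW", "Secure": "R"},
    "admin": {"Public": "RWDA", "Secure": "RWDA"},
})

# Constructed WLS group memberships (hypothetical).
WLS_GROUPS = {
    "usr_ann": ["McA_Ann", "@Sportal/Announcement"],
    "usr_pp": ["McA_PP", "@Sportal/PPolicies"],
}


def user_permission(user, sg, content_account=None):
    """Resolve a user's WLS groups and return their permission on the item.

    Assumptions: a '@X' group gives RWDA on account X, and every user holds
    '#none' so account-less content is governed by roles alone."""
    roles, accounts = split_wls_groups(WLS_GROUPS[user])
    user_accounts = {a: "RWDA" for a in accounts}
    user_accounts.setdefault("#none", "RWDA")
    return MODEL.effective(roles, user_accounts, sg, content_account)


if __name__ == "__main__":
    for user, sg, acct in [("usr_ann", "Public", "Sportal/Announcement"),
                           ("usr_ann", "Secure", "Sportal/Announcement"),
                           ("usr_ann", "Public", "Sportal/PPolicies"),
                           ("usr_pp", "Public", None)]:
        perm = user_permission(user, sg, acct) or "(no access)"
        print(f"{user:8} {sg:7} {str(acct):22} -> {perm}")
```

Two things the model makes visible that the prose does not: a user with RW on the Public security group still gets nothing on a Public item whose account they do not hold, and granting a parent account such as 'Sportal' with R only caps them at R on every child account, whatever the role allows.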