2 Replies Latest reply on Jan 24, 2013 10:40 PM by webmonkeymagic

    Unexpected Accounts Behaviour

      1. Login to Oracle UCM with "weblogic"(admin) user
      2. Create a folder by name "Folder1" under "Contribution Folders"
      3. Add account "Account1(R)" and security group "Group1" to folder created in step 1
      4. Log out
      5. Log in with a new user "User3" who is not part of "Account1(R)" and "Group1"
      6. Then "User3" is able to see the "Folder1" and also is able to update the folder

      "Folder1" should not be visible/updatable to "User3" as he is neither part of the "Account1" nor "Group1" which is added on the folder

      "User1" is part of "Account1(R)"
      "User2" is part of "Role1(R)" and "Role1(R)" is added to "Group1"
      "User3" is neither part of the "Account1" nor "Group1"

      I would like to know, is this the expected behavior of OUCM..
        • 1. Re: Unexpected Accounts Behaviour
          This is not an expected behavior (see the exception below).

          See: http://docs.oracle.com/cd/E23943_01/doc.1111/e10978/c08_folders.htm#CIHFHBJH
          "Folder security: Security is also applied at the folder level:

          Each contribution folder has an owner, a user who has permission to manage the folder. The owner can change a folder's metadata and delete the folder, even if they do not have Write or Delete permission to the folder's security group. However, the owner does not have additional permissions to content items in the folder.

          Users can see only the contribution folders assigned no security group or a security group for which they have at least Read permission."

          and http://docs.oracle.com/cd/E23943_01/doc.1111/e10978/c08_folders.htm#CIHIGJAC
          "Users can create and edit folders, shortcuts to folders, and links to documents as allowed by Content Server's standard security model. Folders are assigned security attributes in the same way they are assigned to content items, including security group, account, and Access Control List attributes, if enabled."

          I'd recommend you to repeat the same scenario, but rather than folders, use content items. If you see the same results, check your security settings. If you don't, check settings of additional config params that may "Relax security" - see http://docs.oracle.com/cd/E23943_01/doc.1111/e10978/c08_folders.htm#CIHIBCEC

          Note that "f these variables are set to 'false' (not the default), users with no access privileges to secure content items or folders see them on Exploring pages. However, if they try to view the content, an access-denied error is displayed." Therefore, you could also verify whether you can actually step-in the folder, or get an error.
          • 2. Re: Unexpected Accounts Behaviour
            folders created inside the root contribution folder have weird issues with access & control. i think it's so only admins can set them up but everyone can use.
            folders created inside other folders will be fine, apply whatever restrictions you want.