12 Replies Latest reply on Sep 3, 2014 8:25 AM by Srinath Menon-Oracle

    How setup content server external user permission

    2729584

      We build a content server authenticated by external LDAP server.

      So these users are external users for content server.

      How can I setup the permissions for these external users?

      For example, I create two folders, "public" and "company". I want all these external users to have RW permission for public and R permission for company.

       

      As there are thousands of employees in the company, I can't convert them all into local users and grant permissions.

       

      The Content Server manual says the following regarding external users' permissions, but I am confused about how these roles/groups/accounts are associated with external users.

       

      Follow these steps to set up roles, groups, and accounts for external users:

      1. Set up security groups. See "Adding a Security Group on Content Server".
      2. Establish roles. See "Creating a Role on Content Server".
      3. Arrange permissions. See "Adding and Editing Permissions on Content Server".
      4. (Optional) Use accounts. See "Enabling Accounts on Content Server".

       

      Also, the manual says "undefined external users are not assigned the guest role", so what is the role for external users by default?

       

      thank you.

      Bright

        • 1. Re: How setup content server external user permission
          Srinath Menon-Oracle

          Hi ,

           

          As there are thousands employee in company. I can't convert them all into local user and grant permissions.

           

          If you are looking to give the external users coming from LDAP privileges/roles which are defined on the content server itself, then you should use Credential Mapping.

           

          What this functionality does is that all the external groups which are created as mappings will be given the WCC role as per the definition.

           

          For example:

           

          External user A is assigned to the editor group.

           

          Now, using a credential map, you define:

          editor,contributor

           

          Which means that all users logging in with the editor group will be assigned the contributor role of UCM.

           

          This way you don't need to create all the external users and groups in UCM applets. All that you need to do is create 4-5 additional roles that you think are needed for admin purposes on the WCC applet and assign them the right sec access from the applet.

           

          Then create multiple credential maps to define all the users coming with a specific group to be mapped to one of these new roles.

           

          Documentation link for this topic: http://docs.oracle.com/cd/E21764_01/doc.1111/e10792/c03_security.htm#BGBEDJFI

          5.8.2 Credential Mapping

           

          Blog link describing its usage: https://blogs.oracle.com/ecmarch/entry/using_a_credential_map_in_11g

          Hope this helps.

           

          Thanks,

          Srinath

          • 2. Re: How setup content server external user permission
            2729584

            Thank you very much.

            You are very helpful.

            • 3. Re: How setup content server external user permission
              Srinath Menon-Oracle

              You are welcome.

              If the question is answered, please do mark the thread accordingly so that other boarders can look it up easily.

              • 4. Re: How setup content server external user permission
                2729584

                Hi Srinath,

                I am working on the credential mapping.

                And there are still some things that are not clear.

                - I want to map all the users to the role 'contributor' with the following mapping. Is it correct?

                @#all,                     contributor

                 

                - Do I need other configuration (I mean, other than creating the Credential Mapping)? How does the content server know which Credential Mapping to choose when there is more than one Credential Mapping? According to the manual: "To apply a credential map to roles and accounts retrieved using NT integration, set the Oracle Content Server configuration entry ExternalCredentialsMap to the name of the credential map of your choice." But what about LDAP authentication? Is there another property that needs to be configured?

                - I only want to map all the external users to a certain role (for example, contributor), but not map the local users. What's the best practice for this case?

                 

                Thank you

                Bright

                • 5. Re: How setup content server external user permission
                  Srinath Menon-Oracle

                  Hello Bright ,

                   

                  1.

                  - I want to map all the users to role 'contributor' with following mapping, is it correct?

                  @#all,                     contributor

                  Using the @ prefix means all the accounts which are created on the external store.

                  For your requirement, I think the following would do:

                   

                  |#all|,   contributor

                  2. After creating the credential map, you should add the following variable in the provider.hda file under <domain_home>/ucm/cs/data/providers/jpsuserprovider:

                  ProviderCredentialsMap=<name of the map created>

                  3. Firstly, local users should not be used/created for WCC 11g.

                  And if they are there, then the mapping is not needed, since the roles can be assigned from the User Applet.

                  Hope this helps.

                   

                  Thanks,

                  Srinath

                  • 6. Re: How setup content server external user permission
                    2729584

                    Hi Srinath,

                    Thank you for the reply.

                    I did what you said, but unfortunately it doesn't work.

                    Apart from the steps you suggested, I also did the following test:

                    1. Change the "default network roles" to "admin" in the "JpsUserProvider".

                    2. Change the Credential Mapping to "guest, admin", which should map the "guest" role to the "admin" role.

                    The following is the JpsUserProvider information. Do you have any idea what I should do?

                     

                    Provider Name:JpsUserProvider
                    Provider Description:Default JPS User Provider
                    Connection State:good
                    Last Activity Date:8/27/14 2:10 PM 

                    Provider Type:jpsuser
                    Provider Class:idc.provider.jps.JpsUserProvider
                    Provider Connection:

                    Source Path:jpsuser
                    JPS Context:
                    Credential Map:defaultCredentialMaps
                    Account Name Prefix:@
                    Attribute Map:
                    Role Prefix:
                    Account Prefix:
                    Account Permissions Delimiter:
                    Default Network Accounts:#none
                    Default Network Roles:admin
                    Filter Groups:No
                    Use Full Group Name:No
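
A review check for the settings discussed in this thread, as an added example that is not part of the original posts or of Oracle's tooling: it reads provider details in the "Label:value" form pasted above and credential-map rows in the "input, output" form, and flags privileged roles reached through provider defaults or map rows. The sample text is constructed from values quoted in the thread, and treating admin and sysmanager as the privileged roles is an assumption.

```python
# Added example: least-privilege review of provider defaults and credential-map rows.
PRIVILEGED_ROLES = {"admin", "sysmanager"}  # assumption: roles treated as privileged
CATCH_ALL_INPUTS = {"|#all|", "@#all"}      # catch-all inputs quoted in the thread

# Constructed sample input, built from values quoted in the thread.
PROVIDER_INFO = """\
Provider Name:JpsUserProvider
Last Activity Date:8/27/14 2:10 PM
Credential Map:defaultCredentialMaps
Default Network Accounts:#none
Default Network Roles:admin
"""
CREDENTIAL_MAP = """\
editor, contributor
guest, admin
|#all|, contributor
"""

def parse_provider_info(text):
    """Turn 'Label:value' lines into a dict, splitting on the first colon only."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            label, value = line.split(":", 1)
            fields[label.strip()] = value.strip()
    return fields

def parse_credential_map(text):
    """Return (input, output) pairs from 'input, output' rows."""
    rows = []
    for line in text.splitlines():
        if "," in line:
            src, dst = line.split(",", 1)
            rows.append((src.strip(), dst.strip()))
    return rows

def review(provider_text, map_text):
    """List settings that hand a privileged role to external users."""
    findings = []
    raw = parse_provider_info(provider_text).get("Default Network Roles", "")
    defaults = {r.strip().lower() for r in raw.split(",") if r.strip()}
    for role in sorted(defaults & PRIVILEGED_ROLES):
        findings.append(f"default network roles include privileged role '{role}'")
    for src, dst in parse_credential_map(map_text):
        if dst.lower() in PRIVILEGED_ROLES:
            scope = "all external users" if src in CATCH_ALL_INPUTS else f"'{src}'"
            findings.append(f"credential map row gives '{dst}' to {scope}")
    return findings

if __name__ == "__main__":
    for finding in review(PROVIDER_INFO, CREDENTIAL_MAP):
        print("REVIEW:", finding)
```
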

                     

                    • 7. Re: How setup content server external user permission
                      Srinath Menon-Oracle

                      Hi ,

                       

                      I just tested it and confirmed it is working fine. The steps done are:

                      1. Created 4 users on OID and assigned all 4 to different groups.

                      2. On UCM, created the following credential map:

                       

                      |#all|,                    contributor

                       

                      3. Added this to provider.hda as ProviderCredentialsMap=Test

                      4. Restarted the server, logged in with each of those 4 users, and verified that all are assigned the contributor role.

                      Is this not what you have tried and verified as not working?

                      What's the version of content server being used? Copy the version tag from Administration - Configuration Information and post it here.

                       

                      Thanks,

                      Srinath

                      • 8. Re: How setup content server external user permission
                        2729584

                        Hi Srinath,

                        Thank you for the reply.

                        Following is the copy for the configuration information.

                        Configuration Information for brightpcfortinetuscom16200

                        Administration --> Configuration Info

                        System Configuration

                        Server Name:brightpcfortinetuscom16200

                        Version:11.1.1.8.0-2013-07-11 17:07:21Z-r106802 (Build:7.3.5.185)

                         

                        Class Loader:IdcClassLoader

                         

                        Instance Directory:C:/OCS/Middleware/user_projects/domains/ucm/ucm/cs/

                         

                        Database Type:Oracle

                        Database Version:12.1.0.1.0 ---Oracle Database 12c Enterprise Edition Release --- - 64bit Production With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options

                         

                        HTTP Server Address:bright-pc.fortinet-us.com:16200

                        Mail Server:mail.fortinet.com

                         

                        Search Engine::DATABASE.METADATA

                        Index Engine Name:DATABASE.METADATA

                        Features And Components

                        Number of Installed Features:79

                         

                        Number of Enabled Components: 73

                         

                        Number of Disabled Components: 18

                        Options And Others

                        Auto Number Prefix:

                        Use Accounts:True

                        Ntlm Security Enabled:False

                         

                        Allow get copy for user with read privilege:True

                        Allow only original contributor to check out:False

                         

                        Java Version:1.6.0_45

                        • 9. Re: How setup content server external user permission
                          2729584

                          Hi Srinath,

                          Is it possible that enabling accounts affects the permissions?

                          My accounts were enabled, and I tried to disable them several times by unticking "Enable accounts" and then saving. But after I restarted the UCM server, "Enable accounts" was still ticked. How can I disable accounts?

                           

                           

                          General Configuration







                          • 10. Re: How setup content server external user permission
                            Mohan Basavarajappa

                            Are documents already stored based on accounts in your Content Server? Possibly you'll lose access to content stored based on accounts if you disable the accounts.

                            • 11. Re: How setup content server external user permission
                              2729584

                              Maybe. I am not sure.

                              Does "Enable Accounts" affect the Credential Mapping permissions?

                              • 12. Re: How setup content server external user permission
                                Srinath Menon-Oracle

                                Enable accounts will not play a part in credential mapping.

                                I will need to check your instance to get a better idea on this issue.

                                 

                                Thanks,

                                Srinath