Prerequisites: Oracle WebCenter Content, UCM, Security, Roles
Oracle WebCenter Content (WCC, previous UCM) provides comprehensive security features through Security Groups, Roles, Permissions, Accounts, Access Control List (ACL) and WebLogic-based Oracle Platform Security Services (OPSS). It is complex, isn’t it? But once you read through this article, you will understand how it works.
Oracle WCC runs as a managed server on WebLogic Server. How does the security login connect to directory services? The answer is Oracle WCC security is driven by WebLogic Server. It goes through WebLogic OPSS to connect to external directory services and SSO, etc. WCC performs name-pair match for LDAP/AD groups to map to Roles and Accounts. Role permissions are set in WCC; Account permissions are set by names group.
Oracle WCC itself manages user access through both Security Groups and Document Accounts. Let’s imagine that all the content is stored in a room (content repository), there are two locks on the door, one is called Security Group, another is called Document Account. Only the one who owns two keys to these two locks may access the content.
Oracle WCC provides two system generated Security Groups: Public and Secure. WCC Admin may create others. Security Groups should be under 50. Content can only be assigned to one group at a time.
User can have many Roles. Roles assign access permission to Security Groups. If a user has multiple Roles with different permissions (RWDA), then WCC provides the greatest permissions among Roles. Accounts works the same way. When WCC evaluates Roles and Accounts, WCC provides the least permissions among them. ACL are restrictive when evaluated. It usually reduces permissions from the intersection of Roles and Accounts.
Let’s warp up this topic with a simple example:
If we have two Security Groups: Public and Secure, and three Roles below:
- RW to Public, assigned to Marc, Steve)
- R to Secure, assigned to Sam, Steve
- RW to Secure, assigned to Tiffany
- RW assigned to Marc and Sam
- RWDA assigned to Tiffany
- R assigned to Steve
Let’s see the access permission to Secure group Account HR:
- Marc has NO Access
- Steve has NO Access
- Sam has R Access
- Tiffany has RW Access
For more enterprise content security design, please feel free to contact us.