5-2 Oracle Fusion Middleware Setup Guide for Universal Records Management
Figure 5–1 Typical Retention Management Organization
Most people in the various departments of an organization can file content or check in content items, search for items, and view them. These are basic Records Users.
A much smaller group of people (privileged users) is typically granted rights to perform some additional functions not allowed for basic users (for example, altering classifications or creating triggers or retention schedules). These are people with the Records Officer right.
A very limited number of people are administrators, who are typically responsible for setting up and maintaining the management infrastructure. Records Administrators
have the widest range of rights to perform management tasks. For example, they can usually perform all and disposition actions, including those assigned to others. The
administrators are often in the legal department of an organization, which can drive the efforts for effective and efficient management.
The software comes with predefined management roles called ‘rma’, ‘rmalocalrecordsofficer’, and ‘rmaadmin’, designated in the documentation as Records
User, Records Officer, and Records Administrator. Each of these standard roles provides a default set of permissions and rights, which coincide with the typical
responsibilities of basic users, privileged users, and administrators, respectively. However, these roles can easily be modified to suit specific management needs. New
roles can be created with assigned management rights or different management rights can be given to existing roles.
Users without specific rights can still apply life cycles to content items.
5.2 Roles
The system comes with predefined user roles, discussed in detail in Security Groups
on page 5-15:
■ rma, denoted as Records User in this documentation: This role is generally assigned to basic users and allows them to perform basic management tasks. Users with this role have read permission (R) to the Public security group, and read and write permission (RW) to the special Record Group security group.
Important: Record management consists of more than just software. You also need to have the appropriate organizational structures and policies in place in your organization.
Setting Up Security 5-3
■ rmalocalrecordsofficer, denoted by Records Officer in this documentation: This role is generally assigned to privileged users, who have all the permissions assigned to basic users (‘rma’ role) but are also granted rights to perform additional functions (for example, creating triggers or folders, and modifying content attributes). Users with this role have read permission (R) to the Public security group, and read and write permission (RW) to the special Records Group security group.
■ rmaadmin, denoted by Records Administrator in this documentation: This role is generally assigned to administrators who are responsible for setting up and maintaining the management infrastructure and environment. These users have the widest range of rights to perform management tasks, for example, defining users in this role to have read permission (R) to the Public security group, and read, write, delete, and admin permission (RWDA) to the special Records Group security group. The Records Administrator can create variations to provide a fine level of granularity in security. In this documentation, only the default roles of Records Administrator, Records Officer, and Records User are discussed.
If Physical Content Management is enabled, the following roles are also available:
■ pcmrequestor, denoted by PCM Requestor in this documentation: This role is generally assigned to users who have all the permissions assigned to basic users (without a PCM role) but are also granted additional rights to perform some functions not allowed for basic users (for example, making reservations for physical items). Users with the pcmrequestor role have read and write permissions (RW) for the special RecordsGroup security group.
■ pcmadmin, denoted by PCM Administrator in this documentation: This role is generally assigned to administrators who are responsible for setting up and maintaining the physical content management infrastructure and environment. These users have the widest range of rights to perform physical content management tasks (for example, setting up the storage space, editing and deleting reservations, and printing user labels). Users with the pcmadmin role have read, write, delete, and admin permissions (RWDA) for the special RecordsGroup security group.
The PCM Administrator can create variations to provide a fine level of granularity in security. In this documentation, only the default roles of PCM Administrator and PCM Requestor are discussed.
If users have no PCM role assigned to them, they can still search for physical items.
Note that Physical Content Management is treated as an ’external’ source, just as an adapter is treated. Therefore, if Physical Content Management is enabled, two
additional roles are created. Those roles are not discussed in this documentation because the tasks associated with those roles are not discussed here but should be
discussed in the appropriate adapter documentation.
■ ermrequestor: This role is generally assigned to users who can read, edit, or create content on the external source.
■ ermadmin: This role is generally assigned to administrators who can read, edit, or delete content on the external source.
Each of these predefined roles comes with a default set of permissions and rights, but these can be modified to suit specific needs. New roles and management rights can be created. This functionality provides the opportunity for a very granular security model.
Role permissions are additive, just as in Oracle UCM. If your organization uses accounts, the accounts are a hierarchical overlay to your current security model.
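Because permissions are additive and both the records roles and the PCM roles grant access to the same RecordsGroup security group, a user's effective access is the union of every role held. The following added example (not Oracle code and not a Content Server API) computes that union from the default grants listed in section 5.2 and flags users whose combined roles exceed what their job tier should hold; the user list, tier names and ceilings are constructed sample data, and the group name is normalized to "RecordsGroup". It covers security-group permissions only, not the management rights assigned to roles.

```python
# Added example: default role grants as listed in section 5.2
# (R=read, W=write, D=delete, A=admin). Not an Oracle API.
DEFAULT_ROLE_GRANTS = {
    "rma":                    {"Public": "R", "RecordsGroup": "RW"},
    "rmalocalrecordsofficer": {"Public": "R", "RecordsGroup": "RW"},
    "rmaadmin":               {"Public": "R", "RecordsGroup": "RWDA"},
    "pcmrequestor":           {"RecordsGroup": "RW"},
    "pcmadmin":               {"RecordsGroup": "RWDA"},
}
ORDER = "RWDA"

def effective_permissions(roles, grants=DEFAULT_ROLE_GRANTS):
    """Union the grants of every role a user holds (permissions are additive)."""
    merged = {}
    for role in roles:
        if role not in grants:
            raise KeyError(f"unknown role: {role}")
        for group, perms in grants[role].items():
            merged.setdefault(group, set()).update(perms)
    return {g: "".join(p for p in ORDER if p in s) for g, s in merged.items()}

def audit(users, expected_max, grants=DEFAULT_ROLE_GRANTS):
    """Return (user, group, excess) where effective rights exceed the tier ceiling."""
    findings = []
    for user, info in sorted(users.items()):
        eff = effective_permissions(info["roles"], grants)
        ceiling = expected_max[info["tier"]]
        for group, perms in sorted(eff.items()):
            excess = "".join(p for p in perms if p not in ceiling.get(group, ""))
            if excess:
                findings.append((user, group, excess))
    return findings

# Constructed sample data: reviewer-defined ceilings per job tier and
# hypothetical user-to-role assignments.
EXPECTED_MAX = {
    "basic":   {"Public": "R", "RecordsGroup": "RW"},
    "officer": {"Public": "R", "RecordsGroup": "RW"},
    "admin":   {"Public": "R", "RecordsGroup": "RWDA"},
}
SAMPLE_USERS = {
    "alice": {"tier": "basic",   "roles": ["rma"]},
    "bob":   {"tier": "officer", "roles": ["rmalocalrecordsofficer", "pcmadmin"]},
    "carol": {"tier": "admin",   "roles": ["rmaadmin", "pcmadmin"]},
}

if __name__ == "__main__":
    for user, group, excess in audit(SAMPLE_USERS, EXPECTED_MAX):
        print(f"{user}: unexpected {excess} on {group}")
```

In the sample, the Records Officer who is also given pcmadmin ends up with delete and admin permission on RecordsGroup, which neither role title suggests on its own.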
Access to the majority of functions is controlled by rights assigned to user roles. The predefined management roles each have a default set of rights assigned to them, but the roles can easily be modified to restrict or expand their access to management functions (see Assigning Rights to User Roles on page 5-18 for details).
To see what roles are assigned to a user, click the user name in the upper right corner of the screen. The roles assigned to the logged-in user are displayed at the top of the User Profile information.
To see rights assigned to the logged-in user, click Records then Rights from the Top menu. The Assigned Rights Page is displayed. This screen shows the rights assigned to the current user for the enabled components. To view details about each component, click the Show link for that component.
To view details about all rights, click the Show All Rights link at the top of the screen. To hide rights again, click the Hide link in the component section or at the top of the
screen.
For information about adding new roles and assigning roles to users, see the Oracle Fusion Middleware System Administrator's Guide for Content Server.
5.3 Tasks and Default Rights for Roles