Changes in Security Compared to Oracle Content Server 10g

5-2 Oracle Fusion Middleware System Administrator's Guide for Oracle Content Server

item is assigned to a security group, and if accounts are enabled then content items can also be assigned to an account. Users are assigned a certain level of permission (Read, Write, Delete, or Admin) for each security group and account, which enables them to work with a content item only to the extent that they have permissions to the item's security group and account. Access control lists (ACLs) can be configured for the Oracle Content Server instance to provide extended control of content access to enterprise users. An access control list is a list of users, groups, or enterprise roles with permission to access or interact with a content item.

This section covers the following topics:

■ Section 5.1.1, "Changes in Security Compared to Oracle Content Server 10g"
■ Section 5.1.2, "Security within Oracle Content Server"
■ Section 5.1.3, "Additional Security Options"

5.1.1 Changes in Security Compared to Oracle Content Server 10g

In 11g Release 1 (11.1.1) of Oracle Universal Content Management (Oracle UCM), the Oracle Content Server instance is deployed with the Oracle UCM domain on an Oracle WebLogic server. Oracle UCM and the Oracle Content Server system use Oracle Platform Security Services (OPSS) to authenticate and manage user access through the Oracle WebLogic Server Administration Console. If you have used Oracle Content Server version 10gR3 or earlier, be aware of the following key changes to security:

■ During Oracle Content Server installation and configuration, an Oracle WebLogic Server administration user must be specified for the Oracle Content Server system administration user. For details, see Oracle Fusion Middleware Installation Guide for Oracle Enterprise Content Management Suite.

■ When Oracle Content Server software is installed, a JPS user provider (JpsUserProvider) is set up by default to communicate with the Oracle WebLogic Server user store for user authentication and access.

■ All users are authenticated through external security and are considered external Oracle Content Server users. The first time users log in to the Oracle Content Server system through Oracle WebLogic Server, they are added to the Oracle Content Server database, and administrators can view the external user information through the Repository Manager. External users are not automatically included in Oracle Content Server user lists, such as the Author field on a content Check In page.

■ By default, the Oracle Content Server system uses the Oracle WebLogic Server user store to manage user names and passwords. Most user management tasks must be performed with the Oracle WebLogic Server Administration Console instead of the Oracle Content Server User Admin applet. Although an Oracle Content Server administrator can use the User Admin applet to create local users and assign passwords and roles on the Oracle Content Server system, for local users to be authenticated for access to the Oracle Content Server system they must also be created and assigned passwords and roles using the Oracle WebLogic Server Administration Console.

Note: Any user created solely on the Oracle Content Server system is not recognized by the Oracle WebLogic Server domain.

Managing Security and User Access 5-3

■ The Oracle WebLogic Server user store also manages some additional user metadata, such as e-mail and display names. You can use the Oracle WebLogic Server Administration Server interface to edit these values. User metadata can be changed in the Oracle Content Server system, but only after users have logged in to the Oracle Content Server instance at least one time to establish themselves as users in the Oracle Content Server metadata. After the first login, users can update their User Profile page, or an Oracle Content Server administrator can set user attribute values with the User Admin applet.

■ Users can be assigned groups with the Oracle WebLogic Server Administration Console. When a user logs in to the Oracle Content Server instance, the user's groups are mapped to Oracle Content Server roles. For Oracle WebLogic Server groups to be recognized in the Oracle Content Server system, roles with the exact same names must be created in the Oracle Content Server system and assigned to security groups. If this is not done, the Oracle WebLogic Server groups assigned to users have no impact on users' privileges in the Oracle Content Server system.

■ Configuration with an external user store is performed using the Oracle WebLogic Server Administration Server instead of the Oracle Content Server Admin Server. The Oracle WebLogic Server Administration Server has an embedded Lightweight Directory Access Protocol (LDAP) server, but it can be configured to work with other LDAP servers such as Oracle Internet Directory (OID) for enterprise-level systems. Integration with an external user store applies to the domain and all its servers; the Oracle WebLogic Server Administration Server could be shut down, and Oracle UCM and other applications could continue to use the configured LDAP server.

For more information on security integration and configuration, see Section 5.2, "Oracle Fusion Middleware Security Configuration for Oracle UCM."
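The two rules above that most often surprise administrators moving from 10g, that a WebLogic group only counts if a Content Server role with the exact same name exists, and that a user's reach on an item is limited by both its security group and its account, as an added example that is not Oracle's code: the role table and the group, account and role names are constructed, and taking the lower of the two permission levels is this example's assumption, not a statement from the guide.

```python
# Added example (not Oracle's code): a small model of the access rules described above.
# Assumptions of this example: permission levels are ordered Read < Write < Delete < Admin,
# and when accounts are enabled the effective level on an item is the LOWER of the
# user's level on the item's security group and on its account.

LEVELS = {"None": 0, "Read": 1, "Write": 2, "Delete": 3, "Admin": 4}
LEVEL_NAMES = {v: k for k, v in LEVELS.items()}

# Constructed sample configuration: Content Server roles and the permission each
# role grants on security groups and on accounts. Names are illustrative only.
CONTENT_SERVER_ROLES = {
    "contributor": {"groups": {"Public": "Write", "Secure": "Read"}, "accounts": {"Eng": "Write"}},
    "guest":       {"groups": {"Public": "Read"},                    "accounts": {"Eng": "Read"}},
    "admin":       {"groups": {"Public": "Admin", "Secure": "Admin"}, "accounts": {"Eng": "Admin"}},
}


def map_groups_to_roles(weblogic_groups):
    """A WebLogic group becomes a Content Server role only if a role with the
    exact same name exists; every other group has no effect on privileges."""
    return [g for g in weblogic_groups if g in CONTENT_SERVER_ROLES]


def _best_level(roles, kind, name):
    """Highest level any of the user's roles grants on one security group or account."""
    return max((LEVELS[CONTENT_SERVER_ROLES[r][kind].get(name, "None")] for r in roles), default=0)


def effective_permission(weblogic_groups, security_group, account=None):
    """Permission a user holds on an item, as a level name ("None" if no access)."""
    roles = map_groups_to_roles(weblogic_groups)
    level = _best_level(roles, "groups", security_group)
    if account is not None:  # accounts enabled: the account bounds the access too
        level = min(level, _best_level(roles, "accounts", account))
    return LEVEL_NAMES[level]


def is_allowed(weblogic_groups, action, security_group, account=None):
    """True if the user's effective level reaches the level the action needs."""
    return LEVELS[effective_permission(weblogic_groups, security_group, account)] >= LEVELS[action]


if __name__ == "__main__":
    # "Contributor" (different case) and "marketing" have no identically named role, so they are ignored.
    groups = ["contributor", "Contributor", "marketing"]
    print(map_groups_to_roles(groups))                    # ['contributor']
    print(effective_permission(groups, "Public", "Eng"))  # Write
    print(effective_permission(groups, "Secure", "Eng"))  # Read (account allows Write, group only Read)
    print(is_allowed(groups, "Delete", "Public", "Eng"))  # False
    print(effective_permission(["marketing"], "Public"))  # None
```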

5.1.2 Security within Oracle Content Server