2-4 Administrators Guide for Oracle Imaging and Process Management
If a user has been authenticated for access to Oracle IPM but has not yet been given security rights to any Oracle IPM definitions or definition management, they are presented with the Home page, but no navigation links are displayed in the Navigator Pane.
To properly administer an IPM solution, a distinction must be made between definition management rights and definition rights:
■ Definition management security rights grant a user the ability to create or administer definitions: applications, inputs, searches, and connections.
■ Definition rights grant a user the ability to view, modify, delete, or manage access to specific definitions, such as an application named Invoices_US or a search named US Purchase Orders.
Oracle IPM definition management security rights and definition security rights are managed within the Oracle IPM user interface.
2.1.3.1 Definition Management Rights
Definition management security is done using the Definition Management Security pages, accessed from the Manage Security panel of the Navigator Pane. Definition management rights have two levels of security:
Security Right   Description
Administrator    Grants users or groups full rights to definition management and includes the ability to assign other users or groups Administrator or Create rights.
Create           Grants the ability to create new definitions. Users who create a definition are automatically assigned all definition rights for that definition by default.

Administrator Rights
Administrator rights are typically given to few people, as they allow full control of definitions across the enterprise. Administrator rights are specific to definitions and do not apply to document rights. Therefore, someone with definition Administrator rights cannot modify any document security within an application.
This is designed to prevent people with Administrator rights to definition management from changing definitions in order to gain access to documents to which their access is restricted. For this reason, users must be granted access to all of the security layers in order to have access to specific definitions. This approach comes from a need to have separation of business units. For example, if you set up an Oracle Content Server for a specific business unit in order to limit access to content on the server, you would not want other business units to have rights to put applications in that Oracle Content Server, nor to find documents within it.

Examples
The following are examples of what typical employees can do with assigned security rights.

Sasha in IT
An IT employee named Sasha at XYZ Company has Create rights to application and search definitions. This gives Sasha the ability to create new applications and grant rights to any application and search definitions she creates, even for other departments. It does not allow her to grant rights to all applications.
Theo in Accounts Receivable
Theo is a new employee in Accounts Receivable. He must be able to create searches and have access to all documents in Accounts Receivable, including orders that have customer credit card information in them. To secure the credit card information, all US orders are uploaded to the Orders_US application and stored in a specific repository connected to Oracle IPM that Sasha doesn't have access to.
Sasha could add Theo as a user and grant him Create rights to searches using the Definition Management Security page, as well as add him as a user to most of the Accounts Receivable applications. However, Sasha does not have View rights to the connection defined in the Orders_US application, and so she cannot add him as a user to that application.
Someone other than Sasha who manages system access but has no specific definition management rights in Oracle IPM would add Theo to a group that has Create rights to searches. The group would already be defined in the Orders_US application as having access to the documents within that application. By separating access control and limiting access to the connection, Sasha is prevented from modifying the Orders_US application to add herself as a user and therefore gain access to customer credit card data.
Bob in HR
Bob is a new employee in Human Resources. He must have rights to search all HR documents including private employee information, such as Social Security numbers,
salary and health related documents. Such documents are stored in Oracle IPM using the HR_Confidential application and retrieved using the Private Employee Information
search.
Sasha doesn't have View rights to the HR_Confidential application, so she cannot modify the Private Employee Information search to give Bob access. Like Theo, Bob will most likely be added to a group already defined in the necessary search by someone other than Sasha who manages system access but has no specific definition management rights in Oracle IPM.
Create Rights
Create rights are typically given to business managers throughout the enterprise, as these people know the business processes associated with the documents being uploaded to Oracle IPM. They allow a manager to create and modify application, search, input, and connection definitions unique to their business needs. Additionally, by controlling access to the repository connections used to store documents, different business units can be isolated to help secure documents.
Example
For example, Theo is the new Director of Accounting for the XYZ Company US division. Bob in Human Resources says that the company is implementing a new employee program that allows employees to debit their pay check when ordering company product.
Initially Theo wants to modify the Pending Orders search to search not only the Orders_US application for orders not yet filled, but also the HR_Confidential application. Theo wants to verify that the person placing the order is a current employee by checking Social Security information from the search results against Social Security information entered on the new order form. However, Theo doesn't have access to the repository connection used to store the documents in the HR_Confidential application.
When Theo contacts Bob to ask for access, Bob explains the legal reasons that Theo cannot capture Social Security information on an order form nor access such
information from Human Resources. Instead, Bob suggests Theo use the employee e-mail address as a unique identifier that is available on documents accessible to Theo.
In this example, Theo knew the business need he was implementing, but his knowledge of business practice outside of his area was limited. The security put in
place by Oracle IPM allowed him to meet his business need without compromising privacy.
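The layered checks behind the Sasha, Theo and Bob scenarios above (management rights, definition rights, View rights on the repository connection, and separate document security), as an added example that is not Oracle's code: a small Python model in which an action is permitted only when every layer allows it. The connection names AR_Conn and HR_Conn, the user admin, the group names and all method names are assumptions made for the illustration.

```python
# Added example, not Oracle's code: a toy model of the layered rights the guide
# describes. Connection names (AR_Conn, HR_Conn) and all method names are assumed.
from dataclasses import dataclass, field

@dataclass
class Definition:
    name: str
    kind: str                                     # "application", "search" or "connection"
    uses: set = field(default_factory=set)        # definitions this one references
    view: set = field(default_factory=set)        # users holding View definition rights
    modify: set = field(default_factory=set)      # users holding Modify definition rights
    doc_access: set = field(default_factory=set)  # users/groups allowed to see documents

class Model:
    def __init__(self, defs, mgmt):
        self.defs = {d.name: d for d in defs}
        self.mgmt = mgmt  # user -> {definition kind: set of management rights}
    def connections_of(self, name):
        """Every connection reached through the definition's references."""
        d = self.defs[name]
        if d.kind == "connection":
            return {name}
        return set().union(*(self.connections_of(u) for u in d.uses))
    def sees_every_layer(self, user, name):
        return all(user in self.defs[c].view for c in self.connections_of(name))
    def can_create(self, user, kind, uses=()):
        # Create or Administrator management rights, plus View on each connection used.
        has_right = bool(self.mgmt.get(user, {}).get(kind))
        return has_right and all(self.sees_every_layer(user, u) for u in uses)
    def can_modify(self, user, name):
        # Definition rights on the definition AND View on every connection it uses.
        return user in self.defs[name].modify and self.sees_every_layer(user, name)
    def can_add_reference(self, user, name, target):
        # e.g. widening a search to cover another application's documents
        return self.can_modify(user, name) and self.sees_every_layer(user, target)
    def can_see_documents(self, user, app):
        # Document security is a separate layer: definition rights never imply it.
        return user in self.defs[app].doc_access

def build_xyz():
    # The XYZ Company scenario from the guide, with constructed connection names.
    defs = [
        Definition("AR_Conn", "connection", view={"theo"}),
        Definition("HR_Conn", "connection", view={"bob"}),
        Definition("Orders_US", "application", uses={"AR_Conn"}, modify={"theo"}, doc_access={"ar_group"}),
        Definition("HR_Confidential", "application", uses={"HR_Conn"}, modify={"bob"}, doc_access={"hr_group"}),
        Definition("Pending Orders", "search", uses={"Orders_US"}, modify={"theo"}),
    ]
    mgmt = {"sasha": {"application": {"Create"}, "search": {"Create"}},
            "admin": {"application": {"Administrator"}}}  # admin: constructed user
    return Model(defs, mgmt)
```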
2.1.3.2 Definition Rights