Security Groups Aliases Security Matrix

Setting Up Security 5-15

■ To print physical location labels, the PCM.Admin.PrintLabel right is required. This right is assigned by default to the PCM Administrator role.

5.4.7 Additional PCM Administrative Tasks and Defaults for Predefined Roles

For more information about PCM administration, see Chapter 8, Configuring Physical Content Management. The following rights are required to perform the following tasks:
■ To configure the environment, including enabling or disabling the use of Offsite Storage, the PCM.Admin.Manager right is required. This right is assigned by default to the PCM Administrator role.
■ To run batch services, the PCM.Admin.Manager right is required. This right is assigned by default to the PCM Administrator role.

5.5 External Source Management Tasks and Roles

The following tasks and roles are used when managing external source adapters.

5.5.1 External Source Tasks and Defaults for Predefined Roles

For more information about adapters, see the Oracle Fusion Middleware Administrator's Guide for Universal Records Management. The following rights are required to perform the following tasks:
■ To read external items, the ECM.External.Read right is required. This right is assigned by default to the ERM Requestor and ERM Administrator roles.
■ To create an external item, the ECM.External.Create right is required. This right is assigned by default to the ERM Requestor and ERM Administrator roles.
■ To edit an external item, the ECM.External.Edit right is required. This right is assigned by default to the ERM Administrator role.
■ To delete an external item, the ECM.External.Delete right is required. This right is assigned by default to the ERM Administrator role.
■ To perform administrative functions involving the external source, the ECM.External.Admin right is required. This right is assigned by default to the ERM Administrator role.

5.6 Security Groups

A security group defines security for a group of content. Oracle URM is shipped with a predefined security group called RecordsGroup. This group defines security for content designated as being tracked and/or retained. Users with the predefined Records User, Records Officer, or Records Administrator roles have read and write permission (RW) to the RecordsGroup security group. Users with the Records Administrator role have read, write, delete, and admin permission (RWDA) to this security group.

5-16 Oracle Fusion Middleware Setup Guide for Universal Records Management

5.7 Aliases

When the product software is enabled, several aliases are created to help administrators manage large groups of people. Although the aliases are created, no default users are added to those groups. An administrator should add users as needed to the following alias lists:
■ OffSiteRequestReviewGroup
■ ReservationGroup
■ DispositionReviewGroup

Several default aliases are also created if the FOIA/PA functionality is enabled. Default users are added to those alias lists, but the users themselves are not created automatically. An administrator will need to create those users and assign appropriate permissions to them:
■ FOIAOfficers
■ FOIAProcessors
■ FOIASpecialists
■ JAG

5.8 Access Control Lists (ACLs)

Access control lists (ACLs) are intended to manage the security for dispositions. ACLs can be assigned to the following retention schedule components:
■ triggers
■ retention categories
■ record folders

ACLs can be used to control user and group access permissions for triggers, categories, and record folders. ACLs can be assigned for each category, folder, and trigger. Be aware that searching for items takes more time when using ACLs because the permissions are checked on all parent folders and categories.

Note: Even though the default Records User and Records Officer roles appear to be identical, they are not. The default Records Officer role has subadministrator access to certain administrator functions that the default Records User role does not (for example, creating triggers and folders). For details about rights that can be assigned to roles, see Tasks and Default Rights for Roles on page 5-4.

Important: Enabling or disabling ACLs affects existing ACL settings system-wide. For example, if ACLs are enabled in Oracle UCM and Oracle URM is configured to one of the DoD settings, which re-enables ACLs, the Oracle UCM ACLs are overridden. If the Typical or Minimal Oracle URM settings are used, ACLs are disabled because ACL-based security is not enabled by default for those options. It is enabled by default for the DoD options.

If not required, consider disabling ACLs for faster search retrieval performance. The default security, custom security fields, and supplemental markings provide excellent security.
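A simplified model of the parent check described above, added here as an illustration and not Oracle's implementation: access to an item is evaluated at the item and at every parent folder and category, so each search hit costs one ACL lookup per level. The node names, the users jsmith and akumar, and the rule that every level carrying an ACL must grant the permission are assumptions made for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    """A retention category, record folder, or content item (simplified)."""
    name: str
    parent: "Node | None" = None
    # ACL maps a principal (user, group, or alias name) to a permission
    # string such as "R" or "RWD". An empty ACL places no restriction here.
    acl: dict = field(default_factory=dict)

def principals_for(user, groups, aliases):
    """All names an ACL entry could match for this user."""
    names = {user} | set(groups)
    names |= {a for a, members in aliases.items() if user in members}
    return names

def check_access(node, needed, user, groups=(), aliases=None):
    """Walk from the node up through every parent; return (allowed, checks).
    Assumed rule: every level that carries an ACL must grant `needed` to at
    least one of the user's principals. `checks` counts ACL lookups made."""
    names = principals_for(user, groups, aliases or {})
    checks = 0
    current = node
    while current is not None:
        checks += 1
        if current.acl and not any(
            needed in perms for who, perms in current.acl.items() if who in names
        ):
            return False, checks
        current = current.parent
    return True, checks

# Constructed sample hierarchy: category -> folder -> subfolder -> item.
category = Node("Finance", acl={"DispositionReviewGroup": "RW"})
folder = Node("Invoices", parent=category, acl={"jsmith": "RWD", "akumar": "R"})
subfolder = Node("2011", parent=folder)
item = Node("invoice-0042", parent=subfolder, acl={"jsmith": "R", "akumar": "R"})
aliases = {"DispositionReviewGroup": {"jsmith"}}  # constructed membership

def demo():
    """Both users are listed on the item; only one passes the category ACL."""
    return {u: check_access(item, "R", u, aliases=aliases)
            for u in ("jsmith", "akumar")}

if __name__ == "__main__":
    for user, (allowed, checks) in demo().items():
        print(f"{user}: allowed={allowed} after {checks} ACL checks")
```

In this model akumar is named on both the item and folder ACLs yet is still denied, because the category ACL is reached through the alias only and akumar is not a member of it.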

5.8.1 Setting ACLs During Software Use

ACLs for individual users, groups, and aliases can be adjusted while setting up elements of Oracle URM. Not all procedures allow the setting of all three types of permissions. The following procedure can be followed to adjust ACLs regardless of which type of permission is being set (user, group, or alias).

1. In the Group, User, or alias permission section of the Access Control Edit Section of the page in use, begin typing the user name of the person to add. A list appears and the user can be selected. Or type two asterisks in the name field or group field. A list of users and groups appears.

2. Scroll to the name to use and click Add User, Add Alias or Add.

3. To the right of the displayed name is a grouping of permissions. Click on a permission to add or remove it.

4. To remove a user or group from the permissions box, click the X next to the name.

5.9 Security Matrix

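The matrix below lists content and retention schedule components, and the corresponding permissions for each predefined role. Supplemental markings have the most restrictive access capabilities. See Chapter 6, Additional Security Settings for details.

■ Content Items. Subject to additional security of type: Rights; supplemental markings; custom security field; ACLs. Records User (rma): RW. Records Officer (recordsofficer): RW. Records Administrator (rmaadmin): RWDA.
■ Folders. Subject to additional security of type: Rights; supplemental markings; ACLs. Records User (rma): R. Records Officer (recordsofficer): RWD. Records Administrator (rmaadmin): RWD.
■ Categories. Subject to additional security of type: Rights; supplemental markings; ACLs. Records User (rma): R. Records Officer (recordsofficer): R. Records Administrator (rmaadmin): RWD.
■ Series. Subject to additional security of type: Rights. Records User (rma): R. Records Officer (recordsofficer): R. Records Administrator (rmaadmin): RWD.
■ Triggers. Subject to additional security of type: Rights; ACLs. Records User (rma): RW. Records Officer (recordsofficer): RWD permission required to delete triggers. Records Administrator (rmaadmin): RWDA. Only custom triggers can be deleted.
■ Periods. Subject to additional security of type: Rights. Permissions: R; RWD. Only custom periods can be deleted.
■ Supplemental markings. Subject to additional security of type: Rights. Permissions: RWD.
■ Classification guides. Subject to additional security of type: Rights. Permissions: RWD.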

5.10 Setting Security Preferences