System Access Security Model Overview

2 Managing Security

This section contains the following topics:

■ Section 2.1, Security Model Overview
■ Section 2.2, Definition and Definition Management Security
■ Section 2.3, System Level Security

2.1 Security Model Overview

Access to Oracle IPM is granted through the configured credential store managed within the Oracle WebLogic Server domain using the available Oracle WebLogic Server providers. Once access to Oracle IPM is granted, specific features within Oracle IPM require security rights assigned by an Oracle IPM administrator or by a user designated to grant rights to a specific feature. The first person to log in to Oracle IPM after initial installation is granted full rights to all features, in order to properly set up an Oracle IPM solution to meet company needs. After the system is properly set up, security rights can be changed or revoked if necessary. Additionally, initial security rights can be reset if the credential store has been changed during setup. See Section 2.1.2, Installation Security Initialization, for more information.

2.1.1 System Access

Oracle WebLogic Server controls user and group access to Oracle IPM and its repository as managed servers running within the WebLogic Server domain. System security configuration and SSL connection configuration are handled through the Oracle WebLogic Server console. Oracle WebLogic Server controls can link to the WebLogic Server domain managing Oracle IPM if additional services are required, such as Oracle Internet Directory or single sign-on using Oracle Access Manager.

Note: When Oracle IPM is first deployed, the role of IPMSYS_ADMIN is created within Oracle Content Server. This role provides specialized security rights necessary for Oracle IPM and Oracle Content Server to operate together. The IPMSYS_ADMIN role is not intended for public use. This role is created and managed programmatically by the Oracle IPM system. Changes to the security rights assigned to the role or adding or removing users associated with that role will have a negative impact on the operation of both Oracle IPM and Oracle Content Server. One such negative impact is that any users added to this role will be deleted from the Oracle Content Server system.

Access to Oracle IPM through web services is controlled by Oracle Web Services Manager (OWSM) policies. Policies are configured through the Oracle WebLogic Server console. Some policies require that a keystore be defined. For example, Oracle IPM must use access credentials stored in Credential Store Framework (CSF) to communicate with a workflow server or to use SSL. Keystores can be defined using Keytool from the Java Development Kit. Credentials can be added to defined keystores using WebLogic Scripting Tool (WLST).

Figure 2–1 Oracle IPM Security Overview

Note: When configuring Oracle IPM for use with Oracle Access Manager, you must protect the imagingfaces directory. Failure to do so prevents access to the Oracle IPM Viewer.

Note: Oracle Content Server account and collaboration security can be enabled on an Oracle Content Server repository being used by Oracle IPM; however, Oracle IPM does not support their use on Oracle IPM documents.

For additional information, see the following documentation:

Table 2–1 Additional System Security Documentation

Task                                        Where to Go For More Information
------------------------------------------  --------------------------------
Administering Oracle WebLogic Server        Oracle Fusion Middleware Administrator's Guide
Using WebLogic Scripting Tool               Oracle Fusion Middleware WebLogic Scripting Tool Command Reference
Administering Universal Content Management  Oracle Fusion Middleware System Administrator's Guide for Oracle Content Server

Administrator's Guide for Oracle Imaging and Process Management

2.1.2 Installation Security Initialization