
Oracle Fusion Middleware System Administrator's Guide for Oracle Content Server

To associate access control lists with a content item, you add one or more users, groups, or enterprise roles when checking in or updating the content item. For each user, group, or role you add to an access list, you assign the appropriate permission: Read (R), Write (W), Delete (D), or Admin (A). Access control list permission levels are the same as those defined for Oracle Content Server security groups and accounts:

Permission   Description
Read (R)     Allowed to view the content item.
Write (W)    Allowed to view, check in, check out, update, and get a copy of the content item.
Delete (D)   Allowed to view, check in, check out, update, get a copy, and delete the content item.
Admin (A)    Allowed to view, check in, check out, update, get a copy, and delete the content item, and to check in a content item with another user specified as the Author.

When users are added to any one of the access lists, they have the specified permissions on the content item. At least one of the following must be true for a user to be granted a particular permission:
■ The user's name appears in the xClbraUserList metadata field with the appropriate permission.
■ The user belongs to a group that appears in the xClbraAliasList metadata field with the appropriate permission.
■ The user is part of an enterprise role that appears in the xClbraRoleList metadata field with the appropriate permission.

Access control list permissions are cumulative: assigning Write also grants Read, and assigning Admin also grants Read, Write, and Delete. However, users must also satisfy the security criteria of the content item's Oracle Content Server security group and, if Accounts are enabled, its account. If any of these security criteria deny a certain permission, the user does not have that permission on the content item, regardless of what the access lists grant. In other words, an access list can only narrow the access that the security group and account already allow; it can never widen it.

Note: Access control list permissions do not apply to users with the Oracle Content Server admin role.

5.6.3.1 Empty Access Control List Fields

If the User Access List, Group Access List, and Role Access List fields are all empty, then by default permission is granted to all users. If only the User Access List and Group Access List fields are blank and the RoleEntityACL component is not enabled (so there is no Role Access List), permission is likewise granted to all users. This behavior is controlled by the AccessListPrivilegesGrantedWhenEmpty configuration variable, which is set to true by default. If this variable is set to false, then when all access control lists are blank, permission is denied to all users except those with the admin role. With the default of true, an item checked in without any access list entries is protected only by its security group and account, so the lists must be populated deliberately on items that require narrower access than their security group provides.
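The following is an added worked example, not code from the Oracle Content Server product or this guide. It models the ACL decision described above: the highest level found in the three access list fields for the user, the cumulative R < W < D < A ordering, the intersection with the security group/account decision, the admin-role bypass, and the AccessListPrivilegesGrantedWhenEmpty and RoleEntityACL switches. Two things are assumptions made for the example: the access list fields are parsed as comma-separated `&name(perms)` entries, and the security group/account decision is supplied as an already computed level on the user object rather than being evaluated here.

```python
"""Illustrative model of Oracle Content Server ACL evaluation (added example).

Not Oracle code. Assumptions: access list fields hold comma-separated
'&name(perms)' entries, and the security group / account layer's decision is
passed in as a precomputed permission level on the user.
"""
from dataclasses import dataclass, field

# Permission letters in increasing order. Permissions are cumulative:
# W implies R, D implies R and W, A implies R, W and D.
ORDER = "RWDA"
LEVEL = {p: i + 1 for i, p in enumerate(ORDER)}   # R=1, W=2, D=3, A=4
NO_ACCESS = 0


def parse_acl_field(value):
    """Turn '&alice(RW),&bob(A)' into {'alice': 2, 'bob': 4}.

    The '&name(perms)' layout is an assumption for this example. The highest
    letter in an entry wins, and a name repeated across entries keeps its
    highest level.
    """
    entries = {}
    for raw in (value or "").split(","):
        raw = raw.strip()
        if not raw:
            continue
        name, _, perms = raw.lstrip("&").partition("(")
        level = max((LEVEL[p] for p in perms.rstrip(")").upper() if p in LEVEL),
                    default=NO_ACCESS)
        entries[name] = max(entries.get(name, NO_ACCESS), level)
    return entries


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)            # matched against xClbraAliasList
    enterprise_roles: set = field(default_factory=set)  # matched against xClbraRoleList
    server_roles: set = field(default_factory=set)      # Content Server roles, e.g. {"admin"}
    # Level the item's security group and account already grant this user.
    # The ACL layer can only narrow this, never widen it (assumed precomputed).
    group_account_level: int = NO_ACCESS


def acl_level(user, item, granted_when_empty=True, role_acl_enabled=True):
    """Highest level the three access lists give the user, before the
    security group / account check.

    granted_when_empty models AccessListPrivilegesGrantedWhenEmpty;
    role_acl_enabled models whether the RoleEntityACL component is enabled.
    """
    users = parse_acl_field(item.get("xClbraUserList"))
    groups = parse_acl_field(item.get("xClbraAliasList"))
    # Without RoleEntityACL there is no Role Access List at all.
    roles = parse_acl_field(item.get("xClbraRoleList")) if role_acl_enabled else {}

    if not users and not groups and not roles:
        # Empty lists: either no ACL restriction at all, or deny everyone
        # (the admin bypass is handled by the caller).
        return LEVEL["A"] if granted_when_empty else NO_ACCESS

    best = users.get(user.name, NO_ACCESS)
    best = max([best] + [groups.get(g, NO_ACCESS) for g in user.groups])
    best = max([best] + [roles.get(r, NO_ACCESS) for r in user.enterprise_roles])
    return best


def effective_permission(user, item, granted_when_empty=True, role_acl_enabled=True):
    """Return the highest permission letter the user holds on the item, or None."""
    # ACL permissions do not apply to the admin role at all.
    if "admin" in user.server_roles:
        return "A"
    # Both the ACL layer and the security group / account layer must allow it.
    level = min(acl_level(user, item, granted_when_empty, role_acl_enabled),
                user.group_account_level)
    return ORDER[level - 1] if level > NO_ACCESS else None


def can(user, item, perm, **cfg):
    """True if the user holds at least `perm` ('R', 'W', 'D' or 'A') on the item."""
    got = effective_permission(user, item, **cfg)
    return got is not None and LEVEL[got] >= LEVEL[perm]


# Constructed sample item and users for the demonstration (not real data).
ITEM = {
    "xClbraUserList": "&alice(RW),&bob(A)",
    "xClbraAliasList": "&editors(D)",
    "xClbraRoleList": "&legal(R)",
}
EMPTY_ITEM = {}
alice = User("alice", group_account_level=LEVEL["D"])            # ACL W narrows group D
carol = User("carol", groups={"editors"}, group_account_level=LEVEL["W"])  # group W caps ACL D
dave = User("dave", enterprise_roles={"legal"}, group_account_level=LEVEL["A"])
eve = User("eve", group_account_level=LEVEL["A"])                # on no list at all
root = User("root", server_roles={"admin"})

if __name__ == "__main__":
    for u in (alice, carol, dave, eve, root):
        print(u.name, effective_permission(u, ITEM), effective_permission(u, EMPTY_ITEM),
              effective_permission(u, EMPTY_ITEM, granted_when_empty=False))
```

Two of the sample users show the intersection rule in both directions: alice's ACL entry (RW) is narrower than her security group (D), so she ends up with Write, while carol's group entry (D) is wider than her security group (W), so she is still capped at Write. Running dave with `role_acl_enabled=False` shows why an item whose only grant lives in the Role Access List becomes inaccessible when the RoleEntityACL component is off, and eve against `EMPTY_ITEM` shows the flip from "everyone" to "nobody but admin" when AccessListPrivilegesGrantedWhenEmpty is set to false.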

5.7 Oracle Content Server User Information Provider

JpsUserProvider is the default provider through which the Oracle Content Server instance obtains user information and credentials managed in the Oracle WebLogic Server Administration Console. For Oracle Universal Content Management (Oracle UCM) and the Oracle Content Server instance, it is recommended that you use JpsUserProvider. For details, see Section 4.5.1.2.6, "When to Edit JpsUserProvider." If a site is upgrading from an earlier release of Oracle Content Server software and is using Active Directory, LDAP, or Active Directory with LDAP, information about those providers is available in the 10gR3 document Managing Security and User Access. It is strongly recommended that such sites upgrade to use JpsUserProvider.

5.8 Additional Oracle Content Server Security Connections

This section provides information about additional security communication connection options for the Oracle Content Server system. It covers the following:
■ Section 5.8.1, "About Proxy Connections"
■ Section 5.8.2, "Credential Mapping"
■ Section 5.8.3, "Secured Connections to Oracle Content Servers"
■ Section 5.8.4, "Connections Using the HTTP Protocol"

5.8.1 About Proxy Connections

Proxy connections, or connections between Oracle Content Server instances, provide additional levels of security for an Oracle Content Server system through the following functions:
■ Security credentials mapping from one Oracle Content Server instance to another Oracle Content Server instance.
■ Secured named password connections to Oracle Content Server instances (password-protected provider connections).
■ HTTP protocol communication between Oracle Content Server instances.

While it is possible to use both named password connections and HTTP-based Oracle Content Server communication, it is most likely that one type of connection will be

Note (applies to Section 5.6.3.1, "Empty Access Control List Fields"): If the Oracle Content Server instance has been upgraded from release 10g, empty access control lists behave differently in release 11g. Release 10g and earlier had the equivalent of the configuration AccessListPrivilegesGrantedWhenEmpty=false, so blank access lists denied access to everyone except the admin role. The default for release 11g is AccessListPrivilegesGrantedWhenEmpty=true, so blank access lists grant access to all users unless the security group or account denies it. After an upgrade, set the variable to false explicitly if the 10g behavior is still required.