What You Should Know About the WebCenterConfigure Component Consider the

Managing Content Repositories 11-17

11.2.3.2 Configuring Oracle Content Server 11g to Support Item Level Security in All WebCenter Applications

This section includes the following sections:

■ Section 11.2.3.2.1, What You Should Know About Item Level Security
■ Section 11.2.3.2.2, How to Configure Item Level Security
■ Section 11.2.3.2.3, How to Configure Additional Settings for WebCenter Portal Applications

11.2.3.2.1 What You Should Know About Item Level Security

Oracle WebCenter allows custom permissions to be set on a file or a folder. This feature is referred to as Item Level Security (ILS). Once configured, the feature can be accessed from the File menu Security option when viewing a file or folder (see Section 34.6.1, Managing Content). ILS can be used to replace the existing file or folder security with a custom set of permissions.

■ When applied to a file, the custom permissions affect only that file.
■ When applied to a folder, the updated security is propagated to all child files and folders recursively, stopping when a folder is encountered with its own custom permissions. The propagation does not affect a file with its own custom permissions, if already set.

Within the Oracle Content Server, ILS is implemented as a combination of ACL, account, and other metadata field settings. Oracle Content Server must be correctly configured to enable ILS. See Section 11.2.3.2, Configuring Oracle Content Server 11g to Support Item Level Security in All WebCenter Applications and Section 11.2.3.3, Configuring Security Between Oracle Content Server 11g and WebCenter Portal Applications.

Note: In WebCenter Spaces, using ILS as the primary security mechanism for a Space may become difficult to administer when the number of users grows. Moreover, ILS may not be as efficient as the Space security model. Therefore, Oracle recommends using ILS only to define security for the documents or folders that do not fit within the Space security model. For example, documents and folders to which only a restricted set of users have access. For information about security, see the section Managing Roles and Permissions for a Space in Oracle Fusion Middleware User's Guide for Oracle WebCenter.

Note: ILS cannot be applied to the root folder of a Space in the WebCenter Spaces application. This is so that the Spaces security can be correctly restored on a file or folder when its item level security is removed.

11-18 Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter

What Happens in Oracle Content Server on Setting Custom Permissions

The following occurs in Oracle Content Server on setting custom permissions for a file or folder from the Item Level Security dialog:

■ The account is changed to account WCILSoriginal_account. All users are by default granted RWDA on account WCILS. Changing the account to WCILSoriginal_account ensures that only the custom permissions determine the security on the content.
■ The ACL content metadata fields, xClbraUserList and xClbraRoleList, are updated with the custom permissions.
■ The content metadata field, xInhibitUpdate, is set to true, to prevent ILS from overwriting an item's own custom security with a parent folder's custom permissions.

What Happens in Oracle Content Server on Removing Custom Permissions

Removing custom permissions from a folder or file attempts to revert the security on that item to the security set on the item's parent folder. When you remove custom permissions, the following changes take place within Oracle Content Server:

■ The item's account is changed to be the account of its parent folder.
■ The item's ACL content metadata fields, xClbraUserList and xClbraRoleList, are cleared.
■ The content metadata field, xInhibitUpdate, is set to false.

These changes are propagated in the same way as when the item level security is set.

Prerequisites for Using Item Level Security in a WebCenter Portal Application

For a WebCenter Portal application, the Item Level Security (ILS) feature is supported only if the application's Oracle Content Server security configuration meets certain prerequisites. In most scenarios ILS is not required, and therefore it should not be enabled unless explicitly needed. Typical reasons for using ILS are application situations when the Oracle Content Server security models need to be overridden or supplemented to handle exception cases to security policies for individual users or groups of users, on a per document basis.
Please be aware that there are performance impacts and additional administrative overhead when using ILS.

The following are the Oracle Content Server security ILS prerequisites for a WebCenter Portal application:

■ Security is based on Oracle Content Server Accounts alone. Since all content must also have a security group, this means all application users must have RWD permissions granted to the application's security group. This is necessary because of how ILS works, that is, on setting the custom permissions, the account automatically changes to WCILSoriginal_account, which is an account all users have RWDA granted to. This is so that the custom permissions alone determine the security on the document or folder.
■ The content metadata field, xForceFolderSecurity, is set to true for the entire application content. That is, Folder security settings are enforced on child folders and documents. This is necessary to support the propagation of custom permissions.

Note: Oracle recommends using the Oracle Content Server security because it is efficient and scales easily for a large number of users and content objects compared with item level security. From an administrative perspective, Oracle Content Server's security is also easier to maintain. For information about configuring the security, see Section 11.2.3.3, Configuring Security Between Oracle Content Server 11g and WebCenter Portal Applications.
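The set, propagate and remove behaviour described in this section can be traced with a small in-memory model. This is an added example, not Oracle code: the Item class, the acl field (standing in for xClbraUserList and xClbraRoleList together), the sample tree and the account name space1 are all constructed, and the model assumes that propagation copies both the account and the ACL fields to descendants.

```python
from dataclasses import dataclass, field

ILS_PREFIX = "WCILS"  # account prefix exactly as printed on this page

@dataclass(eq=False)
class Item:
    name: str
    account: str
    is_folder: bool = False
    parent: "Item" = None
    acl: dict = field(default_factory=dict)   # models xClbraUserList / xClbraRoleList
    inhibit_update: bool = False              # models xInhibitUpdate
    children: list = field(default_factory=list)

def add(parent, name, is_folder=False):
    child = Item(name, parent.account, is_folder, parent)
    parent.children.append(child)
    return child

def _propagate(folder):  # assumption: propagation copies account and ACL downwards
    for child in folder.children:
        if not child.inhibit_update:   # items with their own custom permissions are skipped
            child.account, child.acl = folder.account, dict(folder.acl)
            _propagate(child)

def set_custom_permissions(item, acl):
    if item.parent is None:
        raise ValueError("ILS cannot be applied to the root folder of a Space")
    if not item.account.startswith(ILS_PREFIX):
        item.account = ILS_PREFIX + item.account
    item.acl, item.inhibit_update = dict(acl), True
    _propagate(item)

def remove_custom_permissions(item):
    item.account = item.parent.account   # revert to the parent folder's account
    item.acl, item.inhibit_update = {}, False
    _propagate(item)

def demo():
    snap = lambda *items: {i.name: (i.account, dict(i.acl), i.inhibit_update) for i in items}
    root = Item("root", "space1", True)   # constructed sample tree and account name
    hr = add(root, "hr", True)
    memo, payroll = add(hr, "memo.doc"), add(hr, "payroll", True)
    slip = add(payroll, "slip.pdf")
    set_custom_permissions(payroll, {"alice": "RW"})
    set_custom_permissions(hr, {"bob": "R"})
    after_set = snap(hr, memo, payroll, slip)
    remove_custom_permissions(hr)
    return after_set, snap(hr, memo, payroll, slip)
```

In the model, the nested payroll folder keeps its own permissions through both the set and the remove on its parent, which is the case to review when auditing who can still reach content after a folder's custom permissions are removed.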

11.2.3.2.2 How to Configure Item Level Security

To configure Item Level Security (ILS):

1. Log on to your Oracle Content Server instance.

2. From the Administration menu, choose Admin Server to open Component Manager.

3. In the Component Manager section, click the Advanced Component Manager link.

4. In the Advanced Component Manager page, scroll down to the Disabled Components list, select RoleEntityACL, as shown in Figure 11–7, and then click Enable.

Figure 11–7 Advanced Component Manager - RoleEntityACL Component

5. From the Options pane on left, select General Configuration.

6. Under the General Configuration page, in the Additional Configuration Variables box, add the following parameters:

   UseEntitySecurity=1
   SpecialAuthGroups=PersonalSpaces,applicationName

   where:

   SpecialAuthGroups is a comma-separated list (no spaces allowed between values) of security groups. The ILS option is enabled only on content in these security groups. For WebCenter Spaces, the name of the application, in which all Space content is created, defines the name of a security group.

   You can find the application name using either Fusion Middleware Control or WLST. In Fusion Middleware Control, the application name is displayed as part of the Oracle Content Server default connection in the WebCenter Spaces connections. In WLST, the application name is shown using the listDocumentsSpacesProperties command, for example:

   listDocumentsSpacesProperties('webcenter')
   The Documents Spaces container is myspacesroot
   The Documents repository administrator is weblogic
   The Documents application name is myspacesapp - applicationName

See Also: Setting Security Options for a File in Oracle Fusion Middleware User's Guide for Oracle WebCenter.
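A check for the two variables from step 6, as an added example that is not part of the Oracle guide. The function name check_ils_config and the sample texts are constructed; the input is the text pasted into the Additional Configuration Variables box, and myspacesapp is the application name taken from the WLST output above.

```python
import re

def check_ils_config(cfg_text, app_group):
    """Return a list of problems found in the configuration variable text."""
    settings = {}
    for line in cfg_text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value      # value kept untrimmed to catch spaces
    problems = []
    if settings.get("UseEntitySecurity", "").strip() != "1":
        problems.append("UseEntitySecurity is not set to 1")
    groups = settings.get("SpecialAuthGroups")
    if groups is None:
        problems.append("SpecialAuthGroups is missing")
        return problems
    if re.search(r"\s", groups):
        problems.append("SpecialAuthGroups contains whitespace")
    names = [g.strip() for g in groups.split(",")]
    if "" in names:
        problems.append("SpecialAuthGroups has an empty entry")
    if app_group not in names:
        # ILS is enabled only on content in the listed security groups
        problems.append(f"security group {app_group!r} is not listed")
    return problems

# Constructed sample inputs: the values from step 6, and a variant with typical slips.
GOOD = "UseEntitySecurity=1\nSpecialAuthGroups=PersonalSpaces,myspacesapp\n"
BAD = "SpecialAuthGroups=PersonalSpaces, myspacesapp,\n"
```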