Retention Management in an Organization

5 Setting Up Security

Multiple layers and types of security are available in Oracle URM, including roles, rights, security groups, and access control lists. As with the standard Oracle UCM security model, the final set of permissions and privileges is determined by the intersection of all security mechanisms in place.

Access control lists and supplemental markings are required for compliance with the DoD 5015.2 specification. Classification levels are required for compliance with Chapter 4 of DoD 5015.2.

Custom security fields can be created and additional security added to individual fields. See Chapter 6, Additional Security Settings, for details.

You can also use the accounts security model in addition to the options provided by the system. For more information about the account security model, see the Oracle Fusion Middleware System Administrator's Guide for Content Server. See Fusion Middleware Security Considerations on page 3-2 for details about user roles, accounts, and permission considerations.

This section covers the following topics:

Concepts
■ Retention Management in an Organization
■ Roles
■ Tasks and Default Rights for Roles
■ Security Groups
■ Access Control Lists (ACLs)
■ Security Matrix
■ Default Rights for Roles

Tasks
■ Setting Security Preferences
■ Assigning Rights to User Roles
■ Specifying PCM Barcode Values for Users

5.1 Retention Management in an Organization

The figure below shows a typical retention management structure in an organization.

Figure 5–1 Typical Retention Management Organization (from the Oracle Fusion Middleware Setup Guide for Universal Records Management)

Most people in the various departments of an organization can file content or check in content items, search for items, and view them. These are basic Records Users.

A much smaller group of people (privileged users) is typically granted rights to perform some additional functions not allowed for basic users, for example, altering classifications or creating triggers or retention schedules. These are people with the Records Officer right.

A very limited number of people are administrators, who are typically responsible for setting up and maintaining the management infrastructure. Records Administrators have the widest range of rights to perform management tasks. For example, they can usually perform all and disposition actions, including those assigned to others. The administrators are often in the legal department of an organization, which can drive the efforts for effective and efficient management.

The software comes with predefined management roles called ‘rma’, ‘rmalocalrecordsofficer’, and ‘rmaadmin’, designated in the documentation as Records User, Records Officer, and Records Administrator. Each of these standard roles provides a default set of permissions and rights, which coincide with the typical responsibilities of basic users, privileged users, and administrators, respectively. However, these roles can easily be modified to suit specific management needs. New roles can be created with assigned management rights, or different management rights can be given to existing roles. Users without specific rights can still apply life cycles to content items.

5.2 Roles