Users and Groups Security Model Overview

information from Human Resources. Instead, Bob suggests Theo use the employee e-mail address as a unique identifier that is available on documents accessible to Theo. In this example, Theo knew the business need he was implementing, but his knowledge of business practice outside of his area was limited. The security put in place by Oracle IPM allowed him to meet his business need without compromising privacy.

2.1.3.2 Definition Rights

Definition security is defined on the security train stop when the definition is created, and is managed using the appropriate panel of the Navigator Pane. For example, security for an application definition is defined on the Application Security Page and security for a search definition is defined on the Search Security Page. Definition rights have four levels of security: View, Modify, Delete, and Grant Access.

Definition rights are specific to each definition created. Anyone needing access to a definition through other definition types must have at least View rights to the specific definition. For example, users in XYZ Company needing to create or modify search definitions against the Invoices_US application need to have at least View rights to that application definition.

Theo, as director of the US Accounting department, has View rights to the Invoices_US application and all rights to the All US Invoices search in order to be able to refine or change the search as business needs refine or change. Theo also has Grant Access rights to the search in order to provide View rights to individual contract employees that help during high volume periods.

2.1.4 Users and Groups

Definition management rights and definition rights are defined for either individual users or for user groups managed through separate security providers to Oracle WebLogic Server, such as Oracle Internet Directory (OID) or another provider. Users or groups are granted various levels of access to definitions and definition management using the Oracle IPM user interface. For example, when an application definition is created, a user or group is granted View rights to the application when they are added using the Application Security Page. Additional rights are then specified as required.

Groups are an efficient way to assign security rights to many individuals in an organization with identical access needs. For example, a Managers group could contain managers across an enterprise who need View rights to documents in the Resumes application. An HR_Managers group can be given Write, Delete, and Grant Access document rights to the same application in order to upload and delete resumes to and from Oracle IPM, or grant access to the Resumes application and related searches to individual employees who might be asked to help when hiring a new employee.

Security Right    Definition
View              Enabled by default. Grants the user or group the right to view this definition.
Modify            Grants the user or group the right to modify all aspects of this definition except for granting security rights.
Delete            Grants the user or group the right to delete this definition.
Grant Access      Grants a user or group the right to grant security rights to others for this definition. If this is the only security level granted, the user can modify only the security information for this definition.

Note that document security is assigned when an application is defined and only allows security rights to be assigned at the group level.
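The definition-rights rules described above, modelled as an added example; this is not Oracle IPM code and does not use any Oracle API. It checks the "at least View on the referenced definition" rule, the Grant Access-only case, and lists who can hand out rights on each definition. The union of direct and group grants, the AP_Clerks group, and every user other than Theo are assumptions made for the illustration.

```python
from enum import Flag

class Right(Flag):  # the four definition rights
    NONE = 0
    VIEW = 1
    MODIFY = 2
    DELETE = 4
    GRANT_ACCESS = 8

ALL = Right.VIEW | Right.MODIFY | Right.DELETE | Right.GRANT_ACCESS
APP = ("application", "Invoices_US")
SEARCH = ("search", "All US Invoices")

# Constructed sample data. theo's grants follow the text; the AP_Clerks group
# and the users carol, sam and gail are hypothetical.
GROUPS = {"AP_Clerks": {"carol"}}
GRANTS = {
    APP: {"theo": Right.VIEW, "AP_Clerks": Right.VIEW},
    SEARCH: {"theo": ALL, "AP_Clerks": Right.VIEW,
             "sam": Right.VIEW | Right.MODIFY, "gail": Right.GRANT_ACCESS},
}

def effective(user, definition):
    """Union of direct and group grants (assumed resolution rule)."""
    rights = Right.NONE
    for principal, granted in GRANTS.get(definition, {}).items():
        if principal == user or user in GROUPS.get(principal, ()):
            rights |= granted
    return rights

def can(user, action, definition, uses=()):
    """True if user may view/modify/delete/set_security on definition.
    `uses` lists definitions reached through it; each needs at least View."""
    needed = {"view": Right.VIEW, "modify": Right.MODIFY, "delete": Right.DELETE,
              "set_security": Right.GRANT_ACCESS}[action]
    return bool(effective(user, definition) & needed) and all(
        effective(user, dep) & Right.VIEW for dep in uses)

def grant(granter, grantee, rights, definition):
    """Only a holder of Grant Access may change a definition's security."""
    if not can(granter, "set_security", definition):
        raise PermissionError(f"{granter} lacks Grant Access on {definition}")
    acl = GRANTS[definition]
    acl[grantee] = acl.get(grantee, Right.NONE) | rights

def grant_access_holders():
    """Audit view: who can hand out rights on each definition."""
    return {d: sorted(p for p, r in acl.items() if r & Right.GRANT_ACCESS)
            for d, acl in GRANTS.items()}
```

Reviewing the output of `grant_access_holders()` is the useful check in practice: every principal listed there can extend access to others, so that list should stay short and match named business owners such as Theo.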

2.2 Definition and Definition Management Security

Definition and definition management security is managed through the IPM user interface. This section covers the following topics:

■ Section 2.2.1, Working With Definition Management Security
■ Section 2.2.2, Working with Definition Security
■ Section 2.2.3, Working with Document Security
■ Section 2.2.4, Working with Annotation Security
■ Section 2.2.5, Security Example

2.2.1 Working With Definition Management Security

Definition management security is managed using the Definition Management Security pages, accessed from the Manage Security panel of the Navigator Pane. To grant, revoke, or copy user and group rights to applications, inputs, searches or connections, do the following:

Changing Existing User and Group Rights To Definitions

1. Click Manage Security in the Navigator Pane to expand the pane and expose the definition type you want to manage.

2. Click the definition type you want to manage:

■ Applications
■ Inputs
■ Searches
■ Connections

The Definition Management Security page for that definition type is displayed.

3. Click Modify. A toolbar is displayed above the listing of security members and the Create and Administrator security rights columns become active.

4. Enable or disable the rights next to the security member being modified and click Submit. The modification toolbar closes and the definition management security has been changed.

Revoking Existing Users and Groups Security Rights to Definitions

1.