Skip Headers
Oracle® Application Server Portal User's Guide
10g Release 2 (10.1.4)
B13809-04
  Go To Documentation Library
Home
Go To Product List
Solution Area
Go To Table Of Contents
Contents
Go To Index
Index

Previous
Previous
Next
Next
 

18 Protecting Your Content

OracleAS Portal uses privileges to control access to portal objects, such as pages, tabs, items, templates, and styles. Administrators can delegate the assignment of privileges to other users and groups. Privilege assignments enable users and groups to access, personalize, or modify the object. Administrators can also grant global privileges on all objects of a given type.

Figure 18-1 Set Access Rules to Protect Content

Set access rules to protect content
Description of "Figure 18-1 Set Access Rules to Protect Content"

This chapter contains information on how to use privileges to control who may view and interact with objects in your portal. It includes the following sections:

Intended Audience

This chapter is intended for users who want to understand how security operates within OracleAS Portal. The privilege required to perform the actions discussed in this chapter vary according to the type of action. Each section provides information about required privileges. For more information about privileges, see Appendix B, "Page Group Object Privileges".

18.1 Page and Object Security in OracleAS Portal

OracleAS Portal provides privilege levels to allow increasing degrees of protection for your data. To determine a user or group's access to an object, OracleAS Portal synthesizes the answers to the following questions:

This section explores the underlying meaning of these questions.

Is the object public, or is it restricted to certain users?

All objects in OracleAS Portal are either public or restricted. Restrictions are controlled by an access list. Anyone can see a public object—even users who do not log on. When an object is restricted by an access list, only users on the list can see the object. The access list states the extent to which specified users and groups can interact with the object. The list is created through the granting of privileges to users and groups.

You can explicitly make pages and tabs available to public users (on the Access tab of page or tab properties). By extension, a public page or tab's content is also public.

Has the user or group been granted an explicit privilege on the object?

If an object is not public, it is controlled by an access list. The object's creator—or a user with the Manage privilege on the object—uses this list to explicitly grant privileges to other users and groups.

Different levels of privilege allow for greater or lesser levels of access. For example, one group might be able to see the object, but not change it. Another group might be able to add, edit, hide, or delete the object.

When an access privilege on an object is granted to a group, all group members have the same level of access to the object. That is, you cannot grant access to most members of a group, excluding one or two members.

You can grant a greater level of privilege to a user who is also a member of a group. For example, the group Accounting has the View privilege on a page. The user Jane Doe, who is also a member of the Accounting group, can be granted additional privileges (as an individual user), such as Manage Content.

Has the user or group been granted a global privilege on the object type?

A global privilege applies to all objects of a given type. For example, if you have the global privilege Manage on the object type All Styles, you can create, edit, or delete any style in OracleAS Portal, no matter which page group owns the style. Apply global privileges to both users and groups.

Use global privileges as a means of implicitly granting access to an object. Compare this to the object's access list, through which privileges are explicitly granted.

Does the user or group belong to a special group created by OracleAS Portal?

When your user account is created, the portal administrator decides if you are allowed to log on. If you can log on, you are an authenticated user. If you cannot log on, you are a public user. Users who can log on belong to the Authenticated Users group, one of the default groups provided with OracleAS Portal out of the box. The Authenticated Users group has the Create global privilege on the object types All Pages and All Styles.

Users with the global privilege Create on the object type All Pages can create sub-pages in any page group provided they also have the page privilege Manage on the parent page under which sub-pages will be created.

Users with the global privilege Create on the object type All Styles can create styles in any page group on which they also have the page group privilege Manage Styles.

Each of the default groups provided by OracleAS Portal is granted its own set of global privileges. For more information, see Oracle Application Server Portal Configuration Guide.

18.2 Delegating the Task of Assigning Privileges

In a large enterprise, the portal administrator should consider delegating the power to assign privileges. The range of privileges extends from portal-wide to item-specific. A lone portal administrator handling all privilege assignments could easily be overwhelmed by access requests.

Typically, a privilege that provides total control over an object—from a page group to an item—also provides the power to assign equal or subordinate access privileges to other users. For example, a page group administrator—that is, a user with the page group privilege Manage All on a page group—can assign the page privilege Manage to users and groups. Among other things, this privilege enables users to create sub-pages under the page on which they have the privilege. A user with the page privilege Manage can enable item level security and assign item-level access privileges.

Table 18-1 lists the privileges that include the power of privilege assignment and the types of privileges that can be assigned.

Table 18-1 Privileges that Include the Assignment of Privileges

Privilege Power of Assignment

The global privilege Manage All on the object type All Page Groups

  • Page group privileges on all page groups

  • Page privileges on all pages in all page groups

  • Tab privileges on all tabs in the page group

  • Item privileges on all items in the page group

  • Template privileges on all templates in the page group

  • Style privileges on all styles within the page group

The global privilege Manage Templates on the object type All Page Groups

  • Template privileges on all templates on all page groups

The global privilege Create on the object type All Page Groups

  • Page group privileges on all page groups the user creates

  • Page privileges on all pages the user creates

  • Tab privileges on all tabs the user creates

  • Item privileges on all items the user creates

The global privilege Manage on the object type All Pages

  • Page privileges on all pages

  • Tab privileges on all tabs

  • Item privileges on all items

Page group privilege Manage All

  • Page privileges on all pages in the page group

  • Tab privileges on all tabs in the page group

  • Item privileges on all items in the page group

  • Template privileges on all templates in the page group

  • Style privileges on all styles within the page group

Page privilege Manage

  • Page privileges on the managed page and any of its sub-pages that inherit their privileges from the managed page

  • Tab privileges on the managed page and any of its sub-pages that inherit their privileges from the managed page

  • Item privileges on the managed page and any of its sub-pages that inherit their privileges from the managed page

  • Style privileges on the managed page and any of its sub-pages that inherit their privileges from the managed page

    For users with the page privilege Manage Style to change the style of a page, the option Allow Privileged Users To Manage Page Style must also be selected for the page group.

    The template-level option Enable Pages To Use Different Style controls whether page designers can specify different style settings for pages based on the template.

Tab privilege Manage

  • Tab privileges on the tab and its sub-tabs

  • Item privileges on tab and its sub-tabs

  • Style privileges on the tab and its sub-tabs

    For users with the tab privilege Manage Style to change the style of a tab, the option Allow Privileged Users To Manage Page Style must also be selected for the page group.

    If a tab is based on a template, users with the tab privilege Manage Style may not be able to control the style of the tab. The template-level option Enable Pages To Use Different Style controls whether page designers can specify different style settings for the tab.

Item privilege Manage

  • Item privileges on the item and its sub-items


For a list and description of all privileges, from page groups to items, see Appendix B, "Page Group Object Privileges".

18.3 Granting Global Privileges

Users or groups who create page groups must have at least the global privilege Create on the object type All Page Groups. Portal administrators are usually the ones to grant such high-level privileges.

Use global privileges to grant a user or group a certain level of privileges on all objects of a particular type, on portal database providers, and on tasks pertaining to portal administration.


Note:

Global privileges confer a great deal of power on the user or group to whom they are granted. As a result, such privileges should be granted very cautiously and only to users or groups who truly require them. There should be only a small number of users with global privileges.

Grant global privileges to users in the Portal User Profile portlet. Grant global privileges to groups in the Portal Group Profile portlet. In a default installation of OracleAS Portal, both of these portlets are located on the Portal sub-tab of the Administer tab of the Portal Builder page.


Note:

The Portal User Profile portlet is visible only to users with the global privilege Manage or Edit on the object type All User Profiles. The Portal Group Profile portlet is displayed to all users, but only the owner of a group or users with the global privilege Manage or Edit on the object type All Group Profiles can edit a group profile.

This section describes how to assign global privileges to a user or a group. It contains the following sub-sections:

18.3.1 Granting Global Privileges to a User

To grant global privileges to a user:

  1. Log in to OracleAS Portal.

  2. Click the Administer tab to bring it forward.

  3. Click the Portal sub-tab.

  4. In the Name field of the Portal User Profile portlet, enter the name of the user to whom to grant global privileges.

    Optionally, click the Browse Users icon to select a user from a list.

    By default, the Portal User Profile portlet is located on the Portal sub-tab of the Administer tab on the Portal Builder page. If you do not find it there, speak to the person who installed your portal.


    Note:

    The Portal User Profile portlet is visible only to users with global privilege Manage or Edit on the object type All User Profiles.

  5. Click the Edit button.

  6. Click the Privileges tab to bring it forward.

  7. Grant privileges relating to page groups, portal database providers, and portal administration.

    Users or groups who create page groups must have at least the global privilege Create on the object type All Page Groups.

  8. Click Apply to save your changes and remain on the Privileges tab, or click OK to save your changes and return to the Portal User Profile portlet.

For more information about global privileges, see Oracle Application Server Portal Configuration Guide.

18.3.2 Granting Global Privileges to a Group

To grant global privileges to a user:

  1. Log in to OracleAS Portal.

  2. Click the Administer tab to bring it forward.

  3. Click the Portal sub-tab.

  4. In the Name field of the Portal Group Profile portlet, enter the name of the group to whom to grant global privileges.

    Optionally, click the Browse Groups icon to select a group from a list.

    By default, the Portal Group Profile portlet is located on the Portal sub-tab of the Administer tab on the Portal Builder page. If you do not find it there, speak to the person who installed your portal.


    Note:

    The Portal Group Profile portlet is displayed to all users, but only the owner of a group or users with the global privilege Manage or Edit on the object type All Group Profiles can edit a group profile.

  5. Click the Edit button.

  6. Click the Privileges tab to bring it forward.

  7. Grant privileges relating to page groups, portal database providers, and portal administration.

    Users or groups who create page groups must have at least the global privilege Create on the object type All Page Groups.

  8. Click Apply to save your changes and remain on the Privileges tab, or click OK to save your changes and return to the Portal Group Profile portlet.

For more information on global privileges, see Oracle Application Server Portal Configuration Guide.

18.4 Securing Page Groups

Page group privileges are granted on the Access tab of page group properties.

To grant privileges on a page group:

  1. Log in to OracleAS Portal.

  2. Click the Build tab to bring it forward.

  3. From the Page Groups portlet Work In drop-down list, select the page group on which to grant privileges.

  4. Click the Configure link.

  5. On the resulting page, click the Access tab to bring it forward.

  6. In the Grantee field, enter the name of a user or group.

    Optionally, click the Browse Users or Browse Groups icon to select a user or group from a list.

  7. Select a privilege from the drop-down list. Choose from:

    • Manage All

    • Manage Classifications

    • Manage Templates

    • Manage Styles

    • View

    These privileges are described in detail in Appendix B, "Page Group Object Privileges".

    Though you cannot select multiple privileges to grant at one time, after you click Add, you can repeat the process, select the same user or group, and grant another privilege. In this way, you can grant a general privilege, such as View, to a group, then a higher-level privilege, such as Manage All, to a user who is also a member of the group.

  8. Click Add.

    The assignment displays in the Change Access section, where you can revise the grant to a greater or lesser privilege level, or remove the grant entirely.


    Note:

    When you change access privileges, click the Clear Cache link at the bottom of the Access tab to make such changes take effect immediately.

18.5 Securing Pages

When you want users to have privileges on pages, it sometimes takes more than granting a specific privilege. For example, users may have the page privilege Manage Style, but they cannot apply styles to pages unless the page group option Allow Privileged Users To Manage Page Style is also selected.

This section guides you through the process of granting privileges on pages. It includes the following sub-sections:

18.5.1 Making a Page Available to Everyone

By making a page public, you allow all users to view your page, even users who are not logged on. Users who are not logged on are called public users. If you do not make your page available to everyone, only users with the page privilege View or higher are able to view the page.

Making a page available to public users enables public as well as privileged users to view the page. If you want to enable users and groups to manage, personalize, or add content to the page, you must grant them additional privileges.

To make a page available to everyone:

  1. Log in to OracleAS Portal.

  2. Go to the page to be made public.

    For information on locating a page, see Section 9.1, "Locating Pages in OracleAS Portal".

  3. Switch to Edit mode.

  4. Click the Page: Properties link in the page toolbar.

  5. Click the Access tab to bring it forward.

  6. Select Display Page To Public Users.

    For this option to display, page access must be set to Specify Access Settings. If page access is set to Inherit Access Settings from Page <page_group_name>, you do not see the option Display Page To Public Users.


    Note:

    Any page with the option Display Page To Public Users enabled becomes a crawlable data source for Oracle Ultra Search. See also Oracle Application Server Portal Configuration Guide.

  7. Click OK to save your change and return to the page.

Changing the access settings of a Portal Template affects all pages that are based on that template, unless the template allows different access settings. This means that when you set access on a Portal Template for pages to public, all pages based on the template are public, unless the template allows the pages based on it to have their own access settings. The control for allowing different access settings for pages that are based on a template is on the Access tab of the template's Properties page: Enable Pages To Have Different Access.

18.5.2 Granting Privileges on a Page

You can specify who has access to a page and how much access they have. Access privileges work incrementally, starting at the global privilege level. For example, you can grant the global privilege View on the object type All Pages to group A, then explicitly grant the Manage privilege on a particular page to user A3. All members of group A can see the page, but the only group A member who can do everything else to the page is user A3.

With respect to page access and personalization, it may help to consider two versions of a page: an individual user's version, and the version displayed to all users with access. If you manage the page, you control the extent to which other users can personalize the page: whether they can modify the display version, their own private version, or nothing at all.

If a page is based on a template, page managers may not be able to control the access and style of the page. There are two options at the template level that control whether page designers can specify different style and access settings for pages based on the template: Enable Pages To Have Different Access and Enable Pages To Use Different Style. These must be selected; otherwise, the page access and style settings cannot be changed.

To control access to a page:

  1. Log in to OracleAS Portal.

  2. Go to the page where you will control access.

    For information on locating a page, see Section 9.1, "Locating Pages in OracleAS Portal".

  3. Switch to Edit mode.

  4. Click the Page: Properties link in the page toolbar.

  5. Click the Access tab to bring it forward.

  6. Select Enable Item Level Security to allow item creators to specify access control for individual items in the page.

    • If you select this check box, item creators have the choice of inheriting access control from the page, or specifying access control for individual items.

    • If you do not select this check box, all the items on the page inherit access control from the page.

    This option is available only if the page is a Standard page, or is a custom page that is based on the Standard page type.

    For more information, see Section 18.9.1.1, "Understanding Item Level Security"

  7. To explicitly grant privileges to users or groups:

    1. In the Grantee field, enter the name of the user or group to whom to grant page access.

      Optionally, click the Users or Groups icon, and select from the list provided.


      Note:

      OracleAS Portal uses the Oracle Internet Directory for identity management, serving as the repository for users and groups. In the Oracle Internet Directory, groups are uniquely identified by their distinguished name (DN). Each group has a unique DN, though many groups can share a common name, in the same way that two people can share a common name, yet have completely different lineage (for example, John Smith and John Doe). When working within the portal, groups created from within that portal are displayed simply with their common names. However, when the portal references a group from some other location in the Oracle Internet Directory—such as a group from some other portal associated with the same Identity Management Infrastructure—the DN of the group is displayed to distinguish it from the portal's locally defined groups.

    2. Choose a privilege level from the list.


      Note:

      For a list and description of page privileges, see Appendix B, "Page Group Object Privileges". The order of the list of privileges is irrelevant. Privileges higher on the list are not necessarily more or less powerful.

    3. Click Add.

      Though you cannot select multiple privileges to grant at one time, after you click Add, you can repeat the process, select the same user or group, and grant another privilege. In this way, you can grant a general privilege, such as View, to a group, then a higher-level privilege, such as Manage All, to a user who is also a member of the group.

  8. To clear all the Web Cache entries for the page, click Clear Cache.

    The next time the page is requested, it is retrieved from the database, not the cache.

    For example, if you revoke a user's privileges on the page, the user will still be able to access the page if it is in the cache. If you want to make sure that your changes are applied immediately, clear the page from the cache by clicking this link.

  9. Click OK to save your changes and return to the Page.

Use the Privilege list under Change Access to change a user or group's privilege level. Click the Delete icon to remove the user's or group's privileges entirely.

Changing the access settings of a Portal Template affects all pages that are based on that template, unless the template allows page designers to use different access settings for the pages that are based on it. The control to allow pages to have different access is on the Access tab of the template's Properties page: Enable Pages To Have Different Access.

18.5.3 Caching and Security

The option you select for page, portlet, or template caching can have security implications. Any option that includes caching at the system level retrieves the same data from a single cache source for all users. For this reason, everything on the page (that is not hidden) is displayed to all users who are authorized to view the page. This includes links normally viewed only by users authorized to view the link. However, users can still perform only those actions for which they have the appropriate access privileges. When they click a link to a page, tab, item, or task which they are not authorized to view or to execute, they see an error message and cannot open the link's target or execute the link's action.

Portlets with content that is not generally public that are cached at the system level may not display. For example, objects in the Page Groups portlet typically display according to the privilege-level of the user viewing the portlet. If you did not create a page group and you have no privileges on it, you likely will not see it displayed in the Page Groups portlet. Such objects are not "public." If you cache the Page Groups portlet at the system level, your users are unlikely to see it when the portlet's container page is rendered.

To prevent exposing the access point of sensitive data to unprivileged users, and to avoid the display of portlets without content, consider selecting a page or template caching option that does not include caching at the system level.

This will have performance implications for the speed at which pages are rendered. If you place a high value on performance, consider instead placing such sensitive content on a page with limited access, rather than including sensitive, secure content with more widely accessible content.

For a description of caching options for templates, pages, and portlet instances, see Chapter 22, "Improving Page Performance".

18.6 Securing Tabs

You can secure a tab by granting privileges on it or by locking its regions. Region locking is described in Section 18.8, "Locking Regions". To grant privileges on a tab, you must have at least the tab privilege Manage on the tab. Use tab privileges to control who can access a tab, add content to it, manage the style that is applied to it, or personalize their own view of the tab.

Use tab access privileges to grant a greater level of access to a tab than users or groups may have on the page that hosts the tab. For example, a user may have the page privilege View on a page but the tab privilege Manage on a tab on the page. The user can merely view the page, but can add content, grant access, and perform any other management task on the tab.

To grant privileges on a tab:

  1. Log in to OracleAS Portal.

  2. Go to the page that contains the tab on which to grant access privileges.

    For information on how to locate a page, see Section 9.1, "Locating Pages in OracleAS Portal".

  3. Switch to Edit mode.

  4. Click the Edit Tab icon on the tab on which to grant access privileges (Figure 18-2).

    Figure 18-2 The Edit Tab icon

    Edit Tab icon

    Be sure to click the Edit Tab icon on the tab flap and not the one beside the flap.

  5. Click the Access tab to bring it forward.

  6. Under Access Setting, select a means of specifying tab access; choose from:

    • Inherit Access Settings from the Template—This option displays when the page hosting the tab is based on a template. This selection assigns the tab the same access privileges as are granted on the tab on the template on which this page is based.

      If you select this option, go to step 13.

    • Inherit Access Settings from Page <Page Name>—This selection assigns the tab the same access privileges as are specified for the tab's parent page or a sub-tab's parent (main) tab.

      If you select this option, go to step 13.

    • Specify Access Settings—This selection enables you to specify access settings for the tab. When you select this option, the Access Properties and Grant Access sections display on this page. If these sections do not automatically appear, click Apply.

      The rest of this procedure describes the steps you take when you select Specify Access Settings.

  7. Select or clear the Display Tab to Public Users check box.

    • Select to allow all users, even those who are not logged in, to view this tab.

    • Clear to limit the display of this tab to authenticated users.

  8. Select or clear the Enable Item Level Security check box.

    • Select to enable privileged users to define access privileges on individual items on this tab. When item level security is enabled, a user must have at least the item privilege View on the item in order to view it.

    • Clear to prevent the setting of access privileges on items on this tab.

  9. Under Grant Access, click the Browse Users or Browse Groups icon to select a user or group on whom to grant access privileges on the tab.


    Note:

    OracleAS Portal uses the Oracle Internet Directory for identity management, serving as the repository for users and groups. In the Oracle Internet Directory, groups are uniquely identified by their distinguished name (DN). Each group has a unique DN, though many groups can share a common name, in the same way that two people can share a common name, yet have completely different lineage (for example, John Smith and John Doe). When working within the portal, groups created from within that portal are displayed simply with their common names. However, when the portal references a group from some other location in the Oracle Internet Directory—such as a group from some other portal associated with the same Identity Management Infrastructure—the DN of the group is displayed to distinguish it from the portal's locally defined groups.

  10. Select a privilege from the associated drop-down list.

    Choose from:

    • Manage

    • Manage Content

    • Manage Style

    • Manage Items With Approval

      Approvals and notifications must be enabled for the page's page group for the page privilege Manage Items With Approval to display. For more information, see Section 6.4, "Setting Up Approvals".

    • Personalize Portlets (Full)

    • Personalize Portlets (Add-Only)

    • Personalize Portlets (Hide-Show)

    • Personalize (Style)

    • View

    All of these privileges are explained in detail in Appendix B, "Page Group Object Privileges".

  11. Click Add after defining each user or group's privilege.

    Though you cannot select multiple privileges to grant at one time, after you click Add, you can repeat the process, select the same user or group, and grant another privilege. In this way, you can grant a general privilege, such as View, to a group, then a higher-level privilege, such as Manage All, to a user who is also a member of the group.

  12. Once you have granted privileges, click the Clear Cache link.

    This will clear away any obsolete privileges on this tab that linger in the cache.

  13. Click OK to save your changes and return to the page.

18.7 Securing Portlets

Portlet security consists of three major areas of functionality:

This section explores portlet security related to authorization. It contains the following subsections:

You will find a more in-depth discussion of portlet security, including Authentication, Authorization, and Communication Security, in Oracle Application Server Portal Configuration Guide.

18.7.1 Granting Global Privileges on Portlets

The procedure for granting global privileges to a user is outlined in Section 18.3.1, "Granting Global Privileges to a User". The procedure for granting global privileges to a group is outlined in Section 18.3.2, "Granting Global Privileges to a Group". This section lists and describes the global privileges relating to portlets. It includes the following subsections:


Note:

Global privileges confer a great deal of power on the user or group to whom they are granted. As a result, such privileges should be granted very cautiously and only to users or groups who truly require them. There should be only a small number of users with global privileges.

18.7.1.1 Portlet-Related Global Privileges on All Portlets

The portlet-related global privileges that apply to all portlets include:

  • NoneNo global privileges are granted on portlets.

  • ManageCreate, edit, or delete any portlet in any provider.

  • EditEdit any portlet in any provider.

  • ExecuteExecute any portlet in any provider. Users and groups with this privilege can see all portlets, even when portlet security is enforced. The Show link appears in the Portal Navigator for all portlets. To view portlets through the Portal Navigator, drill down through the providers listed under the Providers tab.

  • AccessView any portlet in any provider.

  • PublishPublish any page portlet, navigation page, or Portal DB provider portlet to the portal. Publishing a portlet makes it available for adding to pages.

18.7.1.2 Portlet-Related Global Privileges on All Providers

The portlet-related global privileges that apply to providers of portlets include:

  • NoneNo global privileges are granted on providers.

  • ManageRegister, edit, and de-register any provider, as well as display and refresh the Portlet Repository. Users and groups with this privilege are also allowed to grant edit privileges on any provider.

  • EditEdit any registered provider.

  • PublishRegister and de-register any provider.

  • ExecuteView the portlets of any provider.

  • CreateCreate portlet providers. Users and groups have the Manage privilege on any provider they create. This means they can perform all manage operations (such as edit and de-register) on any provider they create.

18.7.1.3 Portlet-Related Global Privileges on All Portal DB Providers

The portlet-related global privileges on all Portal DB providers include:

  • NoneNo global privileges are granted on portlets.

  • ManageEdit, delete, or export any Portal DB provider. Create, edit, delete, or export any portlet in any Portal DB provider. Grant access to any Portal DB provider and any portlet in any Portal DB provider.

  • Edit ContentsEdit or export any portlet in any Portal DB provider.

  • View SourceView the PL/SQL package specification and body and run any portlet in any Portal DB provider. This privilege is intended primarily for users or groups who may want to look at a portlet's source to understand how to call it.

  • PersonalizePersonalize any portlet from any Portal DB provider.

  • Run—Run any portlet in any Portal DB provider.

  • CreateCreate Portal DB providers. Users and groups with this privilege can edit, delete, and export the providers they create, and they can create, edit, delete, and export any portlet in any provider.

18.7.2 Granting Personalization Privileges on Portlets

Many personalization privileges can be granted on portlets at the global level, the page level, and the tab level. When personalization privileges are granted at the global level, users with such privileges can use them on every portlet in the portal. When personalization privileges are granted at the page level, users with such privileges can use them on every portlet on the page. When personalization privileges are granted at the tab level, users with such privileges can use them on every portlet on the tab, though not on other portlets on the page that contains the tab.

In most cases, personalizations affect only the view of the user who makes them. A portlet must be edited, rather than personalized, before changes display to all users viewing the portlet.

An exception to this is when the portlet instance is shared. Provided users have sufficient privileges to edit a page, they can share a portlet instance to make their view of a portlet, along with all of its personalizations, available to other users. Shared portlet instances are available for selection under the Shared Portlets page in the Portlet Repository. The sharing option is available on pages, though not on pages that are based on Portal Templates. For more information, see Section 16.7, "Sharing a Portlet Across Multiple Pages".

Granting global access privileges on a portal is discussed in Section 18.3, "Granting Global Privileges". Granting access privileges on a page is discussed in Section 18.5, "Securing Pages". Granting access privileges on a tab is discussed in Section 18.6, "Securing Tabs". This section lists and describes portlet-related access privileges for the portal, for pages, and for tabs.

Global-, page-, and tab-related privileges pertaining to portlet personalizations include:

  • The global privilege Personalize on the object type All Portal DB providers

    Users with this privilege can personalize their view of any portlet in the portal.

  • The page or tab privilege Personalize Portlets (Full)

    Users with this privilege can alter their view of the page by adding portlets to the page, and deleting, moving, hiding, or showing any portlet on the page. Additionally, such users can change the style applied to their view of the page. Personalization changes are visible only to the user who makes them. For example, if a user with this privilege deletes a portlet from a page, the portlet will nonetheless continue to display on other users' views of the page. Likewise, if a user with this privilege adds a portlet to a page, only that user sees the portlet; it does not display when other users view the page.

    For users with this privilege to change the style applied to their view of a page, the option Allow Privileged Users To Personalize Page Style must be selected for the page group. This option is available on the Main tab of page group properties.

  • The page or tab privilege Personalize Portlets (Add-Only)

    Users with this privilege can alter their view of the page by adding portlets to the page, and removing, hiding, or showing the portlets that they add. Additionally, such users can change the style applied to their view of the page.

    For users with this privilege to change the style applied to their view of a page, the option Allow Privileged Users To Personalize Page Style must also be selected for the page group. This option is available on the Main tab of page group properties.

  • The page or tab privilege Personalize Portlets (Hide-Show)

    Users with this privilege can alter their view of the page by hiding, showing, or rearranging any portlet on the page. Additionally, such users can change the style applied to their view of the page. These changes are visible only to the user who made them. For example, if a user with this privilege hides a portlet on a page, that portlet is hidden only for that user; other users still see the portlet.

    For users with this privilege to change the style applied to their view of a page, the option Allow Privileged Users To Personalize Page Style must also be selected for the page group. This option is available on the Main tab of page group properties.

18.8 Locking Regions

Region locking is a way to limit the types of actions users can perform on a region. This section describes the effect of locking a region and how to lock page regions and Portal Template regions. It contains the following subsections:

18.8.1 Locking a Page Region

Once you lock a page region, when users personalize the page they cannot add content to the region or hide, show, delete, or move existing content. When users edit the page, they can still add, hide, show, delete, and move content.

To lock a page region:

  1. Log in to OracleAS Portal.

  2. Click the Build tab to bring it forward.

  3. From the Page Groups portlet Work In drop-down list, select the page group that owns the relevant page.

    By default, the Page Groups portlet is located on the Build tab of the Portal Builder page.

  4. Under Pages in the Layout & Appearance section, click the link to the page on which to lock a region.

    This opens the page in Edit mode.

  5. Click the Edit Region icon in the region to be locked (Figure 18-3).

    Figure 18-3 The Edit Region Icon

    Edit Region icon
  6. On the resulting page, go to the Region Content section, and clear the check box Enable Users To Include Content In This Region.

  7. Click OK to save your changes and return to the page.

18.8.2 Locking a Portal Template Region

When you lock a Portal Template region, no user can change the region content on pages that are based on the template (except through WebDAV; see note). When users edit or personalize a page that is based on a template with locked regions, they will not be able to add content to the region, or hide, show, delete, or move existing content.


Note:

If a default item region in a template is set not to allow users to add content, this setting is ignored by WebDAV when adding content to pages that are based on the template.

To lock a Portal Template region:

  1. Log in to OracleAS Portal.

  2. Click the Build tab to bring it forward.

  3. From the Page Groups portlet Work In drop-down list, select the page group that owns the relevant Portal Template

    By default, the Page Groups portlet is located on the Build tab of the Portal Builder page.

  4. Under Portal Templates in the Layout & Appearance section, click the link to the relevant template.

    This opens the template in Edit mode.

  5. Click the Edit Region icon in the region to be locked (Figure 18-4).

    Figure 18-4 The Edit Region Icon

    Edit Region icon
  6. On the resulting page, go to the Region Content section, and clear the check box Enable Users To Include Content In This Region.

  7. Click OK to save your changes and return to the Portal Template.

18.9 Securing Items

OracleAS Portal provides two powerful features for securing items: item level security and approvals. Item level security enables you to shield an item from unprivileged users or to grant higher access privileges on an item than might otherwise be granted on the page or tab that contains the item. Approvals enable you to structure an approval process through which new and revised content must pass before it can be published to your portal.

This section describes item level security and approvals and provides pointers on how to use these features. Additionally, it provides a table that outlines item URL access rules for items in various states, such as Draft, Pending, Unpublished, and so on. It contains the following subsections:


Note:

To enable item level security, you must have at least the page or tab privilege Manage on the page or tab that contains the item.

18.9.1 Using Item Level Security

Item level security provides a means of:

  • Preventing unprivileged users from seeing an item

    For example, when item level security is enabled and a user has the page privilege View but no item privileges, the user can view the page but not its items.

  • Granting a higher level of privilege on the item than is granted on the page

    For example, if a user has the page privilege View on a page, but the item privilege Manage on an item on the page, the user can enter page edit mode and perform content management tasks on that specific item. Such a user cannot perform any other editing tasks on the page.

Item level security can be applied to items placed on pages, tabs, and pages that are based on a Portal Template; though it cannot be applied (successfully) to items that are part of the template itself—even when item level security is turned on for the template and the user has privileges on the item.

The following sections further define item level security and describe how to enable it on a page or a tab. It includes the following subsections:

18.9.1.1 Understanding Item Level Security

By default, items inherit the access settings that apply to the page or tab that contains the item. Only users or groups who are authorized to access a given page or tab can access its items. When you enable item level security for a page or tab, items initially use the same security settings that are applied to the page or tab. But, using item level security capabilities, you can now grant a higher level of access on individual items.

When item level security is enabled, users with no privileges on the item cannot see the item.

The page privileges Manage and Manage Content override item level security privileges. This means that if you grant the item privilege View to a user who also has the page privilege Manage Content, the user can do anything to the item, more than just viewing it. However, item level security takes precedence over other page-level privileges.

For example, if a user has the page privilege Manage Style on a page, and the item privilege Manage on an item, the user can delete the item from the page, and is not limited to merely changing the page's style.

Item level security can be enabled only on Standard pages and custom pages that are based on the Standard page type.


Note:

There is no relationship between item level security and item versioning. Item level security has to do with who can access an item, and item versioning has to do with how older versions of an item are handled as newer versions are uploaded. For more information on item versioning, see Section 15.12, "Using Item Version Control".

Changes to the access settings of a Portal Template affect all pages that are based on the template, unless the template specifically allows the pages that are based on it to use different access settings. The option to allow pages based on templates to define their own access is located on the Access tab of Portal Template properties.


18.9.1.2 Enabling Item Level Security on a Page

To enable item level security on a page:

  1. Log in to OracleAS Portal.

  2. Click the Build tab to bring it forward.

  3. From the Page Group portlet's Work In drop-down list, select the page group that owns the page on which to enable item level security.

    In a typical installation, the Page Groups portlet is located on the Build tab of the Portal Builder.

  4. Under the Pages heading in the Layout & Appearance section, click the page on which to enable item level security.

    This opens the page in Edit mode.

  5. Click the Access link in the page toolbar.

  6. On the resulting page, go to the Access Properties section and select Enable Item Level Security.

  7. Click OK to return to the page.

This enables item creators to set access controls for individual items on the page. Item creators have the choice of inheriting access controls from the page or setting specific access controls for individual items.

18.9.1.3 Enabling Item Level Security on a Tab

To enable item level security on a tab:

  1. Log in to OracleAS Portal.

  2. Click the Build tab to bring it forward.

  3. From the Page Group portlet's Work In drop-down list, select the page group that owns the tab on which to enable item level security.

    In a typical installation, the Page Groups portlet is located on the Build tab of the Portal Builder.

  4. Under the Pages heading in the Layout & Appearance section, click the page that contains the relevant tab.

    This opens the page in Edit mode.

  5. Go to the tab on which to enable item level security.

  6. Click the Edit Tab icon (Figure 18-5).

    Figure 18-5 The Edit Tab Icon

    Edit Tab icon

    Be sure to click the Edit Tab icon on the tab flap and not the one beside the tab.

  7. On the resulting page, click the Access tab to bring it forward.

  8. Go to the Access Settings section, and select Specify Access Settings.

  9. In the Access Properties section, select Enable Item Level Security.

This enables item creators and item owners to grant access privileges on individual items on the tab. Item creators have the choice of inheriting access controls from the tab or granting access privileges on each item on the tab.

18.9.1.4 Enabling Item Level Security on a Portal Template

To enable item level security on a Portal Template:

  1. Log in to OracleAS Portal.

  2. Click the Build tab to bring it forward.

  3. From the Page Group portlet's Work In drop-down list, select the page group that owns the Portal Template on which to enable item level security.

    In a typical installation, the Page Groups portlet is located on the Build tab of the Portal Builder.

  4. Under the Portal Templates heading in the Layout & Appearance section, click the template on which to enable item level security.

    This opens the page in Edit mode.

  5. Click the Access link in the toolbar at the top of the template.

  6. On the resulting page, go to the Access Properties section and select Enable Item Level Security.

  7. Click OK to return to the page.

18.9.1.5 Changing Item Access

As a content contributor, you can decide if you want to grant additional access to an item to selected users or groups.You can grant access on one item or on multiple items simultaneously. This section provides information on both actions. It includes the following subsections:


Note:

To grant access privileges on an item, you must have at least the item privilege Manage on the item.

18.9.1.5.1 Changing Access on One Item

To grant access privileges on one item:

  1. Log in to OracleAS Portal.

  2. Click the Build tab to bring it forward.

  3. From the Page Group portlet's Work In drop-down list, select the page group that owns the page that contains the item on which to grant access privileges.

    In a typical installation, the Page Groups portlet is located on the Build tab of the Portal Builder.

  4. Under the Pages heading in the Layout & Appearance section, click the page that contains the item on which to grant access privileges.

    This opens the page in Edit mode.

  5. Locate the relevant item, and click the Actions icon beside the item (Figure 18-6).

    Figure 18-6 The Actions Icon

    Actions icon

    Note:

    For Page Link items, even if users have item level privileges on the item, they will not see the item if they do not have access to the target page.

  6. On the resulting page, click the Access link.

  7. In the Item Level Security section, select Define Item Level Access Privileges.

    Two additional sections display: Grant Access and Change Access. For some older versions of browsers, such as Netscape 4.x browsers, you may have to click Apply to make the additional sections display.


    Note:

    If you select Inherit Parent Page Access Privileges, the item has the same access privilege as was set for the parent page.

    If the item has multiple versions, the access setting is applied to all versions of the item, not just the one that you are editing.


  8. In the Grant Access section, enter the name of the user or group to whom to assign privileges.

    Click the Browse Users icon to display a list of existing users or the Browse Groups icon to display a list of existing groups.


    Note:

    Adding a group saves time when you want to grant the same access privilege to multiple users.

  9. From the privilege drop-down list, select an item level privilege to grant to the specified user or group.


    Note:

    For a list and description of item-level privileges, see Appendix B, "Page Group Object Privileges".

  10. Click Add.

    Grantees and their privilege levels display in the Change Access section. In this section, you can choose a different item-level privilege, or revoke item privileges from users or groups.

  11. Repeat steps 8 through 10 for each relevant user or group.

  12. When you are done, click OK.


    Note:

    OracleAS Portal uses the Oracle Internet Directory for identity management. The Oracle Internet Directory serves as the repository for users and groups. In the Oracle Internet Directory, groups are uniquely identified by their distinguished name (DN). Each group has a unique DN, though many groups can share a common name, in the same way that two people can share a common name, yet have completely different lineage (such as John Smith and John Doe). When working within the portal, groups created from within that portal are displayed simply with their common names. However, when the portal references a group from some other location in the Oracle Internet Directory—such as a group from some other portal associated with the same Identity Management Infrastructure—the DN of the group is displayed to distinguish it from the portal's locally defined groups.

    Item level security cannot be disabled for items in the Portlet Repository page group.


If a user is a member of two different groups with different privileges on the same item, the user is not limited by the lesser privilege. For example, if one group has the item privilege Edit, and another group has the item privilege Manage, and you belong to both groups, you can both view and manage the item.

To revoke the user or group's access, click the Delete icon next to the Grantee Name under Change Access.

18.9.1.5.2 Changing Access on Multiple Items Simultaneously

Use the Actions list in List view of page Edit mode to change access settings on multiple items simultaneously. For these actions to be taken, item level security must first be enabled on the page, tab, or template where you will perform the action. For more information, see Section 18.9.1, "Using Item Level Security".

To change access settings on multiple items simultaneously:

  1. Log in to OracleAS Portal.

  2. Click the Build tab to bring it forward.

  3. From the Page Group portlet's Work In drop-down list, select the page group that owns the page that contains the items on which to change access privileges.

    In a typical installation, the Page Groups portlet is located on the Build tab of the Portal Builder.

  4. Under the Pages heading in the Layout & Appearance section, click the page that contains the items on which to change access privileges.

    This opens the page in Edit mode.

  5. Click the List link in the toolbar at the top of the page.

    This displays the page in List view of page Edit mode.

  6. Select the check boxes next to the items to be changed.

  7. From the Actions drop-down list, select one of the following options, and click Go:

    • Modify Item Access Settings

      Select this option to modify the access settings of the checked items. Once you click Go, the Bulk Action: Modify Item Access Settings screen displays:

      • Use the Item Selections section to identify the items on which to modify item access settings.

        Select Specified Item Level Access, to act on items that have individually defined access settings. Click the Revoke All link to revoke all access privileges currently applied to these items.

        Select Items Inheriting From Parent Page, to act on items that inherit their access settings from the page on which they are placed.

      • Under Grant Access, assign privileges to the selected items as desired. For more information, see steps 8 through 12 of Section 18.9.1.5.1, "Changing Access on One Item".

      • Click Close when finished.

    • Do not Inherit Item Access Settings

      Select this option to specify that the specified items do not inherit their access settings from the page or tab on which they are placed. Click Go, then click OK in the resulting confirmation dialog.

    • Inherit Item Access Settings from Parent

      Select this option to specify that the specified items inherit their access settings from the page or tab on which they are placed. Click Go, then click OK in the resulting confirmation dialog.

18.9.2 Using Approvals to Pre-Screen Items

Approvals enable you to delegate the addition and revision of portal content without relinquishing control over what is actually displayed to your users. Approval-related features of particular interest are:

  • A defined approval process

  • The page privilege Manage Items With Approval (or the global privilege of the same name on the object type All Pages)

  • Item drafts

This section describes these features and points you to relevant information in other chapters in this guide.

For any of these features to be meaningful, you must first enable Approvals and Notifications on the Configure tab of page group properties (see Section 6.4.1, "Enabling Approvals and Notifications for a Page Group"). Once approvals are enabled, you can define an approval process, grant the page privilege Manage Items With Approval, and enable item drafts for a page group or (if allowed) a page.

Approval processes can reduce the costs of a paper-driven office in which hard-copy documents requiring approvals, such as expense reports and travel requests, create bottlenecks for your workers. When you define approval processes, you allow the appropriate people in your organization to receive notification of pending items requiring approval, to review the items, and to approve or reject the items, all from your company's portal.

By default, approval processes are defined at the page group level. If the page group is configured to allow pages to have their own approval processes, approval processes can be defined as well at the page level. Both page groups and pages provide a place to define an approval process on the Approval tab of their properties pages. For more information, see Chapter 21, "Setting Up an Approval Chain".

When a user with the page privilege Manage Items With Approval uploads or revises content, the content is submitted to a defined approval process where it can be reviewed and passed for publication or rejected. Keep in mind, however, if you have users with the page privilege Manage Items with Approval, and no approval process is defined, this privilege is equivalent to the page privilege Manage Content in relation to items. In other words, such users are able to publish items that have not been through an approval process. For information on granting privileges on pages, see Section 18.5.2, "Granting Privileges on a Page". For additional information on approvals, see Chapter 21, "Setting Up an Approval Chain".

You can also configure a page group to support item drafts. When the draft feature is enabled, content developers can upload items to the portal without exposing them until the content developers are ready to submit the items for approval. This is because draft items do not display to most users when a page is viewed. (To find out which users can view items in what state, see Section 18.9.3, "Item URL Security".) When the page is in Edit mode, users can see draft items in Pending Items Preview or List view, where such items are clearly labeled as drafts.

Content developers can upload draft content, placing it where they want it to display on the page, but preventing it from general display until they change its draft status. When the draft is finalized, the contributor can change its status, either to Active or to Pending, depending on whether an approval process is in place and the contributor is required to submit items for approval. Keep in mind that, once enabled, the Draft option cannot be disabled until all draft items are switched to active status or submitted for approval.

The option to enable drafts is located on the Approval tab of page or page group properties. Approvals must be enabled for the draft feature to be enabled, although drafts do not necessarily require approval. Approvals can be enabled without there being a defined approval process. This makes it possible to enable drafts for everyone without ultimately requiring that their finalized content be approved. For information on enabling item drafts, see Chapter 21, "Setting Up an Approval Chain".

18.9.3 Item URL Security

Table 18-2 outlines the access rules that apply to URLs for items in various states, such as Draft, Pending, Unpublished, and so on. Additionally, it discusses these states under three scenarios:

  • Access through the portal

  • Access through WebDAV

  • Access through a search


Note:

In addition to an item's status, and the avenue through which the item is accessed, caching options can affect item access. For more information, see Chapter 22, "Improving Page Performance".

References to content managers refer to anyone with the appropriate manage privilege when item level security is enabled. Manage privileges can mean:

  • The global privilege Manage All on the object type All Page Groups

  • The global privilege Manage on the object type All Pages

  • The global privilege Manage Content on the object type All Pages

  • The global privilege Manage Items With Approval on the object type All Pages

  • The page privilege Manage

  • The page privilege Manage Content

  • The page privilege Manage Items With Approval

  • The item privilege Manage

Table 18-2 Item URL Security

Item State Access Through Portal Access Through WebDAV Access Through Search

DRAFT

Content managers and draft creator can access/view the item.

Users with the page or global privilege Manage Items With Approval can see the item and work on it.

Users with the item privilege Manage can see the item with a size of 0 KB. Such users cannot update or view the item.

Users with the item privilege View do not see the item.

Draft items are not returned for any user. Even the Manage Item With Approval users who added the item in Draft mode.

PENDING

Content managers, item creator/updator, and approvers can access/view the item.

Users with the item privilege Manage can see the pending item with a size of 0 KB.

The user who submitted the item can see it with the actual size.

Users with the item privilege View can see the pending item with a size of 0 KB. This is to enable a view of the reserved name space.

Pending items are not returned for any user.

UNPUBLISHED

Content managers and users with the page or global privilege Manage Items With Approval can access/view the item.

If the item uses Item Level Security, users who have the item privilege Manage on the item can access/view the item.

The item is not visible to users with the item privilege View.

Content managers see the item if the option Display Unpublished, Expired, and Deleted Items In Edit Mode is selected in page group properties.

Unpublished items are not returned for any user.

NONCURRENT VERSION

If the item is Active, anyone with privilege to see the page can see the item.

If the page is Public, all users can access/view the item through the draft URL.

If the item uses Item Level Security, users who have the item privilege Manage on the item can access/view the item.

If the item is Expired or Deleted, only the content manager can access/view the noncurrent version.

The current version is always displayed.

The current version is always returned.

HIDDEN

The item is accessible through the item URL by anyone with sufficient privilege to see the page.

If the item uses Item Level Security, users who have the item privilege View on the item can access/view the item.

If the page is Public, anyone can view the item content.

The item is not visible to user with the item privilege View.

The item is visible to users with the page or global privilege Manage or Manage Items With Approval.

Hidden items are not returned for any user.

EXPIRED

Content managers can access/view the expired item.

If the item uses Item Level Security, users who have the item privilege Manage on the item can access/view the item.

The item is not visible to users with the item privilege View.

Content managers see the item if the option Display Unpublished, Expired, and Deleted Items In Edit Mode is selected in page group properties.

Expired items are not returned for any user.

DELETED

Content managers can access/view the deleted item.

If the item uses Item Level Security, users who have the item privilege Manage on the item can access/view the item.

The item is not visible to users with the item privilege View.

Content managers can see the item if the option Display Unpublished, Expired, and Deleted Items In Edit Mode is selected in page group properties.

Deleted items are not returned for any user.


18.10 Granting Privileges on Styles

Style privileges are available at the global level and for page groups, pages, and tabs. Table 18-3 lists and describes the privileges relating to styles at each of these privilege levels.


Note:

Granting a privilege at the global level is discussed in Section 18.3, "Granting Global Privileges". Granting a privilege at the page group level is discussed in Section 18.4, "Securing Page Groups". Granting a privilege at the page level is discussed in Section 18.5, "Securing Pages". Granting a privilege at the tab level is discussed in Section 18.6, "Securing Tabs".

Table 18-3 Privileges Relating to Styles

Privilege Description

The global privilege Manage All on the object type All Page Groups

Perform any task on any page group. This privilege supersedes any other privilege in the other page group global privileges. For example, this also allows managing of any style. Such users can take any action on any style in the portal.

This user is the manager for all page groups.

The global privilege Manage Styles on the object type All Page Groups

Create, edit, and delete any style in any page group.

Such users can take any action on any style in the portal. Note, however, that this privilege does not include the power to apply a style.

The global privilege Create on the object type All Page Groups

Create page groups, and create any page group object in those page groups. Users and groups with this privilege can also edit and delete the page groups and page group objects they create. They cannot create objects in page groups they did not create.

Such users can take any action on any style in the page groups that they create.

The global privilege Manage Style on the object type All Pages

Apply an available or new style to any page in any page group. Create, edit, and delete new styles. Allows editing of only those styles created by the user; one user cannot modify or delete another user's styles.

The global privilege Personalize Portlets (Full) on the object type All Pages

Personalize any page in any page group to add, show, hide, delete, move, or rearrange portlets. Personalize any page to show, hide, delete, or rearrange tabs, or add tabs to existing tabbed regions. Personalize any page in any page group to use a different style.

Such users can change the style for their view of any page in any page group.

The global privilege Personalize Portlets (Add-only) on the object type All Pages

Personalize any page in any page group to add portlets or add tabs to existing tabbed regions. Users and groups with this privilege can also delete the portlets they add. Personalize any page in any page group to use a different style.

Such users can change the style for their view of any page in any page group.

The global privilege Personalize Portlets (Hide-Show) on the object type All Pages

Personalize any page in any page group to show or hide portlets or tabs. Personalize any page in any page group to use a different style. Arrange portlets in any page in any page group.

Such users can change the style for their view of any page in any page group.

The global privilege Personalize (Style) on the object type All Pages

Personalize any style in any page group.

Such users can change the style for their view of any page in any page group.

The global privilege Manage on the object type All Styles

Create, edit, and delete any style in any page group.

For users with this privilege to change the style of a page, the option Allow Privileged Users To Manage Page Style must also be selected for the page group. For users of this privilege to personalize their view with a different page style, the page group option Allow Privileged Users To Personalize Page Style must be enabled for the page group that contains the relevant page. These options are available on the Main tab of page group properties.

The global privilege View on the object type All Styles

View any style in any page group.

The global privilege Publish on the object type All Styles

Make any style in any page group public for other users to use.

The global privilege Create on the object type All Styles

Create styles in any page group. Users and groups with this privilege can also edit and delete the styles they create.

Users must have additional privileges on specific page groups, pages, or tabs to apply the styles they create.

The global privilege Edit on the object type All Group Privileges (profiles)

Edit any group portal profile (setting the default style, default home page, and default mobile home page).

The page group privilege Manage All

Users with this privilege can perform any task within the page group. The Manage All privilege includes all other page group privileges: Manage Classifications, Manage Templates, Manage Styles, and View.

A user with this privilege is called the page group administrator.

The page group privilege Manage Styles

Users with this privilege can create, edit, and delete any style in the page group, and can change the style applied to any page in the page group. A user with this privilege can also view any page in the page group.

The page and tab privilege Manage

For users with this privilege to change the style of a page, the option Allow Privileged Users To Manage Page Style must be selected for the page group. This allows users to apply a different style when editing the page. If this option is not selected at the page group level, only users with the page group privilege Manage All can apply a different style to the page. This option is available on the Main tab of page group properties.

There is a second option for controlling styles at the page group level called Allow Privileged Users To Personalize Page Style. When this option is selected, users with at least the page privilege Personalize (Style) can apply a different style when personalizing the page. This option is available on the Main tab of page group properties.

If a page is based on a template, users with this privilege may not be able to control the access and style of the page. There are two options at the template level, Enable Pages To Have Different Access and Enable Pages To Use Different Style, that control whether page designers can specify different access and style settings for the page. These options must be selected; otherwise, the page access and style settings cannot be changed by users with this privilege.

The page and tab privilege Manage Style

Users with this privilege can change the style and region properties of the page.

For users with this privilege to change the style of a page, the option Allow Privileged Users To Manage Page Style must also be selected for the page group. This option is available on the Main tab of page group properties.

If a page is based on a template, users with this privilege may not be able to control the style of the page. The template-level option Enable Pages To Use Different Style controls whether page designers can specify different style settings for the page. This option must be selected; otherwise, the page's style settings cannot be changed by users with this privilege.

This privilege is not available for mobile pages.

The page and tab privilege Personalize Portlets (Full)

Users with this privilege can alter their view of the page by changing the style of the page, adding portlets to the page, and deleting, moving, hiding, or showing any portlet on the page.

For users with this privilege to change the style of a page, the option Allow Privileged Users To Personalize Page Style must be selected for the page group. This option is available on the Main tab of page group properties.

These changes are visible only to the user who made them. For example, if a user with this privilege deletes a portlet from a page, other users still see that portlet on their version of the page. Likewise, if a user with this privilege adds a portlet to a page, only that user sees the portlet; other users do not.

The page and tab privilege Personalize Portlets (Add-Only)

Users with this privilege can alter their view of the page by changing the style of the page, adding portlets to the page, and deleting, hiding, or showing the portlets that they add.

For users with this privilege to change the style of a page, the option Allow Privileged Users To Personalize Page Style must also be selected for the page group. This option is available on the Main tab of page group properties.

These changes are visible only to the user who made them. For example, if a user with this privilege adds a portlet to a page, only that user sees the portlet; other users do not.

The page or tab privilege Personalize Portlets (Hide-Show)

Users with this privilege can alter their view of the page by changing the style, and hiding, showing, or rearranging any portlet on the page.

For users with this privilege to change the style of a page, the option Allow Privileged Users To Personalize Page Style must also be selected for the page group. This option is available on the Main tab of page group properties.

These changes are visible only to the user who made them. For example, if a user with this privilege hides a portlet on a page, that portlet is hidden only for that user; other users still see the portlet.

The page or tab privilege Personalize (Style)

Users with this privilege can apply a different style to their view of the page.

For users with this privilege to change the style applied to their view of a page, the option Allow Privileged Users To Personalize Page Style must also be selected for the page group. This option is available on the Main tab of page group properties.

These changes are visible only to the user who made them. For example, if a user with this privilege personalizes a page by applying a different style, other users do not see this change.

If a page is based on a template, users with this privilege may not be able to control the style of the page. The template level option, Enable Pages To Use Different Style, controls whether page designers can specify different style settings for the page. The option to enable pages to use a different style must be selected, otherwise, the page's style settings cannot be changed by users with this privilege.

This privilege is not available for mobile pages.


18.11 Granting Privileges on Portal Templates

When you grant privileges on a Portal Template for pages, you are controlling access to the pages that are based on the template, rather than on the template itself. When you grant privileges on a Portal Template for items, you are controlling access to the template, its tabs, and its items—depending on the level of security applied.

This section discusses how to grant access privileges on Portal Templates for pages and Portal Templates for items. It also lists and describes the privileges that provide some level of template management access. It includes the following subsections:

To define template access privileges, you must have the global privilege Manage on the object type All Page Groups or the page group privilege Manage Templates or higher on the page group.

18.11.1 Granting Access to Portal Templates for Pages

Granting access on a Portal Template for pages means setting security controls that affect all pages that are based on the template. For Portal Templates for pages, the Access tab enables you to control access to the pages that are based on this template, but not on the template itself.

You can grant access only on Portal Templates and not on HTML Templates.


Note:

To grant access privileges on a template, you must have at least the page group privilege Manage Templates on the page group that owns the template.

To make a Portal Template available for use in a page group, the option Make available for use in this page group must be selected on the Main tab of template properties.


To grant access privileges on a Portal Template for pages:

  1. Log in to OracleAS Portal.

  2. Click the Build tab to bring it forward.

  3. From the Page Groups portlet Work In drop-down list, select the page group that owns the template on which to grant access privileges.

    In default installations of OracleAS Portal, the Page Groups portlet is located on the Build tab of the Portal Builder page.

  4. Under Portal Templates in the Layout & Appearance section, click the Portal Template on which to grant access.

    This opens the template in Edit mode.

  5. Click the Access link in the toolbar at the top of the template.

  6. Select Enable Pages to Have Different Access to enable users with sufficient privileges to choose different access control settings when they create or edit pages that are based on the template.

    Clear this check box to prevent users from choosing different access control settings when they create or edit pages that are based on this template. Such pages will always use the template access control settings.

  7. Select Display Page to Public Users to enable all users to view pages that are based on this template—even users who are not logged on.

    Clear this check box to limit the display of pages that are based on this template to users who have explicitly been granted access.

    Any rendered page with this option enabled becomes a crawlable data source for Oracle Ultra Search. This means if the page that is based on this template uses the template's access settings, and this option is enabled on the template, the page is available for a crawl initiated through Oracle Ultra Search. See also, "Registering OracleAS Portal as a Content Source," in the Oracle Application Server Portal Configuration Guide.

  8. Select Enable Item Level Security to enable item creators to specify access control settings for individual items on pages that are based on this template.

    • If you select this check box, item creators can choose to inherit access control from the template or specify access control for individual items.

    • If you do not select this check box, all the items on the template inherit access control from the template.

  9. Under the Grant Access section, define access settings for individual users and groups:

    1. In the Grantee field, select a user or group.

      Browse for user or group names by clicking the Browser Users or Browser Groups icons.


      Note:

      OracleAS Portal uses the Oracle Internet Directory for identity management. the Oracle Internet Directory serves as the repository for users and groups. In the Oracle Internet Directory, groups are uniquely identified by their distinguished name (DN). Each group has a unique DN, though many groups can share a common name, in the same way that two people can share a common name, yet have completely different lineage (such as John Smith and John Doe). When working within the portal, groups created from within that portal are displayed simply with their common names. However, when the portal references a group from some other location in the Oracle Internet Directory—such as a group from some other portal associated with the same Identity Management Infrastructure—the DN of the group is displayed to distinguish it from the portal's locally defined groups.

    2. In the next (access privilege) field, select the level of privilege to grant to the user or group selected in the Grantee field.

      For an explanation of the listed privileges, see Appendix B, "Page Group Object Privileges".

    3. Click the Add button.

      Once you grant a privilege, a Change Access section displays. Use this section to revise or revoke privileges.

  10. If you are changing template access, once you have redefined access privileges click the Clear Cache link in the Cache Invalidation section.

  11. Click the Finish button.

    The template displays in Edit mode.

OracleAS Portal provides options for overriding template style and access settings. These are useful for allowing privileged users to select a style or set access rules other than those used by the template for a page that is based on the template.

To use this option for styles, select Enable Pages To Use Different Style on the Style tab of template properties. To use this option for access settings, select Enable Pages to Have Different Access on the Access tab of template properties. This option is available for Portal Templates for pages, but not for Portal Templates for items.

18.11.2 Granting Access to Portal Templates for Items

Granting access to a Portal Template for items means setting security controls on the template itself. Portal Templates for items are rendered dynamically when a link to an item that uses the template is clicked, so any access controls you set on the template apply to every rendered version of the template.

To view a page that is dynamically assembled using a Portal Template for items, one of the following conditions must be met:

  • The template must be public.

  • The user must have at least the View privilege on the template.

  • The user must have the page group privilege Manage Template on the page group that owns the template.

To grant access privileges on a Portal Template for items:

  1. Log in to OracleAS Portal.

  2. Click the Build tab to bring it forward.

  3. From the Page Groups portlet Work In drop-down list, select the page group that owns the template on which to grant access privileges.

    In default installations of OracleAS Portal, the Page Groups portlet is located on the Build tab of the Portal Builder page.

  4. Under Portal Templates in the Layout & Appearance section, click the Portal Template for items on which to grant access.

    This opens the template in Edit mode.

  5. Click the Access link in the toolbar at the top of the template.

  6. Select Display Page to Public Users to enable all users to view this template—even users who are not logged on.

    When this option is selected, users can see all template content, provided the content is not further restricted by access rules on template tabs or items. When tabs or items have their own access rules, users will need specific privileges on the template tabs or items.

    Clear this check box to limit the display of this template to users who have explicitly been granted access.

  7. Select Enable Item Level Security to enable item creators to specify access control settings for individual items on the template:

    • If you select this check box, item creators can choose to inherit access control from the template or specify access control for individual items.

    • If you do not select this check box, all the items on the template inherit access control from the template.

  8. Under the Grant Access section, define access settings for individual users and groups:

    1. In the Grantee field, select a user or group.

      Browse for user or group names by clicking the Browser Users or Browser Groups icons.


      Note:

      OracleAS Portal uses the Oracle Internet Directory for identity management. the Oracle Internet Directory serves as the repository for users and groups. In the Oracle Internet Directory, groups are uniquely identified by their distinguished name (DN). Each group has a unique DN, though many groups can share a common name, in the same way that two people can share a common name, yet have completely different lineage (such as John Smith and John Doe). When working within the portal, groups created from within that portal are displayed simply with their common names. However, when the portal references a group from some other location in the Oracle Internet Directory—such as a group from some other portal associated with the same Identity Management Infrastructure—the DN of the group is displayed to distinguish it from the portal's locally defined groups.

    2. In the next (access privilege) field, select the level of privilege to grant to the user or group selected in the Grantee field.

      For an explanation of the listed privileges, see Appendix B, "Page Group Object Privileges".

    3. Click the Add button.

      Once you grant a privilege, a Change Access section displays. Use this section to revise or revoke privileges.

  9. If you are changing template access, once you have redefined access privileges click the Clear Cache link in the Cache Invalidation section.

  10. Click the Finish button.

    The template displays in Edit mode.

For information about setting access privileges on tabs, see Section 18.6, "Securing Tabs". For information about setting access privileges on items, see Section 18.9, "Securing Items".

18.11.3 Template-Related Privileges

You can grant privileges related to templates at the global level, the page group level, and the page level. Such privileges apply to both Portal Templates and HTML templates. This section lists and describes these privileges.


Note:

For information about granting privileges at the global level, see Section 18.3, "Granting Global Privileges". For information about granting privileges at the page group level, see Section 18.4, "Securing Page Groups".

For more information about templates, see Chapter 13, "Providing a Standard Look and Feel".


Table 18-4 lists and describes the types of privileges that provide access to templates.

Table 18-4 Privileges Relating to Templates

Privilege Description

The global privilege Manage All on the object type All Page Groups

Perform any task on any page group. This privilege supersedes any other privilege in the other page group global privileges. For example, this also allows managing of any page. This user is the manager for all page groups, and by extension, the manager of all templates.

The global privilege Manage Templates on the object type All Page Groups

Create, edit, and delete any Portal Template or HTML template in any page group. Grant access to any template.

The global privilege Manage Classifications on the object type All Page Groups

Create, edit, and delete any category, perspective, custom attribute, custom page type, or custom item type in any page group.

The global privilege Manage on the object type All Pages

Create, edit, personalize, or delete any page in any page group. Grant access to any page in any page group.

This privilege includes the ability to apply templates to all pages.

The global privilege Create on the object type All Pages

Create sub-pages in any page group. Users and groups with this privilege can also edit and delete the sub-pages they create. To use this privilege to create sub-pages, a user must have the page privilege Manage on the parent page under which sub-pages are created.

This privilege includes the ability to apply templates to pages the user creates.

The page group privilege Manage All

A user with this privilege can perform any task within the page group. The Manage All privilege includes all other page group privileges: Manage Classifications, Manage Templates, Manage Styles, and View.

A user with this privilege is called the page group administrator.

The page group privilege Mange Classifications

A user with this privilege can create, edit, and delete any category, perspective, attribute, custom item type, and custom page type in the page group.

The page group privilege Manage Templates

A user with this privilege can create, edit, and delete any template in the page group.

A user with this privilege must also have the page group privilege View to view pages in this page group.

A user with this privilege can delete a tab on a template only if other users have not placed their own content on it on pages that are based on the template or if the user also has content management privileges on the pages that are based on the template.

The page privilege Manage

This privilege enables users to apply a template to the page(s) they manage.

This privilege carries with it many other capabilities. For more information, see Appendix B, "Page Group Object Privileges".


18.12 Granting Content Attribution Privileges

Content attribution includes page group objects such as:

You can find privileges for creating or taking action on these objects at the global and page group levels. At more focussed levels, such as page, tab, and item, you can use these objects—for example, you can apply a category to a page—but you cannot act on them.

This section provides information about the privileges that carry with them the power to act on objects related to content attribution.


Note:

For information on granting privileges at the global level, see Section 18.3, "Granting Global Privileges". For information on granting privileges at the page group level, see Section 18.4, "Securing Page Groups".

Table 18-5 lists and describes the privileges relating to content attribution.

Table 18-5 Privileges Relating to Content Attribution (Categories, Perspectives, Object Types, and so on)

Privilege Description

The global privilege Manage All on the object type All Page Groups

Perform any task on any page group. This privilege supersedes any other privilege in the other page group global privileges. For example, this also allows managing of any page. This user is the manager for all page groups.

The global privilege Manage Classifications on the object type All Page Groups

Create, edit, and delete any category, perspective, custom attribute, custom page type, or custom item type in any page group. This privilege includes the ability to edit category and perspective templates that are generated automatically when a category or a perspective is created.

The global privilege Create on the object type All Page Groups

Create page groups, and create any page group object in those page groups. Users and groups with this privilege can also edit and delete the page groups and page group objects they create. They cannot create objects in page groups they did not create.

The page group privilege Manage All

A user with this privilege can perform any task within the page group, including creating any page group object. The Manage All privilege includes all other page group privileges: Manage Classifications, Manage Templates, Manage Styles, and View.

The page group privilege Manage Classifications

A user with this privilege can create, edit, and delete any category, perspective, attribute, custom item type, and custom page type in the page group. A user with this privilege can also edit the templates used for the categories and perspectives in the page group.

A user with this privilege must also have the page group privilege View to view pages in this page group.

Users with this privilege cannot delete item or page types they have created if the portal contains items or pages based on the type. Such users must first obtain privileges on the items and pages.


18.13 Troubleshooting Page and Object Security Issues

The Privileges tab does not display on the Edit Portal Users Profile page

The portal administrator may have run the script serlacl.sql to enforce role-based security. Role-based security limits privilege grantees to groups; users cannot be selected for privilege assignment. The script does not affect privileges granted to users before it was run, only after. You may also note that the Browse Users icon does not appear next to the Grantee field on Access tabs.

For more information, see Oracle Application Server Portal Configuration Guide.

The Browse Users icon does not display on the Access tab

See the previous entry.

I have the page privilege Manage Style, but I cannot apply a style.

It is not enough to have the Manage Style privilege on a page. The page group option Allow Privileged Users To Manage Page Style must also be selected for the page's page group. For more information, see Section 4.3.2, "Controlling Who Can Apply a Different Style to a Page".

I tried to disable item drafts, but could not.

Once enabled, the Draft option cannot be disabled until all draft items are switched to active status or submitted for approval.

The Style tab does not display.

If the page is based on a template, and template access is set up to prevent users from applying styles to pages that are based on the template, the Style tab cannot be accessed in the page properties of pages based on the template.