Access Control Lists for Roles
- by Kyle Hatlestad
Back in an earlier post, I wrote about how to enable entity security (access control lists, aka ACLs) for UCM 11g PS3. Well, there was actually an additional security option that was included in that release but not fully supported yet (only for Fusion Applications). It's the ability to define Roles as ACLs to entities (documents and folders). But now in PS5, this security option is now fully supported.
The benefit of defining Roles for ACLs is that those user roles come from the enterprise security directory (e.g. OID, Active Directory, etc) and thus the WebCenter Content administrator does not need to define them like they do with ACL Groups (Aliases). So it's a bit of best of both worlds. Users are managed through the LDAP repository and are automatically granted/denied access through their group membership which are mapped to Roles in WCC. A different way to think about it is being able to add multiple Accounts to content items...which I often get asked about. Because LDAP groups can map to Accounts, there has always been this association between the LDAP groups and access to the entity in WCC. But that mapping had to define the specific level of access (RWDA) and you could only apply one Account per content item or folder. With Roles for ACLs, it basically takes away both of those restrictions by allowing users to define more then one Role and define the level of access on-the-fly.
To turn on ACLs for Roles, there is a component to enable. On the Component Manager page, click the 'advanced component manager' link in the description paragraph at the top. In the list of Disabled Components, enable the RoleEntityACL component. Then restart. This is assuming the other configuration settings have been made for the other ACLs in the earlier post.
Once enabled, a new metadata field called xClbraRoleList will be created. If you are using OracleTextSearch as the search indexer, be sure to run a Fast Rebuild on the collection.
For Users and Groups, these values are automatically picked up from the corresponding database tables. In the case of Roles, there is an explicitly defined list of choices that are made available. These values must match the roles that are coming from the enterprise security repository. To add these values, go to Administration -> Admin Applets -> Configuration Manager. On the Views tab, edit the values for the ExternalRolesView. By default, 'guest' and 'authenticated' are added.
Once added, you can assign the roles to your content or folder.
If you are a user that can both access the Security Group for that item and you belong to that particular Role, you now have access to that item. If you don't belong to that Role, you won't!
[Extra]
Because the selection mechanism for the list is using a type-ahead field, users may not even know the possible choices to start typing to. To help them, one thing you can add to the form is a placeholder field which offers the entire list of roles as an option list they can scroll through (assuming its a manageable size) and view to know what to type to. By being a placeholder field, it won't need to be added to the custom metadata database table or search engine.
