Sunday, December 26, 2010

Understanding Oracle UCM 11g and Oracle ADF 11g Security Integration

Combining Oracle UCM 11g with Oracle WebCenter/ADF 11g lets you implement document management applications. There is one area you should keep in mind: security. It is not always obvious, and a mistake can leave your system open to attack. I will describe a possible scenario in which one user can view all documents, and how to prevent it with UCM security accounts when tight security must be enabled for your system.

Download sample application for this post - UCMNewFolderDC.zip.

As a condition for our experiment, all Content Repository folders are protected by security group - HumanResources:


File is being uploaded by redsam1 user for employee #id = 206:


Another file for employee #id = 200:


When the user selects an employee, the UCM path is calculated, and it restricts navigation to that employee's folder. If the user selects employee #id = 200, the WebCenter Content Manager ADF task flow brings documents only from the folder mapped to employee #id = 200. If the user is restricted from seeing employee #id = 206 data, does this mean those documents are inaccessible as well? No - we can still open them. While employee #id = 200 is selected, right-click any of the documents and select Copy Link:


Paste this link into a new tab of the same browser:


Selected image is rendered as expected:


Now we can remove the document and folder names from the URL path and try to open the root folder:


And here we go - we can see the document folders of other employees (even though this is prevented in the WebCenter Content Management ADF task flow):


Even more, we can enter another employee's (#206) documents folder:


View and download existing documents:


Of course, this can be done only by a user who is authorized to log in to the system. But still, this user can view other users' documents without authorization, simply by editing the hardcoded URL path directly:


Document is downloaded:


If documents stored in different folders share a common security level, it is enough to apply a single Security Group - users assigned that Security Group will then be able to browse through those folders using the URL path. However, if users of the same Security Group are not allowed to browse through other users' folders, we need to apply UCM Security Accounts in addition to UCM Security Groups. In theory, we could have different Security Groups for different users, but we would end up with too many Security Groups. This means we should apply the intersection of Security Groups and Security Accounts in the UCM Content Repository.

I will explain how to assign a Security Account through the Oracle Content Server User Admin applet (from the Admin Applets section):


For this exercise I'm using two users - redsam1 and redsam2, both of them are declared in UCM:


In the same applet, from the Security menu, I can define different accounts, for example - DepartmentOneGroup and DepartmentTwoGroup. I will grant these accounts to the users:


By default, every user is granted full access to the documents without accounts:


I will revoke full access to the documents without accounts and grant the DepartmentOneGroup account to redsam1:


Another user, redsam2, is granted the DepartmentTwoGroup account:


Once accounts are granted to the users, we need to update the existing folders with the proper accounts; otherwise these folders will be inaccessible. Folder #200 is assigned the DepartmentOneGroup account:


Folder #206 is assigned the DepartmentTwoGroup account.

We can now test the configured Content Repository account security. Log in as user redsam1:


User redsam1 is granted DepartmentOneGroup, the same account as the one configured for folder #200:


Folder #206, however, is configured with the DepartmentTwoGroup account and is inaccessible to user redsam1, as expected:


Go back to folder #200 and open one of the available documents in a new tab:


Document:


Will be rendered by URL:


If we try to change the URL to point to the root folder:


The content will be hidden and inaccessible, because the root folder is not assigned any account and user redsam1 is not granted access to folders without accounts (as per the configuration above):


Let's log in as another user - redsam2:


Folder #206 is assigned the DepartmentTwoGroup account and is visible to user redsam2:


We can open documents from folder #206:


But we cannot change the folder and open documents from another account, for example folder #200:


The Content Repository resource will not be found (as expected):


Our experiment is successful: the combination of Security Group and Account prevents users from opening unauthorized folders, even when they are granted the same Security Group.

If you need to create an Oracle UCM Content Repository folder programmatically, add one more parameter through the RIDC API - dDocAccount:


You can retrieve the account name for the current user, for example, through the ADF Security Context populated from the WebLogic security provider:
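
A sketch of the folder creation described above, written for this page as an added example; it is not the code from the sample application. The class name, server URL and parent folder ID are placeholders. How the account name is resolved for the current user is application-specific, so it is passed in as a parameter, and the socket connection is assumed to come from an address the Content Server trusts:

```java
import oracle.adf.share.ADFContext;
import oracle.stellent.ridc.IdcClient;
import oracle.stellent.ridc.IdcClientException;
import oracle.stellent.ridc.IdcClientManager;
import oracle.stellent.ridc.IdcContext;
import oracle.stellent.ridc.model.DataBinder;
import oracle.stellent.ridc.protocol.ServiceResponse;

public class EmployeeFolderCreator {
    // Assumed values: replace with your Content Server address and parent folder ID.
    private static final String UCM_URL = "idc://localhost:4444";
    private static final String PARENT_COLLECTION_ID = "PLACEHOLDER_PARENT_ID";

    /** Creates the folder for one employee and returns its dCollectionID. */
    public String createFolder(String employeeId, String account)
            throws IdcClientException {
        // Fail closed: a folder created without an account is protected only by
        // the Security Group, which is the URL-browsing gap shown earlier.
        if (account == null || account.trim().isEmpty()) {
            throw new IllegalArgumentException(
                "No Security Account resolved for the current user");
        }
        // User name from the ADF Security Context (WebLogic security provider).
        String user = ADFContext.getCurrent().getSecurityContext().getUserName();

        IdcClient client = new IdcClientManager().createClient(UCM_URL);
        DataBinder binder = client.createBinder();
        binder.putLocal("IdcService", "COLLECTION_ADD");
        binder.putLocal("hasParentCollectionID", "true");
        binder.putLocal("dParentCollectionID", PARENT_COLLECTION_ID);
        binder.putLocal("dCollectionName", employeeId);
        binder.putLocal("dCollectionOwner", user);
        binder.putLocal("dSecurityGroup", "HumanResources");
        binder.putLocal("dDocAccount", account); // the additional parameter

        ServiceResponse response = client.sendRequest(new IdcContext(user), binder);
        try {
            return response.getResponseAsBinder().getLocal("dCollectionID");
        } finally {
            response.close(); // release the connection back to the pool
        }
    }
}
```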


The Content Repository folder will be created programmatically, and the user can upload documents:


The current user's account name will be assigned to the folder:


And to the uploaded content as well:
