Saturday, July 23, 2011

Configuring Oracle UCM 11g Access Control List Security - Missing Steps

If you are working with Oracle UCM 11g, you may well have a hard time designing the content security architecture. It is really not as complex as it first looks; there is just a lot of confusion between Security Groups, Accounts and Access Control Lists (ACL). For reference, in Oracle UCM it is not enough to define security groups to protect content, see Understanding Oracle UCM 11g and Oracle ADF 11g Security Integration. One of the recommended ways is to use security Accounts in combination with Security Groups to protect RWDA permissions for files and folders. However, while this approach is recommended, it is not very practical. The idea of combining Security Groups and Accounts is hardly acceptable to customers, because first it is hard to understand, and second it is hard to maintain. It is hard to maintain because, from the administration point of view, there is no difference between a Security Group and an Account, but the difference matters to UCM.

We prefer to use Access Control List (ACL) functionality to implement content security in Oracle UCM 11g. ACL was available in versions of UCM before 10g and returned in 11g. This suggests that ACL is simple to understand and a preferred solution for content security, see 5.6 Access Control List Security.

The goal of this post is to describe a few steps missing from the Oracle UCM 11g documentation on ACL configuration.

Let's follow section 5.6.1 Configuring Access Control List Security and define the UseEntitySecurity=true and AllowQuerySafeUserColumns=true properties:

This should be enough to enable ACL support, as per documentation.

We can now see that two additional fields have become available for folder/file configuration: User Access List and Group Access List (out of scope for this post). Type redsa into the Add User box and an auto-suggest list with matching users will appear:

Assign RWD permissions to redsam for the 266 folder. Keep in mind that this folder is assigned to the Security Group called Proposal:

Make sure that Force Folder Security is set to True; this ensures that the ACL propagates to child folders and files:

For example, if we upload a new file into the 266 folder, the file will inherit the ACL:

Another folder, 267, is assigned to user redsam1 with RWD permissions:

Let's test now. Logically, folder 267 should not be visible to user redsam because of the ACL setup:

It is still visible. Both folders are visible, when only one should be:

What was missing from the UCM 11g ACL configuration guide is the SpecialAuthGroups property. From the WebCenter Administrator's Guide, Configuring Oracle Content Server 11g to Support Item Level Security in All WebCenter Applications:

SpecialAuthGroups is a comma separated list of security groups that contains the content on which ILS can be specified. If in a WebCenter Spaces application users are to be provided ILS support, then the security group in which all Spaces content is created must be one of the SpecialAuthGroups. For WebCenter Spaces, the security group is named the same as the Document Spaces Property's application name. (For WebCenter Portal applications, the applicationName is the name of the security group in which content is created.)

In our case, we are using the Proposal group for ACL-enabled folders and files; it can be any other custom Security Group:

Make sure this group is included in the ACL configuration:

It works now as expected: user redsam sees only the folders allowed through the ACL:

Folder 267 is not accessible to redsam when going directly through the URL either, as it should be:
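
The configuration gap walked through above, as an added example that is not from the original post or from Oracle: a small Python check that flags the case where the two documented properties are set but the folders' security group is absent from SpecialAuthGroups, which is the state in which both folders stayed visible. The name=value input with # comments, the function names and the sample text are assumptions of this example.

```python
# Added example: audit Content Server name=value settings for the ACL
# prerequisites described in the post. The sample text is constructed.
REQUIRED_TRUE = ("UseEntitySecurity", "AllowQuerySafeUserColumns")


def parse_settings(text):
    """Parse name=value lines, skipping blanks and # comments; later entries win."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        settings[name.strip()] = value.strip()
    return settings


def audit_acl_settings(text, acl_security_groups):
    """Return findings; an empty list means the prerequisites are in place."""
    settings = parse_settings(text)
    findings = []
    for name in REQUIRED_TRUE:
        value = settings.get(name)
        if value is None:
            findings.append(f"{name} is not set")
        elif value.lower() != "true":
            findings.append(f"{name}={value}, expected true")
    # SpecialAuthGroups is a comma-separated list; names are compared exactly
    # after trimming whitespace (an assumption of this example).
    listed = {g.strip() for g in settings.get("SpecialAuthGroups", "").split(",")}
    for group in acl_security_groups:
        if group not in listed:
            findings.append(f"security group {group} is missing from SpecialAuthGroups")
    return findings


# Constructed sample: only the two properties from section 5.6.1 are set.
DOCS_ONLY = """\
# constructed sample configuration
UseEntitySecurity=true
AllowQuerySafeUserColumns=true
"""
# Same configuration with the step the post adds.
WITH_GROUP = DOCS_ONLY + "SpecialAuthGroups=Proposal\n"

if __name__ == "__main__":
    for label, text in (("docs only", DOCS_ONLY), ("with group", WITH_GROUP)):
        print(label, audit_acl_settings(text, ["Proposal"]))
```

Pass every security group that holds ACL-protected folders as the second argument; each one must appear in the list for its ACLs to be enforced.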

A major difference between UCM 10g and 11g is that 11g runs directly integrated into WebLogic. This simplifies a lot of administration and configuration tasks; for example, UCM security is synchronized with WebLogic security providers. This means it is enough to define an Active Directory security provider for WebLogic, and it will be visible to UCM as well.

UCM 11g fetches users from the WebLogic security provider automatically:

UCM roles are mapped to roles from the WebLogic security provider automatically as well, for example ProposalRole from UCM:

It can be used directly inside the WebLogic security provider or fetched from Active Directory, etc.:


andrealmar said...

Awesome post man....
It's really hard to make customers understand the Security Model on UCM.
Your post will help them I hope...


Andre -

Hasim said...

Best way to implement security in ucm.

Bex said...

unless you want performance... ACLs slow down a system horribly. Without major hardware, you're gonna have *major* problems if you try to scale above half a million items.

If you think about "accounts" as a "department" and a "security group" as a "classification," it's much easier to set up a maintainable system.

Andrejus Baranovskis said...

Yes, I know this. But at the same time, very often we have a different security model and can't think in terms of "department" and "classification". The problem is, customers don't like (I like it myself because of performance) the UCM accounts security model, because it's not straightforward to understand and is complex to manage when the same folder or file can be accessed by multiple accounts (for example, 70 accounts must be granted access to a folder).

ACL is definitely winning here, I believe Oracle should improve performance for ACL, because more and more customers will go ACL route.


Andrejus Baranovskis said...

We did a performance test to compare our ACL setup with UCM without ACL - there was no significant difference. It might be because in our case, the UCM folder structure is relatively flat and there are not many levels.

I guess performance goes down, when there are many nested folders.


Bex said...

It's really the "complexity" of the security model that causes performance degradation. With groups and accounts, it's hard to make one so complex it doesn't scale. But with ACLs, users can do anything... so the potential is there.

My preference is to use ACLs for "active" content, or stuff undergoing active collaboration. After that, it's promoted to a more permanent home (internal documents, secure archive, etc.)

Another option: use a controlled set of ACLs, but don't let users set security directly. Do it automatically with a profile.

I should probably blog about this ;-)

Andrejus Baranovskis said...

Looking forward to your blog post :)

We have implemented completed RIDC API to manage ACL lists as controlled sets; it's done automatically.


Vishal said...

I tried using ACL. For the User Access List, the list of users was populating automatically and I needed to choose, but in the case of the Group Access List, no groups are populating even though groups have been defined. Please revert with a solution.

Vinay said...

I have installed Oracle ECM 11g, Oracle WebCenter Portal 11g, Oracle SOA 11g after installing the db11g, rcu, jdev, weblogic server...

I can see Oracle ECM 11g, Oracle WebCenter Portal 11g, Oracle SOA 11g in my Start -- Programs .... but I do not know how to configure these.. I want to configure one admin server and then to have UCM, WebCenter Spaces, WebCenter Portal, SOA managed servers... Can you share some link as to how the configuration should be done?


Alberto said...

Really a good post.
We are thinking about a step further by establishing some kind of schema that allows a small group of non-admin users (our doc admins) to be ignored by ACL. In some document environments it is very useful to have a document admin with permissions on every doc but not over any system config on UCM. Will it be possible to establish this with standard ACL?

Irfan A Shaikh said...

ACL not working for me. I have created 2 folders and assigned them to 2 different users, but these folders are visible to both users even after adding SpecialAuthGroups=groupname. Please help.