Access Control Lists for Roles

In an earlier post, I wrote about how to enable entity security (access control lists, aka ACLs) for UCM 11g PS3. That release actually included one more security option that was not yet fully supported (it was only supported for Fusion Applications): the ability to assign Roles as ACLs on entities (documents and folders). As of PS5, this option is fully supported.

The benefit of using Roles in ACLs is that the roles come from the enterprise security directory (e.g. OID, Active Directory, etc.), so the WebCenter Content administrator does not need to define them the way ACL Groups (Aliases) have to be defined. It is the best of both worlds: users are managed in the LDAP repository and are automatically granted or denied access through their group memberships, which are mapped to Roles in WCC. Another way to think about it is as a way to put multiple Accounts on a content item, which I am often asked about. Because LDAP groups can map to Accounts, there has always been an association between LDAP groups and access to an entity in WCC. But that mapping had to define a fixed level of access (RWDA) up front, and only one Account could be applied per content item or folder. Roles for ACLs remove both restrictions: more than one Role can be assigned to an item, and the level of access for each Role is defined on-the-fly on the item itself.

To turn on ACLs for Roles, a component must be enabled. On the Component Manager page, click the 'advanced component manager' link in the description paragraph at the top. In the list of Disabled Components, enable the RoleEntityACL component, then restart the content server. This assumes the other configuration settings for ACLs described in the earlier post have already been made.

Once enabled, a new metadata field called xClbraRoleList is created. If you are using OracleTextSearch as the search indexer, be sure to run a Fast Rebuild on the collection so the new field is indexed.

For Users and Groups, the values are picked up automatically from the corresponding database tables. For Roles, there is an explicitly defined list of choices, and these values must match the role names coming from the enterprise security repository. To add values, go to Administration -> Admin Applets -> Configuration Manager. On the Views tab, edit the values of the ExternalRolesView. By default, 'guest' and 'authenticated' are included.

Configuration Manager

Once added, you can assign the roles to your content or folder.

Role entity field

If you can access the item's Security Group and you belong to one of the Roles in its list, you now have access to that item. If you don't belong to any of the listed Roles, you won't.
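The access rule just stated, worked through as a small model. This is an added example and is not WebCenter Content code. Everything beyond the rule in the text is an assumption made for the model: an item's Role list is a mapping of role name to a subset of the RWDA flags, a user who is in several listed Roles gets the union of those Roles' flags, the Security Group check is represented by the user's RWDA string for that group, and the ACL cannot grant more than the Security Group allows (check the ACL documentation for the exact combination rule in your release).

```python
"""Model of the Role Access List decision described in the post.

Added example, not WebCenter Content code. Assumptions (not stated on the page):
  * an item's Role list maps role name -> permission string drawn from "RWDA";
  * a user in several listed roles gets the union of those roles' flags;
  * the Security Group check is modelled as the user's RWDA string for that group;
  * ACL grants cannot exceed what the Security Group allows.
"""
from dataclasses import dataclass, field

PERMS = "RWDA"   # Read, Write, Delete, Admin


def canonical(perm: str) -> str:
    """Reject unknown flags and return the flags in RWDA order."""
    bad = set(perm) - set(PERMS)
    if bad:
        raise ValueError(f"unknown permission flag(s): {sorted(bad)}")
    return "".join(p for p in PERMS if p in perm)


@dataclass
class Item:
    name: str
    security_group: str
    role_list: dict = field(default_factory=dict)   # xClbraRoleList: role -> RWDA subset


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)         # LDAP groups mapped to WCC Roles
    group_perms: dict = field(default_factory=dict) # Security Group -> RWDA string


def effective_permission(user: User, item: Item) -> str:
    """Return the RWDA flags the user ends up with on the item ('' means no access)."""
    group_perm = canonical(user.group_perms.get(item.security_group, ""))
    if not group_perm:
        return ""          # no access to the Security Group: the Role list is never consulted
    matched = [r for r in item.role_list if r in user.roles]
    if not matched:
        return ""          # belongs to none of the listed Roles: denied
    acl_flags = set()
    for r in matched:      # union of the flags of every matching Role (assumption)
        acl_flags |= set(canonical(item.role_list[r]))
    # Cap the ACL grant at the Security Group grant (assumption).
    return "".join(p for p in PERMS if p in acl_flags and p in group_perm)


def can(user: User, item: Item, flag: str) -> bool:
    return flag in effective_permission(user, item)


# Constructed sample data (not from the page).
CONTRACT = Item("Contract-2012", "Secure", {"LegalRole": "RWDA", "FinanceRole": "R"})
ALICE = User("alice", {"LegalRole"}, {"Secure": "RWDA", "Public": "R"})
BOB = User("bob", {"FinanceRole"}, {"Secure": "RW"})
CAROL = User("carol", {"HRRole"}, {"Secure": "RWDA"})          # not in the Role list
DAVE = User("dave", {"LegalRole"}, {"Public": "R"})            # no Security Group access
ERIN = User("erin", {"LegalRole", "FinanceRole"}, {"Secure": "RW"})

if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL, DAVE, ERIN):
        print(f"{u.name:6} -> {effective_permission(u, CONTRACT) or 'denied'}")
```

Carol and Dave show the two independent ways to be denied: she has full Security Group access but is in none of the listed Roles, he is in a listed Role but has no access to the Security Group at all. Erin shows that the Role list can only narrow access, never widen it beyond the group grant.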

[Extra]

Because the role list is selected through a type-ahead field, users may not even know what choices exist before they start typing. To help them, you can add a placeholder field to the form that offers the entire list of roles as an option list they can scroll through (assuming it is a manageable size) to see what to type. Because it is a placeholder field, it does not need to be added to the custom metadata database table or to the search engine.

List of possible roles field definition

Comments:

Hi Kyle,

nice post.

Do you know how it performs when there is a large number of ACL roles defined?

Will the search performance degrade (linearly/exponentially)?

Thanks, Sunil

Posted by Sunil Ravinder on December 06, 2012 at 12:33 PM CST #

Hey Sunil,

While enabling Entity Security does have an impact on performance for searching and browsing for content, the ACL and Security Group fields are optimized in the search index to help minimize that impact.

And the way the values are hashed and stored in the search collection, and the way the search query is built, the number of roles you define on a particular content item or folder does not have any impact. What does have more of an impact is the number of roles a particular user may have. These roles automatically get appended to the search query for the user. So the more roles a user belongs to, the longer the query. But this is no different than managing the number of Accounts or Security Groups a particular user has access to, because they behave the same way.

Thanks,
-Kyle

Posted by Kyle Hatlestad on December 07, 2012 at 10:36 AM CST #
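The scaling point in the reply above, modelled in code. This is an added example, not WebCenter Content's query builder: the clause syntax (field:value terms joined by OR) and the shape of the items and users are assumptions; only the field name xClbraRoleList comes from the post. The example shows that the security clause appended to a user's search has one term per role the user holds, however many roles any single item carries.

```python
"""Search-time filtering for Role ACLs, modelled on Kyle's reply.

Added example; not WebCenter Content's query builder. The clause syntax and
the item/user shapes are assumptions; the field name xClbraRoleList is from the post.
"""

ROLE_FIELD = "xClbraRoleList"


def role_filter_terms(user_roles, field=ROLE_FIELD):
    """Security clause appended to every search the user runs: one term per
    role the user holds. Its length depends only on the user, never on the items."""
    return [f"{field}:{role}" for role in sorted(set(user_roles))]


def role_filter_clause(user_roles, field=ROLE_FIELD):
    terms = role_filter_terms(user_roles, field)
    return "(" + " OR ".join(terms) + ")" if terms else ""


def item_matches(item_role_list, user_roles):
    """Index-side evaluation of the clause: any overlap between the item's
    stored Role list and the user's roles is a hit."""
    return bool(set(item_role_list) & set(user_roles))


def search(items, user_roles):
    """Return the names of the items the role clause lets this user see."""
    return [name for name, roles in items.items() if item_matches(roles, user_roles)]


# Constructed sample index (not from the page): one item with a long Role list,
# one with a single Role.
ITEMS = {
    "policy-handbook": {f"Dept{i}Role" for i in range(50)} | {"HRRole"},
    "board-minutes": {"ExecRole"},
}


def demo():
    few = {"HRRole"}
    many = {"HRRole", "ExecRole", "FinanceRole", "AuditRole"}
    return {
        "terms_for_one_role": len(role_filter_terms(few)),
        "terms_for_four_roles": len(role_filter_terms(many)),
        "hits_one_role": search(ITEMS, few),
        "hits_four_roles": search(ITEMS, many),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The 50-role item costs nothing extra at query time: the user with one role still sends a one-term clause and still matches it. Adding roles to the user is what lengthens the clause, which is the behaviour the reply describes for Accounts and Security Groups as well.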

Hi Kyle,

Thanks for sharing this information.

I have one question regarding ACL. Is it mandatory to set the below mentioned "Additional Configuration Variables:", if I want to use only "Role Access List"

UseEntitySecurity=true
AllowQuerySafeUserColumns=true
SpecialAuthGroups=Public

Also it would be a great help if you can give some more information on "SpecialAuthGroups"
Also is it mandatory to define roles in "ExternalRolesView"

Thanks in advance

Posted by Madhu on January 23, 2013 at 02:54 AM CST #

Hello Madhu,

Yes, those configuration flags are required for Access Control Lists including the Role list. Rather than explain what those configurations are and what they do here in this comment, I suggest you take a look at the documentation that covers Access Control Lists and the Role Access List here: http://docs.oracle.com/cd/E23943_01/doc.1111/e10792/c05_security.htm#CDDBCIDA

All of those configuration values are covered there.
Thanks,
-Kyle

Posted by Kyle Hatlestad on January 23, 2013 at 10:14 AM CST #

Hi Kyle,

Thanks for your inputs.

I would like to know regarding the performance of ACL. Particularly in case of "Role Access List".

I have a scenario where I have to add say like 50 roles to "Roles Access List" for a particular content item with different permissions.
There can be say like 50 to 100 such content items. So will it impact the performance when I use these content items in Webcenter.

Also is it a good practice to use say like 50+ roles in "Role Access List".

Thanks in advance

Posted by Madhu on January 25, 2013 at 03:34 AM CST #

Hello Madhu,

Please take a look at the comment above in which I describe how entity security, including the Role Access List, can have an impact on performance. It's not so much a matter of how many roles are defined on a particular item. But more a factor of how many roles a particular user may have. The roles a user has will get appended upon queries which is what can have an impact.

Every implementation and use-case is different, so it's hard to make a blanket statement on what kind of impact it will make. It's best to set up a testing scenario with your particular use-case and environment in mind and run some tests with and without the entity security to gauge the outcome.

Thanks,
-Kyle

Posted by Kyle Hatlestad on January 29, 2013 at 10:24 AM CST #

Hi Kyle,
in answer to Sunil's question about the impact of ACLs on performance you said that "...What does have more of an impact is the number of roles a particular user may have...". Does that mean direct user ACLs have less impact on (query) performance than role ACLs?
Do you think it is still feasible to use ACLs when there are about thousands of users and about a million documents - say I will assign an ACL to every document? Or will ACLs in this case completely kill the query performance?
Thanks
Marian

Posted by Marian on March 27, 2013 at 09:48 AM CDT #

Hey Kyle,
I wanted to get the list of a user's roles and the groups he belongs to programmatically in my filter.

I got the subject as :

import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;

// Security: the helper class used in the poster's environment (its import was not shown)
Subject subject = Security.getCurrentSubject();
Set<Principal> prin = subject.getPrincipals();

It contains only user group not his role list. How to get them?

Posted by guest on April 03, 2013 at 03:50 AM CDT #

About

Kyle Hatlestad is a Solution Architect in the WebCenter Architecture group (A-Team) who works with WebCenter Content and other products in the WebCenter & Fusion Middleware portfolios. The WebCenter A-Team blog can be found at: https://blogs.oracle.com/ateam_webcenter/
