Filtering option list values based on security in UCM

Fellow UCM blog writer John Sim recently posted a comment asking about filtering values based on the user's security. I had never dug into that detail before, but thought I would take a look. It ended up being trickier than I originally thought and required a bit of insider knowledge, so I thought I would share.


  1. The first step is to create the option list table in Configuration Manager. You want to define the column for the option list value and any other columns desired. You then want to have a column which will store the security attribute to apply to the option list value. In this example, we'll name the column 'dGroupName'.

    sf_table.png


  2. Next step is to create a View based on the new table. For the Internal and Visible column, you can select the option list column name. Then click on the Security tab, uncheck the 'Publish view data' checkbox and select the 'Use standard document security' radio button.

    sf_view.png

  3. Click on the 'Edit Values...' button and add the values for the option list. In the dGroupName field, enter the Security Group (or Account if you use Accounts for security) to apply to that value.

    sf_values.png

  4. Create the custom metadata field and apply the View just created.

    sf_field_def.png


  5. The next step requires file system access to the server. Open the file [ucm directory]\data\schema\views\[view name].hda in a text editor. Below the line '@Properties LocalData', add the line:

    schSecurityImplementorColumnMap=dGroupName:dSecurityGroup

    The 'dGroupName' value designates the column in the table which stores the security value. 'dSecurityGroup' indicates the type of security to check against. It would be 'dDocAccount' if using Accounts.

    Save the file and restart UCM.

  6. Now when a user goes to the check-in page, they will only see the options for which they have read and write privileges to the associated Security Group. And on the Search page, they will see the options for which they have just read access.

    sf_checkin.png

    One thing to note: if a value that a user normally can't see on Check-in or Search is applied to a document that the user can view, the user will still be able to see that value on the Content Information screen.
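The hand edit in step 5 can be scripted so that it is repeatable and validated. The following is an added example, not code from the original post or from Oracle: the function name and the sample file content are constructed for illustration, and it assumes the LocalData section is closed by an `@end` line.

```python
# Added example: idempotent version of the step 5 edit to a view .hda file.
ALLOWED_TARGETS = {"dSecurityGroup", "dDocAccount"}  # the two targets named in the post
SECTION = "@Properties LocalData"
KEY = "schSecurityImplementorColumnMap"

# Constructed sample content; a real view file holds more settings than this.
SAMPLE_HDA = (
    "@Properties LocalData\n"
    "exampleViewSetting=placeholder\n"
    "@end\n"
)


def set_security_column_map(hda_text, column, target="dSecurityGroup"):
    """Return (new_text, changed) with KEY=column:target placed under SECTION."""
    if target not in ALLOWED_TARGETS:
        raise ValueError(f"unsupported security target: {target}")
    if not column or any(c in column for c in ":=\r\n"):
        raise ValueError("column name must be a plain identifier")
    wanted = f"{KEY}={column}:{target}"
    lines = hda_text.splitlines()
    try:
        start = next(i for i, l in enumerate(lines) if l.strip() == SECTION)
    except StopIteration:
        raise ValueError(f"no '{SECTION}' section found") from None
    # Only look inside the LocalData section (assumed to end at '@end').
    end = next((i for i in range(start + 1, len(lines))
                if lines[i].strip() == "@end"), len(lines))
    existing = [i for i in range(start + 1, end)
                if lines[i].startswith(KEY + "=")]
    if len(existing) == 1 and lines[existing[0]] == wanted:
        return hda_text, False  # already configured, leave the file untouched
    for i in reversed(existing):  # drop stale or duplicate mappings
        del lines[i]
    lines.insert(start + 1, wanted)  # directly below the section header
    newline = "\r\n" if "\r\n" in hda_text else "\n"
    return newline.join(lines) + newline, True


if __name__ == "__main__":
    patched, changed = set_security_column_map(SAMPLE_HDA, "dGroupName")
    print(changed)
    print(patched)
```

Keep a backup copy of the view file before writing the result back, and restart UCM afterwards as step 5 describes.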

Comments:

Thanks for this Kyle :) bookmarked for future reference now. If only I had known about this a couple years back.. I remember spending hours trying to figure this out and how to properly implement the custom security implementor. I'm sure I never set this though - schSecurityImplementorColumnMap=dGroupName:dSecurityGroup

Posted by John Sim on December 20, 2010 at 09:06 AM CST #

Hi Kyle, I have a silly small question... There is a scenario as below. Think that I have two contents (C1, C2) which are present in a Site Studio env. And there are three users (U1, U2, U3). I want C1 to be visible only to U1 and U2 but not to U3. So how can I set a new Security Group so that the content is visible only for two users, not for the third? Moreover, I would like to add a new parameter or metadata so that in future, if I want U3 to see C1, I should just change the metadata value. Regards, NewUser123

Posted by guest on May 31, 2011 at 05:43 PM CDT #

You may want to look at Access Control Lists (ACLs) which provide entity level security on folders and content. http://download.oracle.com/docs/cd/E21764_01/doc.1111/e10792/c03_security.htm#CDDBCIDA. If you are on 10g or earlier, see support knowledgebase article #603148.1. One thing to note is this can lead to administrative/maintenance work as users come and go in an organization. So content and/or aliases need updating as that happens. That's why we typically recommend Security Groups and Accounts as they scale better and don't have that administrative overhead. So be careful what you ask for. :-) Thanks, Kyle

Posted by Kyle Hatlestad on June 01, 2011 at 12:35 AM CDT #

This is excellent! I was able to apply this in a different way, however I am not sure if it is any better. Basically instead of using the column name dGroupName and having to update the hda file I used dDocAccount as the column name and it worked the same. Can you tell me if you can see any caveats to this?

Posted by guest on June 14, 2011 at 04:18 AM CDT #

No, I'm not aware of any caveats to that method. So if that works for you, then go for it! Thanks, Kyle

Posted by guest on June 14, 2011 at 06:52 AM CDT #

Hi Kyle,

I implemented your solution for an option list we're using on our portal ADF/WebCenter application, which integrates with UCM for WCM functionality. I think the Security Group dropdown also has this kind of a Security implementor.
The thing is that in the ADF application I want to have a ResultSet of Security Groups that the logged in user can write to (by calling a service of UCM). This should be possible as UCM does the same thing on the Search and Checkin page (first one shows all groups with Read permission, second one with Write permission).
I found the GET_SCHEMA_VIEW_FRAGMENT service, but this one always returns all Security Groups with Read permission; I cannot filter it to list only the ones to which I have Write permission.
Do you know a solution for this?

Posted by StijnR on October 24, 2011 at 11:32 PM CDT #

Hey Stijn,

That's a great question. I've posted the answer as its own posting here: http://blogs.oracle.com/kyle/entry/getting_a_list_of_security .

Thanks,
-Kyle

Posted by guest on October 25, 2011 at 04:47 AM CDT #

This doesn't seem to work if you have a column of type int set as primaryKey. Have you tested that scenario?

Posted by Bryan on February 23, 2012 at 10:33 AM CST #

Actually, it doesn't appear to be an issue with the primary key. It's only when I try to use dDocAccount as the filter. My predefined account name is news/feed1, and in my GroupName column I have news/feed1. Seems like it should work, but it doesn't. :)

Posted by Bryan on February 23, 2012 at 10:16 PM CST #

Ugh, nevermind. Seems I figured it out. It always works after I post a few questions on your blog. ;)

Posted by Bryan on February 24, 2012 at 07:17 AM CST #

Hi

When I go back and add values to the option list the new values do not display in the search or checkin forms.
What do I need to do?

Regards
Adrian

Posted by Adrian Campanaro on April 18, 2013 at 08:06 PM CDT #

Hello Adrian,

I'd try and go through the steps and make sure everything matches as it does here. Try setting it to 'No Security' temporarily to see if they appear then. Also check the server tracing and logs for any errors.

Thanks,
-Kyle

Posted by Kyle Hatlestad on April 22, 2013 at 09:22 AM CDT #

About

Kyle Hatlestad is a Solution Architect in the WebCenter Architecture group (A-Team) who works with WebCenter Content and other products in the WebCenter & Fusion Middleware portfolios. The WebCenter A-Team blog can be found at: https://blogs.oracle.com/ateam_webcenter/
