Thursday Jan 10, 2013

Adding browser search engines in WebCenter Content

In a post I made a few years ago, I described how you can add WebCenter Content (UCM at the time) search to the browser's search engines.  I think this is a handy shortcut if you find yourself performing searches often enough in WCC. 

Well, in the PS5 release, this was actually included as a new feature.  You need to enable the DesktopIntegrationSuite component in order to access it.  Once you do, go to the My Content Server -> My Downloads link.  There you will see the 'Add browser search' link. 

Add Browser Search

Once clicked, the server produces an OpenSearchDescription XML file, a format that every modern browser supports for adding a search engine.

Browser Search Bar

The one piece that's missing is something I mentioned in my earlier post: forcing authentication.  If you haven't logged into the server, your search will be performed anonymously and you will only get back content that is available to the guest role.  To make sure the search is performed as your user, pass the extra parameter Auth=Internet, which causes the server to challenge the request and force a login if needed.  Because the search engine URL is defined within the DesktopIntegrationSuite component, changing it requires a new custom component that overrides the dis_search_plugin resource and modifies the Url locations.  Below is an example:

<@dynamichtml dis_search_plugin@>
<?xml version="1.0" encoding="UTF-8"?>
<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/"
                       xmlns:moz="http://www.mozilla.org/2006/browser/search/">
    <ShortName><$if DIS_SearchPluginTitle$><$DIS_SearchPluginTitle$><$else$>Oracle WebCenter Content Server Search<$endif$></ShortName>
    <Description><$lc("wwDISSearchPluginDescription")$></Description>
    <Url type="text/html" method="get" template="<$xml(HttpBrowserFullCgiPath & "?IdcService=DESKTOP_BROWSER_SEARCH&Auth=Internet&MiniSearchText={searchTerms}")$>" />
    <$iconlocation=strReplace(HttpBrowserFullCgiPath,HttpCgiPath,"") & HttpImagesRoot & "desktopintegrationsuite/dis_search_plugin.ico"$>
    <Image height="16" width="16" type="image/x-icon"><$iconlocation$></Image>
    <Developer>Oracle Corporation</Developer>
    <InputEncoding>UTF-8</InputEncoding>
    <moz:SearchForm><$xml(HttpBrowserFullCgiPath & "?IdcService=DESKTOP_BROWSER_SEARCH&Auth=Internet&MiniSearchText=")$></moz:SearchForm>
</OpenSearchDescription>
<$setContentType("application/xml")$>
<$setHttpHeader("Content-Disposition","inline; filename=search_plugin.xml")$>
<$setHttpHeader("Cache-Control", "public")$>
<@end@>

I've included a pre-built custom component that does just that.
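To confirm that the override is what browsers actually receive, the rendered description can be checked for Auth=Internet on every search entry point. The following is an added example, not part of the original post or of the component; the sample XML and the host wcc.example.com are constructed, and the default rendering is assumed to differ only by the missing Auth parameter.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

OS_NS = "http://a9.com/-/spec/opensearch/1.1/"
MOZ_NS = "http://www.mozilla.org/2006/browser/search/"

def sample(query):
    # Constructed rendering of dis_search_plugin; the host is a placeholder.
    base = "https://wcc.example.com/cs/idcplg?" + query
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<OpenSearchDescription xmlns="{OS_NS}" xmlns:moz="{MOZ_NS}">
  <ShortName>Oracle WebCenter Content Server Search</ShortName>
  <Url type="text/html" method="get" template="{base}&amp;MiniSearchText={{searchTerms}}" />
  <moz:SearchForm>{base}&amp;MiniSearchText=</moz:SearchForm>
</OpenSearchDescription>"""

DEFAULT_XML = sample("IdcService=DESKTOP_BROWSER_SEARCH")
OVERRIDDEN_XML = sample("IdcService=DESKTOP_BROWSER_SEARCH&amp;Auth=Internet")

def search_urls(description_xml):
    """Return (label, url) for each search entry point in the description."""
    root = ET.fromstring(description_xml.strip())
    found = []
    for url in root.findall(f"{{{OS_NS}}}Url"):
        found.append((f"Url[{url.get('type')}]", url.get("template", "")))
    for form in root.findall(f"{{{MOZ_NS}}}SearchForm"):
        found.append(("moz:SearchForm", (form.text or "").strip()))
    return found

def forces_login(url):
    """True when every Auth value in the query string is exactly 'Internet'."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get("Auth", [])
    return bool(values) and all(v == "Internet" for v in values)

def anonymous_entry_points(description_xml):
    """Labels of entry points that would let a search run as the guest role."""
    return [label for label, url in search_urls(description_xml)
            if not forces_login(url)]

if __name__ == "__main__":
    for name, doc in (("default", DEFAULT_XML), ("overridden", OVERRIDDEN_XML)):
        missing = anonymous_entry_points(doc)
        print(name, "->", "all entry points force login" if not missing else missing)
```

Checking moz:SearchForm as well as the Url template matters because the override has to change both; a description that carries Auth=Internet in only one of them is still reported.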

UPDATE (Jan 15, 2013)

In addition to enabling the component, there is also a configuration preference that must be enabled.  After enabling the Desktop Integration Suite component, go to the 'advanced component manager'.  Scroll to the 'Update Component Configuration' list at the bottom, select DesktopIntegrationSuite and click Update.  The first entry is 'Enable web browser search plug-in'.  Check that and click Update.

DIS Configuration

If you've already restarted to enable the DIS component, you do not need to restart for this configuration to take effect.

Monday Dec 03, 2012

Access Control Lists for Roles

Back in an earlier post, I wrote about how to enable entity security (access control lists, aka ACLs) for UCM 11g PS3.  Well, there was actually an additional security option that was included in that release but not fully supported yet (only for Fusion Applications).  It's the ability to define Roles as ACLs to entities (documents and folders).  In PS5, this security option is now fully supported.

The benefit of defining Roles for ACLs is that those user roles come from the enterprise security directory (e.g. OID, Active Directory, etc.) and thus the WebCenter Content administrator does not need to define them like they do with ACL Groups (Aliases).  So it's a bit of the best of both worlds.  Users are managed through the LDAP repository and are automatically granted or denied access through their group memberships, which are mapped to Roles in WCC.  A different way to think about it is being able to add multiple Accounts to content items, which I often get asked about.  Because LDAP groups can map to Accounts, there has always been this association between the LDAP groups and access to the entity in WCC.  But that mapping had to define the specific level of access (RWDA) and you could only apply one Account per content item or folder.  Roles for ACLs basically take away both of those restrictions by allowing users to define more than one Role and define the level of access on-the-fly.

To turn on ACLs for Roles, there is a component to enable.  On the Component Manager page, click the 'advanced component manager' link in the description paragraph at the top.   In the list of Disabled Components, enable the RoleEntityACL component. Then restart.  This is assuming the other configuration settings have been made for the other ACLs in the earlier post.  

Once enabled, a new metadata field called xClbraRoleList will be created.  If you are using OracleTextSearch as the search indexer, be sure to run a Fast Rebuild on the collection.

For Users and Groups, these values are automatically picked up from the corresponding database tables.  In the case of Roles, there is an explicitly defined list of choices that are made available.  These values must match the roles that are coming from the enterprise security repository. To add these values, go to Administration -> Admin Applets -> Configuration Manager.  On the Views tab, edit the values for the ExternalRolesView.  By default, 'guest' and 'authenticated' are added.

Configuration Manager

Once added, you can assign the roles to your content or folder.

Role entity field

If you are a user that can both access the Security Group for that item and you belong to that particular Role, you now have access to that item.  If you don't belong to that Role, you won't!

[Extra]

Because the selection mechanism for the list is a type-ahead field, users may not even know which choices exist to start typing.  To help them, one thing you can add to the form is a placeholder field which offers the entire list of roles as an option list they can scroll through (assuming it's a manageable size) and view to know what to type.  Because it is a placeholder field, it won't need to be added to the custom metadata database table or search engine.

List of possible roles field definition

Tuesday Oct 25, 2011

Getting a list of Security Groups and Accounts for a user through the API

I got an interesting question on one of my previous posts about how to access the list of Security Groups a user can write to through the API.  In first looking at it, I thought it would be straightforward and there would be a schema service for this.  The one the user tried, GET_SCHEMA_VIEW_FRAGMENT, does indeed return a list of Security Groups, but you can't differentiate between the ones the user can read and which ones they can write to.  I looked through the documentation and couldn't find anything related which might work.  I thought perhaps by running the CHECKIN_NEW_FORM service which renders the check-in page template might offer a resultset to use, but no luck there.

The solution comes from a service buried in the std_services.htm file called GET_USER_PERMISSIONS.  When you run this service as the user, it will return the list of Security Groups and Accounts along with the level of access for that entity (1=read, 3=write, 7=delete, 15=admin).  If you access the service through the URL and add the '&IsPageDebug=1', you can see the results as such:

Get User Permissions

Tuesday Feb 22, 2011

New security configuration flag in UCM PS3

[Read More]

Friday Feb 26, 2010

Managing UCM users en masse

[Read More]
About

Kyle Hatlestad is a Solution Architect in the WebCenter Architecture group (A-Team) who works with WebCenter Content and other products in the WebCenter & Fusion Middleware portfolios. The WebCenter A-Team blog can be found at: https://blogs.oracle.com/ateam_webcenter/
