Friday, April 10, 2009

Security Groups and Accounts Overview (Part 3)

This is the third entry of a three-part series on Oracle UCM (Stellent) security.

How Access Works

Access to a document is governed by both its Security Group and its Account.  To perform an action (view the document, check in a revision, and so on), a user needs permission for it from BOTH sides: from the Roles the user holds (and, by extension, the Security Group permissions those Roles carry) and from the Accounts the user holds.  The effective permission is the lower of the two: whatever the Role grants on the document's Security Group, capped by whatever the Account grants on the document's Account.  If either side does not grant the permission, the user cannot perform the action, no matter how generous the other side is.

Note: if Accounts are not enabled, only the Role is checked; account settings are not considered at all.

Practical Usage

The following roles are defined in the system:

Role              Security Groups
Employee          Intranet (R)
IntranetManager   Intranet (RW)
ExtranetManager   Extranet (RW)
Partner           Extranet (R)

The following users exist in the system:

User    Roles                                        Accounts
John    Employee                                     dept (R)
Sally   Employee, IntranetManager                    dept (R), dept/hr (RW)
Beth    Employee, IntranetManager                    dept (R), dept/legal (RW)
Mike    Partner                                      partner/all (R), partner/acme (R)
Hugh    Employee, IntranetManager                    dept (RW)
Brian   Employee, ExtranetManager                    dept (R), partner (RW)
Anne    Employee, IntranetManager, ExtranetManager   #all (RWDA)

Let’s look at some sample documents in the system.

Document A

Security Group: Intranet
Account: dept/legal

Here is the breakdown of how each user can access this document:

User    Highest Permission by Role   Highest Permission by Account   Final Permission
John    R                            R                               R
Sally   RW                           R                               R
Beth    RW                           RW                              RW
Mike    None                         None                            None
Hugh    RW                           RW                              RW
Brian   R                            R                               R
Anne    RW                           RWDA                            RW

Sally cannot check out this document, even though her Role allows it.  Her write grant is on dept/hr, a sibling of dept/legal rather than a parent of it, so it does not apply; the only grant that does apply is dept (R), which caps her at read.  Hugh, on the other hand, can check it out: his Role allows it, and his dept (RW) grant cascades down to every account beneath dept, including dept/legal.  Anne's #all (RWDA) account would grant everything on the account side, but her Roles only give RW on the Intranet group, so RW is her final permission: an Account can never raise a user above what the Role allows.

Document B

Security Group: Extranet
Account: partner/acme

Here is the breakdown of how each user can access this document:

User    Highest Permission by Role   Highest Permission by Account   Final Permission
John    None                         None                            None
Sally   None                         None                            None
Beth    None                         None                            None
Mike    R                            R                               R
Hugh    None                         None                            None
Brian   RW                           RW                              RW
Anne    RW                           RWDA                            RW

Most of these users cannot see this document at all: their Roles carry no permission on the Extranet group, and none of their accounts cover partner/acme, so they fail on both sides.  Mike, the partner, can read it: his Partner Role grants R on Extranet and his partner/acme (R) account matches the document's account exactly.  Brian gets RW because ExtranetManager grants RW on Extranet and his partner (RW) grant cascades down to partner/acme.

Document C

Security Group: Extranet
Account: partner/abc

Here is the breakdown of how each user can access this document:

User    Highest Permission by Role   Highest Permission by Account   Final Permission
John    None                         None                            None
Sally   None                         None                            None
Beth    None                         None                            None
Mike    R                            None                            None
Hugh    None                         None                            None
Brian   RW                           RW                              RW
Anne    RW                           RWDA                            RW

This document is the same as Document B except for its Account.  Using the Account, the system can put a document on the Partner Extranet that only some partners can see.  Notice that Mike is denied: his Role gives him R on Extranet, but his grants are on partner/all and partner/acme, both siblings of partner/abc rather than parents of it, so neither cascades to this document.  Despite its name, partner/all is an ordinary account, not a wildcard like #all, and it covers nothing outside its own subtree.
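The three breakdowns above are mechanical enough to compute.  The following Python resolver is an added example written for this post, not Oracle UCM code and not the author's: it encodes the Role and User tables from the Practical Usage section, takes the effective permission as the lower of the role-derived and account-derived permissions as described under How Access Works, and reproduces the Document A, B and C tables.  Two details are assumptions rather than something the post states: an account grant is matched against the document's account one path segment at a time (so dept covers dept/legal but not department, and partner/all does not cover partner/abc), and #all covers every account.  The accounts_enabled switch reproduces the note that with Accounts disabled only the Role counts.

```python
"""Effective-permission resolver for the Security Group + Account model.

Added example, not Oracle UCM code.  The role and user tables are the ones
from this post; the segment-wise account matching and the '#all' wildcard
are assumptions made for the example.
"""

# Permission letters in ascending order; a grant such as "RW" is cumulative,
# so it is scored by its highest letter (R=1, W=2, D=3, A=4, none=0).
LEVELS = ["R", "W", "D", "A"]

# Roles -> {security group: permission}, from the post's role table.
ROLES = {
    "Employee":        {"Intranet": "R"},
    "IntranetManager": {"Intranet": "RW"},
    "ExtranetManager": {"Extranet": "RW"},
    "Partner":         {"Extranet": "R"},
}

# Users -> (roles, {account: permission}), from the post's user table.
USERS = {
    "John":  (["Employee"], {"dept": "R"}),
    "Sally": (["Employee", "IntranetManager"], {"dept": "R", "dept/hr": "RW"}),
    "Beth":  (["Employee", "IntranetManager"], {"dept": "R", "dept/legal": "RW"}),
    "Mike":  (["Partner"], {"partner/all": "R", "partner/acme": "R"}),
    "Hugh":  (["Employee", "IntranetManager"], {"dept": "RW"}),
    "Brian": (["Employee", "ExtranetManager"], {"dept": "R", "partner": "RW"}),
    "Anne":  (["Employee", "IntranetManager", "ExtranetManager"], {"#all": "RWDA"}),
}


def rank(perm):
    """Score a permission string: '' -> 0, 'R' -> 1, 'RW' -> 2, 'RWDA' -> 4."""
    return max((LEVELS.index(c) + 1 for c in perm), default=0)


def name(score):
    """Inverse of rank(), rendered the way the post's tables do it."""
    if score is None:
        return "n/a"  # accounts disabled: there is no account column
    return "".join(LEVELS[:score]) or "None"


def role_permission(roles, group):
    """Highest permission any of the user's roles grants on the security group."""
    return max((rank(ROLES[r].get(group, "")) for r in roles), default=0)


def account_covers(granted, doc_account):
    """Does a grant on `granted` apply to a document filed under `doc_account`?

    Assumption: '#all' matches everything; otherwise the grant must equal the
    document account or be an ancestor of it, compared one path segment at a
    time.  Splitting on '/' rather than using a plain string-prefix test is
    what stops 'dept' from covering 'department' and 'partner/all' from
    covering 'partner/abc'.
    """
    if granted == "#all":
        return True
    g = granted.strip("/").split("/")
    d = doc_account.strip("/").split("/")
    return d[: len(g)] == g


def account_permission(accounts, doc_account):
    """Highest permission among the user's account grants that cover the document."""
    return max(
        (rank(p) for acct, p in accounts.items() if account_covers(acct, doc_account)),
        default=0,
    )


def effective_permission(user, group, doc_account, accounts_enabled=True):
    """Return (by_role, by_account, final) as scores.

    Final is the lower of the two sides: an account never raises a user above
    the role, and a role never raises a user above the account.  With accounts
    disabled the role alone decides.
    """
    roles, accounts = USERS[user]
    by_role = role_permission(roles, group)
    if not accounts_enabled:
        return by_role, None, by_role
    by_account = account_permission(accounts, doc_account)
    return by_role, by_account, min(by_role, by_account)


def breakdown(group, doc_account):
    """One row per user, as strings, in the shape of the post's tables."""
    return {
        user: tuple(name(s) for s in effective_permission(user, group, doc_account))
        for user in USERS
    }


if __name__ == "__main__":
    # The three sample documents from the post.
    for doc, group, acct in [("A", "Intranet", "dept/legal"),
                             ("B", "Extranet", "partner/acme"),
                             ("C", "Extranet", "partner/abc")]:
        print(f"Document {doc}: group={group} account={acct}")
        for user, (r, a, f) in breakdown(group, acct).items():
            print(f"  {user:<6} role={r:<5} account={a:<5} final={f}")
```

Running it prints the three tables.  The point worth keeping from the code is in account_covers: if you implement account cascading with a raw string prefix test instead of comparing path segments, a grant on dept silently covers a future department account, and an attacker who can name accounts gets a cheap way to inherit permissions.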
