Channel: WebCenter Sites – ATeam Chronicles

Read Only User in WebCenter Sites


Recently, I was at a client, and they had a requirement to create a ReadOnly user for WebCenter Sites. By default, WebCenter Sites does not have a ReadOnly user. However, creating one is a simple task. Before I go into the details of how to create a ReadOnly user, let me briefly talk about authorization in WebCenter Sites.

WebCenter Sites uses a combination of ACLs and Roles to provide authorization. Access to assets is controlled using ACLs, Roles, Start Menus & Tabs, permissions in ini files, functional privileges for assets in workflow, and Access Privileges for controlling access to individual assets.

Access Control Lists

In WebCenter Sites, Access Control Lists (ACLs) control:

  • Read/write access to database tables
  • Access to URLs (Site Catalog records)
  • Features of the GUI (e.g. xcelpublish allows you to publish)

Some ACLs are preconfigured in the System, and other custom ACLs can be added. All users must have the following ACLs:

  • Browser
  • ElementReader
  • PageReader
  • UserReader
  • xceleditor

These ACLs allow users to log in to the WebCenter Sites UI. The scope of ACLs is system-wide. That is, a user has the same ACLs irrespective of the site the user is logged into. ACLs play a role in both Management and Delivery environments. In Management, they are needed so that a user can log in to the WebCenter Sites UI and read from and write to database tables. In Delivery, ACLs can restrict the URLs and pagelets (Site Catalog records) a user can view.

Roles

In WebCenter Sites, Roles allow access to:

  • Different User Interfaces (e.g. Advanced User, DASH User)
  • Start Menus & Tabs
  • Workflow States & Function Privileges

Roles are site specific. A user can have different roles on different sites. For example, he can be a Content Editor on one site, and an Approver on another site.

Controlling Access to Assets

Once users are granted permission to access a site, their ability to work with the site’s content is managed through:

  • Start menus, which determine whether users can create, search for, and edit assets of certain types.
  • Permissions to assets that are not part of a workflow process.
    Access to assets that are not part of a workflow is controlled through access policies that define which roles have permission to perform different functions on assets.
  • Permissions to assets that are part of a workflow process.
    Access to assets that are part of a workflow process is controlled through Functional Privileges. Functional Privileges are part of the workflow definitions.
  • Permissions to WebCenter Sites’ tree.
    Using Roles, one can control users’ permissions to the tree, tabs in the tree, nodes in the tabs, and items in the nodes.

Setting Access Permissions from Property Files

Access permissions can be set from futuretense_xcel.ini. One can either grant or deny permissions by setting the following properties:

  • xcelerate.grant.functionname = rolelist
  • xcelerate.deny.functionname = rolelist

where functionname is the name of the function, as shown in the futuretense_xcel.ini file, on the Authorization tab. rolelist is a comma-separated list of roles for which the permission is either denied or granted. If the permission is granted or denied in the futuretense_xcel.ini, it is granted or denied for all assets, irrespective of the asset type. These permissions can be overridden by specifically setting access permissions on an asset-by-asset basis, using WebCenter Sites' access permissions feature.

Creating Read Only User

To create a Read Only User, one must do the following:

  1. Create a role, say ReadOnly. The read-only users must be assigned only this role.
  2. Create another role, say Editor. This role must be assigned to all other users. The read-only users must not be assigned this role.
  3. Make sure that the ReadOnly user cannot access any Start Menus for creating assets, e.g. ‘New Article’.
  4. Set the Access Permission in futuretense_xcel.ini to deny the ReadOnly role functions such as edit and delete.
  5. Set the Access Permission in futuretense_xcel.ini to grant the Editor role these functions.

Typically, the following entries may be made in the futuretense_xcel.ini file to create a ReadOnly user. These may be changed depending on exactly which functions have to be granted or denied to the ReadOnly user, and on the exact names of the ReadOnly and Editor roles.

  • xcelerate.deny.build=ReadOnly
  • xcelerate.deny.checkout=ReadOnly
  • xcelerate.deny.delegate=ReadOnly
  • xcelerate.deny.setExportData=ReadOnly
  • xcelerate.deny.placepage=ReadOnly
  • xcelerate.deny.showparticipants=ReadOnly
  • xcelerate.deny.rollback=ReadOnly
  • xcelerate.deny.setparticipants=ReadOnly
  • xcelerate.deny.removefromgroup=ReadOnly
  • xcelerate.deny.removefromworkflow=ReadOnly
  • xcelerate.deny.edit=ReadOnly
  • xcelerate.deny.setprocessdeadline=ReadOnly
  • xcelerate.deny.setnestedworkflow=ReadOnly
  • xcelerate.deny.setstepdeadline=ReadOnly
  • xcelerate.deny.approve=ReadOnly
  • xcelerate.deny.copy=ReadOnly
  • xcelerate.deny.authorize=ReadOnly
  • xcelerate.deny.delete=ReadOnly
  • xcelerate.deny.share=ReadOnly
  • xcelerate.deny.abstainfromvoting=ReadOnly
  • xcelerate.grant.setparticipants=Editor
  • xcelerate.grant.removefromgroup=Editor
  • xcelerate.grant.delete=Editor
  • xcelerate.grant.setnestedworkflow=Editor
  • xcelerate.grant.showparticipants=Editor
  • xcelerate.grant.copy=Editor
  • xcelerate.grant.authorize=Editor
  • xcelerate.grant.setstepdeadline=Editor
  • xcelerate.grant.setExportData=Editor
  • xcelerate.grant.placepage=Editor
  • xcelerate.grant.abstainfromvoting=Editor
  • xcelerate.grant.checkout=Editor
  • xcelerate.grant.delegate=Editor
  • xcelerate.grant.share=Editor
  • xcelerate.grant.approve=Editor
  • xcelerate.grant.build=Editor
  • xcelerate.grant.edit=Editor
  • xcelerate.grant.setprocessdeadline=Editor
  • xcelerate.grant.removefromworkflow=Editor
  • xcelerate.grant.rollback=Editor

In addition to these, if workflow is being used, functional privileges should be configured so that the ReadOnly user cannot edit or delete an asset. Now, any user that is assigned only the ReadOnly role will only be able to inspect, preview, and check the status of an asset, and will not be allowed to perform other functions.
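A long list of grant and deny entries is easy to get subtly wrong, so the following audit script (an added example, not part of the original article or of WebCenter Sites) parses the xcelerate.grant.* and xcelerate.deny.* entries and reports functions the ReadOnly role is not denied, grants that list it, and roles that are both granted and denied the same function. The role name and function list come from the sample entries above; treating lines starting with # or ; as comments is an assumption.

```python
import re

# Functions the article's sample configuration denies to the read-only role.
WRITE_FUNCTIONS = {
    "build", "checkout", "delegate", "setExportData", "placepage",
    "showparticipants", "rollback", "setparticipants", "removefromgroup",
    "removefromworkflow", "edit", "setprocessdeadline", "setnestedworkflow",
    "setstepdeadline", "approve", "copy", "authorize", "delete", "share",
    "abstainfromvoting",
}
ENTRY = re.compile(r"^\s*xcelerate\.(grant|deny)\.(\w+)\s*=\s*(.*)$")

def parse_permissions(text):
    """Return {'grant': {function: set(roles)}, 'deny': {...}} from ini text."""
    perms = {"grant": {}, "deny": {}}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):   # assumed comment markers
            continue
        m = ENTRY.match(line)
        if m:
            action, function, rolelist = m.groups()
            roles = {r.strip() for r in rolelist.split(",") if r.strip()}
            perms[action].setdefault(function, set()).update(roles)
    return perms

def audit_read_only(text, role="ReadOnly", functions=WRITE_FUNCTIONS):
    """List gaps between the ini text and the read-only setup described above."""
    perms, findings = parse_permissions(text), []
    for fn in sorted(functions):
        if role not in perms["deny"].get(fn, set()):
            findings.append(f"missing deny: xcelerate.deny.{fn} does not list {role}")
    for fn, roles in sorted(perms["grant"].items()):
        if role in roles:
            findings.append(f"unexpected grant: xcelerate.grant.{fn} lists {role}")
        for both in sorted(roles & perms["deny"].get(fn, set())):
            findings.append(f"conflict: {both} is both granted and denied {fn}")
    return findings

# Constructed sample: 'edit' is denied, 'delete' was forgotten, 'copy' is mis-granted.
SAMPLE = """\
xcelerate.deny.edit=ReadOnly
xcelerate.deny.copy = ReadOnly
xcelerate.grant.copy=Editor, ReadOnly
xcelerate.grant.delete=Editor
"""

if __name__ == "__main__":
    for finding in audit_read_only(SAMPLE, functions={"edit", "delete", "copy"}):
        print(finding)
```

An empty result means the file contains every deny entry from the list above and no grant names the read-only role; it does not check Start Menus, workflow functional privileges, or per-asset access permissions.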

