Lotus Web Content Management 6.1: The enhanced security model simplified
Noushad Nazmi
IBM Software Group
Staff Software Engineer,
WebSphere Portal and Lotus Web Content Management
Pune, India
September 2009
Summary: Using IBM® WebSphere® Portal and Lotus® Web Content Management, you can restrict access to selected users and groups to the views within an authoring portlet, the items managed by the authoring portlet, and to elements and pages displayed within a Web site.
This article describes how to simplify the use of the enhanced Web Content Management security model introduced in WebSphere Portal and Web Content Management 6.1.
Contents
1 Security model enhancement overview
1.1 Security inheritance
1.2 Setting Access on Root node
1.2.1 JCR security hierarchy
1.3 New virtual users (author, owner, creator)
1.3.1 How to use new virtual users
1.4 User/Contributor role separation
2 Library-level access controls
2.1 Assigning access permissions to a library
3 Item-type access controls
3.1 Set access permissions to the different library item types
4 Item-level access controls
4.1 The updated item security matrix
4.2 Setting item security (Web Content Management 6.0)
4.3 Setting item security (Web Content Management 6.1)
5 Conclusion
6 Resources
7 About the author
1 Security model enhancement overview
Let’s begin with an overview of the enhanced security model in WebSphere Portal and Web Content Management 6.1.
1.1 Security inheritance
The introduction of security inheritance means that users don’t need to set security on every item, since access can be inherited. For the user, this means the following:
· Nothing needs to be done for migrated libraries to continue operating as they did in 6.0.x, whether for authoring new content or for rendering the existing site:
  - Inheritance is not turned on for existing data.
  - Customers can change their existing data to use inheritance.
· New items (not including content created from existing authoring templates) have inheritance turned on by default.
  - This means the access control for the library needs to be set up correctly (not giving people too much access at the library level), because every new item inherits it.
  - OPTIONAL: For consistent backward compatibility, inheritance can be turned off by default with the default.inherit.permissions.enabled property in WCMConfigService.properties (it is true by default).
· Inheritance can be enabled for an item by using the “Edit Access” UI command.
1.2 Setting Access on Root node
In version 6.0.x, Java Content Repository (JCR) root access to all the Web Content Management libraries could be set through the Portal Document Manager Admin portlet. This portlet is gone in 6.1, but you can now do the action through the Web Content Management Admin portlet (see figure 1).
Figure 1. Setting access on JCR root

1.2.1 JCR security hierarchy
· Web Content Management 6.1 relies on Portal Access Control (PAC) for security, for both Library level and Item level (see figure 2).
· Library-level security allows control of the entire library as well as per item type.
· Item-level security relies on JCR node security; however, Web Content Management security information is still stored for each item.
Figure 2. JCR Security hierarchy
1.3 New virtual users (author, owner, creator)
There are two different virtual users and one virtual group. These predefined virtual users and groups allow for access control configuration that applies to abstract sets of users.
These virtual users and groups are not stored in the user registry. They exist only within the access control context. You cannot change group membership or other attributes of these virtual users and groups:
- Anonymous Portal User
- All Authenticated Portal Users
- All Portal User Groups
You can specify authors, owners, or a creator for access in the permissions table (see figure 3).
Figure 3. Using virtual users
Table 1 lists the details for each user and group.
Table 1. Users and groups

| User or group | Details |
|---|---|
| anonymous portal user | Select this user to grant access to anonymous users. |
| [all users] | Select this group to grant access to all users, anonymous and authenticated. |
| [all authenticated portal users] | Select this group to grant access to all authenticated users. |
| [all portal user groups] | Select this group to grant access to all user groups. |
| [creator] | Select this to grant access to the creator of the item. |
| [authors] | Select this to grant access to users who have been selected as an "author" of the item. |
| [owners] | Select this to grant access to users who have been selected as an "owner" of the item. |
1.4 User/Contributor role separation
The security roles in Web Content Management 6.0.x releases are Read, Edit, and Delete. The new security roles in version 6.1 are the same as the WebSphere Portal roles:
· User (new role for Web Content Management – similar to ‘Live’ in version 5.x)
· Contributor (maps to Read)
· Editor (maps to Edit)
· Manager (maps to Delete)
Table 2. Roles and access rights (columns: Roles; Rendering and authoring portlet access rights)

User
Users and groups assigned to this role can view items in a Web site or rendering portlet to which they have been assigned at least user access.
TIP: The simplest way to assign users to this role is to select any of the default user groups such as "All Authenticated Portal Users" or "Anonymous Portal User". Users will still require "user" access to an item before it will be rendered in a Web site or rendering portlet.

Contributor
Users and groups assigned to this role can:
- view items in a rendering portlet or servlet-rendered Web site that they have been assigned at least user access to.
- view libraries that they have been assigned contributor access to in an authoring portlet.
- access the "My Items" and "All Items" views in an authoring portlet for libraries that they have been assigned contributor access to.
- access the item type view within the authoring portlet for item types that they have been assigned at least user access to.

Editor
Users and groups assigned to this role can:
- view items in a rendering portlet or servlet-rendered Web site that they have been assigned at least user access to.
- view libraries that they have been assigned contributor access to in an authoring portlet.
- access the "My Items" and "All Items" views in an authoring portlet for libraries that they have been assigned at least contributor access to.
- for library item types that users and groups have been assigned at least editor access to, editors can access the following actions in the authoring portlet:
  - access the item type view
  - create a new item
  - add/remove links
  - apply authoring template
  - copy
  - delete
  - edit
  - link to
  - move
  - restore a version
  - edit version labels

Manager
Users and groups assigned to this role can:
- view items in a rendering portlet or servlet-rendered Web site that they have been assigned at least user access to.
- view libraries that they have been assigned contributor access to in an authoring portlet.
- access the "My Items" and "All Items" views in an authoring portlet for libraries that they have been assigned at least contributor access to.
- for library item types that they have been assigned manager access to, managers can access all of the actions available to editors and also the following actions in the authoring portlet:
  - edit access settings
  - next stage
  - purge
  - unlock
  - edit user profile

Administrator
Users and groups assigned to this role can:
- view items in a rendering portlet or servlet-rendered Web site that they have been assigned at least user access to.
- view libraries that they have been assigned contributor access to in an authoring portlet.
- access the "My Items" and "All Items" views in an authoring portlet for libraries that they have been assigned at least contributor access to.
- perform all actions in the authoring portlet for library item types that they have been assigned administrator access to.

Security Administrator, Delegator, Privileged User
These roles have no access to Web Content Management items.
2 Library-level access controls
Library-level access controls determine access to the library as a whole. If granted, it provides an entry point to the library. A user needs at least Contributor access to a library in order to have access to it on the Authoring portlet.
2.1 Assigning access permissions to a library
To do this, follow these steps:
- Open the Administration portlet.
- Go to Portal Content > Manage Web Content Libraries, and click the Set Permissions icon for the library you would like to edit (see figure 4).
Figure 4. Web Content Libraries
- Click the Edit Role icon on the role you would like to edit (see figure 5).
- Click Add and search for any users or groups you would like to assign to a role.
- Click OK and then click Resources to return to the previous view.
- Click Done.
Figure 5. Resource permissions to a library
3 Item-type access controls
Item-type access controls define the item-type views and tasks a user can access within the Authoring portlet for a particular library. The permissions set for item types in a library do not automatically give you access to individual items; they only give you access to specific tasks and views within the Authoring portlet. Access to the items themselves is governed by item-level access controls (section 4).
3.1 Set access permissions to the different library item types
To define the views and actions that are available from within the authoring portlet, follow these steps:
- Click the Library resources icon for the library you would like to edit (see figure 6).
Figure 6. Access permissions to the different library item types

- Click the Set permissions icon for the role you would like to edit (see figure 7).
- Click Add and search for any users or groups you would like to assign to a role.
- Click OK and click Resources to return to the previous view.
- Click Done.
Figure 7. Access permissions to the different library item types

4 Item-level access controls
You use item-level access controls to determine what level of access a user or group has to an item, and who has access to an item on the live Web site. You assign item-level access by assigning users and groups different roles for each item. The role you assign determines what actions a user has access to for each item.
4.1 The updated item security matrix
Figure 8 shows the updated item security matrix for Web Content Management 6.1.
Figure 8. Updated item security matrix

4.2 Setting item security (Web Content Management 6.0)
In the previous version’s (v6.0) Access section (see figure 9), each “Grant…” button takes the user to the old people search dialogs, a tedious process with many page refreshes needed to perform simple and repetitive tasks.
Figure 9. Setting item security in v6.0
Clicking a grant access button launches the “old” people search dialog. Filling every access level would take a minimum of 24 page refreshes across both user- and system-defined access.
4.3 Setting item security (Web Content Management 6.1)
For item security in version 6.1, the layout for the Access section has been simplified and now exposes the inheritance options (see figure 10).
4.3.1 Read mode for non-workflowed items
The Access section in figure 10 shows the Read mode for non-workflowed items.
Figure 10. Read mode for non-workflowed items
4.3.2 Edit mode for non-workflowed item
The Access section in figure 11 shows the Edit mode for non-workflowed items.
Figure 11. Edit mode for non-workflowed item
4.3.3 Edit mode for workflowed item (set inheritance on the stage)
Figure 12 shows the Workflow Security dialog for Edit mode for a workflow stage.
Figure 12. Edit mode for workflow stage
The Access section in figure 13 shows the Edit mode for a workflowed item.
Figure 13. Edit mode for workflowed Item
Table 3 lists the security settings and their descriptions.
Table 3. Security settings defined (columns: Section; Details)

User defined
If the item is not participating in a workflow, the user can edit the access under user-defined.

Workflow
If an item is participating in a workflow, then the user-defined option does not appear, and the workflow settings are displayed. This cannot be edited. Workflow-defined access is set in workflow stages.
NOTE: Published items and workflow-defined item security:
- If you grant a user editor access to an item in a workflow stage that uses a publish action, then those users are able to edit the published item directly. No draft is created. The same is true for administrator-defined security when applied to published items.
- If you grant a user manager access to an item in a workflow stage that uses a publish action, then those users are able to edit and delete the published item directly. No draft is created. The same is true for administrator-defined security when applied to published items.
- If you grant a user approve access to an item in a workflow stage that uses a publish action, then those users are able to create drafts of the published item.

Administrator defined
Administrators can edit user access to an item at any time by changing the administrator-defined settings.

Inheritance
You can also choose to inherit access assigned in the current Web content library, or from an item's parent. Inheritance for all user roles is enabled by default.
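The following is an added illustrative model of how the rules described in this article combine (the role ladder of section 1.4, the virtual users of Table 1, library-level entry of section 2, and inheritance from a library or parent as in section 1.1 and Table 3). It is not IBM's implementation; the class and function names, and the idea of an item carrying its library's ACL as a plain dictionary, are assumptions made for the example. It shows why an over-generous library-level grant matters: with inheritance on, every new item silently receives it.

```python
# Added illustrative model of this article's rules; not IBM's code, names are assumptions.
ROLES = ["User", "Contributor", "Editor", "Manager", "Administrator"]

def rank(role):
    """Position on the role ladder; None (no access) ranks below User."""
    return ROLES.index(role) if role else -1

class Item:
    def __init__(self, library_acl, creator, authors=(), owners=(), acl=None,
                 parent=None, inherit=True):
        self.library_acl = library_acl  # principal -> role granted on the library (section 2)
        self.parent, self.creator = parent, creator
        self.authors, self.owners = set(authors), set(owners)
        self.acl = acl or {}    # explicit user- or administrator-defined grants on the item
        self.inherit = inherit  # section 1.1: on by default for new items

def principals(user, groups, item=None):
    """Real plus virtual principals (Table 1) that can match an ACL entry for this user."""
    p = {user, "[all users]", "[all authenticated portal users]"} | set(groups)
    if item is not None:
        if user == item.creator: p.add("[creator]")
        if user in item.authors: p.add("[authors]")
        if user in item.owners: p.add("[owners]")
    return p

def best_role(acl, names):
    return max((acl.get(n) for n in names), key=rank, default=None)

def effective_role(user, groups, item):
    """Highest role from the item's own ACL plus, if inheritance is on, its parent or library."""
    role = best_role(item.acl, principals(user, groups, item))
    if item.inherit:
        if item.parent is not None:
            inherited = effective_role(user, groups, item.parent)
        else:
            inherited = best_role(item.library_acl, principals(user, groups))
        if rank(inherited) > rank(role):
            role = inherited
    return role

def can_render(user, groups, item):
    """Table 2: at least User access on the item before it renders in a Web site."""
    return rank(effective_role(user, groups, item)) >= rank("User")

def can_enter_authoring(user, groups, item):
    """Section 2: at least Contributor on the library opens it in the authoring portlet."""
    return rank(best_role(item.library_acl, principals(user, groups))) >= rank("Contributor")
```

With a constructed library ACL that grants "[all authenticated portal users]" Editor, a new item with inheritance on gives every signed-in user Editor rights, while the same item with inheritance off grants them nothing; turning inheritance off per item (or via batch security, section 4.3.4) is how that is contained.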
4.3.4 Use of batch security
You can specify to ignore, inherit, or don't inherit for each of the Security roles for batch access (see figures 14 and 15). This is an effective way to apply inheritance to existing items.
Figure 14. Using batch security
Figure 15. Using batch security, continued
5 Conclusion
This article has described how the Web Content Management 6.1 security features can be used in a simplified manner and which aspects have changed from previous versions.
6 Resources
· IBM WebSphere Portal, Version 6.1 Information Center:
http://publib.boulder.ibm.com/infocenter/wpdoc/v6r1m0/index.jsp?topic=/com.ibm.wp.ent.doc_v6101/wcm/wcm_security_items.html
· IBM Support Technote, “MustGather: Web Content Management (WCM) Version 6.1 Security”:
http://www-01.ibm.com/support/docview.wss?rs=688&uid=swg21326269
· WebSphere Portal family wiki article:
http://www-10.lotus.com/ldd/portalwiki.nsf/dx/3.4.1.1-understanding-security#securitylevelsinwcm
7 About the author
Noushad Nazmi is a Staff Software Engineer for the WebSphere Portal and Lotus Web Content Management team in the IBM Technical Support Center in Pune, India. He is a Web Content Management certified developer and worked extensively with other Portal Server (WebLogic) and Web Content Management software (Interwoven TeamSite) before joining IBM in 2006. He holds a degree in Mathematics and a Master of Computer Applications with honors. You can reach him at noushad.nazmi@in.ibm.com.