WCM Security Settings
If the item is not participating in a workflow, the user can edit the access under user-defined.
If an item is participating in a workflow, then the user-defined option does not appear, and the workflow settings are displayed. These cannot be edited. Workflow-defined access is set in workflow stages.
NOTE: Published items and workflow-defined item security:
Administrators can edit user access to an item at any time by changing the administrator defined settings.
You can also choose to inherit access assigned in the current Web content library, or from an item's parent. Inheritance for all user roles is enabled by default.
1. Security at the library level determines who can access the library.
2. Security at the library resources level (i.e. components, content, authoring templates, etc.) determines what they can see and what functions (read, edit, delete, purge, etc.) they can perform.
3. A user or group with access to create content should be able to use New->Content in the library to initially create the content. Then, depending on how the workflow is set up for the content, that user may or may not be able to edit the content, because they may not be included in the access control for the next workflow stage the content moves to.
4. Element level security:
a. Content elements inherit the permissions from the content resource type.
b. In WCM, it is possible to filter who sees a content element. To set permissions, go to the default content settings, expand the content element, and click Select editors or Select viewers.
5. Create new item: The ability to create new items is set at the library level, not item level. You must have at least contributor access to a library and editor access to an item type to create a new item. If you have access to create any item type, you can also create folders and projects.
6. Security Inheritance
i. Inheritance from a library is based on the role assigned to the overall library, not on the role assigned to specific item types. For example, you may not have access to the presentation template view on a library, but if you inherit the role of editor to a presentation template, you will be able to view and edit that presentation template from the All Items view.
ii. Inheritance does not apply to draft items.
7. Disabling inheritance:
i. By default, each role's access is automatically inherited down to each item in a library. To prevent a user or group from automatically having inherited access to an item, you will need to turn off inheritance on that item.
ii. Note: By default, inheritance is enabled for all roles and items. To disable automatic inheritance, edit the WCMConfigService.properties file located in the /PortalServer/wcm/shared/app/config/wcmservices/ directory.
iii. To disable automatic inheritance, set this value to “false”: default.inherit.permissions.enabled=false
iv. You will need to restart WebSphere Portal to enable any configuration changes made to this file
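A way to audit the inheritance setting described in item 7, added here as an example and not taken from IBM's tooling. The property name comes from the notes; the file excerpt, the function names and the result labels are assumptions made for the example.

```python
import re

# Property name comes from the notes above; the excerpt below is constructed.
KEY = "default.inherit.permissions.enabled"

SAMPLE = """\
# WCMConfigService.properties (constructed excerpt)
! second comment style allowed in .properties files
some.other.setting = value
default.inherit.permissions.enabled=true
default.inherit.permissions.enabled : false
"""


def parse_properties(text):
    """Parse simple Java .properties text (no line continuations or escapes).

    A key that appears twice keeps its last value, as java.util.Properties does.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def inheritance_state(text):
    """Classify the effective setting; odd values are flagged, not guessed."""
    value = parse_properties(text).get(KEY)
    if value is None:
        return "enabled-by-default"  # the notes say inheritance is on by default
    if value == "false":
        return "disabled"
    if value == "true":
        return "enabled"
    return "unrecognised:" + value


if __name__ == "__main__":
    print(inheritance_state(SAMPLE))
```

Because the file is only read at startup, the result describes the running server only if WebSphere Portal has been restarted since the last edit.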
8. Workflow security
i. A workflow in WCM is a process that is used to control item state and security.
ii. Workflow stages determine the content security for a particular stage. (Do not confuse this with the security of the stage itself.)
iii. Setting approve access is only available through the workflow stage.
iv. A WCM "non-workflowed" item has only one state, which is published. A non-workflowed item is represented by a gray icon close to the item.
v. In the Draft workflow stage, add “group A” as editors on the content, so that all content entering this stage automatically gives access to that group.
vi. Changes to security in a workflow stage do not apply to content that is already in draft until the content is forced to re-enter the draft stage.
vii. If the content is in the Draft stage, the user who moves the item to the approve stage (by clicking next stage) must have read access on the approve stage itself. Otherwise an unauthorized exception is thrown.
viii. Similarly, authors need 'approve' access on the 'draft' workflow stage to approve the content by themselves (to move it to the publish action).
ix. Authors can only add Read access to items after they are published, using the Additional Viewers when published button.
9. Batch-editing access controls: An administrator can apply access control settings for multiple items. To batch-edit security:
a. Open an item view.
b. Select the items you would like to batch-edit, and then click More Actions > Edit Access.
c. If you are assigning access to individual users or groups, edit the list of users or groups you would like to set security levels for.
i. To remove items, first select the required items from the item list, then click Remove.
ii. To add items, click Add. Search for and then select the users or groups you would like to add security for. Click OK.
d. Select how to apply the new access levels:
i. The same access level changes the access level of the selected users or groups to the specific access level selected in step e.
ii. Minimum access level changes the minimum access level of the selected users or groups to the access level selected in step e. The access levels of a user can be raised, but not reduced.
iii. Maximum access level changes the maximum access level of the selected users or groups to the access level selected in step e. The access levels of a user can be reduced, but not raised.
e. Select an access level.
f. Select inheritance options as required. If you select "ignore", no changes are applied to inheritance.
g. Select to apply these settings either to the Administrator Defined or User Defined access control settings.
h. Select "Only change access for existing users or groups. Do not add any new users or groups" to change the access level of users and groups that have already been granted access to an item. No new users or groups are added.
i. Click OK to finish.
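A model of the three batch-edit modes in step d and the "existing users only" option in step h, useful for previewing what a batch edit will change before applying it. This is an added example, not WCM code: the ordering of access levels, the item and principal names, and the treatment of principals with no current access under "maximum" are assumptions.

```python
# Assumed ordering of item access levels, lowest first (not stated in the notes).
LEVELS = ["user", "contributor", "editor", "manager"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed sample: current access per item, keyed by user or group name.
ITEMS = {
    "news-article": {"groupA": "editor", "alice": "manager"},
    "press-release": {"groupA": "user"},
}


def batch_edit(items, principals, level, mode, only_existing=False):
    """Return the {item: {principal: level}} map a batch edit would produce.

    mode "same" sets the level, "minimum" only raises, "maximum" only lowers.
    only_existing mirrors "Only change access for existing users or groups".
    """
    if mode not in ("same", "minimum", "maximum") or level not in RANK:
        raise ValueError("unknown mode or level")
    result = {}
    for item, acl in items.items():
        new_acl = dict(acl)
        for who in principals:
            current = acl.get(who)
            if current is None:
                # Assumption: "maximum" never grants access to a principal
                # that has none, since that would raise their access.
                if not only_existing and mode != "maximum":
                    new_acl[who] = level
            elif (mode == "same"
                  or (mode == "minimum" and RANK[current] < RANK[level])
                  or (mode == "maximum" and RANK[current] > RANK[level])):
                new_acl[who] = level
        result[item] = new_acl
    return result


def changes(before, after):
    """List (item, principal, old, new) for every entry the edit alters."""
    return sorted(
        (item, who, before[item].get(who), new)
        for item, acl in after.items()
        for who, new in acl.items()
        if before[item].get(who) != new
    )


if __name__ == "__main__":
    preview = batch_edit(ITEMS, ["groupA", "alice"], "contributor", "maximum")
    print(changes(ITEMS, preview))
```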
10. WCM Virtual Users/Groups
a. Anonymous Portal users
b. All Authenticated Portal Users
c. All Portal User Groups
d. All Users