How to use Item Level security
I am working on portal 9.0.2.6.18.
I have a folder with 1000 items. I want to grant groupA
access to 997 items and
(Group B,GroupA) access to 3 items.
How do i do this.
Here is what i tried:
1.enabled item level security on folder
2.granted folder level access to groupA and groupB
3.Changed access of 997 items to grant access to GroupA
4.Did nothing to the 3 items which i wanted to give access to GroupA,GroupB
Is there a better way of achieving this?
I am not really comfortable granting folder level access to groupB, because if i miss overwriting privileges of an item (in step 3), then groupB will have access to that item. I would love to change just 3 items because they are the exception.
How is this feature supposed to be used?
Thanks
Harish
Martin,
Thanks for the reply. I just cited 1000 items folder as an example. We have various complex combination of security requirements for folders and items. So creating sub-folders for each combination will not work for me.
Everytime the security requirements change we have to move the items around, which can confuse users. And sometimes we have to create sub-folders to workaround the item-level security problems even when there is no logical business classification to a set of items.
Harish
Similar Messages
-
Change item level security using wwsbr_api.modify_item
Hi.
Im using wwsbr_api.modify_item for change item level security.
Its code for change type access for item of my procedure
l_masterid := portal30.wwsbr_api.modify_item(
p_master_item_id => 7061,
p_item_id => 7062,
p_caid => 136,
p_folder_id => 1,
p_display_name => 'test',
p_region_id => 5,
p_access_level => portal30.wwsbr_api.item_access,
p_text => 'test change item security',
p_addnewversion => true, -- My content area have item versioning
level is audit
After execute my procedure access type = folder.
I see in wwv_things table new record
masterthingid = 7061,
id = 7064,
security = 'folder'
How to change item level security programmatically?
ThanksJerry,
Please forgive me for persisting with this, and thankyou for your continued patience, but let me try to explain the issue I'm having in another way...
I have a function that calls wwsbr_api.modify_item to change, say, the description. In this case "description" is the one and only thing I want to change about the item. As you've described above, I am able to query most things associated with the item (via wwsbr_all_items, wwsec_api.grantee_list, etc) so that I can pass current values to the wwsbr_api.modify parameters. However, I haven't found a way to query the current level of access control for a given item (i.e. wether it is currently set to ITEM_ACCESS, FOLDER_ACCESS, or null). As documented, I can force the item to be ITEM_ACCESS or FOLDER_ACCESS. However, I don't want to force a value and as we have concluded, passing null will nullify the current state.
So, in summary, an answer to this question will solve my problem:
Is it possible to query the current access control level of an item (either directly via one of the published views or indirectly via one of the views)?
If the answer is yes - great that solves my problem. How please?!?!?
If the answer is no - this must be a bug is it would mean that it isn't possible to use wwsbr_api.modify_item without inadvertently altering the current access control level of the item.
Again thanks for your patience...
Mark -
Edit Folder link always is visible if Item Level Security is enabled
Hi,
When Item Level Security is enabled in a folder, it show the 'Edit Folder' link, instead if the user is not authenticated.
Does anybody know how to remove this link???
Thanks.We to have experienced this behavior. Is this a bug?
The Edit Link generated does not allow the user to "edit" any items, but shows the Administration link. This is not a good thing. This makes using Item Level Security very difficult, from the standpoint of User Interface and confusion.
We are looking into creating a portlet to dynamically generate an "Edit Folder" link to replace the current one. However, we have doubts this will work.
Dean
- Solaris
- Portal 3.0.9.8.2
- 8.1.7.3
(Awaiting Release 2!) -
How to implement row level security?
Hi all,
There is a database which is for 3 companies to use it and how to use row level security to make sure that they can only manipluate their own data? For example, "employee" table, for each company they just can see their own employees information. How to use dynamic view to do it?
Many Thanks
AmyHere are two options to achieve what you want.
A. You can do this by coding, that's if you are ready to. Are you? If yes then try the steps below:
1. create a security codes table. Say for example
001 - company a
002 - company b
2. create a security table that will list all users and which company they should have access to. You can also implement this by roles.
3. alter all tables in the application schema to add a security code column. This will be a foreign key reference to table created in 1 above.
4. update all data in the tables according to which company they belong to.
5. write a procedure or package that does a validity check whenever a user requests for data. This procedure/package determines which company data the user has access/rights to.
With this, you should be able to achieve what you want if you do not want to spend on VPD and FGAC. The problem comes where there are users who would have cross access to data from both companies. In this regard, then you have to modify your security table a little bit to handle this.
B. This option i will admit is not so clean. You can also achieve this by two different views for every table in the application schema. And on each of these views, create a private synonym for every user. For illustration purposes:
Table name = Employee.
Create a view employee_a on employee
create a view employee_b on employee
Let's say you have users x and y. X has access to employees of company a and y has access to employees of company b. You can now create private synonyms for each of these users as follows:
create synonym employee on employee_a in x schema.
create synonym employee on employee_b on y schema.
This i have not tried but believe should work.
Hope one of these options serve your purpose. -
WWSBR_ALL_ITEMS and item level security - BUG?
Hi,
View WWSBR_ALL_ITEMS does not seems to work correctly when using item level security on a folder.
If I add an item to a folder with item level security enabled and do NOT define any special access settings for this item, ie the item setting is "Inherit Parent Folder Access Privileges", then the view does not return the item.
Has anyone else run into this? Is it a bug?
Any help appreciated.
Portal 3.0.9.8.0
Oracle8i Enterprise Edition 8.1.7.0 - 64 bit
IBM AIX 4.3.3I've been informed that patch 3.0.9.8.2 will solve the problem. Sorry about the double post.
-
Item Level Security - Performance impacts
We are planning to use Item Level Security but have read in the help that this means folder caching is not used. This will mean a performance degradtion.
Has anyone used Item Level Security and ran into performance problems ?
If so any guidelines on what is an acceptable limit in turns of size of content areas, number of items etc.
Thanks
Simon.I'd appeciate a reply as well. For now I've been using content as a PL/SQL stored procedure in a package and then wrapping is_logged_in code around it. It works but isn't cusomizable.
-
How programmatically "enable" the Page to have Item level security
Some body known how do we programmatically "enable" the Page to have
Item level security. - analogous to checking the box in the Page edit mode for "Enable item level security"Hi, I only know portal.wwsbr_api.enable_ils_for_item.....
You can perform actions on multiple objects simultaneously.
Navigator > Page Groups(TAB) > PageGroup > Page > actions(link)
Click on actions link and in LOV, select "Enable ILS".
Hope this help. -
How can I enable item level security on a menu?
I would like different users to see only parts of a menu.
Portal 3.0.8.9.2
I unchecked the "Inherit from Component" checkbox and can grant security to the menu as a whole, but not to a submenu or item. Is this possible?
Thanks,
GaryHi Gary
Although we are using version 3.0.9.8.1 I don't think that this makes the difference. For me there is a certain contradiction between your basic question and your actual answer.
My conclusion: In the matter of fact you didn't uncheck the 'inherit from component' checkbox in the develop tab, but the 'inherit from application' one in the access tab,
what is wrong and doesn't help to solve your problem!
Find the 'inherit from component' checkbox - by editing the top level menu - near checkboxes like 'inherit from component' under COMMON OPTIONS like e.g. 'Show Timing' or 'Log Activity' and uncheck it. The SECURITY 'multi select box' is shown immediately.
Hope this helps!
Thanks
Peter -
Hello:
Requesting clarification on a Content API question in 10G
Using the APIs, I have created a Page and an item heirarchy in the same page. Now in order to assign item level security, I need to call the following API to "enable" item level security on the specified item -
wwsbr_api.enable_ils_for_item(
p_master_item_id => v_category_id2a
,p_caid => v_page_group_id
,p_folder_id => v_new_page_id);
However, this throws an exception wwsbr_api.ILS_DISABLED
meaning -
"The page does not allow Item Level Security.
Cannot add item specific privileges."
But, how do we programmatically "enable" the Page to have
Item level security. - analogous to checking the box in the Page edit mode for "Enable item level security"
Thanks
-AnanthI'd appeciate a reply as well. For now I've been using content as a PL/SQL stored procedure in a package and then wrapping is_logged_in code around it. It works but isn't cusomizable.
-
We have an out of the box solution where users can log there meeting minutes in a custom list. The security of the site consists of about a 100 SharePoint groups which are being used throughout the site collection with different permissions.
For the purpose of this solution we have each group belonging to one of four logical roles (Directors, Power Users, Employees (Internal) and Employees (External). There are about 50 groups that fit the role of Employees. We want to make sure that users can
access only the items if they belong to this logical role. That means that an item created by employee has to be accessible by 50 groups.
What would be the best practice to apply security in this situation since for item level security it would require that inheritance be broken at item level and 50 groups added to the permissions of that item.
RegardsWe are often discouraged from using folders, but security is one place they are quite useful. Create one folder for each of your top level groups (Directors, etc), break inheritance on the folder and assign your 50 groups. Upload a file to the folder and
all of the security you need has been applied. You general users don't need to know about the folders. Create view that "Show all items without folders". Keep one view with folders displayed for uploading files.
Mike Smith TechTrainingNotes.blogspot.com
Books:
SharePoint 2007 2010 Customization for the Site Owner,
SharePoint 2010 Security for the Site Owner -
Setting up item level security access
Hello,
I am new to Oracle Instant Portal and I'm trying to figure out how to set up item level security on a particular tab page. Can anyone give step by step instructions on how to make it work?
So, say that I have a tab page called HR. On that HR page, I have 3 items. For item1 and item2, I want user1 to have view access to these only, and for user2 they could have view access to item3 only.
I checked the option in the HR page's Page Access settings to Enable Item Level Security, saved the changes, and even cleared the cache, but it doesn't seem to give me any new functionality where I could specify that for item1 and item2, only user1 should have access to it, and for item3, only user2 should access it.
Can someone please help?
Thanks!Please disregard--I figured out how to do this:
1. When you are editing the page, you must click on the "Edit Item" icon next to the item.
2. Then click on the Access tab in the upper right.
3. Select Define Item Level Access Privileges and click Apply.
4. In the Grant Access section that now appears just below, select the user id you want to grant access to the item and then click Add. -
Search itens with item level security enabled
Hi,
I have a page that "item level security" enabled.
I am doing a select to get itens...
How can I get only itens that current user have view permission?
select wv.title,
wvt.numbervalue,
wv.description,
'/pls/portal/url/ITEM/'||wv.guid link
from portal.wwv_things wv,
portal.wwv_thingattributes wvt
where wv.siteid = 271
and wv.itemtype = 'basefile'
and wv.subtype = 498194
and wv.active = 1
and wv.language = 'us'
and wv.id = wvt.masterthingid
and wv.siteid = wvt.siteid
and wvt.attributeid = 1354
and wvt.attribute_siteid = 0
and wvt.valuetype = 'number'
order by wv.title;I found the view. Thanks
portal.WWSBR_ALL_ITEMS -
Categories and Item Level Security
Hi,
We have implemented item level security on our pages. We also use Categories so that a user can retrieve all content that falls into a particular category easily e.g. address books or Policies and Procedures.
The desire is that if a user clicks on a category and an item the user normally would not see because of item level security on the page where the content is located, then the user should not see that item among all the other items returned by the category search.
What is happening is either that a link to the item is returned among all the other items in the category or we get an access error for the entire category.
We have tried playing with the settings on the template used for the category and with the access on the category result page but have not found the magic bullet yet.
One other interesting behavior in the situation where the restricted item is visible in the returned category search is that clicking on the Page link (instead of showing the page group the item is on, we show the link of the page the item is on)it takes us to the page and the display link for the secured item is now visible followed by what looks like a "smudge" type of character. The item's link can then be clicked and the item's content is now available to the user.
Thanks in advance for any help,
PeterTabs don't work with Item Level Security in 9.0.2. Fixed in the upcoming 9.0.2.6 release.
Regards,
Jerry -
Hi,
We are using portal version 3.0.9. We are trying to implement security at the item level and have super-user rights. According to <http://portalstudio.oracle.com/help/sblgrapi.htm>, if you scroll all the way to the bottom it says that "You cannot enable item level security for items in the Portlet Repository content area." I am assuming that this Portlet Repository content area is referring to the Administer->Display Portlet Repository ->Seeded Providers -> Portal Content Area -> Content Areas
The items that we want to secure are currently in the folder called "other providers" but I can also access the items from within the portal repository content areas.
So far I have been specifying access to the page, the category, the folder, and the item, and when I log in as a view only user I still can see things that I shouldn't. Perhaps, it is because it is somehow still in the repository?
I think that I am missing a step somewhere. I have cleared inherit privileges and enable item level security wherever I could find that option while editing. Has anyone successfully added security to even a folder?
Thanks in advance.
Best Regards,
LindsayLindsay,
I'm not sure if this is what you are looking for, but you can secure access to portlets that are shown in the portlet repository
through the Access tab that is available when you "Edit" the portlet entry in the Edit Folder view of the Portlet repository.
[ol]
[li]Go to the portlet repository
[li]Navigate to the appropriate folder
[li]Edit the folder
[li]Click on the Edit link beside the portlet of interest
[li]Click on the Access tab
[li]Turn on access control and specify privileges on the portlet.
[ol]
See if this is what you are looking for, or let me know if I'm off base. -
Hi forum,
I have a page group in portal 10.1.4 say pagegroupA with several sub pages beneath it. Item level security (ILS) has been enabled for the page group and the option display page to public is checked. I am trying to enable ILS such that if userA posts to any page in this pagegroup, he should be able to see only his content. Similarly, userB should be able to see only the content that he posts. UserA is a member of groupA and userB is a member of groupB. I am using the enable_ils_for_item and add_item_ils_privileges API to achieve this.
<p>
Wwsbr_Api.enable_ils_for_item( p_master_item_id => masterthingid, p_caid => pagegroupA_ID, p_folder_id => someSubPageInPagegroupA_ID );
portal.Wwsbr_Api.add_item_ils_privileges(
p_master_item_id => masterthingid,
p_caid => pagegroupA_ID,
p_folder_id => someSubPageInPagegroupA_ID,
p_itemview_group =>arrayOfgroupA_ID );
This seems to work in that when the user logs out of portal, the item is not displayed to the public. However, when userA logs in, he can see items posted by userB and vice versa (userB can see userA's items). Am I missing something either in the code, page group configuration or user setup?
ThanksI recommend you using the wwsbr_api only for managing content (that includes enabling the ILS for a page). But for assigning privileges to items, pages, whatever, I recommend using wwsec_api (set_user_acl, set_group_acl, etc). It is more reliable.
PS: This would be a good post for a more specific forum: Portal Developer Kit (PDK)
Maybe you are looking for
-
Accounting for varying values in Data merging
Hi everyone, I've been asked to create a template for a degree certificate. So far I've created an InDesign document and used data merge to import the data from a .csv file. I've also used GREP styles to resize the name of the degree when it's longer
-
I have a new 21 inch iMac Applications (chrome, adium, iTunes) crash everyday After I force quit them they don't open again and... I can't do a restart without hitting the power button After I restart it that way I have to reboot in safe mode or airp
-
Hi, all, I wrote a program with multiple frames. The topist frame contains a menu1.jsp page and a content1.jsp page. The content1.jsp page cotains another frame which has a menu2.jsp page and content2.jsp page.
-
lets say theres this signal in volts. if you plot the signal it forms a sine graph. is there any way to use labview to determine the frequency of the signal? i've tried to use the "measure frequency vi" but my device is connected to a virtual channel
-
How to import nef and psd versions of the same file ?
Hi, I am new to this so please forgive any daftness. I am trying to import from a folder with nef and psd versions of the same file. Lightroom does not seem to recognise the nef if a psd exists. In fact if I specifically try to import the nef later,