Portal Security Administration
Along with a comprehensive development environment, Oracle Portal provides
centralized administration for the enterprise Portal.
Within the Administer tab you will find the Portal, Portlets and Database sub tabs.
Portal administration will be able to perform the following tasks from these sub
One of the functions available to the Portal administrator under the administer tab
is the login server administrator. The login server administrator can execute a
number of tasks:
SSO user accounts: Maintain and edit user accounts (passwords, email addresses, login privileges). Only Database or Portal administrators should carry out this function.
Login server configuration: Edit the login server configuration settings.
Partner applications: Edit the settings necessary to access partner applications. This may include URLs, logins, and
External applications: Edit the settings necessary to access external applications. This may include URLs,
Access to Oracle Portal and Oracle database objects is controlled by user
authorization. When a user logs in to Oracle Portal, the authorization method
either accepts or denies the user based on the combination of his or her
username and password.
Since Oracle Portal has mechanisms to web enable an Oracle database, there
must be database authorization. Grants allow users to access the database
objects that are used to define and build Portal components. The mod_plsql
gateway controls access to the PL/SQL code that is generated from the
development of Portal components. Portal verifies a user's credentials to ensure
that privileges are set to allow access to mod_plsql components.
Keep in mind that every object within Portal must be accessed based on a
set of privileges.
Portal security - Users
When developing an enterprise Portal site, security must be maintained to
provide data protection.
Oracle Portal has built in security features that ensure site integrity at multiple
levels. Security features exist at both the user level and underlying architectural
Oracle Portal maintains security for users, groups, privileges associated to
applications, and objects. The login server is used to authenticate all users
accessing the Portal environment. The functionality of the single sign-on allows
for authentication across the entire enterprise, without having to login multiple
Oracle Portal provides for several different types of users to be created including
the Database, Portal, and Single sign-on users as described below.
The database user is created to own database objects, components, and
The Portal user is created to access Oracle Portal. When the Portal user account
is created, details, preferences and privileges are established with the Portal
framework, for development and administration.
Keep in mind that Portal users are created to access non-public information
within the Portal development environment.
The Portal user account does not hold express privileges to the database, but
rather only to the Portal environment. This is unlike earlier versions of the
product, like WebDB, where a user would have privileges to not only the
development environment, but also to the database. With this in mind, each
Portal user must be associated with a database schema and have privileges to
view and manage pages.
Single sign-on user (SSO)
The single sign-on user has access to all registered applications.
User Type            Attributes
Database user        Database objects and components
Portal user          Portal privileges
Single sign-on user  Access to applications
To create Portal users, click on the Administer tab then the Portal tab. Click on
the Create New User link. Fill in the information about this user. Mandatory
fields have an asterisk * beside them.
Role assignments and privilege assignments are specified here. If the user is not
going to be part of a group, all privileges must be selected here. If the user is part of
a group, additional privileges can be set.
Portal administrators can manage the user from the Portal User Profile portlet.
When a user is created, the administrator must designate preferences. One
is whether or not the user is allowed to log in to Portal. The check box
Allow User to Log On gives the user the ability to log in to Portal as an authorized
user; if it is unchecked, the user will be considered a public user. Other
preferences are also set here.
Once Portal users have been created, privileges can be set for different types of
objects available in the Portal environment.
Groups are a collection of users who hold the same privileges. When Oracle
Portal is installed, five default groups are created:
The first three are the standard Portal Groups. Assigning users to these groups
is a good way to control access to Portal components
by bringing together users that have common privileges. Review page 325 of
your book for specific privileges on these groups.
To create groups, navigate to the Group portlet and click on the Create New
Keep in mind that when users are added to groups, they can be classified as
group owners. Group owners have the authority to modify or delete the group, or
to change the group's membership. A group owner must be a member of the
When you assign an Oracle Portal user to a group, the user is automatically
granted all the privileges of the group.
To create an Oracle Portal application, you must be a member of the
PORTAL_ADMINISTRATORS or PORTAL_DEVELOPERS groups depending
on your role. To build a new database schema, you must be a member of
the DBA group or be assigned these privileges specifically.
When creating or editing a group you will get this screen:
You see that you are automatically the owner of the group. You can then add users to
your group. The bottom of this page is similar to the user’s individual roles and
privileges. However by giving the entire group these privileges, each user automatically
Authenticated users are not to be confused with other types of groups. An
authenticated user is anyone that logs into Oracle Portal successfully by
providing a valid username and password.
The services portlet provides a number of different options that are useful in
The Global Settings link is perhaps one of the most important pages under the
Administer Portal tab. Here you can define or edit everything from the default
home page to Portal behavior.
Administer Database Tab
The Administer Database tab is designed to provide Portal Administrators with
the ability to interact directly with the database.
The tab can be viewed as two parts:
1. Create schemas
2. Create roles
Interaction with the database
View database information by report
Administer Portlets provides access to view all available portlets within the portlet
repository. You can also register remote providers or provider groups. This will
allow access to portlets outside of the current portal environment.
Access to Objects
Controlling access to Portal objects can function on several levels. Portal objects
can be classified in two ways, public and private. Public objects are accessible by
anyone, even to those users that are not logged into Portal.
Private objects are controlled. Privileges determine to what extent a user or
group of users can interact with the object. Only the creator of the object or
someone with managerial privileges can grant access to the object. In addition,
the global privilege allows complete access to objects of a given type.
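The access rules above, together with the earlier notes on group membership and the Allow User to Log On check box, can be modelled as a small effective-privilege resolver. This is an added example, not Oracle Portal code or its API; the class names, the privilege names "view" and "manage", and the treatment of the global privilege as full manage rights are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Privilege names are illustrative, not Oracle Portal's own identifiers.
VIEW, MANAGE = "view", "manage"

@dataclass
class PortalObject:
    name: str
    obj_type: str                 # e.g. "report", "page"
    creator: str
    public: bool = False
    user_grants: dict = field(default_factory=dict)    # user name -> privileges
    group_grants: dict = field(default_factory=dict)   # group name -> privileges

@dataclass
class User:
    name: str
    can_log_on: bool = True       # the "Allow User to Log On" check box
    groups: set = field(default_factory=set)
    global_types: set = field(default_factory=set)     # types held via global privilege

def effective_privileges(user, obj):
    """Privileges `user` holds on `obj`; pass None for a visitor who is not logged in."""
    privs = {VIEW} if obj.public else set()
    # Without a successful login the visitor is a public user: public objects only.
    if user is None or not user.can_log_on:
        return privs
    # Assumption: creator and global privilege both amount to complete access.
    if user.name == obj.creator or obj.obj_type in user.global_types:
        return {VIEW, MANAGE}
    privs |= obj.user_grants.get(user.name, set())
    for group in user.groups:     # members automatically receive the group's privileges
        privs |= obj.group_grants.get(group, set())
    return privs

def grant(granter, obj, grantee, privilege):
    """Record a grant only if the granter is the creator or holds manage on obj."""
    if MANAGE not in effective_privileges(granter, obj):
        raise PermissionError(f"{granter.name} may not grant access to {obj.name}")
    obj.user_grants.setdefault(grantee, set()).add(privilege)

def audit(users, obj):
    """Map each user name to a sorted privilege list, for reviewing who can reach obj."""
    return {u.name: sorted(effective_privileges(u, obj)) for u in users}

# Constructed sample data.
report = PortalObject("sales_report", "report", creator="alice")
staff = [User("alice"), User("bob", groups={"analysts"}), User("guest", can_log_on=False)]
report.group_grants["analysts"] = {VIEW}
print(audit(staff, report))
```

Running `audit` over every private object is a quick way to spot privileges a user picked up only through group membership.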
Allowing Application Objects to be exposed as a
To allow forms, reports, charts, etc. to be inserted into a page, you must grant
privileges (check expose as provider) to your application first, then to each
component built within the application. To do this:
1. Select the ‘Grant Access’ option listed beside your application.
2. With 10g, the ‘Expose as Provider’ and ‘Inherit Privileges’ options are
checked by default. Verify this.
3. Go into your application by selecting the name of the application.
4. Repeat steps 1-3 for each object within the application that you would like
to be able to put on a page.
Object within Provide page:
Provider Grant Access page
Testing your Access
1. Select ‘My Pages’ from the Pages tab.
2. Select ‘Edit’ from one of your test pages.
3. Select the ‘add portlet’ icon from one of your portlet regions.
4. Select Portlet Repository.
5. Select Portlet Staging area.
6. Select the name of your Provider/Application
7. Select some of the objects listed in your provider.
8. Make sure they show up in the ‘Selected Portlets’ region after being
9. Select OK, then Close.
10. Now, select your page (view page) to make it run.
11. Verify that the objects you selected show up on the page.