Oracle WebCenter Sites (WCS) manages users through a combination of its internal user database, Oracle Platform Security Services (OPSS), and integration with external identity providers via Oracle Access Manager (OAM) or LDAP directories. User management is tightly coupled with the Oracle Fusion Middleware security stack.
How Oracle WCS User Management Works
WebCenter Sites distinguishes between:
- CMS Users -- Content authors, editors, and administrators who use the Contributor and Admin interfaces
- Application Administrators -- Users who manage site configurations, asset types, and system settings
- Visitors/Subscribers -- Front-end users managed through the Engage module or external customer databases
Users are assigned Roles (General Admin, Site Admin, etc.) and belong to Sites and ACLs (Access Control Lists) that govern what assets they can read, write, or approve.
Adding Users via the Admin Interface
- Log in to WebCenter Sites Admin at `https://your-server:port/cs/AdminSite`
- Navigate to Admin > User in the menu bar
- Click Add New User
- Fill in the required fields:
  - Username (unique login identifier)
  - Password and Confirm Password
  - First Name, Last Name, Email
- Under General Information, assign:
  - ACLs -- Select access control lists (e.g., `Browser`, `ElementEditor`, `PageEditor`, `SiteGod`)
  - Sites -- Select which sites this user can access
  - Roles -- Assign roles per site (GeneralAdmin, SiteAdmin, AdvancedUser, BasicUser)
- Click Save
Understanding ACLs and Roles
WebCenter Sites uses a dual-layer permission model:
| ACL | Grants Access To |
|---|---|
| Browser | Asset browsing and search |
| ElementEditor | Template and element editing |
| PageEditor | Page creation and modification |
| SitePlanner | Site planning and navigation |
| SiteGod | Full administrative access |
| TableEditor | Database table management |
Roles are site-scoped and determine the user's capabilities within a specific site.
Adding Users via WLST (WebLogic Scripting Tool)
For automated provisioning, use WLST to create users in the embedded LDAP:
```python
# Connect to the WebLogic admin server (placeholder credentials)
connect('weblogic', 'password', 't3://admin-server:7001')

# Navigate to the default authenticator in the security realm
cd('/SecurityConfiguration/mydomain/Realms/myrealm/AuthenticationProviders/DefaultAuthenticator')

# Create a new user: login, initial password, description
cmo.createUser('jdeveloper', 'TempPass123!', 'Jane Developer - Content Editor')

# Add the user to groups
cmo.addMemberToGroup('cs-designers', 'jdeveloper')
cmo.addMemberToGroup('cs-admin', 'jdeveloper')

# createUser and addMemberToGroup write to the embedded LDAP immediately.
# No edit session is open here, so save() and activate() are not called.
```
REST API User Provisioning
If Oracle Identity Manager (OIM) is deployed, use its REST API:
```bash
# Create user via Oracle Identity Manager REST API
curl -X POST "https://oim-server:14000/iam/governance/selfservice/api/v1/users" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $OIM_TOKEN" \
  -d '{
    "usr_login": "jdeveloper",
    "usr_first_name": "Jane",
    "usr_last_name": "Developer",
    "usr_email": "jane@company.com",
    "usr_password": "TempPass123!",
    "Organizations": ["WebCenter Sites Authors"],
    "Roles": ["cs-contributor"]
  }'
```
Bulk User Management
Bulk Import via CatalogManager
WebCenter Sites provides the CatalogManager utility for batch operations:
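```bash
# CatalogManager bulk user import from CSV
# The classpath is quoted so that java, not the shell, expands the wildcards.
# -p puts the password on the command line, where process listings can show it.
java -cp "$WCS_HOME/lib/*:$WCS_HOME/futuretense_cs/WEB-INF/lib/*" \
  COM.FutureTense.Apps.CatalogManager \
  -b https://your-server:port/cs \
  -u ContentServer \
  -p password \
  -x import_users.xml
```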
The import_users.xml descriptor:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<CATALOGMANAGER>
  <IMPORT>
    <TABLE NAME="SystemUsers">
      <ROW>
        <COL NAME="username">editor1</COL>
        <COL NAME="password">encrypted_hash</COL>
        <COL NAME="firstname">Editor</COL>
        <COL NAME="lastname">One</COL>
        <COL NAME="email">editor1@company.com</COL>
      </ROW>
      <ROW>
        <COL NAME="username">editor2</COL>
        <COL NAME="password">encrypted_hash</COL>
        <COL NAME="firstname">Editor</COL>
        <COL NAME="lastname">Two</COL>
        <COL NAME="email">editor2@company.com</COL>
      </ROW>
    </TABLE>
  </IMPORT>
</CATALOGMANAGER>
```
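The descriptor above is usually generated from an HR or ticketing export, so the generator is where untrusted field values need to be validated and escaped. This added example (not Oracle's code and not part of the original page) builds the page's `import_users.xml` layout from CSV text; the username pattern and the sample CSV are assumptions, and the `password` column is passed through as an opaque value.

```python
import csv
import io
import re
import xml.etree.ElementTree as ET

# Columns in the order the page's descriptor lists them.
COLUMNS = ["username", "password", "firstname", "lastname", "email"]
# Assumed username policy for this example (not a documented WCS rule).
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{3,64}$")


def build_import_descriptor(csv_text):
    """Return (xml_string, rejected) for CSV text with a COLUMNS header row."""
    root = ET.Element("CATALOGMANAGER")
    table = ET.SubElement(ET.SubElement(root, "IMPORT"), "TABLE", NAME="SystemUsers")
    seen, rejected = set(), []
    for line_no, rec in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        name = (rec.get("username") or "").strip()
        if not USERNAME_RE.match(name):
            rejected.append((line_no, "invalid username"))
        elif name.lower() in seen:
            rejected.append((line_no, "duplicate username"))
        elif any(not (rec.get(c) or "").strip() for c in COLUMNS):
            rejected.append((line_no, "missing field"))
        else:
            seen.add(name.lower())
            row = ET.SubElement(table, "ROW")
            for col in COLUMNS:
                # ElementTree escapes <, > and & in text, so a crafted CSV
                # value cannot add ROW or COL elements of its own.
                ET.SubElement(row, "COL", NAME=col).text = rec[col].strip()
    if hasattr(ET, "indent"):  # pretty-printing needs Python 3.9+
        ET.indent(root)
    xml = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + xml, rejected


# Constructed sample input; the second data row tries to smuggle in markup.
SAMPLE_CSV = """username,password,firstname,lastname,email
editor1,encrypted_hash,Editor,One,editor1@company.com
editor2,encrypted_hash,Editor,</COL><COL NAME="x">Two,editor2@company.com
editor1,encrypted_hash,Dup,User,dup@company.com
bad user,encrypted_hash,Bad,User,bad@company.com
"""

if __name__ == "__main__":
    descriptor, problems = build_import_descriptor(SAMPLE_CSV)
    print(descriptor)
    print(problems)
```

Rejected rows are returned with their CSV line numbers so they can be corrected at the source before the import is run.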
Bulk ACL Assignment
```python
# WLST script for bulk group assignment
connect('weblogic', 'password', 't3://admin-server:7001')

users_to_add = ['editor1', 'editor2', 'editor3', 'editor4']
target_group = 'cs-designers'

cd('/SecurityConfiguration/mydomain/Realms/myrealm/AuthenticationProviders/DefaultAuthenticator')

for user in users_to_add:
    try:
        cmo.addMemberToGroup(target_group, user)
        print('Added %s to %s' % (user, target_group))
    except Exception, e:
        # Report the failure and continue with the remaining users
        print('Failed for %s: %s' % (user, str(e)))

# Group changes apply immediately; there is no edit session to save or activate.
```
Removing and Deactivating Users
Disabling Users
WebCenter Sites does not have a native "disable" flag on users. To effectively disable:
- Remove all ACL assignments from the user
- Remove all site assignments
- Change their password to a random value
Via Admin Interface:
- Navigate to Admin > User
- Find the user and click Edit
- Uncheck all ACLs and Sites
- Save
Permanent Deletion
- Navigate to Admin > User
- Select the user
- Click Delete
- Confirm the deletion
What happens to their content:
- Content assets retain `createdby` and `updatedby` fields as string values referencing the deleted username
- Workflow instances assigned to the deleted user become stuck (reassign before deletion)
- Revision tracking entries preserve the username in the audit trail
- Approval routing rules referencing the deleted user must be manually updated
- Published pages are unaffected, as they reference asset IDs, not user objects
Deletion via WLST
```python
connect('weblogic', 'password', 't3://admin-server:7001')
cd('/SecurityConfiguration/mydomain/Realms/myrealm/AuthenticationProviders/DefaultAuthenticator')

# Remove user from all groups first
cmo.removeMemberFromGroup('cs-designers', 'jdeveloper')
cmo.removeMemberFromGroup('cs-admin', 'jdeveloper')

# Delete the user
cmo.removeUser('jdeveloper')

# Removals apply immediately; there is no edit session to save or activate.
```
LDAP and SSO Integration
Oracle Access Manager (OAM) SSO
For enterprise environments, Oracle WebCenter Sites integrates with OAM for single sign-on:
- Deploy the OAM WebGate agent on the WebLogic server hosting WCS
- Configure WebGate to protect the WCS URLs (`/cs/*`)
- In the OAM admin console, create an Application Domain for WCS:
  - Protected Resource: `/cs/**`
  - Authentication Scheme: LDAPScheme (or FederationScheme for SAML)
  - Authorization Policy: map LDAP groups to WCS roles
- Configure WCS to trust the OAM header (`OAM_REMOTE_USER`):
  - Edit `wcs_properties.json`:

    ```json
    {
      "cs.sso.enabled": "true",
      "cs.sso.header.username": "OAM_REMOTE_USER",
      "cs.sso.auto.provision": "true"
    }
    ```
- Restart the WCS managed servers
LDAP Directory Integration
WebLogic's embedded LDAP can be replaced with an external directory:
- Open the WebLogic Admin Console
- Navigate to Security Realms > myrealm > Providers > Authentication
- Click New and select `OracleInternetDirectoryAuthenticator` (or `ActiveDirectoryAuthenticator`)
- Configure:
  - Host: `ldap.company.com`
  - Port: `636` (LDAPS)
  - Principal: `cn=admin,dc=company,dc=com`
  - User Base DN: `ou=People,dc=company,dc=com`
  - Group Base DN: `ou=Groups,dc=company,dc=com`
- Set the Control Flag to `SUFFICIENT`
- Reorder providers so LDAP is checked before the DefaultAuthenticator
- Restart the security realm
Users from the LDAP directory can now log in to WebCenter Sites. Map LDAP groups to WCS ACLs using the Role Mapping providers in WebLogic.
Access Audit Checklist
- Review all users in Admin > User quarterly, noting ACL and site assignments
- Check WebLogic Admin Console for users in the embedded LDAP who no longer need access
- Audit the `SystemUserAttr` table in the WCS database for stale user records
- Verify OAM session policies and timeout configurations
- Review workflow participation rules for references to deleted or inactive users
- Check CAS/SAML federation metadata certificates are not expired
- Document all user provisioning and deprovisioning in Oracle Identity Manager or your ITSM tool
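Several checklist items, together with the disable procedure under "Disabling Users", can be cross-checked from exports instead of by eye. This added example (not Oracle tooling and not part of the original page) assumes three inputs gathered beforehand: WCS users with their ACLs and sites, WebLogic group membership, and workflow assignees. The data layout, the site name and the sample accounts are constructed for illustration.

```python
def audit_access(wcs_users, weblogic_groups, workflow_assignees):
    """Return sorted (username, finding) pairs for accounts needing review."""
    findings = set()
    disabled = set()
    for name, rec in wcs_users.items():
        acls, sites = set(rec["acls"]), set(rec["sites"])
        if "SiteGod" in acls:
            findings.add((name, "holds SiteGod (full administrative access)"))
        if not acls and not sites:
            disabled.add(name)  # the page's definition of a disabled user
        elif not acls or not sites:
            findings.add((name, "partially disabled: ACLs or sites remain"))
    for group, members in weblogic_groups.items():
        for name in members:
            if name in disabled:
                findings.add((name, "disabled in WCS, still in group " + group))
            elif name not in wcs_users:
                findings.add((name, "in group " + group + ", no WCS user record"))
    for name in workflow_assignees:
        if name in disabled or name not in wcs_users:
            findings.add((name, "workflow step assigned to inactive user"))
    return sorted(findings)


# Constructed sample exports (hypothetical layout and accounts).
WCS_USERS = {
    "jdeveloper": {"acls": ["Browser", "PageEditor"], "sites": ["Marketing"]},
    "rootadmin": {"acls": ["Browser", "SiteGod"], "sites": ["Marketing"]},
    "editor1": {"acls": [], "sites": []},             # fully disabled
    "editor2": {"acls": [], "sites": ["Marketing"]},  # sites never removed
}
WEBLOGIC_GROUPS = {
    "cs-designers": ["jdeveloper", "editor1"],
    "cs-admin": ["rootadmin", "editor9"],
}
WORKFLOW_ASSIGNEES = ["jdeveloper", "editor1", "editor3"]

if __name__ == "__main__":
    for user, finding in audit_access(WCS_USERS, WEBLOGIC_GROUPS, WORKFLOW_ASSIGNEES):
        print("%-10s %s" % (user, finding))
```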