User Management Guide

     Previous  Next    Open TOC in new window    View as PDF - New Window  Get Adobe Reader - New Window
Content starts here

Adding and Managing Users

Portal administrators can use the WebLogic Portal Administration Console to add other administrators and portal end-users. Developers might prefer to perform these tasks with JSP tags and controls in Workshop for WebLogic if the portal will have a large number of users. See Adding and Updating Users with JSP Tags and Controls for instructions on adding users with JSP tags and controls. You should set up groups before you add users.

Note: See the Interaction Management Guide for instructions on setting up Personalization. See the Security Guide for instructions on setting up Delegated Administration and Visitor Entitlement.

Administrators with full user management rights can use the following tools to create and manage a small number of users:

Developers can use the following tools to create and manage a large number of users:

Adding a user with any of these methods (except the Java API) adds the user to the user store and creates a basic User Profile that contains the user’s identity (name and password). The Java API does not automatically create a User Profile when you add a user. You can use other user properties (such as address, phone number, e-mail, and so on) to set up Personalization and define rules for Delegated Administration and Visitor Entitlement.

This chapter includes the following sections:

 

Creating Users

This section contains the following topic:

You can add users to WebLogic Portal through internal or external user stores. The default SQLAuthenticator authentication provider and RDBMS user store is included when you install WebLogic Server. You can also access other user stores, such as openLDAP, that already contain your users.

If you have a large number of users stored in a user store, you might want to use the WebLogic Scripting Tool to retrieve those users. You can also use Workshop for WebLogic to programmatically get access to the users. Use the Administration Console if you want to add a small number of administrators with special privileges to manage portal content and users.

Tip: You can use WebLogic Portal’s internal RDBMS user store for large numbers of users and groups. The internal LDAP is sufficient for storing policies for roles and entitlement.

Adding a User

The WebLogic Portal Administration Console lets you access more than one user store, so you can select users and groups from multiple user stores. The Administration Console contains a list of available user stores. For instructions on adding a new external user store, see the Security Guide.

Perform the following steps to create a new user:

  1. In the Administration Console, choose Users, Groups, & Roles > User Management.
  2. Select an authentication provider from the drop-down list above the User tree.

    3. If you are storing users, passwords, and groups in a user store outside of WebLogic Server (such as an OpenLDAP server or Novell NDS), you can connect that provider to WebLogic Server (assuming it is a supported type), and the users in that external provider can log into your portal. In addition to the default RDBMS user store, you can use multiple external user stores in WebLogic Server and WebLogic Portal.

    Tip: WebLogic Portal does not support multiple RDBMS authenticators under a single Security realm.
  3. In the User tree, select Everyone. You can now create a user without assigning the user to a group or you can select a group to which you want to add the user.
    4. Note: If you do not see a list of groups, verify that you built a group hierarchy tree for the user store. If you built a group hierarchy tree and still do not see a list of groups, the user store probably does not allow read access. You can enable read access to the user store by following the instructions in the Security Guide.
  4. Click Create New User.
  5. In the Create New User dialog, enter the new user’s Name, Password, and a Description. The name cannot contain special characters, such as \, <>, #, |, &, ~, ?, (), {}, %, or *. The password must be at least eight characters and is encrypted later. See Figure 9-1.
    6. Figure 9-1 Complete the Fields in the Create New User Dialog Box


    Complete the Fields in the Create New User Dialog Box

  6. Click Create User.

After you create a new user, you can create a User Profile to capture more information about the user. See Editing User Profile Property Values for more information.

 

Accessing Users in an External User Store

If you decide to use multiple user stores (not the default RDBMS user store built into WebLogic Server), most of the effort is setting up and configuring those providers and then connecting WebLogic Server to those providers. You can configure that repository to be writable in the WebLogic Server Administration Console. See the Security Guide for instructions on setting up a single user store or multiple user stores.

After your external user stores are connected to WebLogic Server, you can view its existing groups by building a group hierarchy tree in WebLogic Portal. A tree view of groups provides a convenient visual way to change profile values, find users in groups, and add users and groups to rules for Delegated Administration and Visitor Entitlement. See Building a Group Hierarchy Tree. After you build the group hierarchy tree, you should see the provider’s users and groups in WebLogic Portal.

This section contains two topics that explain how to add additional users to an external user store (such as openLDAP):

Adding a User Directly to an External User Store

See the Security Guide for instructions on setting up a user store and connecting it to WebLogic Server. The default configuration for supported external user stores is read-only access to users and groups from the WebLogic Server Administration Console. If the provider does not allow write access, you must add users in the user store itself.

Perform the following steps to add a user directly to the external user store:

  1. Open the WebLogic Server Administration Console.
  2. In the left navigation pane, select Security Realms.
  3. Click the name of the security realm.
  4. Select the Providers tab and then select the Authentication tab.
  5. Select the user store and select the Provider Specific tab.
  6. Review the settings in the Create User field for the user store. If the Create User field does not appear or it is set to No, you cannot use WebLogic Portal to create a user in this user store. You must create the user or group directly in that provider. (If the User Provider field is set to Yes, you can use WebLogic Portal to create a user.)
  7. Add the user to the user store itself. You might need to contact your development team to determine the best way to do this.

If your external user store contains additional properties for users and groups (for example, e-mail and phone), accessing those properties involves separate development steps for creating a UUP. See Configuring a UUP for instructions.

Adding a User to an External User Store with an Outside Tool

See the Security Guide for instructions on setting up a user store and connecting it to WebLogic Server. The default configuration for supported external user stores is read-only access to users and groups from the Administration Console. If the provider allows write access, you can add additional users to an external user store (such as RDBMS) by adding users in the user store itself.

Perform the following steps to use an outside tool to add a user to an external user store:

  1. To verify that your user store supports using an outside tool to add users, open the WebLogic Server Administration Console.
  2. In the left navigation pane, select Security Realms.
  3. Click the name of the security realm.
  4. Select the Providers tab and then select the Authentication tab.
  5. Select the user store and then select the Provider Specific tab.
  6. Review the settings in the User Editor field for the user store. If the User Editor field appears and is set to Yes, you can use WebLogic Server or WebLogic Portal to create a user in this user store. If you need to make the user store writable, follow the instructions in the Security Guide. (If the User Editor field does not appear or is set to No, you cannot use WebLogic Portal to create a user.)
  7. In the Administration Console, create the new user. Follow the instructions in Adding a User.

Do not store identical user names or group names in more than one user store.

If your external user store contains additional properties for users and groups (for example, e-mail and phone), accessing those properties involves separate development steps for creating a UUP. See Configuring a UUP for instructions.

Tip: If you make changes to any user store configuration setting in the WebLogic Server Administration Console, restart the server. Restarting the server prevents exceptions in the WebLogic Portal Administration Console.

Removing a User Store

If you remove a user store in the WebLogic Server Administration Console, you must also remove the provider from the WebLogic Portal Administration Console.

Perform the following steps to remove a user store from the Administration Console:

  1. In the Administration Console, choose Configuration Settings > Service Administration.
  2. In the Resource Tree, select Security.
  3. In the Browse tab, click Authentication Hierarchy Service, as shown in Figure 9-2.
    4. Figure 9-2 Click Authentication Hierarchy Service to Change Its Settings


    Click Authentication Hierarchy Service to Change Its Settings

  4. Click Configuration Settings for: Authentication Hierarchy Service.
  5. In the Authentication Providers to Build field, select the check box next to name of the provider you want to remove and click Remove Selected.
  6. Click Update.

 

Placing Users in Groups

You can add a user to one or more groups. If your user store does not allow write access to users and groups, you will not be able to add users to groups with the Administration Console. You must add users to groups in the user store directly. See Planning a User and Group Strategy for more information on planning users and groups.

This section contains the following topics:

Adding a User to a Group

Perform the following steps to add a user to a group:

  1. In the Administration Console, choose Users, Groups, & Roles > Group Management.
  2. Select an authentication provider from the drop-down list above the Group tree. The provider should contain the users you want to add.
  3. Select the group to which you want to add the user.
  4. Select the Users In Group tab.
  5. Click Add Users to Group.
  6. Select the check box next to the user you want to add, and click Add. The user you selected now appears in the Add Users To list, as shown in Figure 9-3.
    7. Figure 9-3 Select the User You Want to Add to the Group and Click Add


    Select the User You Want to Add to the Group and Click Add

  7. Click Save. After you add the user to the group, the user will inherit any Delegated Administration or Visitor Entitlement rights that the group already has.

Adding a User to Multiple Groups

Perform the following steps to add a user to more than one group:

  1. In the Administration Console, choose Users, Groups, & Roles > User Management.
  2. Select an authentication provider from the drop-down list above the User tree. The provider should contain the user you want to add.
  3. Select the user you want to add (see Finding a Single User for instructions).
  4. Select the Group Membership tab. The groups to which the user belongs are listed.
  5. Click Add Groups.
  6. In the Search Results list, select the check box next to each group to which this user should belong and click Add. The groups you chose appear in the Groups To Add list. See Figure 9-4.
    7. Figure 9-4 Add a User to More Than One Group


    Add a User to More Than One Group

    To remove a group from the Group to Add list, select the check box next to the group and click Remove Selected.

  7. Click Save.

Viewing a User's Group Membership

A user can belong to more than one group. If you are using an RDBMS user store, be aware of case sensitivity when looking up users and groups. For example, Bob is different than bob.

Perform the following steps to see a list of groups to which a user belongs:

  1. In the Administration Console, choose Users, Groups, & Roles > User Management.
  2. Select an authentication provider from the drop-down list above the User tree. The authentication provider’s user store should contain the user.
  3. Find the user you want to view (see Finding a Single User for instructions).
  4. Select the user’s name. The groups to which the user belongs are listed.
Note: If a list of groups is not displayed, verify that you built a group hierarchy tree for the user store. If you still do not see a list of groups, the user store probably does not allow read access. See the Security Guide for instructions.

Deleting a User From a Group

A group does not own a user, so you can add and remove users from groups without affecting the user's properties. Removing a user from a group removes the user from any Delegated Administration or Visitor Entitlement roles based on that group. For example, if you remove a user from the Administrators group, that user might no longer have full administrative access to the Administration Console.

Removing a user from a group does not delete the user from the system or change the user's profile properties. You can remove multiple users from one group, or remove a single user from multiple groups.

Removing Multiple Users From a Single Group

Perform the following steps to remove multiple users from a single group:

  1. In the Administration Console, choose Users, Groups, & Roles > Group Management.
  2. Select an authentication provider from the drop-down list above the Group tree. The provider’s user store should contain the users you want to manage.
  3. Select the group that contains the users you want to remove.
  4. Select the Users In Group tab.
  5. Select the check box next to each user you want to remove from the group, as shown in Figure 9-5. (If you do not see the user listed, type the user’s name and click Search.)
    6. Figure 9-5 Remove a User From a Group


    Remove a User From a Group

  6. Click Delete.

Removing a Single User From Multiple Groups

Perform the following steps to remove a single user from multiple groups:

  1. In the Administration Console, choose Users, Groups, & Roles > User Management.
  2. Select an authentication provider from the drop-down list above the User tree. The provider’s user store should contain the user you want to manage.
  3. Find the user you want to remove from the groups and select that user. See Finding a Single User for instructions. Groups to which the user belongs are listed.
  4. Select the Group Membership tab.
  5. Select the check box for each group to which the user should not belong.
  6. Click Delete to remove the user from these groups.

 

Managing Users

You can search for a user or update a user’s password in the Administration Console.

This section contains the following topics:

Searching for a User

The WebLogic Portal Administration Console provides a way for you to locate users that are not already members of a selected group. If you need to perform administrative tasks, such as editing User Profiles, removing users from a group, or deleting users from the system, you must first locate those users in the system.

The Delegated Administration and Visitor Entitlement features also provide tools for user lookup when adding users to roles.

WebLogic Portal support two ways to locate users by username:

Finding a Single User

Perform the following step to search for a user by username:

  1. In the Administration Console, choose Users, Groups, & Roles > User Management.
  2. Select an authentication provider from the drop-down list above the User tree. The provider’s user store should contain the user you want to locate. If you know the group that contains the user, select the group. (If you do not see a list of groups, see the Note in Finding Multiple Users.)
  3. Select the Everyone group.
  4. Enter the username and click Search as shown in Figure 9-6.
    5. Figure 9-6 Search for All Usernames that Begin with John


    Search for All Usernames that Begin with John

  5. The user appears in the Browse Users section. If you want to edit the user’s properties or User Profile, click the user’s name.

Finding Multiple Users

Perform the following step to search for users by username:

  1. In the Administration Console, choose Users, Groups, & Roles > User Management.
  2. Select an authentication provider from the drop-down list above the User tree. The provider’s user store should contain the users you want to locate. If you know the group that contains the users, select the group.
  3. If a list of groups does not appear, verify that you built a group hierarchy tree for the user store. If you still do not see a list of groups, the user store probably does not allow read access.
  4. Enter the username and click Search.
  5. The user appears in the Browse Users section. Click the user’s name, as shown in Figure 9-7.
    6. Figure 9-7 Click the User’s Name to Edit User Profile Properties


    Click the User’s Name to Edit User Profile Properties

Tip: If you are using an RDBMS user store, be aware of case sensitivity when looking up users and groups. For example, Bob is different than bob.

Changing a User’s Password

You might need to reset a password if a user lost or cannot remember a password. If you have the appropriate Delegated Administration rights, you can change any user’s password. See the Security Guide for instructions on setting up Delegated Administration.

Ensure that your user knows the new password, because once the password is changed there is no way to find out what it is. If a user forgets a password, a portal administrator must change it again.

Perform the following steps to change a user's password:

  1. In the Administration Console, choose Users, Groups, & Roles > User Management.
  2. Select an authentication provider from the drop-down list above the User tree. The provider’s user store should contain the user whose password you want to change.
  3. Find the user whose password you want to change. (See Finding a Single User for instructions.)
  4. Select the user’s name.
  5. Click Change Password.
  6. Enter the new password in the Password and the Confirm Password fields, and click Update.

 

Removing Users

When you delete a user, you remove the user from the user store. The deleted user is no longer available in any other group or subgroup, and the user will not be able to log into your portal. To get the user back in the system, you must create the user again.

If you want to remove the user from a group without removing the user from the entire system, see Deleting a User From a Group.

If you are using an external user store to store users and groups (one that is not the default RDBMS user store built into WebLogic Server), and you want to remove a user from that provider, the provider might be configured to prevent user removal from an outside tool, such as the Administration Console. See the Security Guide for instructions.

If the User Remover field for the user store is set to No, you cannot remove users from that provider with the Administration Console. You must remove users directly from that provider.

Perform the following steps to delete a user from WebLogic Portal:

  1. In the Administration Console, choose Users, Groups, & Roles > User Management.
  2. Select an authentication provider from the drop-down list above the User tree. The provider’s user store should contain the users you want to remove.
  3. In the User tree, select the user you want to delete. (See Finding a Single User for instructions.)
  4. Click Delete.
Note: You can also delete a user by selecting Everyone in the User tree, selecting the check box next to the user’s name in the Browse Users tab, and clicking Delete.)

If the user is explicitly listed in a Delegated Administration or Visitor Entitlement role, remove that user from the role definition on the Delegated Administration or Visitor Entitlement pages. See the Security Guide for more information.


  Back to Top       Previous  Next