Enabling Role-based security management in Oracle Designer 6i/9i/10g through the Repository Object Browser

Managing users and privileges on countless folders, application systems, configurations and workareas, which is the job of the Repository Administrator, can be quite a task. Each privilege on every container object needs to be assigned and revoked manually. If a new developer joins the project with exactly the same set of privileges as his or her neighbour, you still have to grant all privileges from scratch; there is no way to copy a user or apply a template of privileges. Well, that is, unless you are using the Oracle Designer Web Assistant 6i or 9i (ODWA, part of the iDeveloper Accelerators Suite that also contains Headstart and RuleFrame) or you have the Repository Object Browser (ROB) installed.

Oracle Designer product development adopted the Oracle Designer Web Assistant in 2002. It simply took over all ODWA source code from the Netherlands-based Center of Excellence for Custom Development (the team behind CDM, JHeadstart, RuleFrame, Headstart etc.). This code was somewhat – marginally – modified; centralization of boilerplate text in a single package was the most important modification. The support for Roles in Designer was temporarily disabled until product management could find the time to properly assess its impact. Although the Repository infrastructure is prepared for roles – the role PUBLIC is part of every Oracle Designer 6i/9i/10g Repository – it was never fully worked out in detail by Product Development itself. And even though dozens of customers had been using Oracle Designer Web Assistant with Role Management enabled for some time, a careful study was deemed in order. Unfortunately, Oracle seems to have forgotten about this functionality, or at least it is very low on the list of priorities. So here we are: we have the ROB, we have all the code for role-based privilege management, but we cannot use it. Or can we?

Switching on support for Roles in the Repository Object Browser

When adapting ODWA for its ROB incarnation, the Role Management was stripped away in a very simple manner. In the package odwapred (the source for which is found in ORAHOME\repadm61\rob\ddl\odwapred.pkb) the relevant code is still there. However, the functionality can no longer be accessed because four blocks of code have been commented out. These blocks are marked by the (bug) number 2616764. To switch support for Repository Roles back on (and, strictly speaking, switch off product support), uncomment these four blocks of code. The immediate effect is that you will see additional icons that provide access to role-related functions. Download the edited odwapred.pkb package body here. You can easily install it: start SQL*Plus, connect as Repository Owner and run the script. Two precautions are worth taking: keep a copy of the original package body so you can restore the supported version, and compare the downloaded file with your own copy before running it, since a script run as Repository Owner executes with all of that schema's privileges. After the run, check that the package body compiled cleanly (SQL*Plus reports a package body with compilation errors, and SHOW ERRORS lists them).

The ROB online help contains the explanations and descriptions necessary to work with Roles in your Repository. The following is largely an excerpt from the ROB's online help.
[Figure: the ROB Security Manager, where roles can be managed]

Working with Roles

The Repository already contains a role-architecture. When you install a new Designer 6i/9i/10g repository, it will contain a single role: PUBLIC. With the ODWA/ROB we have taken this one step further and allowed you to define multiple roles and allowed you to grant privileges and even roles to roles as well as roles to users. Roles you define in the ROB are visible in the Repository Object Navigator along with all users and the PUBLIC role. You can assign privileges to and revoke privileges from roles just as you do with users.

It is important to realize that the roles are not dynamic. That is, granting a privilege to a role does not immediately cause all grantees of the role to have that privilege. For performance reasons, the role mechanism in Designer is indirect: roles are administrative tools to bundle privileges but have no meaning themselves at run time, when only the privileges held directly by a user are checked. You must ‘reconcile’ roles or users to synchronize the actual privileges of individual users with their roles.

Creating a role

Select the Roles node in the navigator of the Repository Security Manager (click on the string Roles). On the right side of the screen, you should see a green plus sign. If you click on it, a property palette appears that allows you to enter details (name, description) for the new role. When you press the Save button, the role will be created in the Repository tables. From that moment on, you can start granting privileges to this new role, either in the ROB or in the RON.

Granting Privileges

There are three element types to which you can grant access privileges: Workareas, Configurations, and Folders. There are two ways to do this:
1. through the Grant Access Privileges dialog in the Repository Object Navigator (RON) of Oracle Repository
2. through the Security Manager of Repository Object Browser
In both cases you need to have the Admin privilege on the relevant Workarea, Configuration or Folder.

Here we will describe the second method: using the Security Manager. You can use this method both for granting privileges to Roles, and for granting privileges directly to Repository Users. For each element type the Security Manager offers two ways to grant the privileges:
1. starting at the role or user, to grant multiple elements to one role/user: after navigating to the user or to the role (or right after creation of the role), you will see a folder icon in the upper right corner. If you click on it, you will get a list of root folders. Note that for granting a subfolder, you can use the Browse button. In the list of root folders you can choose one or more folders (by using shift- or ctrl-click). Specify the grant options for these folders (and decide if you want to recurse through the subfolders) and press Save.
2. starting at an individual workarea, configuration or folder, to grant this element to multiple roles/users: after navigating to a certain folder or subfolder (either via a workarea or configuration, or via All Containers), you will see a grant icon in the upper right corner if you have the Admin privilege on this folder. If you click on it, you will see a list of roles and users. In this list you can choose one or more grantees (by using shift- or ctrl-click). Specify the grant options for these roles/users and press Save.

Granting Roles to Other Roles or Users

From the Repository Security manager you can grant the role to the Oracle Repository Users.
You are allowed to grant a role if you are the Repository Owner, the Role Owner, or you have the Grant privilege on the role. Be aware that after you have granted the role to users, this does not mean the users immediately have the access rights. You still need to perform a reconcile, see Reconciling.

Starting at the role

After navigating to the right role:

  1. Click on the Grant Role icon. You will only see the Grant Role icon if you have the right privileges.
  2. Select the Grantees (you can use shift- and ctrl-click). A grantee can either be a role or an Oracle Repository User.
  3. Select the privileges.
  4. Decide if you immediately want to reconcile the role (see Reconciling).
  5. Press save.

Starting at the user

After navigating to the right user:

  1. Click on the Grant Role icon.
  2. Select the Roles you want to grant to this user (you can use shift- and ctrl-click).
  3. Select the privileges.
  4. Decide if you immediately want to reconcile the user (see Reconciling).
  5. Press save.

Reconciling Roles

Repository Roles are not dynamic. That means: if you grant a role to a user, the user does not instantaneously inherit the privileges granted to the role. If the role is allowed to see a certain folder, the user will not be able to see that folder just by granting the role to the user. The Role also needs to be reconciled for that user.

Reconciling means: ensuring that a user has all the Folder, Workarea and Configuration privileges that he ‘deserves’ as a result of the role he has been granted. During the reconcile process, the user is granted directly each privilege that is granted to the role that has been granted to him. You can do that by either reconciling the role or by reconciling the user.

Reconciling a role means granting the privileges of the role to every user that has been granted this role. To reconcile a role you need to have the Reconcile privilege on the role.

  1. Select the role in the left pane.
  2. Click on the Reconcile icon in the menu bar.
  3. Decide if you want to do this recursively, in other words: do you want to reconcile the sub roles of this role as well.
  4. Press Reconcile.

Now all the Repository Users that have this role granted to them have the access privileges as specified by this role. Alternative method: check the Reconcile checkbox when granting a Folder, Workarea or Configuration to a role.

Methods for reconciling a role for one particular user:

  1. Check the Reconcile checkbox when granting a role to a user.
  2. Navigate to a user and then to one of its roles, and click on the Reconcile icon (can also be done recursively).
  3. Navigate to a role and then to one of its Granted To users, and click on the Reconcile icon (can also be done recursively).

Reconciling a user means making sure the user gets all the privileges of the roles that have been granted to him. To reconcile a user you need to have the ‘Management of Users’ privilege, which can be assigned in the Repository Administration Utility (RAU) of Oracle Repository.

  1. Select the user in the left pane.
  2. Click on the Reconcile icon in the right-hand menu bar.
  3. Decide if you want to revoke all privileges that are not granted through roles. Warning: if you check this box, you revoke all direct access privileges given to the user that are not also granted via a role!
  4. Press Reconcile.

Now the Repository User has all privileges that have been granted to it through roles.

Revoking Roles

To revoke a role from a user, you need to have Grant privilege on the role.

Either navigate to the user and then to its roles, or navigate to the role and then to its ‘granted to’ users/roles.

  1. Click on the Revoke Role icon.
  2. Decide if you also want to reconcile. If you check this box, you revoke privileges granted to the user through this role, if they are not also granted via another role. Warning: if the privileges of this role were also directly granted to the user but not through any other role, they will still be revoked!
  3. Press reconcile.

Remember that, unless you checked the Reconcile box, after the revoke of the role the user still has all the access privileges he received from the role; he just will not get any new privileges from the role (since he no longer has it). To strip the privileges a user now holds for no obvious reason (that is, not through any role he currently has), reconcile the user with the revoke option checked (see Reconciling).
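To make the non-dynamic behaviour described in the Reconciling Roles and Revoking Roles sections concrete, here is a small Python model added to this article. It is a constructed illustration, not Oracle's Repository API, and it touches no repository. Two things are assumptions of mine rather than statements from the help text: the direction of role-to-role grants (a role granted to another role is treated as a sub-role whose privileges the recursive option pulls in), and the container and privilege names, which are made up.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Priv = Tuple[str, str]  # (container, privilege); all names used below are illustrative

@dataclass
class Role:
    privs: Set[Priv] = field(default_factory=set)
    sub_roles: Set[str] = field(default_factory=set)  # roles granted to this role (assumed direction)

@dataclass
class User:
    roles: Set[str] = field(default_factory=set)    # roles granted to the user
    direct: Set[Priv] = field(default_factory=set)  # the only thing the repository checks at run time

class Repository:
    def __init__(self) -> None:
        self.roles: Dict[str, Role] = defaultdict(Role)
        self.users: Dict[str, User] = defaultdict(User)
        self.roles["PUBLIC"] = Role()  # every repository ships with the PUBLIC role

    # Administration: none of these change what a user can actually do.
    def grant_priv_to_role(self, role: str, p: Priv) -> None:
        self.roles[role].privs.add(p)
    def grant_priv_to_user(self, user: str, p: Priv) -> None:
        self.users[user].direct.add(p)
    def grant_role_to_user(self, role: str, user: str) -> None:
        self.users[user].roles.add(role)
    def grant_role_to_role(self, role: str, parent: str) -> None:
        self.roles[parent].sub_roles.add(role)

    def has_priv(self, user: str, p: Priv) -> bool:
        return p in self.users[user].direct  # enforcement looks only at direct grants

    def role_privs(self, role: str, recursive: bool = True) -> Set[Priv]:
        """Privileges a role carries, plus those of its sub-roles when recursive."""
        out, seen, todo = set(), set(), [role]
        while todo:
            r = todo.pop()
            if r in seen or r not in self.roles:
                continue
            seen.add(r)
            out |= self.roles[r].privs
            todo += self.roles[r].sub_roles if recursive else ()
        return out

    def reconcile_role(self, role: str, recursive: bool = False) -> None:
        """Grant the role's privileges directly to every user holding it (additive only)."""
        privs = self.role_privs(role, recursive)
        for u in self.users.values():
            if role in u.roles:
                u.direct |= privs

    def reconcile_user(self, user: str, revoke_direct: bool = False) -> None:
        """Grant every privilege of every role held; revoke_direct also drops grants no role backs."""
        u = self.users[user]
        via_roles: Set[Priv] = set()
        for r in u.roles:
            via_roles |= self.role_privs(r)
        u.direct = via_roles if revoke_direct else u.direct | via_roles

    def revoke_role(self, role: str, user: str, reconcile: bool = False) -> None:
        """With reconcile, drop the role's privileges unless another role still provides them."""
        u = self.users[user]
        u.roles.discard(role)
        if reconcile:
            still: Set[Priv] = set()
            for r in u.roles:
                still |= self.role_privs(r)
            u.direct -= self.role_privs(role) - still  # a matching direct grant is lost too

def scenario() -> Dict[str, bool]:
    """Grant, reconcile and revoke for one user; every entry comes out True."""
    repo = Repository()
    for role, p in [("DEVELOPER", ("HR_FOLDER", "SELECT")), ("DEVELOPER", ("HR_FOLDER", "UPDATE")),
                    ("REVIEWER", ("HR_FOLDER", "SELECT")), ("ANALYST", ("FIN_FOLDER", "SELECT"))]:
        repo.grant_priv_to_role(role, p)
    repo.grant_role_to_role("ANALYST", "DEVELOPER")  # DEVELOPER now bundles ANALYST as a sub-role
    repo.grant_role_to_user("DEVELOPER", "alice")
    out = {"role_grant_is_not_dynamic": not repo.has_priv("alice", ("HR_FOLDER", "SELECT"))}
    repo.reconcile_role("DEVELOPER", recursive=True)  # recursive, so ANALYST's privileges come along
    out["reconcile_grants_directly"] = repo.has_priv("alice", ("HR_FOLDER", "SELECT"))
    out["recursive_reaches_sub_role"] = repo.has_priv("alice", ("FIN_FOLDER", "SELECT"))
    repo.grant_priv_to_user("alice", ("HR_FOLDER", "UPDATE"))  # direct grant overlapping DEVELOPER
    repo.grant_priv_to_user("alice", ("FIN_FOLDER", "ADMIN"))  # direct grant that no role provides
    repo.grant_role_to_user("REVIEWER", "alice")
    repo.revoke_role("DEVELOPER", "alice", reconcile=True)
    out["kept_via_other_role"] = repo.has_priv("alice", ("HR_FOLDER", "SELECT"))
    out["overlapping_direct_grant_lost"] = not repo.has_priv("alice", ("HR_FOLDER", "UPDATE"))
    out["unrelated_direct_grant_kept"] = repo.has_priv("alice", ("FIN_FOLDER", "ADMIN"))
    repo.revoke_role("REVIEWER", "alice")  # no reconcile: the privileges stay behind
    out["stale_after_plain_revoke"] = repo.has_priv("alice", ("HR_FOLDER", "SELECT"))
    repo.reconcile_user("alice")  # additive, so it cleans nothing up
    out["plain_reconcile_keeps_stale"] = repo.has_priv("alice", ("HR_FOLDER", "SELECT"))
    repo.reconcile_user("alice", revoke_direct=True)
    out["strict_reconcile_removes_stale"] = not repo.has_priv("alice", ("HR_FOLDER", "SELECT"))
    out["strict_reconcile_removes_unrelated_direct"] = not repo.has_priv("alice", ("FIN_FOLDER", "ADMIN"))
    return out
```

The scenario follows the sequence the help text describes: the role grant alone grants nothing, reconciling pushes the role's privileges into the user's direct grants, revoking a role with reconcile also takes away an overlapping direct grant, and after a plain revoke the only operation that removes the stale privileges is a user reconcile with the revoke option, which at the same time removes every direct grant that no role backs.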

Revoking Privileges

There are two ways to revoke folder / workarea / configuration privileges from a role or user:
1. through the Grant Access Privileges dialog in the Repository Object Navigator (RON) of Oracle Repository
2. through the Security Manager of Repository Object Browser
In both cases you need the Admin privilege on the Folder, Workarea or Configuration. In the second case there is an extra requirement when revoking privileges directly from users: you have to have granted the privilege yourself, to be allowed to revoke it again (this is enforced by the Repository API).

Here we will describe the second method: using the Security Manager. Either navigate to the role/user and then to one of its folders, workareas or configurations, or navigate to the folder/workarea/configuration and then to one of its Granted To roles/users.

  1. Click on the Revoke icon.
  2. You will be asked if you are sure you want to do this.
  3. Press ok.

Remember that if you revoke privileges from a role, users with this role still have these privileges until you do a reconcile (see Reconciling).

Deleting Roles

For deleting a role, you need to have both the Grant and the Delete option on the role.

Navigate to the role you want to delete.

  1. Click on the Delete Role icon.
  2. You will be asked if you are sure you want to do this.
  3. Press ok.

Remember that users that used to have this role will still have the privileges of the role, until you do a reconcile (see Reconciling).

3 Comments

  1. Lucas Jellema February 20, 2006
  2. hari February 17, 2006
  3. Lucas December 31, 2004