Mixed authentication and authorization in UCM 11g
By Kyle Hatlestad on Dec 03, 2010
I recently learned that one of the side benefits of moving to the WebLogic Server architecture in UCM 11g is the ability to run in a mixed authentication and authorization model. What I mean by that is the ability to be authenticated through WebLogic Server (which has its own internal store or hooks up to LDAP/Active Directory) but have your authorization (Roles and Accounts) come from UCM.
This means that you don’t have to create groups in LDAP/Active Directory and assign them to your users in order for them to inherit those Roles and Accounts in UCM. Instead, you are able to assign them directly in UCM through the User Admin applet.
In order to do this, the only requirement is that the username used for authentication in WebLogic Server must match the username defined in UCM. Then in UCM, you have that user defined either as a Local or Global user.
When you log into UCM 11g for the first time, a user record will get added to the database which defines the user as ‘external’. User information like full name and email is stored, but authentication and authorization would still be done by WebLogic Server. All you need to do is highlight the user in the User Admin applet, click the Change button, and change them into a Local or Global user. Once you do that, you can do the Role and Account mapping for the user.
For a more automated way, you can use a spreadsheet like I blogged about in this previous post to quickly populate your UCM instance with the users and their account information. Again, simply make sure the username matches between LDAP/AD and UCM.
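Because the whole model hinges on the username in WebLogic Server matching the username in UCM, it is worth reconciling the two lists before (and periodically after) you start assigning Roles and Accounts in UCM. The script below is an added example, not part of the original post or of UCM itself: it takes an exported list of LDAP/AD account names and a list of UCM user records and reports users that match, users that still sit as ‘external’ records with no UCM authorization, names that differ only in letter case, LDAP users with no UCM record at all, and Local/Global users in UCM that have no directory identity behind them. The record field names (`name`, `auth_type`) and all sample values are constructed for illustration and are not UCM's own schema.

```python
"""Reconcile WebLogic/LDAP account names against UCM user records.

Added example, not from the original post or from UCM. Assumes you have
exported account names from LDAP/AD and the user list from UCM; the field
names ("name", "auth_type") and sample values are constructed, not UCM's schema.
"""
from dataclasses import dataclass, field

# Constructed sample data: what an LDAP/AD export and a UCM user list might look like.
LDAP_NAMES = ["jsmith", "mjones", "Alee", "pwong"]
UCM_USERS = [
    {"name": "jsmith", "auth_type": "LOCAL"},     # matched: WLS authenticates, UCM authorizes
    {"name": "mjones", "auth_type": "EXTERNAL"},  # logged in once, never switched to Local/Global
    {"name": "alee", "auth_type": "GLOBAL"},      # differs from LDAP only in case
    {"name": "oldadmin", "auth_type": "LOCAL"},   # has UCM roles but no directory identity
]


@dataclass
class ReconcileReport:
    matched: list = field(default_factory=list)         # Local/Global in UCM, exact name in LDAP
    still_external: list = field(default_factory=list)  # in both, but UCM record is still 'external'
    case_mismatch: list = field(default_factory=list)   # (ldap_name, ucm_name) pairs to review
    not_in_ucm: list = field(default_factory=list)      # LDAP users with no UCM record yet
    not_in_ldap: list = field(default_factory=list)     # UCM users with no WLS/LDAP identity


def reconcile(ldap_names, ucm_users):
    """Compare the two lists and sort every user into exactly one bucket."""
    report = ReconcileReport()
    exact = set(ldap_names)
    by_lower = {n.lower(): n for n in ldap_names}
    seen_ldap = set()

    for user in ucm_users:
        name = user["name"]
        auth_type = user["auth_type"].upper()
        if name in exact:
            seen_ldap.add(name)
            if auth_type in ("LOCAL", "GLOBAL"):
                report.matched.append(name)
            else:
                # Authentication works, but no UCM Roles/Accounts until changed to Local/Global.
                report.still_external.append(name)
        elif name.lower() in by_lower:
            # Flagged for review: whether these resolve to one user depends on
            # directory and UCM configuration, so do not assume they do.
            ldap_name = by_lower[name.lower()]
            seen_ldap.add(ldap_name)
            report.case_mismatch.append((ldap_name, name))
        else:
            # Stale authorization: roles assigned in UCM with nobody able to authenticate as that name,
            # or a name that could be claimed if such an account is later created in the directory.
            report.not_in_ldap.append(name)

    report.not_in_ucm = [n for n in ldap_names if n not in seen_ldap]
    return report


def summary_lines(report):
    """Render the report as one line per bucket for a quick review."""
    return [
        f"matched:        {', '.join(report.matched) or '-'}",
        f"still external: {', '.join(report.still_external) or '-'}",
        f"case mismatch:  {', '.join(f'{a}/{b}' for a, b in report.case_mismatch) or '-'}",
        f"not in UCM:     {', '.join(report.not_in_ucm) or '-'}",
        f"not in LDAP:    {', '.join(report.not_in_ldap) or '-'}",
    ]


if __name__ == "__main__":
    for line in summary_lines(reconcile(LDAP_NAMES, UCM_USERS)):
        print(line)
```

Feed it your real exports and work the buckets from the bottom up: the "not in LDAP" entries are UCM accounts carrying Roles and Accounts that no WebLogic identity can use and should be cleaned up, the "still external" entries are the users you still need to switch to Local or Global in the User Admin applet, and the case mismatches are the ones to correct on whichever side is wrong before the spreadsheet import.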