Friday, May 29, 2009

Are you getting ripped off by your Oracle ECM consultant?

It's absolutely maddening! A couple of days ago I got a call from Alex. He was too busy to help out a client and wondered if I could help them out. I asked what they needed done. Guess what? Yet another new Oracle ECM client was badly burnt by a large consulting shop.

First they paid $250/hr plus travel and accommodation for a consultant to come on site for two weeks and "design an implementation approach". What they ended up getting for over $25,000.00 is a copy of their own technical architecture document with a few pages of Oracle "Planning and Implementation Guide" plugged in. That's all! Like that wasn't enough?

The client proceeded anyway. They invested in the Content Server licenses and needed ECM up... Another month and 25% of their budget later they had a few requirements workshops done and a requirements gathering template partially filled in. They've seen a PM, BA, an ECM consultant and an architect. No results! Isn't that NUTS?

That amount was sufficient to have their environments rolled out and users trained in ECM but all they got is a couple of useless documents. What a rip-off!

I understand that replying to an RFP costs money but why does the client have to pay for it?

If any one of you tells me another story like this - I'll be banging my head against the wall and screaming until my neighbour comes back from their night shift and stops me! I cannot take it anymore! Can't you guys see who you are hiring?

OK, I understand that frustration doesn't help much, so let me give you a few red flags to look for:
  • Forced methodology. When a consultant "recommends" very insistently that you have them produce a document or other "artefact" because it's required by their methodology - be sure to question that and get your own independent assessment of what kind of return you'd be getting on this investment.

  • Withholding knowledge. Unless you plan on retaining the consulting shop indefinitely, put very specific controls in place regarding the knowledge transfer. Be sure that consultants are ready and willing to explain every step they take and help your full-time staff follow in their footsteps. Verbal promises on behalf of the sales team are usually not enough to get that in place.

  • Unnecessary consultants. Before authorizing a team of consultants to start working on your project - are you sure you understand what every one of them is doing? Are you sure you will be getting value for what you pay for EACH ONE of them?

  • Inflated estimates. This one hardly needs any explanation. As long as you don't have in-house Oracle ECM expertise - you are completely at their mercy as far as the estimates are concerned. They are free to double and triple the time things actually take and you won't even know when to object.

  • Weak or no guarantee. The typical 30-day guarantee, under which consultants fix the bugs you find after the project is complete, is not much help:

    • Does it protect you from the project taking five times longer than they promised?

    • What about the one that delivered five times less than you expected, where everything over and above the out-of-the-box Content Server deployment is a "Change Request" and costs extra?

    • Also - do you seriously expect them to fix bugs FOR FREE at the same pace they did when they were paid? Come on! Those developers were reassigned to another project a week before your last payment came out!

Hope those will make you a little more prepared to deal with not-so-honest consultants or minimize your losses if you already have one of these by your side.

Can they still cheat you?

Well, now that you will be noticing the "tricks of the trade" it will be harder for them to do, but many will continue to get away with it until you have in-house Oracle ECM expertise ... and - despite what they tell you

- you actually can get good working knowledge of Oracle ECM in just a few days and

- NO - it won't require sending your people for an expensive several day course... Street-Smart clients choose Guerrilla Training Tactics - check out http://www.stellentexperts.com/ for world's fastest Oracle ECM education.

That's all for now,

Best,
Dmitri

Tuesday, March 17, 2009

Fastest way to understand security model I know about

At last! After years of struggling to explain the Content Server security model to my clients - I finally got it!

A while back when I was first learning it myself - it took me about an hour to understand how the role-based component alone is used. But when I tried to add on accounts... Later that day there were five of us desperately trying to cut through the mess of multiple dimensions and confusing terminology. It took us several hours of screaming around a white board just to begin seeing some light at the end of the tunnel...

It always bothered me greatly to look at my customers suffer through trying to get their head around it. Many just gave up and were forced to rely on consultants for explanation... Not any more!

So here it comes

I finally realized that most humans are not good at piling on multiple dimensions ... and I see no benefit in looking at all the components of the security model at once! When clients were introduced to only one component of the model at a time and asked to keep them separate in their heads (and their diagrams) - the confusion quickly subsided or didn't appear in the first place!

My free Content Server Course provides an easy and detailed explanation. Subscription is at the bottom of this article

Saturday, March 7, 2009

Gain Complete Working Knowledge Of Content Server In 5 Days Or Less In Just Minutes A Day - 100% GUARANTEED

Content Server Running Start Course is now available!

I did my best to put everything you'll need to stand comfortably on your own two feet, so you won't have to spend a single penny on consulting or other Content Server education... and this is the easiest course to follow that I know about...

Seasoned Professionals - don't be so quick to dismiss it! Are you sure you're crystal clear on all the topics I cover like building a portable virtual testing environment and my own approach to security model?

Check it out at http://www.stellentexperts.com/se/running_start.htm

Wednesday, March 12, 2008

Are you crystal clear on Stellent security model

Last week I was doing one of my presentations on the Stellent security model. It's stunning how, after all these years, this of all Stellent aspects still manages to confuse even the most experienced admins. ARE YOU CRYSTAL CLEAR ON STELLENT SECURITY MODEL? If not – here's your magic bullet – it requires a paradigm shift.

Start with the basic terminology. You will need to understand what Stellent means by commonly used terms such as "group" or "account". Believe me – it's not what everyone's thinking!

When you get comfortable with the glossary – draw a diagram of how all of this fits together. Drive home how content is assigned into groups, how group access is controlled by roles and how the account hierarchy works.

Once you get that down – check how Folders are used to impose a virtual hierarchy on an otherwise flat repository.

Check out my presentation below. It covers the same ground in a little more detail and may become a good road map for you…. Good luck

Oracle Stellent
SECURITY model

Lessons learned

Dmitri Khanine

dk at stellentexperts dot com

Oracle Stellent Security

• Powerful but can be confusing

• Requires careful planning

• Professional help is not always an answer

– Why? Explained later in this presentation….

Security Model Overview

• Any security model made of:

– Authentication

– Authorization

• Authentication

– Stellent

– Windows

– Active Directory

– LDAP

– Custom

• Authorization

– Groups

– Roles

– Accounts

• Authentication and Authorization combo:
(LDAP, Active Directory, Custom)

– Allows mapping of existing org structure to Stellent security principals

– Stops the agony of maintaining permissions of the same user in multiple places

– Covered in detail later in this presentation

Security planning

• Long ranging implications of overly complex and under-designed models

– Users will be able to do more than it is mandated or even safe for them to do

– Access may be denied in unpredictable situations

– Hard to debug user access issues

– New content will follow the model and increase the cost of correcting the model

On Content Revisions

• Major benefit of content management…

• Each revision can have different metadata

– To update security on a content item all revisions need to be updated

– Even if you don’t add new content – changing of security gets more expensive over time

Security planning

• Long ranging implications of overly complex and under-designed models

• Easier to start with a good model than change later

BUT

• Security model can be changed at any time

… How to plan a security model – later in this presentation

Basic terminology: Major source of confusion

• Groups –

– Windows: a set of users

– Stellent: a piece of metadata

• Accounts –

– Windows: user record

– Stellent: a piece of metadata

Security at a glance

Groups and accounts used together


Why is it so confusing?

• Robust, time tested system

• Hundreds of customers worldwide

• Is it just terminology?

Paradigm shift

• Single flat repository instead of conventional taxonomy

– No permission inheritance in the base system

– Optional Folders components required for some of support hierarchies BUT

– Folders are no longer synchronized with web site navigation (as of v. 7.x)

Groups

• A “tag” on a content item

• Helps to group items with same security level

• Used verbatim

• Limited to 30 characters

• Access to groups specified by user role membership

Roles

• Specifies user access level to various groups

• User can belong to multiple roles

Accounts

– Another “tag” on a content item

BUT

– Supports hierarchy

– User access to accounts specified directly

• Accounts support hierarchy, based on a “Starts with” substring rule

• RW on ca/on will give Read and Write access to

• ca/on/montreal

• ca/on/toronto

• ca/on/Ottawa

– Slashes are optional

• RW on ca,on will give Read and Write access to

• ca,on.montreal

• ca,on-toronto

• Ca,on=>ottawa

– Length limited to 35 characters

Can be created on the fly…

Ignore these and get in trouble:

Account text box lets people create ad-hoc accounts that others can not access
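
The "starts with" rule and the ad-hoc account risk from the slides above, as an added sketch (not part of the original presentation and not Content Server code). It sorts the account names found on content into those a grant covers at a hierarchy boundary, those it covers only because the raw prefix happens to match, and those no grant covers at all. The `Grant` class, function names and sample data are constructed for illustration, and case-insensitive comparison is an assumption.

```python
from dataclasses import dataclass

MAX_ACCOUNT_LEN = 35  # length limit quoted on the slide above


@dataclass(frozen=True)
class Grant:
    prefix: str  # account prefix that was granted, e.g. "ca/on"
    perms: str   # permission letters as written on the slide, e.g. "RW"


def matching_grants(grants, account):
    """Grants that cover `account` under the plain "starts with" rule."""
    acct = account.lower()  # assumption: names are compared case-insensitively
    return [g for g in grants if acct.startswith(g.prefix.lower())]


def on_boundary(prefix, account, sep="/"):
    """True if the match is exact or the prefix ends where a hierarchy level ends."""
    rest = account[len(prefix):]
    return rest == "" or rest.startswith(sep) or prefix.endswith(sep)


def audit(grants, accounts, sep="/"):
    """Sort account names found on content into review buckets.

    `grants` should hold every account grant defined for any user, so that
    "orphan" means an account nobody was explicitly given access to.
    """
    report = {"covered": [], "accidental": [], "orphan": [], "too_long": []}
    for account in accounts:
        if len(account) > MAX_ACCOUNT_LEN:
            report["too_long"].append(account)
        hits = matching_grants(grants, account)
        if not hits:
            report["orphan"].append(account)      # likely typed ad hoc at check-in
        elif any(on_boundary(g.prefix, account, sep) for g in hits):
            report["covered"].append(account)     # intended hierarchy match
        else:
            report["accidental"].append(account)  # matched by raw substring only
    return report


# Constructed sample data: one grant, and account names seen on content items.
GRANTS = [Grant("ca/on", "RW")]
ACCOUNTS = [
    "ca/on/toronto", "ca/on/Ottawa", "ca/on",
    "ca/ontario-hr", "ca/onboarding",
    "ca/qc/montreal", "toronto-temp",
]

if __name__ == "__main__":
    for bucket, names in audit(GRANTS, ACCOUNTS).items():
        print(f"{bucket:10} {names}")
```

Accounts in the "accidental" bucket are readable and writable by holders of the `ca/on` grant even though they sit outside that branch, which is the practical consequence of slashes being optional.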


How I plan Stellent security

• Name all types of people who will at any time access the system

• Will they be authenticated? How?

• What will they do on the system?

Case study

• Model features after security redesign:

– Roles follow the user’s job function, not organizational unit

– Groups describe access level

– Accounts segment content by organizational unit and web site section

Oracle Stellent Security:

• Requires careful planning

– Authentication

– Authorization

- Groups, Roles, Accounts

BUT

Bad model can be corrected at any time

• Requires paradigm shift in thinking and can be confusing

• Professional help is not always an answer

– Must have experience implementing Stellent security models

Must be able to explain Stellent Security concepts without mystifying them

• Questions?

Saturday, September 29, 2007

How to remove account text field

Content Server 7.x as well as 10G includes an editable text box next to the Account field on the content check-in form. Allowing users to type in arbitrary accounts increases the risk of newly checked-in content becoming inaccessible to others and has the potential to cause performance problems due to the proliferation of account-related directories in weblayout. Many people wonder if they can remove it so users can only pick from the list of pre-defined accounts.



Here is how to accomplish that in just a few minutes without resorting to custom component development.

1. Start Configuration Manager

2. On the Tables tab, click Add table

3. Select DocumentAccounts table, Click OK

4. On the Views tab, click Add…

4.1 Pick DocumentAccounts as your table and select the dDocAccount field so it will be shown

4.2 On the Security tab, uncheck “Publish view data” and select “Use standard document security” as shown below




4.3 Hit OK to close Edit View dialog

5. On the Information Fields tab hit Add…

5.1 Type a field caption such as “SecurityAccount” and pick the desired field order

5.2 Check the Enable Option List checkbox as shown below and click the Configure button beside it




5.3 Select the Use View option as shown below. Select the view you created in step 4 as shown below




5.4 Click OK to close the Configure Option List dialog

5.5 Click OK to close Edit Custom Info Field dialog

6. Click the Update Database Design button (right side of the Information Fields tab in Configuration Manager)

7. Select the Rules tab and click Add…

7.1 Type in a name for the new Global Rule you will be creating

7.2 On the Edit Rule dialog make sure that “Is global rule with priority” box is checked

7.3 Select Fields tab (see below)




7.3.1 Click Add to add a new field

7.3.2 Select the field you created in step 5

7.3.3 Change Type to Required or leave as Edit depending on your preference

7.3.4 Add the dDocAccount field as you did in step 7.3.1 but this time mark it Hidden

7.3.5 Make sure that the “Is derived field” box is checked and click “Edit…” as shown below




7.3.6 Switch to Custom tab on the Script Properties dialog as shown below




7.3.7 Check the “Custom” check box and paste the following text into it:

<$dprDerivedValue=getFieldViewValue("xSecurityAccount",#active.xSecurityAccount,"dDocAccount")$>

7.3.8 Click OK to close Script Properties dialog.

7.3.9 Click OK to close Edit Rule Field dialog

7.4 Click OK to close Edit Rule dialog

8. Select Options -> Publish Schema and Options -> Publish Schema Base so that your changes are visible on the check in form

WARNING: The global rule created in step 7 will hide the built-in Account field on the content information, search and update screens, so the above steps will only be sufficient if you perform them on a new instance of Content Server. If you are working on an instance with existing content – follow the steps below:

9. Under the Rules tab of Configuration Manager select the rule you added in step 7 and hit Edit…

9.1 Select “Use rule activation condition” as shown below



9.2 Click Edit… and Add… to add a rule condition as shown below.




This will ensure that the original Account field is still visible and none of your users are affected when they perform an update. You might want to add another rule to hide your newly created field on search and content information pages…

Sunday, September 2, 2007

Who else didn’t upgrade to 10G R3?

We’ve recently upgraded our instances of Stellent Content Server 7.5.1 to the latest Oracle release 10G R3. Upgrade procedures, as most of the things in Stellent, are fully documented but we still hit a few bumps on the road. Here are the notes for which I was ready to walk to the top of the mountain in a blizzard if I only knew they existed.

What was missing in the manual

We slightly disagree with Oracle when they say in Windows Install Guide

“It is recommended that you disable all installed components before the upgrade and enable them one by one after the upgrade. This is a good strategy because it allows you to determine which components may have been broken by the upgrade. Please note that this is not necessary for the software upgrade as such to succeed; it is merely a useful customization upgrade strategy.”

This is the only way we got our servers to come up after the upgrade so in our case it was required.

What the Server Install Guide didn’t mention was that if you have Site Studio installed, none of your sites will come up if you follow that procedure. (When you navigate to the Site Studio site URL, even after you reinstall the new Site Studio component, you will get a “Page can not be found” error.)

WARNING: Your upgrade path will change depending on which custom components you have installed! Please review upgrading instructions for new versions of all of your installed components prior to upgrade.

For instance, if you have Folders and Site Studio together – you shouldn’t uninstall or disable them prior to upgrade, so that each site can be migrated from a folders-based hierarchy to a project-based hierarchy.

Upgrade process overview

Here is what your upgrade task list might look like:

  • Update JVM - 10G no longer works with JDK 1.4
  • Make a copy of Stellent Installation directory
  • Disable all components except Folders.
    Once again, see your components' upgrade instructions prior to keeping or removing them! A sample list would look like this:
    • Uninstall components except Folders
      • The following components need to be disabled and then uninstalled:
        • Site Studio
        • Dynamic Converter
        • tzus2007
        • WebDAV
      • The following components need to be disabled but not uninstalled :
        • FoldersLocal
        • FolderStructureArchive
        • BackgroundThread
        • Lists
        • Helper
        • All other components except Folders
  • Disable Indexer Auto Update Cycle
  • Restart server and make sure that there are no errors in the output after every subsequent component disabling and uninstall
  • Install new Site Studio Component
  • Perform Content Server upgrade
  • Enable Indexer Auto Update Cycle
  • Install Dynamic Converter
  • Web sites should be fully functional including contribution mode and WebDAV

Tips and tricks

Here are a few more tips that may save you a few more hours

  • If Verity is your search engine - set the following variable (as shown, in all caps) in the [install_dir]/config/config.cfg file:

    SearchIndexerEngineName=VERITY.VDK.4

    The new Content Server will continue working with your existing Verity installation and you won’t need to wait for the index to rebuild. That said, you might consider upgrading to Verity VDK6 at a later date if you have content in multiple languages.
  • If your database is MS SQL Server or Sybase - download the jTDS JDBC Driver. The old driver may not work. The JDBC driver classname will be net.sourceforge.jtds.jdbc.Driver
  • If you are having WebDAV problems following a successful upgrade - make sure the default web site in IIS Admin doesn't have two Stellent ISAPI filters as shown below.


If two filters are present, remove the second one. A subsequent IIS restart should render WebDAV fully operational.

Good luck!

Wednesday, February 21, 2007

Are you in control of your Stellent Systems?

A few days ago I got a call from my old-time client. He was reading SANS' Top-20 Internet Security Attack Targets and was wondering if his Stellent installation might be vulnerable. He had all the latest patches at that time but something kept him thinking of his Stellent installation after hours.

We did an audit on his instance and found that even though the system was completely up to date with security patches, most of his contributors were in fact super admins! They couldn't find a better way to let contributors access the site content they needed to access - there were simply too many security groups and accounts to deal with!

In my years as a Stellent architect I've seen many capable sysadmins badly misconfiguring their security system. Is there anything wrong with Stellent security? Ten years of its success in multiple industries tells us otherwise. Stellent is simply very different when it comes to security. Here is why.

In my other post I've explained the limitations of a hierarchical folder structure, which grows unwieldy over time, making it difficult to find documents. Stellent overcomes this by providing a single metadata-driven content repository. This strategy is very effective for managing content but it takes away the conventional files and folders where all of us are so used to setting permissions! So where do we set permissions now? Just on the content items themselves. There is no permission inheritance. Once the content is checked in - its group and account values are set. Unlike Windows, where you can specify who can do what with a file, in Stellent you specify what content group it belongs to and then you specify who can do what with your content groups.
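
The model just described and the audit finding above, as an added sketch (not part of the original post and not Content Server code): content carries a group tag, roles grant permission letters on groups, and a user's rights on an item follow from the roles held. Role, group and user names are constructed, the R/W/D/A letters are used for illustration, and combining the permissions of several roles by union is an assumption of this sketch.

```python
# Constructed sample data: which permission letters each role grants per content group.
ROLE_PERMS = {
    "guest":       {"Public": "R"},
    "contributor": {"Public": "RW", "Internal": "RW"},
    "hr_editor":   {"HR": "RWD"},
    "admin":       {"Public": "RWDA", "Internal": "RWDA", "HR": "RWDA"},
}

# Constructed sample data: roles assigned to each user.
USER_ROLES = {
    "alice": ["contributor"],
    "bob":   ["contributor", "admin"],  # the shortcut the audit uncovered
    "carol": ["guest", "hr_editor"],
}


def effective_perms(roles, role_perms=ROLE_PERMS):
    """Per content group, the union of permission letters from every role held."""
    result = {}
    for role in roles:
        for group, letters in role_perms.get(role, {}).items():
            result[group] = result.get(group, set()) | set(letters)
    return result


def can(user, action, item_group, user_roles=USER_ROLES, role_perms=ROLE_PERMS):
    """Access check for one item: only the item's group tag and the user's roles matter."""
    perms = effective_perms(user_roles.get(user, []), role_perms)
    return action in perms.get(item_group, set())


def full_admins(user_roles=USER_ROLES, role_perms=ROLE_PERMS):
    """Users who end up with Admin (A) on every content group defined in any role."""
    groups = {g for perms in role_perms.values() for g in perms}
    flagged = []
    for user, roles in sorted(user_roles.items()):
        eff = effective_perms(roles, role_perms)
        if all("A" in eff.get(g, set()) for g in groups):
            flagged.append(user)
    return flagged


if __name__ == "__main__":
    print("alice can write Internal:", can("alice", "W", "Internal"))
    print("alice can read HR:", can("alice", "R", "HR"))
    print("users with admin on every group:", full_admins())
```

Run against an export of real role assignments, the `full_admins` list is the set of accounts to compare against the people who are actually meant to administer the system.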

Another major confusion point is the actual naming convention. What Stellent calls "Group" and "Account" is not always what the rest of the world calls them. Unfortunately, there are only a few simple words in English that can describe a group of content, so Stellent calls it "Group". Windows users are trained that a "Group" is a group of users and "Account" is a user security record... Once again, a "Group" in Stellent is a Group of Content or "Content Group". An "Account" is another grouping of content or "Content Account". Try these names in your next security discussion and see confusion subside!

What if your system is already implemented? Is it too late to change content security? Do you have to manually update the content group and account of every content item? Fortunately, in most cases the answer to those questions is no. Existing systems can have their security updated in just a few days. If your system is vulnerable - it can be fixed.