Configure security inheritance

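This topic describes three ways to configure security inheritance between objects in Enterprise Manager: designating a folder as a security parent using Security Parent, designating a folder as a security folder using Security Folder, and using a custom object-valued property.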

Run these procedures as part of your initial security configuration, after you have created document classes and configured their default security instance tabs. It is best to establish security inheritance before putting an object store into production.

NOTE  You can use this procedure for custom objects also. Just substitute "custom object" wherever you see "document".

Use Enterprise Manager to designate a folder as a security parent, using Security Parent

You can configure a document to inherit permissions from a folder. The folder can contain the document, but this is not required. (Earlier versions of Content Engine did require that the security parent folder contain the document, but this requirement has been removed with the introduction of the SecurityFolder property.)

  1. Log in to Enterprise Manager as object store administrator.
  2. Open the Object Store node, select the Root Folder, and navigate to the folder containing the document whose security inheritance you are configuring.
  3. Click the folder's Security tab. Make sure the folder has ACEs whose Apply to setting is either This object and immediate children or This object and all children. See Configure a folder's security inheritance for reference.
  4. Click OK to close the folder's property sheet.
  5. Right-click the document, select Properties, and then select the property sheet's General tab. You will see a drop-down list of the possible folders to choose from.
  6. Select the Inherit Security from folder check box. Then select a folder from the list. (All folders containing the document will appear in the list. If the folder you want is not in the list you will need to stop this procedure, file the document in the folder, and then start again.)

    NOTE  After the upgrade to Content Engine 4.0.1, this check box appears exactly as it did in earlier releases. Selecting it now sets the new SecurityFolder property, not the SecurityParent property as it did formerly; SecurityParent is being deprecated. Because the SecurityParent feature is still supported, the drop-down list displays only those folders that contain the document. Enterprise Manager therefore mimics the SecurityParent behavior, which depends on containment, even though it is in fact using the SecurityFolder property, which does not require the folder to contain the document. Custom applications that have been coded using SecurityParent will continue to function without change.
  7. Click Apply or OK.
  8. Click the document's Security tab and confirm that it has inherited ACEs from the security folder. The inherited ACEs will show a Source type of Inherited. If the required rights do not appear, make sure that they are configured to be inheritable on the folder. See Configure a folder's security inheritance.

Use Enterprise Manager to designate a folder as a security folder, using Security Folder

Similar to the SecurityParent procedure above, this procedure uses the Security Folder property, a standard property of every document and custom object class.

  1. Log in to Enterprise Manager as object store administrator.
  2. Open the Object Store node, select the Root Folder, and navigate to the folder that will serve as the Security Folder.
  3. Right-click the folder and select Properties. Click the folder's Security tab. Make sure the folder has ACEs whose Apply to setting is either This object and immediate children or This object and all children. See Configure a folder's security inheritance for reference. Click Cancel or OK to close the folder's property sheet. You should see the folder's icon listed in Enterprise Manager's tree view.
  4. Right-click the folder and select Copy Object Reference.
  5. Now navigate to the folder containing the document whose security inheritance you are configuring.
  6. Right-click the document and select Properties. Select the property sheet's Properties tab.
  7. Scroll down the list of properties and find Security Folder. Its Property Value cell will display <Value Not Set> if there is no value yet for this property.
  8. Click the Property Value column. The Set Object Value dialog box will appear. Click OK to set the value. The Select Object from Paste Buffer dialog box will appear and will list the object reference you copied earlier under the Object Name column.
  9. Select the appropriate Object Name and click OK. You will see the name of the folder appear as the Property Value for the Security Folder property.
  10. Click Apply to apply the changes you just made and keep the document's property sheet open.
  11. Click the Security tab, and confirm that the Security Folder's inheritable ACEs appear, with Source type of Inherited.

Use Enterprise Manager to configure security inheritance using a custom object-valued property

In addition to the methods explained above, you can also create pairs of security-passing and security-inheriting objects, as follows:

  1. Log in to Enterprise Manager as object store administrator.
  2. Copy the object reference of the object whose security will be inherited. (This object will become a security parent as a result of this procedure.) This object must have at least one inheritable ACE (one whose Apply to setting is either This object and immediate children or This object and all children). For reference, see Copy object reference.
  3. Start the Create a Property Template Wizard to create the property that will establish the connection between the two objects. For reference, see Create a property template.
    1. Give the new template a name.
    2. Select Object for the data type.
    3. On the Single or Multi-Value? step of the wizard, select Single. Click the More button.
    4. On the More tab of the dialog box that displays, for Security Proxy Type select Inherited. (This value will appear as the integer 2 when viewed in the document's property grid.) Click OK.
    5. Click Next and Finish to complete the wizard.
  4. Assign the new property template to a new or existing class. The following procedure assumes the class already exists. For reference see Assign properties to a class.
    1. Right-click the class and select Add Properties to Class. This opens the Add Properties to a Class Wizard. Click Next.
    2. In the Select Properties panel, select the Show Object Type check box and in the Available column select the property you just created above. Click Add>> to add the property to the Selected column. Click Next.
    3. In the Select Property Attributes panel, select the property you just added to the class and then click More. The property template's property sheet opens.
    4. In the property template's property sheet, click the More tab.
      1. For Required Class, use the list to select the class of the object whose object reference you copied above. For example, if that proxying object is a document, you would select its exact class or subclass.
    5. Click Next and then click Finish to finish the Wizard.
  5. (Optional) Assign a default value to the object-valued property. This step is optional but can be used, if appropriate, to automate the process of establishing the connection to the object providing security inheritance. If you do not set a default value, Enterprise Manager will request an object reference each time you create a new object that references that object-valued property for its inherited security. (This step assumes that there is a single inheritance-providing object for this particular custom property.)
    1. Right-click the class you used in the step above and select Properties. Select the Properties tab.
    2. Scroll down and find the Property Definitions row. (This is not the same as selecting the Property Definitions tab of the property sheet.)
    3. Click the down arrow in the Property Value column. The list of all custom properties drops down.
    4. Select the object-valued property you just created. Its property sheet will display. Click the Properties tab of that property sheet.
    5. Scroll down and find the Property Default Object row and click its Property Value cell. If you have not yet set the value, you will get a dialog box asking you to select OK to set the value. Click OK and the Select Object from Paste Buffer will appear.
    6. Select the object that will be supplying the inherited security and click OK. Click Close and OK to close the class property sheet.

      If the object you need is not in the list, click Cancel and start this procedure again, being careful to follow the step describing how to copy the object reference of the object whose security will be inherited.

      If the Propagate Metadata Changes dialog box opens, you must decide, based on the requirements of your security design, whether the new property you just added to a class should be propagated down to all subclasses. We will not propagate for this procedure; therefore in the Updated Property Definitions box do not select the property definition we just created. Click OK to return to Enterprise Manager.
  6. Create a new document using the class we have been using in this procedure. (If you have not assigned a default value as optionally described above, you will be prompted for an object reference. Set the reference using the object reference you copied.)
  7. Examine the new document's Security tab and confirm that it has inherited ACEs from the security parent object. The inherited ACEs will show a Source type of Inherited. In order to change the access rights of this inherited ACE, you would change it on the source document; the changes will automatically be updated on the target document.
  8. Repeat this procedure as many times as required by your security design.
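
The inheritance rule that all three procedures above rely on, as an added example (a simplified Python model, not Content Engine code or its API): only ACEs whose Apply to setting reaches children show up on the inheriting object, with a Source type of Inherited. The class and function names, the numeric depths, the "Direct" label and the sample ACEs are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# "Apply to" settings named on this page, mapped to how many levels an ACE travels.
# The numeric depths are this model's assumption, not values taken from the page.
DEPTH = {
    "This object only": 0,
    "This object and immediate children": 1,
    "This object and all children": -1,  # -1 = unlimited
}

@dataclass(frozen=True)
class ACE:
    grantee: str
    rights: str
    apply_to: str = "This object only"

@dataclass
class SecuredObject:
    name: str
    direct: list = field(default_factory=list)
    security_source: Optional["SecuredObject"] = None  # Security Folder or custom property

def passed_down(obj, levels=1):
    """ACEs that obj hands to an object `levels` steps below it."""
    own = [a for a in obj.direct
           if DEPTH[a.apply_to] == -1 or DEPTH[a.apply_to] >= levels]
    above = passed_down(obj.security_source, levels + 1) if obj.security_source else []
    return own + above

def security_tab(obj):
    """Rows of (grantee, rights, source type), as checked in each procedure's last step."""
    rows = [(a.grantee, a.rights, "Direct") for a in obj.direct]
    if obj.security_source:
        rows += [(a.grantee, a.rights, "Inherited") for a in passed_down(obj.security_source)]
    return rows

def non_inheritable(obj):
    """Pre-flight check: ACEs on a would-be security source that will not reach children."""
    return [a for a in obj.direct if DEPTH[a.apply_to] == 0]

# Constructed sample data
folder = SecuredObject("Contracts", [
    ACE("Legal", "Modify properties", "This object and all children"),
    ACE("Auditors", "View properties", "This object and immediate children"),
    ACE("Admins", "Full control"),  # This object only: never inherited
])
doc_a = SecuredObject("contract.doc", [ACE("Author", "Full control")], security_source=folder)
doc_b = SecuredObject("annex.doc", security_source=doc_a)  # chained via a custom property
```

Because the rows are computed from the source object each time, adding or changing an ACE on the folder is reflected on the inheriting documents without touching them, which matches the behavior described for inherited ACEs in the last procedure.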