About the Security Script Wizard

The Security Script wizard allows you to assign security roles to user and group accounts in order to create security principals for the objects in an object store. The security roles to be assigned are defined in an XML information file, which also identifies the VBS security script file to run on the selected accounts. The XML file is the link between the wizard and the security script: it tells the wizard how to apply the defined security roles to the selected user and group accounts in order to create the security principals.

When running the Security Script wizard, you will query your directory service and assign the security roles defined in the XML information file to specific users and groups. The Security Script wizard will then add these accounts to the objects identified in the security role definitions contained in the VBS security script, and thus create the security principals for the object store. The set of objects affected by this operation will be those in the object store in which the Security Script wizard is being run.

The input requirements for the Security Script wizard are (1) a properly formatted XML information file which references (2) a properly formatted VBS security script file. The Content Engine installation program installs examples of each of these (WorkplaceScript.xml and WorkplaceSecurity.vbs), which are listed as a required post-installation configuration step in the IBM FileNet P8 Platform Installation and Upgrade Guide.

See also Update an object store with new users and groups for a specific example of running the Security Script Wizard.

Example of a properly formatted XML information file

A properly formatted XML information file contains the following elements:

The following code fragment demonstrates how these elements appear in workplacescript.xml:

<SecurityScriptInformation>
  <SecurityScriptFile>workplacesecurity.vbs</SecurityScriptFile>
  <SecurityRoleMap>
    <VariableName>strUsrPWDesigner</VariableName>
    <RoleName>Workflow Designer</RoleName>
  </SecurityRoleMap>
  <SecurityRoleMap>
      ...
  </SecurityRoleMap>
</SecurityScriptInformation>

Example of a properly formatted VBS security script file

The following code fragment from WorkplaceSecurity.vbs demonstrates a properly formatted VBS security script file. This particular script adds the Workflow Designer role via the strUsrPWDesigner permissions to the Workflow Subscription Class, where:

Public Sub ScriptWizardEntry(CELib)
    'MsgBox strUsrPWDesigner
    PostImportScriptMethod CELib
End Sub

Public Sub PostImportScriptMethod(CheetahLib)
'On Error Resume Next
    Dim oClassDef
    Dim nCount
    nCount = UBound(strUsrPWDesigner, 1)
    Dim ap

    CheetahLib.Refresh

    'Class Workflow Subscription Class (View + Link + Create Instance)
    'Notes: CEMP does not show Link access right for Workflow Subscription Class.
    'After this code is run, viewing from Enterprise Manager, you'll see that View, Create Instance, and Read access rights
    'checkboxes are checked.
    Set oClassDef = CheetahLib.GetObject(1027, "{5763CE24-8D28-47F3-84AB-5F1FBC2BB24A}")
      'VBScript indexing starts from 0 but in this particular script, entry 0 of strUsrPWDesigner array
      'does not have any value. The user/group name starts from entry 1.
    For I = 1 To nCount
      Set ap = CheetahLib.CreateObject(2012)
      ap.GranteeName = strUsrPWDesigner(I)
      ap.AccessMask = &H20111
      ap.AccessType = 1 'idmAccessAllow=1, idmAccessDeny=2
      ap.InheritableDepth = 0
      oClassDef.Permissions.Add ap
    Next
    oClassDef.Save
    'MsgBox "updated Workflow Subscription class"

...
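
Before running the wizard, it helps to see exactly which permissions each role in the XML information file will receive from the script. The following Python sketch is an added example, not part of the IBM-supplied files: it pairs each SecurityRoleMap entry with the GranteeName, AccessMask and AccessType assignments in the VBS text and lists mapped variables the script never grants to. The sample inputs are constructed from the fragments above, the strUsrUnused entry is invented, and the parsing assumes the script sets these properties in the style shown on this page.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs modelled on this page's fragments; strUsrUnused is invented.
SAMPLE_XML = """<SecurityScriptInformation>
  <SecurityScriptFile>workplacesecurity.vbs</SecurityScriptFile>
  <SecurityRoleMap><VariableName>strUsrPWDesigner</VariableName>
    <RoleName>Workflow Designer</RoleName></SecurityRoleMap>
  <SecurityRoleMap><VariableName>strUsrUnused</VariableName>
    <RoleName>Constructed Role</RoleName></SecurityRoleMap>
</SecurityScriptInformation>"""
SAMPLE_VBS = """Set ap = CheetahLib.CreateObject(2012)
ap.GranteeName = strUsrPWDesigner(I)
ap.AccessMask = &H20111
ap.AccessType = 1 'idmAccessAllow=1, idmAccessDeny=2"""
FIELDS = {  # property assignments as written in the page's script fragment
    "variable": re.compile(r"\.GranteeName\s*=\s*(\w+)", re.I),
    "mask": re.compile(r"\.AccessMask\s*=\s*&H([0-9A-F]+)", re.I),
    "type": re.compile(r"\.AccessType\s*=\s*(\d+)", re.I),
}
ACCESS_TYPES = {"1": "allow", "2": "deny"}  # from the script's own comment

def parse_role_map(xml_text):
    """Return (script file name, {VariableName: RoleName}) from the XML file."""
    root = ET.fromstring(xml_text)
    roles = {m.findtext("VariableName", "").strip(): m.findtext("RoleName", "").strip()
             for m in root.iter("SecurityRoleMap")
             if m.findtext("VariableName", "").strip()}  # skip maps with no variable
    return root.findtext("SecurityScriptFile", "").strip(), roles

def audit(xml_text, vbs_text):
    """List every grant the script makes and the mapped variables it never uses."""
    script, roles = parse_role_map(xml_text)
    by_lower = {v.lower(): r for v, r in roles.items()}  # VBScript ignores case
    blocks = []
    for line in vbs_text.splitlines():
        code = line.split("'", 1)[0]  # naive comment strip, enough for these lines
        if "createobject(" in code.lower():
            blocks.append({})  # a new permission object starts a new grant
        for key, rx in FIELDS.items():
            m = rx.search(code)
            if m and blocks:
                blocks[-1][key] = m.group(1)
    grants = [{"variable": b["variable"], "role": by_lower.get(b["variable"].lower()),
               "mask": int(b["mask"], 16) if "mask" in b else None,
               "access": ACCESS_TYPES.get(b.get("type"), "unknown")}
              for b in blocks if "variable" in b]
    unused = [v for v in roles if v.lower() not in {g["variable"].lower() for g in grants}]
    return {"script": script, "grants": grants, "unused": unused}
```

Call audit() with the text of the XML information file and of the VBS file it names. A grant whose role is None uses a variable that is not in the role map, and every entry in "unused" is a role the wizard will prompt for but the script never applies.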

How to run the Security Script Wizard

To run the Security Script wizard using Enterprise Manager

  1. Right-click the domain root node or the object store node and select All tasks > Run Security Script Wizard.
  2. Follow the instructions in the wizard. The security assignments you make in the wizard will be applied to the objects defined in the VBS script file.

Troubleshooting

When encountering errors with the script, turn on tracing within the script by setting the bEnableTracing flag to TRUE. Then examine the trace log.