Enterprise Manager's security editor
Using Enterprise Manager, an administrator can view and modify an object's
security by opening its property sheet and going to the Security tab. (About
access rights has full definitions of these fields.)
The following shows the Security tab for a document named "ovp".
This document's security tab (technically called its "ACL", or Access
Control List) contains 2 names (technically called "ACEs", or Access
Control Entries), each identified by several fields:

- Name: authentication
provider's Display Name. If you hover your mouse above the name, you will
see the following information:
- Sun Java™ System Directory Server and Novell eDirectory: full DN. (Example: uid=shawking,cn=users,dc=filenet,dc=com)
- Active Directory: the display is constructed by the Content Engine by
taking the first part of the samAccountName, adding"@", and
then adding the domain from the actual UPN (for example, shawking@filenet.com). (This
same construction appears in the results of a search for an account when
using the Select Users and Groups dialog box.)
- Source: each ACE
in this example has a different source
type. The selected ACE is editable, which you can tell because the various
regions are not disabled, which is because
Direct permissions are editable. The ACEs whose Source is Template and Inherited
are not editable, and when selected the rest of the security editor becomes
disabled.
- Level: the possible
levels for the object type (in this case a document object) are listed with
radio buttons lower down. The users and groups who are specified as object
store administrative groups while running the object store wizard appear on
all ACLs with Full Control. You can change the level by selecting one of the
radio buttons associated with the Levels listed below.
- Apply to: also called
"inheritable depth, you can change the value using the Apply
to control box if the ACE is editable.
- Type: Displays
whether the ACE is allowed or denied, and also lets you change the value if
the ACE is editable.
- (list of) Levels: List of security levels appropriate to the object.
Different objects have different sets of security levels. The list shown is
appropriate to documents, as it includes such things as the ability to publish
and to create minor and major versions. A folder would have a different set
of security levels. Notice that when Full Control is selected all the other
"lower" levels are marked with an asterisk. The asterisk next to
a Level means that it is included in the Level currently selected; this is the
meaning of "all required bits are set".
- (list of) Rights: In this example, with Full Control selected as
the Level, all Rights will be selected. If you were to deselect just one of
them, "View all properties," for example, the Level would automatically
be changed to Custom, which simply means that the collection of all selected
Rights do not exactly match the requirements of the predefined Levels. If
you were to reselect "View all properties" so that all the Rights
were selected, the Full Control level would again be automatically selected.
- Add: Click to add
or remove users and groups.
- Remove: Click to remove the selected ACE.
(This does not remove the user or group from the authentication provider or
from any other ACLs the ACE might be present on.)
- Active Marking/Owner: Click to view
or edit the ownership
of this object.
See About access Rights for a description
of the various parts of the security editor, and Security
tab for how to use it.