Understanding security inheritance

Security inheritance refers to the passing of permissions from a parent object to a child object. For instance, a folder could be the parent of a subfolder or a document; a document could be the parent of an annotation. The child object can inherit the security permissions from its parent object. Because of inheritance, the security administrator can apply security updates to many objects in one operation by setting the permissions at the parent level, where they can then be inherited by the children at all levels.

Some important characteristics of inherited permissions are:

Inheritable depth (Apply to)

Each ACE has an inheritable depth setting that is invoked if the ACE is configured to be inherited by a child object. The inheritable depths are:

The Enterprise Manager security editor lets you set inheritable depth in its Apply to section:

See Configure inheritable depth for more information.

NOTE  The setting for inheritable depth does not apply to situations where the ACE is being applied in non-inheritance conditions. For example, an ACE on a Default Instance Security ACL of a class will be applied to an instance of that class, even if the ACE has an inheritable depth of This object only, because the application of security from a Default Instance ACL is considered default security and not inherited security.

Security Parent, Security Folder, Security Proxy Type

You can configure the relationship between a parent and child object in several ways, described below.

Security Parent

When a folder's Security Parent property is configured, that folder becomes a Security Parent for the documents and custom objects contained within it. That is, inheritable permissions are inherited by the Security Parent folder's documents and custom objects.

NOTE  This feature has been deprecated as of 4.0.1, although it is still available for compatibility with earlier versions. Any existing applications that use this feature will continue to work as before, without change.

You can see the Security Parent property on all documents and custom objects: in Enterprise Manager, right-click the document or custom object, select Properties, then click the Properties tab and scroll down the list of properties.

Security Folder

A Security Folder is a folder from which an object inherits security, but there is no requirement that its security children be filed in the folder. You can see the Security Folder property on all documents and custom objects: in Enterprise Manager, right-click the document or custom object, select Properties, then click the Properties tab and scroll down the list of properties.

Security Proxy Type

Content Engine provides extensible security parent relationships by means of the Security Proxy Type property placed on the metadata of custom object-valued properties. This property acts as a security parent. You can add this property to any class of objects as required by your security design. An object can have many such Security Proxy Type properties—that is, many security parents—with the inherited ACEs from each being merged together and contributing with equal priority to the access check that produces the final security mask.

You can apply the Security Proxy Type property to objects other than folders. For example, you could use the Security Proxy Type property on a custom object so that it was the security parent to a document. You can see the Security Proxy property on all objects: in Enterprise Manager, right-click the object, select Properties, then click the Properties tab and scroll down the list of properties.

See Configure security inheritance to configure these security inheritance features.

Configuring inheritance

For configuring inheritance on documents and custom objects, see Configure a document's security parent and Configure a folder to be a security parent.

Folders have an Inherit parent permissions check box on the General tab of their property sheets in Enterprise Manager.

Inherit parent permissions: This check box governs inheritance between folders. When you select it, the folder will inherit permissions from its parent folder if the parent folder has inheritable permissions (see Inheritable depth above). This option is selected by default. Clearing the check box removes any ACEs that were formerly inherited from the parent folder.

Subclassed permissions are copied, not inherited

When you make a new subclass from a class, permissions are passed from the parent class to the new child class in a manner that is not inheritance. When you make a new subclass, those permissions of the originating class that have a Source type of Default or Direct are exactly copied to the new subclass with no change in source type or inheritable depth.

During subclassing, the child class receives the ACEs of its parent as described in the following table. Notice that Default permissions with inheritable depth of This object only are not inherited by the child; rather they are copied without change and are therefore modifiable on the child object.

| If the ACE on the parent class is marked… | … then the same ACE on the subclass will be marked… | Inheritance or copy? |
| --- | --- | --- |
| Source = Default; Inheritable depth = "This object only" | Source = Default; Inheritable depth = "This object only" | Copy |
| Source = Direct; Inheritable depth = "This object and immediate children" | Source = Inherited; Inheritable depth = "This object only" | Inheritance |
| Source = Direct or Inherited; Inheritable depth = "This object and all children" | Source = Inherited; Inheritable depth = "This object and all children" | Inheritance |
| Source = Direct or Inherited; Inheritable depth = "This object only" | Does not appear. Inheritance is stopped by the inheritable depth. | Not applicable |
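
The rows of the table above, written out as a small Python model and applied across two successive levels of subclassing. This is an added example, not part of the original documentation and not Content Engine code; the ACE class, the function names and the sample grantees are assumptions made for illustration, and combinations the table does not list raise an error rather than being guessed.

```python
from dataclasses import dataclass

ONLY = "This object only"
IMMEDIATE = "This object and immediate children"
ALL = "This object and all children"

@dataclass(frozen=True)
class ACE:
    grantee: str   # constructed sample principal
    source: str    # "Default", "Direct" or "Inherited"
    depth: str     # one of the three inheritable depths above

def ace_on_subclass(ace):
    """Return the ACE as it appears on a new subclass, or None if it does not appear."""
    if ace.source == "Default" and ace.depth == ONLY:
        return ace                                   # Copy: unchanged, modifiable on the child
    if ace.source == "Direct" and ace.depth == IMMEDIATE:
        return ACE(ace.grantee, "Inherited", ONLY)   # Inheritance, stops at this child
    if ace.source in ("Direct", "Inherited") and ace.depth == ALL:
        return ACE(ace.grantee, "Inherited", ALL)    # Inheritance, continues downward
    if ace.source in ("Direct", "Inherited") and ace.depth == ONLY:
        return None                                  # stopped by the inheritable depth
    raise ValueError(f"combination not covered by the table: {ace}")

def subclass_acl(parent_acl):
    """ACL a new subclass receives from its parent class."""
    return [c for c in map(ace_on_subclass, parent_acl) if c is not None]

def lineage(root_acl, levels):
    """ACLs of the root class and of `levels` successive subclasses."""
    acls = [list(root_acl)]
    for _ in range(levels):
        acls.append(subclass_acl(acls[-1]))
    return acls

# Constructed sample ACL for a root class.
ROOT = [
    ACE("creators", "Default", ONLY),
    ACE("reviewers", "Direct", IMMEDIATE),
    ACE("auditors", "Direct", ALL),
    ACE("admins", "Direct", ONLY),
]

if __name__ == "__main__":
    for level, acl in enumerate(lineage(ROOT, 2)):
        print(f"level {level}:")
        for ace in acl:
            print(f"  {ace.grantee:10} {ace.source:10} {ace.depth}")
```

In this model the copied Default ACE reaches every level with its source unchanged, while the "immediate children" ACE is present on the first subclass and absent from the second.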

For a discussion of property inheritance between classes, see Inheritance between classes.

Summary of security sources

The table below summarizes how classes receive default security. Security inheritance takes place only if the source class or object has inheritable permissions:

| Object | Initial security comes from... | Inherits additional security from... | Its security can be inherited by... |
| --- | --- | --- | --- |
| Folder | Its class. Security policy, if configured. | Its parent folder (the folder immediately above), if the Inherit parent permissions check box is selected on the child folder. | Child folders, if Inherit parent permissions is enabled on those child folders, and if there are inheritable ACEs. Documents or custom objects that consider the folder their security folder, if the folder has inheritable ACEs. |
| Document | Its class. Security policy, if configured. | Security folder, if configured using Security Parent or Security Folder properties. Custom object-valued properties with Security Proxy Type set. See Configure security inheritance. | Any annotations assigned to the document version, if the document has inheritable ACEs. |
| Custom object | Its class. Security policy, if configured. | Same as Document. | <none> |
| Annotation | Its class. | Document. | <none> |
| Other Classes | Its parent class. | Any additional parent classes up to the top of the class hierarchy. | Child classes, if there are inheritable ACEs. |