This topic answers the question, "What is the security behavior if administrators and users do nothing to change it?"
Members of the groups added to the Object Store Wizard as object store administrators have Full Control of object stores and their contents, which means that while using Enterprise Manager they can perform any valid action on any item. See the Reference section for the specific actions.
When creating an object store, the administrator selects one or more groups that will have basic, nonadministrative access rights. For example, if the administrator selects the Domain Users group as the nonadministrative group when creating an object store, users of the Workplace and Workplace XT applications can:
NOTE A new folder acquires its initial security from the Folder class, which grants Full Control to the folder creator (also called Owner Control), Full Control to members of the object store administrative groups, but only View Properties access to Domain Users. A user must have Add to Folder access rights to put documents in the folder. This means that, by default, users can create top-level folders and add items to their own folders. However, users cannot add items to the folders created by other users.
Other access rights are not set one way or the other, which means they are implicitly denied to members of nonadministrative groups.
NOTE For any given access right (for example, View Properties), an access right has three possible settings: Allow, Deny, or neither. If an access right is neither explicitly allowed nor explicitly denied, it is "implicitly denied."
Users of other client applications (such as WebDAV and Application Integration for Office) are subject to the same security as application users but typically cannot perform as many operations.