Security inheritance refers to the passing of permissions from a parent object to a child object. For instance, a folder could be the parent of a subfolder or a document; a document could be the parent of an annotation. The child object can inherit the security permissions from its parent object. Because of inheritance, the security administrator can apply security updates to many objects in one operation by setting the permissions at the parent level which can then be inherited by the children at all levels.
Some important characteristics of inherited permissions are:
Each ACE has an inheritable depth setting that is invoked if the ACE is configured to be inherited by a child object. The inheritable depths are:
The Enterprise Manager security editor lets you set inheritable depth in its Apply to section:
See Configure inheritable depth for more information.
NOTE The setting for inheritable depth does not apply to situations where the ACE is being applied in non-inheritance conditions. For example, an ACE on a Default Instance Security ACL of a class will be applied to an instance of that class, even if the ACE has an inheritable depth of This object only, because the application of security from a Default Instance ACL is considered default security and not inherited security.
You can configure the relationship between a parent and child object in several ways, described below.
Security Parent
When a folder's Security Parent property is configured, that folder becomes a Security Parent for the documents and custom objects contained within it. That is, inheritable permissions are inherited by the Security Parent folder's documents and custom objects.
NOTE This feature has been deprecated as of 4.0.1, although it is still available for compatibility with earlier versions. Any existing applications that use this feature will continue to work as before, without change.
You can see the Security Parent property on all documents and custom objects: in Enterprise Manager, right-click the document or custom object, select Properties, then click the Properties tab and scroll down the list of properties.
Security Folder
A Security Folder is a folder from which an object inherits security, but there is no requirement that its security children be filed in the folder. You can see the Security Folder property on all documents and custom objects: in Enterprise Manager, right-click the document or custom object, select Properties, then click the Properties tab and scroll down the list of properties.
Security Proxy Type
Content Engine provides extensible security parent relationships by means of the Security Proxy Type property placed on the metadata of custom object-valued properties. This property acts as a security parent. You can add this property to any class of objects as required by your security design. An object can have many such Security Proxy Type properties—that is, many security parents—with the inherited ACEs from each being merged together and contributing with equal priority to the access check that produces the final security mask.
You can apply the Security Proxy Type property to objects other than folders. For example, you could use the Security Proxy Type property on a custom object so that it was the security parent to a document. You can see the Security Proxy property on all objects: in Enterprise Manager, right-click the object, select Properties, then click the Properties tab and scroll down the list of properties.
See Configure security inheritance to configure these security inheritance features.
For configuring inheritance on documents and custom objects, see Configure a document's security parent and Configure a folder to be a security parent.
Folders have an Inherit parent permissions check box on the General tab of their property sheets in Enterprise Manager. This check box governs inheritance between folders. When you select it, the folder will inherit permissions from its parent folder if the parent folder has inheritable permissions (see Inheritable depth above). This option is selected by default. Clearing the check box removes any ACEs that were formerly inherited from the parent folder.
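As an added illustration (not code from the Content Engine documentation or product), the following Python model encodes the rules stated above: a class's Default Instance Security ACL is applied as default security regardless of inheritable depth, only ACEs with depth "This object and all children" reach a child and arrive marked Inherited, the Inherit parent permissions check box gates inheritance from the parent folder, and several security parents (Security Folder, Security Proxy Type properties) merge at equal priority into the final mask. The rights bits, the deny-wins rule and all function names are assumptions of the example.

```python
from dataclasses import dataclass, replace
from enum import Enum

class Source(Enum):
    DEFAULT = "Default"
    DIRECT = "Direct"
    INHERITED = "Inherited"

class Depth(Enum):
    THIS_OBJECT_ONLY = "This object only"
    ALL_CHILDREN = "This object and all children"
# Constructed rights bits for the demo; not Content Engine's real access-mask values.
READ, WRITE, DELETE = 1, 2, 4

@dataclass(frozen=True)
class Ace:
    grantee: str
    rights: int
    allow: bool   # False = deny; assumed: a deny wins over an allow, whichever parent supplies it
    source: Source
    depth: Depth

def default_instance_aces(class_default_acl):
    """Default Instance Security ACL -> new instance: this is default security, not inheritance,
    so every ACE is applied as Source=Default and its inheritable depth is ignored."""
    return [replace(a, source=Source.DEFAULT) for a in class_default_acl]

def inheritable_aces(parent_aces):
    """What a child may inherit from one security parent: only ACEs whose depth reaches
    children, re-marked as Source=Inherited. 'This object only' stops inheritance."""
    return [replace(a, source=Source.INHERITED) for a in parent_aces if a.depth is Depth.ALL_CHILDREN]

def effective_aces(own, parent_folder=None, proxy_parents=(), inherit_parent_permissions=True):
    """Merge an object's own (Default/Direct) ACEs with ACEs inherited from every security parent.
    The parent folder contributes only while 'Inherit parent permissions' is selected; Security
    Folder / Security Proxy Type parents all contribute at equal priority."""
    merged = list(own)
    if parent_folder is not None and inherit_parent_permissions:
        merged.extend(inheritable_aces(parent_folder))
    for parent in proxy_parents:
        merged.extend(inheritable_aces(parent))
    return merged

def access_mask(aces, principal):
    """Final security mask for one principal over the merged ACE list."""
    allowed = denied = 0
    for a in (x for x in aces if x.grantee == principal):
        if a.allow: allowed |= a.rights
        else: denied |= a.rights
    return allowed & ~denied
```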
When you make a new subclass from a class, permissions are passed from the parent class to the new child class in a manner that is not inheritance. When you make a new subclass, those permissions of the originating class that have a Source type of Default or Direct are exactly copied to the new subclass with no change in source type or inheritable depth.
During subclassing, the child class receives the ACEs of its parent as described in the following table. Notice that Default permissions with inheritable depth of This object only are not inherited by the child; rather they are copied without change and are therefore modifiable on the child object.
If the ACE on the parent class is marked… | … then the same ACE on the subclass will be marked… | Inheritance or copy? |
---|---|---|
Source = Default; Inheritable depth = "This object only" | Source = Default; Inheritable depth = "This object only" | Copy |
Source = Direct | Source = Inherited; Inheritable depth = "This object only" | Inheritance |
Source = Direct or Inherited; Inheritable depth = "This object and all children" | Source = Inherited; Inheritable depth = "This object and all children" | Inheritance |
Source = Direct or Inherited; Inheritable depth = "This object only" | Does not appear. Inheritance is stopped by the inheritable depth. | Not applicable |
For a discussion of property inheritance between classes, see Inheritance between classes.
The table below summarizes how classes receive default security. Security inheritance takes place only if the source class or object has inheritable permissions:
Object | Initial security comes from... | Inherits additional security from... | Its security can be inherited by... |
---|---|---|---|
Folder | Its class. Security policy, if configured. | Its parent folder (the folder immediately above), if the Inherit parent permissions check box is selected on the child folder. | Child folders, if Inherit parent permissions is enabled on those child folders, and if there are inheritable ACEs. Documents or custom objects that consider the folder their security folder, if the folder has inheritable ACEs. |
Document | Its class. Security policy, if configured. | Security folder, if configured using the Security Parent or Security Folder properties. Custom object-valued properties with Security Proxy Type set. See Configure security inheritance. | Any annotations assigned to the document version, if the document has inheritable ACEs. |
Custom object | Its class. Security policy, if configured. | Same as Document. | <none> |
Annotation | Its class. | Document. | <none> |
Other Classes | Its parent class. | Any additional parent classes up to the top of the class hierarchy. | Child classes, if there are inheritable ACEs. |