Users and groups required by FileNet P8 Platform

This topic describes the users, groups, security access roles, and security-related responsibilities required to install, configure, and administer FileNet P8 and its family of applications.

Accounts are referred to in documentation in the following ways:

If you see a reference to an account that you do not understand, search this topic for the account's display name or its variable designator, and find its definition.

Required for installation and initial configuration - summary

Role/responsibility/tasks Description

Content Engine system user
Application server administrative account that is used to create the GCD and start Content Engine.

Application server administrator: WebLogic, WebSphere
Administrator who configures the application server that will contain Content Engine.
NOTE   JBoss does not require an administrative account.

Install Content Engine (Content Engine)
Administrator who installs Content Engine on Windows or UNIX.

Install Process Engine (Process Engine)
Administrator who installs Process Engine.

Accounts required by Process Engine installation program (Windows) (Process Engine)
Several users and groups required by the Process Engine/Windows installation program.

Accounts required by Process Engine installation program (UNIX) (Process Engine)
Several local users and groups required by the Process Engine/UNIX installation program.

Install Application Engine (Application Engine)
Administrator who installs the Application Engine.

Publishing user account (Rendition Engine)
A Windows domain user account that must be added to the local Administrators group on all Rendition Engine servers.

Required for database creation and connectivity - summary

Role/responsibility/tasks Description

Content Engine SQL Server account
Creates and maintains connectivity for Content Engine using SQL Server.

Content Engine Oracle account
Owns and maintains connectivity for Content Engine using Oracle.

Content Engine DB2 for Linux, UNIX and Windows account
Creates and maintains connectivity for Content Engine using DB2® for Linux, UNIX, and Windows.

Content Engine DB2 for z/OS account
Creates and maintains connectivity for Content Engine using DB2® for z/OS.

Process Engine database administrators group: Windows and UNIX
Database administrators group (default = dba) required by the Process Engine installation program for Oracle databases.

Process Engine ORA_DBA group (Process Engine, Windows authentication only)
ORA_DBA group is required to install Process Engine on Windows, using Oracle.

Process Engine Oracle account
Oracle user (default = oracle) is required by the Process Engine installation program for Oracle.

Rendition Engine SQL Server account (Rendition Engine, SQL Server only)
Required by the Rendition Engine installation program.

Required for administration - summary

Role/responsibility Description

GCD administrators (Content Engine)
Administrators with Full Control on the FileNet P8 domain object.

Object store administrators (Content Engine)
Administrators with Full Control on an object store, including the "Set Any Owner" privilege on any object in it.

Content Engine directory service user (Content Engine)
Used by Content Engine to connect to Sun, Novell, IBM, Active Directory, or ADAM.

Content Engine operating system account (Content Engine)
Required to configure the shared root directory of a file storage area.

Autonomy K2 server accounts (Content Engine/Autonomy K2)
User and group accounts used by Content Engine to connect to the Autonomy K2 server for CBR, and the operating system account that K2 services run as.

Process Engine service user (Process Engine)
Account used by Process Engine when connecting to Content Engine.

Process Engine administrators group (Process Engine)
Group whose members have administrative privileges for Process Engine.

Process Engine configuration group (Process Engine)
Group whose members have configuration privileges for workflows on Process Engine.

Application Engine administrator role
Role whose members have administrative privileges for the Application Engine or Workplace XT servers.

CFS for IS user (Content Federation Services)
Account that Content Engine uses to log in to the Image Services system.

Required for Workplace and Workplace XT applications - summary

Access roles Description

PSConsole, PSDesigner, PWAdministrator, PWConfiguration, PWDesigner, PWDiagram
Optional access roles. Members of the Application Engine administrator role can define new access roles to limit access to application features.

Required for internal operations - summary

Role/responsibility Description
#AUTHENTICATED-USERS
(Content Engine)
A logical group principal whose members are all authenticated users.
CREATOR-OWNER
(Content Engine)
The special account granted to the user who creates an object.

Process Engine internally required accounts created by installation program:

Accounts used internally by Process Engine for specific administration or troubleshooting activities. The accounts are automatically created by the Process Engine installation program. Reset the initial passwords to maintain system security.

Required for installation and initial configuration - details

Content Engine system user (Bootstrap admin)

Description

ce_bootstrap_admin

An application server administrative account that is stored in the CEMPBoot.properties file and is used first to create the GCD and thereafter is the account that Content Engine uses to run as. Also known as the bootstrap admin.

Additional info

This account is used to log in to the application server, access the datasources named in the GCDConnection property, and create the GCD. Content Engine cannot start if this user cannot log in to the application server.

This account should be used only for this purpose and should not be considered an all-purpose administrative account.

Any deployments of the EAR file for the same FileNet P8 domain must have the same property values. IBM also recommends that you exempt this account from policies requiring periodic password change.

If you change your system's login parameters so that the Content Engine system user's credentials are no longer valid, Content Engine will not be able to start. For example, if you change the User Short Name Attribute or User Search Filter in the application server's authentication provider and in Enterprise Manager's P8 Domain Properties > Modify Directory Configuration > User property sheet from "samAccountName" to "distinguishedName", you must also make the same change to the com.filenet.gcd.Username property in the CEMPBoot.properties file. For information about changing the ID or password of the Content Engine system user, see Content Engine bootstrap properties.

ce_bootstrap_admin is the creator of the new P8 domain. The first time you start Enterprise Manager following initial installation and deployment, you log in as the ce_bootstrap_admin. During this initial start, you will run the Configure New Domain Permission wizard. This wizard prompts you to add at least one user or group account to the list of GCD administrators (that is, accounts with Full Control access to the GCD). The ce_bootstrap_admin will remain on the list of GCD administrators unless some other GCD administrator explicitly removes it. However, it is a best practice to remove it, and to keep the ce_bootstrap_admin (in its role as application server administrator) for the sole purpose of serving as the account that Content Engine runs as.

Minimum required permissions

This is a directory service account that is also an application server administrator. The important permission it needs on the application server is access to the GCD datasources.

When is it created and when is it needed?

These credentials are captured and configured by the Content Engine Configuration Manager.

The account remains in the CEMPBoot.properties file as it is required to start Content Engine.

See also

Refer to Content Engine bootstrap properties. See also the entry for GCD administrator.

To change the ce_bootstrap_admin password, see How to change Content Engine system user password.

 

WebLogic administrator

Description

Administrator who configures WebLogic before Content Engine is installed. This account is used by Configuration Manager to deploy the Content Engine EAR file on each Content Engine server. This administrator also logs on to the WebLogic console in order to create:

  • Authentication provider objects needed for multi-realm authentication or to add additional login parameters to existing realms.
  • Datasources required for each object store.

This administrator can be the same as the Content Engine system user, if you enter the same credentials for both in Configuration Manager.

Minimum required permissions

Full administrative control over the WebLogic domain that will contain Content Engine.

When is it created and when is it needed?

This account is required to configure WebLogic for the Content Engine application prior to deployment and for maintenance. Enter the credentials of this account while using Configuration Manager to configure Content Engine. The account is required on an ongoing basis.

See also

"Specify IBM FileNet P8 Accounts" and "Configure WebLogic for Content Engine" in Plan and Prepare Your Environment for IBM FileNet P8 Platform.

For information about creating datasources, see the "Create the initial object store" task in the FileNet P8 Platform Installation and Upgrade Guide.

WebSphere administrator

Description

Administrator who configures WebSphere before Content Engine is installed. This account is used by Configuration Manager to deploy the Content Engine EAR file on each Content Engine server. This administrator also logs on to WebSphere in order to create datasources required for each object store.

The WebSphere administrator is an alias to an actual account in the configured directory server. If WebSphere global security is turned on, the account must reside in the configured directory server.

This administrator can be the same as the Content Engine system user, if you enter the same credentials for both in Configuration Manager.

Minimum required permissions

Full administrative control over the WebSphere domain that will contain Content Engine.

When is it created and when is it needed?

This account is required to configure WebSphere for the Content Engine application prior to deployment and for maintenance. Enter the credentials of this account while using Configuration Manager to configure Content Engine. The account is required on an ongoing basis.

See also

"Specify IBM FileNet P8 Accounts" and "Configure WebSphere for Content Engine" in Plan and Prepare Your Environment for IBM FileNet P8 Platform.

For information about creating datasources, see the "Create the initial object store" task in the FileNet P8 Platform Installation and Upgrade Guide.


Install Content Engine

Description

ce_install_user

Permissions needed to run the Content Engine installation program.

Minimum required permissions

On a Windows server: log in as a Local administrator.

On AIX®: log in as root.

On Unix servers except AIX: you must have read/write/execute permissions on the FileNet application server instance and temp directories.

When is it needed?

Required in order to run the Content Engine installation program.

See also

"Specify IBM FileNet P8 Accounts" in Plan and Prepare Your Environment for IBM FileNet P8 Platform.

"Install and Configure Content Engine" in the FileNet P8 Platform Installation and Upgrade Guide.

Publishing user account

Description

(Content Engine, if installing the Rendition Engine) A Windows domain user account that must be added to the local Windows Administrators group on all Rendition Engine servers.

Minimum required permissions

Domain privileges in the Windows domain that contains the FileNet P8 domain and local administrator privileges on the machine where the Rendition Engine is installed.

Additional info

Installation instructions refer to this user as FNRE_Admin, but you could use any Windows domain account.

On all servers where you intend to install Publishing components (Publishing Plug-in servers and Rendition Engine servers that will contain the publishing software), log in as a local administrator and add the domain_name\FNRE_Admin account to the local Administrators group. You will then log in as this user to run the Rendition Engine installation program.

When is it created?

"Install and configure FileNet Publishing components" in the FileNet P8 Platform Rendition Engine Installation and Upgrade Guide.

When is it needed?

Required on an ongoing basis if your Content Engine installation includes a Rendition Engine.

Login requirements for running the Process Engine installation program (all platforms)

Description

pe_install_user

The user who runs the Process Engine installation program.
Minimum required permissions

Windows: A Windows administrator for the local machine. This user must also have administrator privileges on the database if you plan to run the database scripts using OS authentication. You can log in as the local Windows Administrator or create a user (with the specified permissions) expressly for the purpose of running the Process Engine installation program.

UNIX: The root user, running in either the Bourne or Korn shell.

When is it needed?

(Windows only) If you created a user specifically to run the Process Engine installation program, you can delete that user after the installation program completes.

See also

"Specify IBM FileNet P8 Accounts" in Plan and Prepare Your Environment for IBM FileNet P8 Platform.

"Install Process Engine" in the FileNet P8 Platform Installation and Upgrade Guide.

Accounts required by the Process Engine installation program (Windows)

Description

Several local operating system users and groups, or their assigned aliases, required by the Process Engine installation program. Requirements vary depending on the database:

Groups (Oracle): fnadmin, fnusr, fnop, <database administrators group; default group name = dba>, ORA_DBA.
Users (Oracle): fnsw, <Oracle user; default user name = oracle>

Groups (MS SQL Server): fnadmin, fnusr, fnop
User (MS SQL Server): fnsw

Groups (DB2): fnadmin, fnusr, fnop
User (DB2): fnsw

Minimum required permissions

The fnsw user is added to the following groups during installation: fnadmin, fnusr, fnop, ORA_DBA and the <dba> group. If you predefine these users and groups, you must add fnsw to these groups manually before running the Process Engine installation program. If the database is Oracle, the fnsw user can be removed from the ORA_DBA group when the installation is complete.

Windows: The fnsw user is added to the local Windows Administrator group, and is given local security user rights of:

  • Log on as a service.
  • Act as part of the operating system.
  • Increase quotas.
  • Replace a process level token.

If the database is Oracle, the <Oracle> user is a member of the ORA_DBA group. The <Oracle> user can be removed from the ORA_DBA group when the installation is complete. If you have a remote database and are not using the Oracle user for Oracle database activities, then the Oracle user can also be removed.

Additional info

fnadmin: Members have all privileges on Process Engine files and databases.
fnusr: Members have non-administrator privileges on Process Engine files and databases.
fnop: Members have non-administrator operator privileges on Process Engine.
Oracle database administrators group: Members act as database administrators.
fnsw: Primary Process Engine user. Used to execute Process Engine software and services. It is a best practice to reset the initial password to maintain system security. See "Install Process Engine" in the FileNet P8 Platform Installation and Upgrade Guide for further considerations in resetting the fnsw password.

When is it created?

These accounts are defined automatically during the Process Engine installation (unless predefined by the user); automatic definition includes setting the minimum required permissions described above.

When is it needed?

Required on an ongoing basis by Process Engine.

See also

"Specify IBM FileNet P8 Accounts" in Plan and Prepare Your Environment for IBM FileNet P8 Platform.

"Install Process Engine" in the FileNet P8 Platform Installation and Upgrade Guide for further information about resetting the fnsw password.

Accounts required by the Process Engine installation program (UNIX)

Description

Several operating system users and groups, or their assigned aliases, required by the Process Engine installation program.
Groups: fnadmin, fnusr, fnop, <database administrators group; default group name = dba>
Users (Oracle): fnsw, <Oracle user; default user name = oracle>
Users (DB2): fnsw

Minimum required permissions

For the fnsw user, the primary group must be fnusr, and fnop, fnadmin and <dba> must be secondary groups. The Korn shell must be the default shell for the fnsw user. If the database is Oracle, the fnsw user can be removed from the <database administrators group> when the installation is complete.

For the root user, fnadmin and fnusr must be secondary groups. The Korn shell must be the default shell for the root user.

For the <Oracle> user, the primary group must be <dba> and fnusr must be a secondary group.
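The group and shell requirements above are easy to get subtly wrong when the accounts are predefined by hand (the wrong primary group, or a Bourne shell left on fnsw). The following POSIX shell script is an added example, not IBM code and not part of the installation program; it verifies each documented requirement before the installation program is run. It assumes the documented default names dba and oracle, overridable through the DBA_GROUP and ORACLE_USER variables, and reads the passwd and group files named in PASSWD_FILE and GROUP_FILE (defaults /etc/passwd and /etc/group) so that it can also be run against copies pulled from the target host.

```shell
#!/bin/sh
# Pre-flight check of the Process Engine account layout on a UNIX host.
# Added example, not IBM code. PASSWD_FILE and GROUP_FILE default to the
# live system files; DBA_GROUP and ORACLE_USER default to the documented
# default names and are assumptions to override for the local site.
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
GROUP_FILE="${GROUP_FILE:-/etc/group}"
DBA_GROUP="${DBA_GROUP:-dba}"
ORACLE_USER="${ORACLE_USER:-oracle}"

# primary_group USER: print the name of USER's primary group (resolved via its GID).
primary_group() {
    gid=$(awk -F: -v u="$1" '$1 == u { print $4; exit }' "$PASSWD_FILE")
    [ -n "$gid" ] || return 1
    awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$GROUP_FILE"
}

# login_shell USER: print USER's login shell from the passwd file.
login_shell() {
    awk -F: -v u="$1" '$1 == u { print $7; exit }' "$PASSWD_FILE"
}

# in_secondary USER GROUP: succeed if USER appears in GROUP's member list.
in_secondary() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }' "$GROUP_FILE"
}

# is_ksh USER: succeed if USER's login shell is a Korn shell (ksh or ksh93).
is_ksh() {
    case "$(basename "$(login_shell "$1")")" in
        ksh|ksh93) return 0 ;;
        *) return 1 ;;
    esac
}

eq() { [ "$1" = "$2" ]; }

# need DESCRIPTION COMMAND...: run COMMAND; on failure report it and count it.
need() {
    desc=$1; shift
    if "$@"; then
        :
    else
        echo "FAIL: $desc"
        fails=$((fails + 1))
    fi
}

# check_pe_accounts: verify every documented requirement and return the
# number of violations (0 means the layout matches the documentation).
check_pe_accounts() {
    fails=0
    need "fnsw primary group is fnusr" eq "$(primary_group fnsw)" fnusr
    for g in fnop fnadmin "$DBA_GROUP"; do
        need "fnsw is a secondary member of $g" in_secondary fnsw "$g"
    done
    need "fnsw login shell is the Korn shell" is_ksh fnsw
    for g in fnadmin fnusr; do
        need "root is a secondary member of $g" in_secondary root "$g"
    done
    need "root login shell is the Korn shell" is_ksh root
    need "$ORACLE_USER primary group is $DBA_GROUP" eq "$(primary_group "$ORACLE_USER")" "$DBA_GROUP"
    need "$ORACLE_USER is a secondary member of fnusr" in_secondary "$ORACLE_USER" fnusr
    return "$fails"
}
```

Source the file and call check_pe_accounts as root before starting the installation program; the return value is the number of violations, so a wrapper script can refuse to proceed while it is non-zero. The secondary-group test deliberately reads the group file's member list rather than the output of id, so it reports exactly the memberships the installation program will see and does not depend on the caller's current session.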

Additional info

fnadmin: Members have all privileges on Process Engine files and databases.
fnusr: Members have non-administrator privileges on Process Engine files and databases.
fnop: Members have operator non-administrator privileges on Image Services utilities.
Oracle database administrators group: Members act as database administrators.
fnsw: Primary Process Engine user. Used to execute Process Engine software and services.

When is it created?

Manually created prior to running the Process Engine installation program.

When is it needed?

Required on an ongoing basis by Process Engine.

See also

"Specify IBM FileNet P8 Accounts" in Plan and Prepare Your Environment for IBM FileNet P8 Platform.

"Install Process Engine" in the FileNet P8 Platform Installation and Upgrade Guide.

Install Application Engine

Description

ae_install_user

The administrator who installs the Application Engine.
Minimum required permissions

Unix: Administrator must have:

  • write access to the /bin directory
  • read, write, and execute access to the directory where you plan to install Application Engine.

Windows: Administrator must belong to the local Administrators group or a user with equivalent permissions.

Additional info

The FileNet P8 WebDAV provider is installed along with the Application Engine and is administered by the administrator who installs the Application Engine.

When is it needed?

To run the Application Engine installation program.

See also

"Specify IBM FileNet P8 Accounts" in Plan and Prepare Your Environment for IBM FileNet P8 Platform.

"Install and configure Application Engine" in the IBM FileNet P8 Platform Installation and Upgrade Guide.

Required for database creation and connectivity - details

Content Engine SQL Server account

Description

ce_db_user

Creates and maintains connectivity between Content Engine and Microsoft SQL Server databases containing the GCD and object stores.

Minimum required permissions

SQL Server Roles: System Administrators, Server Administrators, and Database Creators.

Database Access: public and db_owner for GCD database and all object store databases.

Also add this user to SQL Server's master database and grant it the SqlJDBCXAUser role, along with the public role, so it can participate in distributed transactions with the Java™ Database Connectivity (JDBC) driver.

Additional info

You can use the same account for the GCD and object store databases. This account can optionally reside in the configured directory service.

When created

Must be created and configured in SQL Server before running the Content Engine installation program (for the GCD) and before running Enterprise Manager's object store wizard.

See also

"Specify FileNet P8 Accounts" in Plan and Prepare Your Environment for IBM FileNet P8 Platform.

"Install and Deploy Content Engine" in the IBM FileNet P8 Platform Installation and Upgrade Guide.

Content Engine Oracle account

Description

ce_db_user

Creates and maintains connectivity between Content Engine and Oracle databases containing the GCD and object stores.

Minimum required permissions

CREATE SESSION, CREATE TABLE, and CREATE SEQUENCE system privileges.

Additional info

The Oracle roles CONNECT and RESOURCE combine to include the minimal privileges required by Content Engine, which are CREATE SESSION, CREATE TABLE, and CREATE SEQUENCE. Because these two roles include other privileges as well, you can design your own roles if you prefer to grant only the minimal privileges required by Content Engine.

You must create a different Oracle user for each Content Engine database. That is, multiple object stores must not share the same Oracle user, because otherwise the objects you intend to add to one object store will show up in all those object stores that share the same Oracle user.

This account can optionally reside in the configured directory service.

When created

Must be created and configured in Oracle before running the Content Engine installation program (for the GCD) and before running Enterprise Manager's object store wizard.

See also

"Specify FileNet P8 Accounts" in Plan and Prepare Your Environment for IBM FileNet P8 Platform.

"Install and Deploy Content Engine" in the IBM FileNet P8 Platform Installation and Upgrade Guide.

Content Engine DB2 for Linux, UNIX, and Windows account

Description

ce_db_user

Creates and maintains connectivity between Content Engine and DB2 for Linux, UNIX, and Windows databases containing the GCD and object stores.

Minimum required permissions

CREATETAB and CONNECT ON DATABASE.

USE OF TABLESPACE on User and User Temp DB2 table spaces used for GCD and object stores.

Additional info

The Content Engine DB2 account is created on the AIX operating system first. It can be the instance owner, the fenced user, or, preferably, a completely separate user with the above permissions granted to it. This account can optionally reside in the configured directory service.

When created

Must be created and configured in DB2 before running the Content Engine installation program (for the GCD) and before running Enterprise Manager's object store wizard.

See also

"Specify FileNet P8 Accounts" in Plan and Prepare Your Environment for IBM FileNet P8 Platform.

"Install and Configure Content Engine" in the IBM FileNet P8 Platform Installation and Upgrade Guide.

Content Engine DB2 for z/OS® account

Description

ce_db_user

Creates and maintains connectivity between Content Engine and DB2 for z/OS databases containing the GCD and object stores.

Minimum required permissions

These are operating system user accounts on the database server that are granted database permissions as follows:

GRANT SYSADM TO ce_db_user;

GRANT USE OF STOGROUP storagegroupname TO ce_db_user;

GRANT USE OF BUFFERPOOL BP32K TO ce_db_user;

GRANT SELECT ON SYSCAT.DATATYPES TO ce_db_user;

GRANT SELECT ON SYSIBM.SYSVERSIONS TO ce_db_user;

Use one account for the GCD (for example, ce_db_user1) and one for each object store (for example, ce_db_user2, ce_db_user3, and so on).

Additional info

DB2 for z/OS does not allow underscores in account names.

When created

Must be created and configured in DB2 before running the Content Engine installation program (for the GCD) and before running Enterprise Manager's object store wizard.

See also

"Specify FileNet P8 Accounts" in Plan and Prepare Your Environment for IBM FileNet P8 Platform.

"Install and Configure Content Engine" in the IBM FileNet P8 Platform Installation and Upgrade Guide.

Rendition Engine SQL Server account

Description

Creates and maintains connectivity for Rendition Engine installations that use SQL Server.

Minimum required permissions

Any user with SQL Server's "Create Database" permission.

Any SQL Server user with SQL Server's "Database Creators" server role. (In SQL Server Enterprise Manager, navigate to Security > Logins. Right-click the user's name and select Properties. Click the Server Roles tab and select at least Database Creators.)

Additional info

This user is a safer alternative to using SQL Server's SA or SYS users, which will also satisfy the configuration requirements. (This user is not the same as the FNRE_Admin user.)

When created

As part of installing FileNet Publishing components (Vista configuration).

See also

"Install and configure FileNet Publishing components" in the FileNet P8 Platform Rendition Engine Installation and Upgrade Guide.

Required for administration - details

GCD administrator role

Description

gcd_admin

(Content Engine) Users and groups who have been granted Full Control over the FileNet P8 domain object.
Additional info

Full Control over the FileNet P8 domain object is a security level comprised of the following access rights:

  • View and modify all properties
  • Create and delete child objects
  • Read and modify permissions

In the following screen capture, the selected user has Full Control access to Enterprise Manager's Domain Root Properties > Security property sheet and is therefore a GCD administrator. A GCD administrator can grant Full Control rights to additional users and groups, thereby making them GCD administrators as well.

GCD Administrators have Full Control access to the Domain Root object

Being a GCD administrator does not automatically make you an object store administrator, which is a role assigned on the object store's own property sheet.

When created

Configuration Manager, in its Configure Bootstrap Properties panel, requests the credentials of the initial GCD administrator, referred to there as the "Bootstrap user name". This account will serve in both roles unless you change one of them. This account must reside in the directory service specified in Configuration Manager's Configure LDAP panel.

When you start Enterprise Manager for the first time after Content Engine deployment, running as the GCD Administrator, you will:

  1. Complete the Directory Configuration Wizard which automatically opens the first time you start Enterprise Manager. This Wizard connects Content Engine to the directory server for authorization. See Directory service provider integration for more information.
  2. Complete the Domain Permissions Wizard which lets you assign additional users and groups to the role of GCD administrator if you wish.

NOTE  Even if you assign additional GCD Administrators and remove the first GCD Administrator, the initial Bootstrap user account remains as the ce_bootstrap_admin. See the entry for the Content Engine System user for more information.

You can add or remove users or groups from this list at any time later on. See Add or remove a GCD administrator.

When is it needed?

Whenever you log in to Enterprise Manager to create or change a FileNet P8 domain resource.

See also

For descriptions of FileNet P8 domain resources, see Concepts: FileNet P8 Domain in Help for Content Engine Administration.

For descriptions of the wizards mentioned above, see Administer directory configurations and Configure New Domain Permissions Wizard.

Object store administrator role

Description

object_store_admin

object_store_admin_group

(Content Engine) Users and groups who have been granted Full Control access to an object store.

Additional info

Full Control over an object store is a security level comprised of the following access rights:

  • Connect to store, and create new and modify existing objects (not including P8 domain objects)
  • Delete objects
  • Set owner of any object
  • Read and modify permissions.

In the following screen shot any accounts with Full Control permission to the object store (named "store" in this example) are its object store administrators.

members with Full Control permissions to the object store are its object store administrators

NOTE  See Object store access rights for information about why Modify certain system properties is not included in Full Control.

Each time a GCD administrator runs the Object Store Wizard, the wizard asks for the users and groups who should have administrative access to the object store. Each object store can therefore have a different set of administrators. Conversely, if you want the same groups to administer all object stores in the FileNet P8 domain, you must add them while creating each new object store in the Object Store Wizard. By default, the GCD administrator creating the object store also becomes an object store administrator.

Object store administrative rights do not include the ability to add, move, or remove object stores, fixed content devices, content cache areas, or any of the other FileNet P8 domain resources. These permissions are granted only to GCD administrators.

An object store administrator is not also a GCD administrator unless also specifically granted those permissions. This means that an object store administrator who is not also a GCD administrator would have to request that a GCD administrator create a new domain resource like an object store. Once these objects are created by the GCD administrator, however, the object store administrator can populate the object store with new classes and folders, store content in the file storage area, assign markings, and so on.

When is it created?

Specified each time a GCD administrator runs the Object Store Wizard to create a new object store. Any user or group with Full Control on this security page is an administrator of that object store. The list of object store administrators is available for viewing and modifying in Enterprise Manager's Object Store Properties > Security property page. You can add or remove users or groups from this list at any time later on. See Add or remove an object store administrator.

NOTE  Keeping the number of accounts assigned as object store administrators or object store users as small as possible will improve performance and simplify administration. The best way to do this is to use group accounts instead of large numbers of individual users. Groups can have as many members as you wish and can be nested (that is, contain other groups).

When is it needed?

Required for ongoing administration of the object store.

See also

Logging on and using Enterprise Manager in Help for Security.

Directory service user (Content Engine)

Description

ce_service_user

Used by Content Engine to connect to the directory server.
Minimum required permissions

The directory service user must be configured with the following minimum rights for each security realm that will be configured for your FileNet P8 domain:

Sun Java™ System Directory Service: Read, Search, Compare

Novell® eDirectory: Compare, Read

IBM® Tivoli®: Read, Search, Compare

Microsoft® Active Directory®: Must belong to the Pre-Windows 2000 Compatible Access Group in each desired domain in the Active Directory forest.

Microsoft ADAM®: Ability to see the other users in the partition. To configure this, do the following steps:

  1. Start ADAM ADSI Edit under Start > All Programs > ADAM.
  2. Connect to the partition. Expand the partition in the left-hand pane and click the CN=Roles node. (Be sure you have selected the CN=Roles container in the partition, not the one under CN=Configuration.)
  3. In the right-hand pane right-click the CN=Readers group and select Properties.
  4. In the Attributes list double-click the “member” attribute.
  5. Click Add ADAM Account.
  6. Enter the full DN of the user to be designated as the service user while running the Content Engine installation program, and click OK.
  7. Click OK and click OK again.
Additional info

When retrieving information from the directory service, Content Engine connects using this account. For example, in Enterprise Manager this occurs when you open the Select Users and Groups window to search for and add accounts to an object's ACL.

The Directory Service User cannot be accessed using referrals.

When is it created?

Any time before installing Content Engine. Available for viewing and modifying in Enterprise Manager: see Directory configuration properties (General tab) in Help for Content Engine Administration.

When is it needed?

Whenever Content Engine accesses the directory service.

Operating system account (Content Engine)

Description

ce_os_user

Account used to create and configure the shared root directory of a file storage area or content cache area.

For Windows-based Content Engine and file storage areas, the operating system (OS) account must reside in the same Windows domain or in trusted Windows domains as the servers that host Content Engine and the file storage area.

For Unix-based Content Engine and file storage areas, configuring security requires the use of NFS.

Additional info

The operating system user who logs on to the Content Engine server and starts the local application server process is the account that must be used to secure the folders and files in a file storage area. From a practical standpoint, the account that is used to install the application server should be the same account that is used to start the application server process. As an administrator, you will always log in using the same ce_os_user account to secure the folders and files in the file system that Content Engine will use for a file storage area.

Optionally, you can use an OS group account. All OS user accounts would have to be members of this group.

See also

For a more complete description of the security requirements for creating file storage areas, see Storage area security.

See also "Create a File Storage Area" in the FileNet P8 Platform Installation and Upgrade Guide.

K2 security group account (Content Engine/Autonomy K2)

Description

k2_sec_group

A directory service group account used by Content Engine to connect to the Autonomy K2 server for content-based retrieval (CBR).
Additional info

K2 security user accounts must be members of the K2 security group. Only members of this group will have access to the collection.

The credentials assigned to the K2 security user and K2 security group are available for viewing and modifying in Enterprise Manager. See "FileNet P8 domain root properties (Verity Domain Config tab)" in Help for Content Engine Administration.

Content Engine automatically places the value assigned to the K2 security group on each Verity Collection.

When is it created? Assigned during initial installation.
When is it needed?

For the ongoing functioning of CBR.

See also

For more security information, see Security for Autonomy K2 server and the subtopic File storage area security in Storage area security.

See also "Install and Configure Content Search Engine" in the FileNet P8 Platform Installation and Upgrade Guide.

K2 security user account (Content Engine/Autonomy K2)

Description

k2_sec_user

A directory service user account used by Content Engine to connect to the Autonomy K2 server for content-based retrieval (CBR).
Minimum required permissions

This is an Autonomy K2 security user account, used by Content Engine when logging onto the Autonomy K2 Master Administration Server to perform Content-Based Retrieval (CBR). This user must be a member of the K2 Security Group (k2_sec_group) and must be defined as an authorized K2 administrator in the K2 dashboard.

You must specify this account in the Verity Username field in the Verity Domain Configuration wizard when you configure CBR in Enterprise Manager.

Additional info

Content Engine logs on to Autonomy K2 server using the credentials of the K2 security user account, which must be a member of the K2 security group. Only members of this group will have access to the collection.

The credentials assigned to K2 security user and K2 security group are available for viewing and modifying in Enterprise Manager. See "FileNet P8 domain root properties (Verity Domain Config tab)" in Help for Content Engine Administration.
When is it created? Assigned during initial installation.
When is it needed?

For the ongoing functioning of CBR.

See also

For more security information, see Security for Autonomy K2 server and the subtopic File storage area security in Storage area security.

See also "Install and Configure Content Search Engine" in the FileNet P8 Platform Installation and Upgrade Guide.

K2 operating system user (Autonomy K2)

Description

k2_os_user

The operating system account that Autonomy K2 services run as.
Minimum required permissions

The K2 operating system user must be an operating system administrator on the machine where Autonomy K2 Master Administration server is installed.

Additional info

The K2 operating system user is used to secure file system access to collections:

  • Windows-based file storage areas: the K2 operating system user must have Read access to the file storage area root directory.
  • Unix-based file storage areas: one way to grant access to the K2 operating system user is to set the setuid bit on all the K2 program files and set the owner of each program file to the K2 operating system user, which must also have Read/Execute access to the file storage area root directory.
When is it needed?

For the ongoing functioning of CBR.

See also

For more security information, see Security for Autonomy K2 server and the subtopic File storage area security in Storage area security.

See also "Install and Configure Content Search Engine" in the FileNet P8 Platform Installation and Upgrade Guide.

Service user (Process Engine)

Description

pe_service_user

Account used by Process Engine when connecting to Content Engine.
Minimum required permissions

The Process Engine service user must be a member of the Process Engine Administrator Group.

When is it created?

Assigned using the Process Task Manager.

See also Configure the Process Engine security connection

Process Engine administrator group

Description

pe_admin_group

Group whose members have administrative privileges for Process Engine.
When is it created? Assigned using the Process Task Manager.
When is it needed?

By Process Engine administrators to administer the workflow database.

See also About workflow security
Configure the Process Engine security connection

Process Engine configuration group

Description

pe_config_group

Group whose members have configuration privileges on the Process Engine workflow database.
Additional info The Process Engine configuration group is optional. If specified, only members of this group or of the Process Engine administrator group can make configuration changes to the workflow database. If not assigned, anyone can make these changes.
When is it created? Assigned using Process Task Manager.
When is it needed?

By Process Engine administrators to administer the workflow database.

See also About workflow security
Configure the Process Engine security connection

Application Engine administrator role

Description

ae_admin_user
wp_admin_user

Role whose members have administrative privileges for the Application Engine or Workplace XT servers.
Minimum required permissions None: this is an internally managed role.
Additional info

Managed by Access Roles preferences. The user who configures the bootstrap preferences on initial signin to the Workplace or Workplace XT application is automatically added to this role. Other users can be added to the role as needed.

When is it created? Created while configuring Site Preferences.
When is it needed?

Required for access to Site Preferences, for modifying membership of specific roles.

See also Access Roles preferences in Help for Site Preferences.

CFS for IS User

Description Image Services account used by Content Engine to log on to and access Image Services resources as part of Content Federation Services configuration.
When is it created? Any time prior to creating a CFS fixed content device.
When is it needed?

Used whenever Content Engine accesses the Image Services system as part of Content Federation Services configuration.

See also FileNet P8 Content Federation Services for Image Services Guidelines for full reference information.

Required for Workplace and Workplace XT applications - details

PSConsole

Description Access role whose members can access Simulation Console from the Advanced Author page.
Minimum required permissions None. Access roles are stored as values in custom objects in the object store.
Additional info You can restrict the ability to run Simulation Console by assigning a group to the corresponding role in the Access roles preferences. If a group is assigned to the role, only members of the group can run Simulation Console.
When is it created? While defining site preferences.
When is it needed?

By users running Simulation Console.

See also Application security in Process Engine Reference.

PSDesigner

Description Access role whose members can access Simulation Designer from the Advanced Author page.
Minimum required permissions None. Access roles are stored as values in custom objects in the object store.
Additional info You can restrict the ability to run Simulation Designer by assigning a group to the corresponding role in the Access roles preferences. If a group is assigned to the role, only members of the group can run Simulation Designer.
When is it created? While defining site preferences.
When is it needed? By users running Simulation Designer.
See also Application security in Process Engine Reference.

PWAdministrator

Description Access role whose members can access Process Administrator from the Admin page in Workplace or the Tools menu in Workplace XT.
Minimum required permissions None. Access roles are stored as values in custom objects in the object store.
Additional info You can restrict the ability to run Process Administrator by assigning a group to the corresponding role in the Access roles preferences. If a group is assigned to the role, only members of the group can run Process Administrator.
When is it created? While defining site preferences.
When is it needed? By users running Process Administrator.
See also Application security in Process Engine Reference.

PWConfiguration

Description Access role whose members can access Process Configuration Console from the Admin page in Workplace or the Tools menu in Workplace XT.
Minimum required permissions None. Access roles are stored as values in custom objects in the object store.
Additional info You can restrict the ability to run Process Configuration Console by assigning a group to the corresponding role in the Access roles preferences. If a group is assigned to the role, only members of the group can run Process Configuration Console.
When is it created? While defining site preferences.
When is it needed?

By users running Process Configuration Console.

See also Application security in Process Engine Reference.

PWDesigner

Description Access role whose members can access Process Designer in design and diagram mode and the Workflow Subscription wizard from the Advanced Author page in Workplace or the Tools menu in Workplace XT.
Minimum required permissions None. Access roles are stored as values in custom objects in the object store.
Additional info You can restrict the ability to run Process Designer in design and diagram mode by assigning a group to the corresponding role in the Access roles preferences. If a group is assigned to the role, only members of the group can run Process Designer.
When is it created? While defining site preferences.
When is it needed?

By users running Process Designer in design and diagram mode.

See also Application security in Process Engine Reference.

PWDiagram

Description Access role whose members can access Process Designer in diagram mode from the Advanced Author page in Workplace or the Tools menu in Workplace XT.
Minimum required permissions None. Access roles are stored as values in custom objects in the object store.
Additional info You can restrict the ability to run Process Designer in diagram mode by assigning a group to the corresponding role in the Access roles preferences. If a group is assigned to the role, only members of the group can run Process Designer.
When is it created? While defining site preferences.
When is it needed?

By users running Process Designer in diagram mode.

See also Application security in Process Engine Reference.

Required for internal operations - details

#AUTHENTICATED-USERS

Description

(Content Engine) A logical group whose members are all authenticated user principals. Any user account that can successfully log in belongs to this group.

Additional info

#AUTHENTICATED-USERS is similar to the special groups "Everyone" in Windows NT 4 and "Authenticated Users" in Windows 2000. It does not have specific memberships that you can modify, and it does not include anonymous users or guests.

If you specify #AUTHENTICATED-USERS to be a default user or group of an object store, then all users who log in to the FileNet P8 domain are automatically made members of this group. It will appear on the Default Instance Security ACL of all classes. Therefore each instance of the class will include #AUTHENTICATED-USERS on its own ACL. If you do not change the default, the net effect will be that any user who can log in to the FileNet P8 domain will be able to:

  • View all object stores (default level = "Use stores and services")
  • View all folders (default level = "View properties")
  • View all documents, both properties and content (default level = "View content")
  • View all custom objects (default level = "View properties")

If this is not what you want, you could:

  • Remove #AUTHENTICATED-USERS from the particular class or classes. (You can, of course, remove it from individual objects, but this is not a recommended method for efficiently administering security across many classes and objects.)
  • Add "deny groups" to the class' Default Instance ACL; this will effectively remove the members of the deny group from the #AUTHENTICATED-USERS group.
  • Use a non-security method such as exploiting the "IsHiddenContainer" property which Workplace and other applications use to hide a folder.
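
The effect of the default grant to #AUTHENTICATED-USERS, and of the "deny group" remedy, worked as a small added model that is not Content Engine code: it assumes illustrative right names in place of access-mask bits, constructed principals and ACLs, and the rule that a deny ACE overrides an allow ACE at the same level.

```python
"""Toy model (added illustration, not FileNet code) of a Default Instance
Security ACL that grants #AUTHENTICATED-USERS, and of how a deny-group ACE
narrows that grant. Assumptions: right names are illustrative, not Content
Engine access-mask bits, and a deny ACE beats an allow ACE at the same level
(direct-versus-inherited precedence is not modelled)."""
from dataclasses import dataclass, field

AUTHENTICATED_USERS = "#AUTHENTICATED-USERS"  # logical group: every authenticated principal


@dataclass(frozen=True)
class Ace:
    grantee: str        # user name, group name, or the special #AUTHENTICATED-USERS account
    allow: bool         # True = allow ACE, False = deny ACE
    rights: frozenset   # illustrative right names


@dataclass
class Principal:
    name: str
    authenticated: bool            # False for anonymous or guest sessions
    groups: set = field(default_factory=set)


def principal_matches(ace: Ace, p: Principal) -> bool:
    """An ACE applies if its grantee is the principal, one of its groups, or
    #AUTHENTICATED-USERS, which has no editable membership and excludes guests."""
    if ace.grantee == AUTHENTICATED_USERS:
        return p.authenticated
    return ace.grantee == p.name or ace.grantee in p.groups


def effective_rights(acl, p: Principal) -> frozenset:
    """Union of matching allow rights minus union of matching deny rights."""
    allowed, denied = set(), set()
    for ace in acl:
        if principal_matches(ace, p):
            (allowed if ace.allow else denied).update(ace.rights)
    return frozenset(allowed - denied)  # deny wins over allow at the same level


# Constructed document-class defaults: the shipped default grants
# "View content" to #AUTHENTICATED-USERS ...
VIEW_CONTENT = frozenset({"ReadProperties", "ViewContent"})
DEFAULT_ACL = [Ace(AUTHENTICATED_USERS, True, VIEW_CONTENT)]
# ... and the second remedy in the text adds a deny group to the same ACL,
# which removes that group's members from the #AUTHENTICATED-USERS grant.
ACL_WITH_DENY_GROUP = DEFAULT_ACL + [Ace("Contractors", False, VIEW_CONTENT)]

# Constructed principals.
alice = Principal("alice", authenticated=True, groups={"Staff"})
bob = Principal("bob", authenticated=True, groups={"Contractors"})
guest = Principal("guest", authenticated=False)

if __name__ == "__main__":
    for label, acl in (("default", DEFAULT_ACL), ("with deny group", ACL_WITH_DENY_GROUP)):
        for p in (alice, bob, guest):
            print(f"{label:16} {p.name:6} -> {sorted(effective_rights(acl, p))}")
```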

#AUTHENTICATED-USERS and #CREATOR-OWNER are referred to as "Special Accounts" in Enterprise Manager's Select Users and Groups dialog box.

When is it created?

Automatically created and maintained by Content Engine.

#CREATOR-OWNER

Description (Content Engine) The special account granted to the user who creates an object.
Additional info

#CREATOR-OWNER is a placeholder in an access control entry (ACE) and is used for copying a defined set of permissions to the individual user who is creating a new object. This copying takes place:

  • When applying default instance security from a class to an instance of the class.
  • Whenever a security template places ACEs on an object.
  • When performing inheritance propagation to a target ACE (such as from a parent folder to a child folder).

By default, #CREATOR-OWNER appears on the Security and Default Instance Security tabs of all instantiable classes, and is granted Full Control, with an inheritable depth of "This object only". This account functions just like a normal user account, and its default permissions can be edited according to normal rules (that is, by users with appropriate permission).

When the ACE is inherited, the permissions granted to the #CREATOR-OWNER become the permissions granted to the object's current owner. For example, when a user creates a document based on a document class, that user takes on the #CREATOR-OWNER's permissions.

Actually, two target ACEs result whenever the #CREATOR-OWNER is copied onto an object, a substituted ACE and an unsubstituted ACE:

  • The substituted ACE is always created but is forced to be non-inheritable (its inheritable depth becomes "This object only" regardless of the source value).
  • The unsubstituted ACE is a complete copy of the source ACE except that if performing inheritance propagation the inheritable depth value can be decremented (if it is not 0 or -1), and in all cases the unsubstituted ACE will be suppressed if the (resulting) inheritable depth is zero.
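
The two-ACE result described above, as an added example that is not FileNet code. It assumes the depth encoding 0 = "This object only", -1 = "This object and all children", n > 0 = n further levels; the names expand_creator_owner and Ace are hypothetical.

```python
"""Added illustration (not FileNet code) of the substituted and unsubstituted
ACEs produced when a #CREATOR-OWNER ACE is copied onto a target object.
Assumed depth encoding: 0 = "This object only", -1 = "This object and all
children", n > 0 = this object and n further levels."""
from dataclasses import dataclass, replace

CREATOR_OWNER = "#CREATOR-OWNER"
THIS_OBJECT_ONLY = 0
ALL_CHILDREN = -1


@dataclass(frozen=True)
class Ace:
    grantee: str
    rights: str            # illustrative, e.g. "FullControl"
    inheritable_depth: int


def expand_creator_owner(source: Ace, creator: str, propagating: bool) -> list:
    """Return the ACEs placed on the target for one #CREATOR-OWNER source ACE.

    propagating=False models default instance security or a security template
    (depth copied unchanged); propagating=True models parent-to-child
    inheritance propagation (depth decremented unless it is 0 or -1)."""
    if source.grantee != CREATOR_OWNER:
        raise ValueError("only #CREATOR-OWNER ACEs are expanded here")
    # 1. The substituted ACE names the actual creator and is always created,
    #    but forced to "This object only" regardless of the source depth.
    substituted = Ace(creator, source.rights, THIS_OBJECT_ONLY)
    # 2. The unsubstituted ACE keeps the placeholder so deeper descendants can
    #    still be substituted; during propagation its depth is decremented ...
    depth = source.inheritable_depth
    if propagating and depth not in (THIS_OBJECT_ONLY, ALL_CHILDREN):
        depth -= 1
    # ... and it is suppressed whenever the resulting depth is zero.
    if depth == THIS_OBJECT_ONLY:
        return [substituted]
    return [substituted, replace(source, inheritable_depth=depth)]


if __name__ == "__main__":
    # Shipped class default from the text: Full Control, "This object only".
    class_default = Ace(CREATOR_OWNER, "FullControl", THIS_OBJECT_ONLY)
    print(expand_creator_owner(class_default, "alice", propagating=False))
    # Constructed parent-folder ACE propagating one more level to a child.
    parent_ace = Ace(CREATOR_OWNER, "FullControl", 2)
    print(expand_creator_owner(parent_ace, "bob", propagating=True))
```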

Windows Authentication: the user attribute used is the samAccountName.
Sun Java System Directory Server and eDirectory: the user attribute is configurable to the LogonAttribute in the GCD.

#AUTHENTICATED-USERS and #CREATOR-OWNER are referred to as "Special Accounts" in Enterprise Manager's Select Users and Groups dialog box.

When is it created? Automatically created and maintained by the Content Engine.
See also

Take or change ownership
Mapping security levels to individual access rights for information about the Modify Owner permission.

Accounts required by Process Engine to access the workflow database

Description

Database accounts used by Process Engine to access the workflow database. You can instruct the installation program to automatically create these accounts or to assign an alias of your choice. By default, the following database users are created:

  • f_maint: Used for database maintenance.
  • f_sw: Required for runtime access to the Process Engine database.
Minimum required permissions

The Process Engine installation program grants various database permissions to these users. For a complete list, see "Process Engine SQL Scripts" in the FileNet P8 Platform Installation and Upgrade Guide.

When is it created? Manually created before installation or automatically created during Process Engine installation.
When is it needed? Required on an ongoing basis.
See also Because the Process Engine installation program creates each of these users with a default password, you should reset the passwords to maintain system security. See "To set the f_maint and f_sw passwords (Oracle and SQL Server)" in the FileNet P8 Platform Installation and Upgrade Guide for instructions.

Accounts required by Process Engine for internal use (created by the Process Engine installation program)

Description

The Process Engine installation program automatically creates several accounts (SysAdmin, FieldService, Operator) required when using the underlying Image Services (IS) tools. The users are created in the SEC database; they are not operating system, directory service, or database users.

Minimum required permissions
  • SysAdmin:  Logs on to the IS XApex Utility. Primary administrator user for FileNet IS tools.
  • FieldService:  Used internally by Process Engine software.
  • Operator:  Used internally by Process Engine software.
When is it created? Automatically created during Process Engine installation.
When is it needed? Required on an ongoing basis.
See also Because the Process Engine installation program creates each of these users with a default password, you should reset the passwords to maintain system security. See "To reset administrative user passwords" in the appropriate platform section of the FileNet P8 Platform Installation and Upgrade Guide for instructions.
