The Security Script wizard allows you to assign security roles to user and group accounts in order to create security principals for the objects in an object store. The security roles to be assigned are defined in an XML information file, which also identifies the VBS security script file to run on the selected accounts. The XML file establishes communication between the wizard and the security script, by enabling the wizard to understand how to apply the defined security roles to the selected user and group accounts in order to create the security principals.
When running the Security Script wizard, you will query your directory service and assign the security roles defined in the XML information file to specific users and groups. The Security Script wizard will then add these accounts to the objects identified in the security role definitions contained in the VBS security script, and thus create the security principals for the object store. The set of objects affected by this operation will be those in the object store in which the Security Script wizard is being run.
The input requirements for the Security Script wizard are (1) a properly formatted XML information file which references (2) a properly formatted VBS security script file. The Content Engine installation program installs examples of each of these (WorkplaceScript.xml and WorkplaceSecurity.vbs) which are listed as a required post-installation configuration step in the IBM FileNet P8 Platform Installation and Upgrade Guide.
See also Update an object store with new users and groups for a specific example of running the Security Script Wizard.
A properly formatted XML information file contains the following elements:
<SecurityScriptFile> - a reference to a properly formatted VBS security script file.
<SecurityRoleMap> - one or more roles for which corresponding definitions exist in the security script.
<VariableName> - for each role, the variable through which the security script exposes that role's definition; the wizard fills it with the accounts selected for the role.
<RoleName> - for each role, the name to display for the role in Enterprise Manager (for example, in this wizard).
The following code fragment demonstrates how these elements appear in workplacescript.xml:
<SecurityScriptInformation>
<SecurityScriptFile>workplacesecurity.vbs</SecurityScriptFile>
<SecurityRoleMap>
<VariableName>strUsrPWDesigner</VariableName>
<RoleName>Workflow Designer</RoleName>
</SecurityRoleMap>
<SecurityRoleMap>
...
</SecurityRoleMap>
</SecurityScriptInformation>
The following code fragment from WorkplaceSecurity.vbs demonstrates a properly formatted VBS security script file. This particular script adds the Workflow Designer role, via the accounts held in strUsrPWDesigner, to the permissions of the Workflow Subscription Class, where:
- the access rights (View + Link + Create Instance) are actually assigned in the ap.AccessMask hexadecimal value, and
- the object reference passed to CELib.GetObject() (CheetahLib in the code below, since CELib is passed through under that parameter name) was obtained in Enterprise Manager by right-clicking the object and selecting Copy Object Reference.
Public Sub ScriptWizardEntry(CELib)
    'MsgBox strUsrPWDesigner
    PostImportScriptMethod CELib
End Sub
Public Sub PostImportScriptMethod(CheetahLib)
    'On Error Resume Next
    Dim oClassDef
    Dim nCount
    Dim ap
    Dim I
    'strUsrPWDesigner is the role variable named in the XML information file; the wizard
    'populates it with the user/group names selected for the Workflow Designer role.
    nCount = UBound(strUsrPWDesigner, 1)
    CheetahLib.Refresh
    'Class Workflow Subscription Class (View + Link + Create Instance)
    'Notes: CEMP does not show Link access right for Workflow Subscription Class.
    'After this code is run, viewing from Enterprise Manager, you'll see that the View, Create Instance,
    'and Read access rights checkboxes are checked.
    Set oClassDef = CheetahLib.GetObject(1027, "{5763CE24-8D28-47F3-84AB-5F1FBC2BB24A}")
    'VBScript indexing starts from 0 but in this particular script, entry 0 of the strUsrPWDesigner array
    'does not have any value. The user/group name starts from entry 1.
    For I = 1 To nCount
        Set ap = CheetahLib.CreateObject(2012)
        ap.GranteeName = strUsrPWDesigner(I)
        ap.AccessMask = &H20111 'View + Link + Create Instance
        ap.AccessType = 1 'idmAccessAllow=1, idmAccessDeny=2
        ap.InheritableDepth = 0
        oClassDef.Permissions.Add ap
    Next
    oClassDef.Save
    'MsgBox "updated Workflow Subscription class"
...
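Because the XML information file and the VBS security script are only loosely coupled (the wizard trusts that every <VariableName> it reads has a matching definition in the script), it is worth validating the pair before running the wizard against a production object store. The following Python script is an added example, not IBM's code and not part of WorkplaceScript.xml or WorkplaceSecurity.vbs: it parses the <SecurityScriptInformation> structure described above, confirms that each role variable is actually used by the referenced script, and lists every AccessMask hex value and any deny entries the script would create so a reviewer can confirm them. The sample XML and VBS text, the Auditor role, and the object-reference placeholder are constructed for the example; the meaning of individual AccessMask bits is not decoded.

```python
"""Pre-flight validation of a Security Script wizard XML information file.

Added example, not IBM's code: it parses the <SecurityScriptInformation>
structure and cross-checks the role variables it declares against the VBS
security script it names, so that a misconfigured pair is caught before the
wizard creates security principals in the object store.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on the fragments shown on the page. The
# second role map (strUsrAuditor / Auditor) is deliberately absent from the
# script so the check has something to report.
SAMPLE_XML = """<SecurityScriptInformation>
  <SecurityScriptFile>workplacesecurity.vbs</SecurityScriptFile>
  <SecurityRoleMap>
    <VariableName>strUsrPWDesigner</VariableName>
    <RoleName>Workflow Designer</RoleName>
  </SecurityRoleMap>
  <SecurityRoleMap>
    <VariableName>strUsrAuditor</VariableName>
    <RoleName>Auditor</RoleName>
  </SecurityRoleMap>
</SecurityScriptInformation>
"""

SAMPLE_VBS = """Public Sub PostImportScriptMethod(CheetahLib)
    Dim oClassDef, ap, nCount, I
    nCount = UBound(strUsrPWDesigner, 1)
    Set oClassDef = CheetahLib.GetObject(1027, "{PLACEHOLDER-OBJECT-REFERENCE}")
    For I = 1 To nCount
        Set ap = CheetahLib.CreateObject(2012)
        ap.GranteeName = strUsrPWDesigner(I)
        ap.AccessMask = &H20111
        ap.AccessType = 1 'idmAccessAllow=1, idmAccessDeny=2
        oClassDef.Permissions.Add ap
    Next
    oClassDef.Save
End Sub
"""


def parse_information_file(xml_text):
    """Return (script_file, [(variable_name, role_name), ...]).

    Raises ValueError when a required element is missing or empty.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "SecurityScriptInformation":
        raise ValueError("root element must be <SecurityScriptInformation>")
    script_file = (root.findtext("SecurityScriptFile") or "").strip()
    if not script_file:
        raise ValueError("<SecurityScriptFile> is missing or empty")
    roles = []
    for role_map in root.findall("SecurityRoleMap"):
        var = (role_map.findtext("VariableName") or "").strip()
        name = (role_map.findtext("RoleName") or "").strip()
        if not var or not name:
            raise ValueError("<SecurityRoleMap> needs both <VariableName> and <RoleName>")
        roles.append((var, name))
    if not roles:
        raise ValueError("at least one <SecurityRoleMap> is required")
    return script_file, roles


def strip_vbs_comments(vbs_text):
    """Drop everything after a ' on each line so commented-out code is not matched."""
    return "\n".join(line.split("'", 1)[0] for line in vbs_text.splitlines())


def audit(xml_text, vbs_text):
    """Cross-check the information file against the script it references."""
    script_file, roles = parse_information_file(xml_text)
    code = strip_vbs_comments(vbs_text)
    seen, duplicates, unused = set(), [], []
    for var, _name in roles:
        if var in seen:
            duplicates.append(var)
        seen.add(var)
        # A role the wizard offers but the script never consumes silently
        # assigns nothing; flag it rather than let the operator assume it worked.
        if not re.search(r"\b%s\b" % re.escape(var), code):
            unused.append(var)
    return {
        "script_file": script_file,
        "roles": roles,
        "duplicate_variables": duplicates,
        "unused_variables": unused,
        # Every mask the script grants, for a reviewer to confirm against the
        # intended rights; the meaning of each bit is not decoded here.
        "access_masks": [int(m, 16) for m in re.findall(r"AccessMask\s*=\s*&H([0-9A-Fa-f]+)", code)],
        # Deny entries (AccessType = 2) deserve a second look before running.
        "has_deny_entries": bool(re.search(r"AccessType\s*=\s*2\b", code)),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_XML, SAMPLE_VBS).items():
        print(f"{key}: {value}")
```

Run against the real WorkplaceScript.xml and WorkplaceSecurity.vbs by reading both files into strings and passing them to audit(); an entry in unused_variables means the wizard will offer a role that the script never turns into permissions.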
To run the Security Script wizard using Enterprise Manager
If the script produces errors, turn on tracing within the script by setting the bEnableTracing flag to TRUE, and then examine the trace log.