Configure security inheritance
This topic describes the following ways to configure security inheritance
between objects:
- Using the deprecated (but still active) Security Parent property
(first procedure below)
- Using the class property Security Folder (second procedure below)
- Creating one or more custom object-valued properties and setting
its Security Proxy Type property to Inherited,
and then assigning that property to a class (third procedure below).
Run these procedures as part of your initial security configuration,
after you have created document classes and configured their default
security instance tabs. It is best to establish security inheritance
before putting an object store into production.
For more information about inherited security see:
NOTE You can use this procedure for custom objects also. Just substitute "custom
object" wherever you see "document".
Use Enterprise Manager to designate a folder as a security parent,
using Security Parent
You can configure a document to inherit permissions from a folder.
The folder may contain the document, but this is not required. (Earlier
versions of Content Engine did require that the security parent folder
contain the document, but this requirement has been
removed with the introduction of the SecurityFolder property.)
- Logon to Enterprise Manager as object store administrator.
- Open the Object Store node, select the Root
Folder, and navigate
to the folder containing the document whose security inheritance you
are configuring.
- Click the folder's Security tab. Make sure
the folder has ACEs whose Apply
to setting is either This object and immediate
children or This
object and all children. See Configure
a folder's security inheritance for reference.
- Click OK to close the folder's property
sheet.
- Right-click the document, select Properties,
and then select the property sheet's General tab.
You will see the following:

- Select the Inherit Security from folder checkbox.
Then select
a folder from the drop-down list.
(All folders containing the document will appear in the list. If the
folder you want is not in the list you will need to stop this procedure,
file the document in the folder, and then start again.)
NOTE After
the upgrade to CE 4.0.1, this checkbox appears exactly as it did in earlier
releases. However, selecting it actually sets the new SecurityFolder property
and not the SecurityParent property as it did formerly and which is being
deprecated. However, because the SecurityParent feature is still supported,
the dropdown box will display only those folders that contain the document.
This Enterprise Manager behavior therefore mimics the SecurityParent behavior
which depends on containment, even though it is in fact using the SecurityFolder
property which does not require containment of the document by the folder.
Custom applications that have been coded using SecurityParent will continue
to function without change.
- Click Apply or OK.
- Click the document's Security tab and
confirm that it has inherited ACEs from the security folder. The inherited
ACEs will show a Source type of Inherited.
If the required rights do not appear, make sure that they are configured
to be inheritable on the folder. See Configure
a folder's security inheritance.
Use Enterprise Manager to designate a folder as a security folder,
using Security Folder
Similar to the SecurityParent procedure above, this procedure uses the
Security Folder property, a standard property of every document and custom
object class.
- Logon to Enterprise Manager as object store administrator.
- Open the Object Store node, select the Root
Folder, and navigate to the folder that will serve as the
Security Folder.
- Right-click the folder and select Properties.
Click the folder's Security tab.
Make sure the folder has ACEs whose Apply to setting
is either This object and immediate children or This
object and all children. See Configure
a folder's security inheritance for reference. Click Cancel or
OK to close the folder's property sheet.
You should see the folder's icon listed in Enterprise Manager's tree
view.
- Right-click the folder and select Copy Object
Reference.
- Now navigate
to the folder containing the document whose security inheritance you
are configuring.
- Right-click the document and select Properties.
Select the property sheet's Properties tab.
- Scroll down the list of properties and find Security
Folder. Its Property Value cell
will display <Value Not Set>
if there is no value yet for this property.
- Click the Property Value column. The Set
Object Value dialog box will appear. Click OK to
set the value. The Select Object from Paste Buffer dialog
box will appear and will list the object reference you copied earlier
under the Object Name column.
- Select the appropriate Object Name and
click OK.
You will see the name of the folder appear as the Property
Value for
the Security Folder property.
- Click Apply to
apply the changes you just made and keep the document's property
sheet open.
- Click the Security tab, and confirm that the Security Folder's inheritable
ACEs appear, with Source type of Inherited.
Use Enterprise Manager to configure security inheritance using
a custom object-valued property
In addition to the methods explained above, you
can also create pairs of security-passing and security-inheriting objects,
as follows:
- Logon to Enterprise Manager as object store administrator.
- Copy the object reference of the object whose security
will be inherited. (This object will become a security parent as a
result of this procedure.) This object must have at least one
inheritable ACE (one whose Apply
to setting
is either This
object and immediate children or This
object and all children). For
reference, see Copy
object reference.
- Launch the Create a Property Template Wizard to create
the property that will establish the connection between the two objects.
For reference, see Create
a property template.
- Give the new template a name.
- Select Object for the data type.
- On the Single or Multi-Value? step
of the wizard, select
Single. Click the More... button.
- On the More tab of the dialog
box that displays, for Security
Proxy Type select Inherited.
(This value will appear as the integer 2 when viewed in the document's
property grid.) Click OK.
- Click Next and Finish
to complete the wizard.
- Assign the new property template to a new or existing class.
The following procedure assumes the class already exists. For reference
see Assign
properties to a class.
- Right-click the class and select Add
Properties to Class. This
launches the Add Properties to a Class
Wizard. Click Next.
- In the Select Properties panel, select the Show
Object Type checkbox
and in the Available column select the property you just created
above. Click Add>> to add the property to the Selected column.
Click Next.
- In the Select Property Attributes panel, select the property
you just added to the class and then click More. The property
template's property sheet opens.
- In the property template's property sheet, click the More tab.
- For Required
Class, use the drop-down menu to select the class of
the object whose object reference you copied above. For example,
if that proxying object is a document, you would select its
exact class or subclass.
- Click Next and then click Finish to finish the Wizard.
- (Optional) Assign a default value to the object-valued
property. This step is optional but can be used, if appropriate,
to automate the process of establishing the connection to the object
providing security inheritance. If you do not set a default value,
Enterprise Manager will request an object reference each time you create
a new object that references that object-valued property for its inherited
security. (This step assumes that there is a single inheritance-providing
object for this particular custom property.)
- Right-click the class you used in the step above and select Properties.
Select the
Properties tab.
- Scroll down and find the Property Definitions row. (This
is not the same as selecting the Property
Definitions tab of
the property sheet.)
- Click the down arrow in the Property
Value column. The
list of all custom properties drops down.
- Select the object-valued property you just created. Its
property sheet will display. Click the Properties tab of that
property sheet.
- Scroll down and find the Property Default
Object row and
click its Property Value cell. If you have not yet set the value,
you will get a dialog box asking you to select OK to set the value.
Click OK and the Select
Object from Paste Buffer will appear.
- Select the object that will
be supplying the inherited security and click OK. Click
Close and OK to
close the class property sheet.
If the object you need is not in the list, click Cancel and
start this procedure again, being careful to follow the step describing
how to copy the object reference of the object whose security will
be inherited.
If the
Propagate Metadata Changes dialog
box opens, you must decide, based on the requirements of your security
design, whether the new property you just added to a class should
be propagated down to all subclasses. We will not propagate for this
procedure; therefore in the Updated
Property Definitions box do not select the property definition
we just created. Click OK to
return to Enterprise Manager.
- Create a new document using the class we have been using in this
procedure. (If you have not assigned a default value as optionally
described above, you will be prompted for an object reference. Set
the reference using the object reference you copied.)
- Examine the new document's Security tab
and confirm that it has inherited ACEs from the security parent object.
The inherited ACEs will show a Source type
of Inherited. In order to change the
access rights of this inherited ACE, you would change it on the source
document; the changes will automatically be updated on the target document.
- Repeat this procedure as many times as required by your security
design.