This topic describes the users, groups, security access roles, and security-related responsibilities required to install, configure, and administer FileNet P8 and its family of applications.
Accounts are referred to in the documentation either by a display name (for example, Content Engine system user) or by a variable designator (for example, ce_bootstrap_admin). If you see a reference to an account that you do not understand, search this topic for the account's display name or its variable designator to find its definition.
Role/responsibility/tasks | Description |
Content Engine system user | Application server administrative account that is used to create the GCD and launch Content Engine. |
Application server administrator | Administrator who configures the application server that will contain Content Engine. NOTE: JBoss does not require an administrative account. |
Install Content Engine | (Content Engine) Administrator who installs Content Engine on Windows or UNIX. |
Install Process Engine | (Process Engine) Administrator who installs Process Engine. |
Accounts required by Process Engine installation program (Windows) | (Process Engine) Several users and groups required by Process Engine Setup on Windows. |
Accounts required by Process Engine installation program (Unix) | (Process Engine) Several local users and groups required by Process Engine Setup on UNIX. |
Install Application Engine | (Application Engine) Administrator who installs the Application Engine. |
Publishing user account | (Rendition Engine) A Windows domain user account that must be added to the local Administrators group on all Rendition Engine servers. |
Role/responsibility/tasks | Description |
Content Engine SQL Server account | Creates and maintains connectivity for Content Engine using SQL Server. |
Content Engine Oracle alias | Owns and maintains connectivity for Content Engine using Oracle. |
Content Engine DB2 account | Creates and maintains connectivity for Content Engine using DB2®. |
Process Engine database administrators group (Windows and Unix) | Database administrators group (default = dba) required by the Process Engine installation program for Oracle databases. |
Process Engine ORA_DBA group | (Process Engine, Windows authentication only) The ORA_DBA group is required to install Process Engine on Windows using Oracle. |
Process Engine Oracle account | Oracle user (default = oracle) required by the Process Engine installation program for Oracle. |
Rendition Engine SQL Server account | (Rendition Engine, SQL Server only) Required by Rendition Engine installation program. |
Role/responsibility | Description |
GCD administrators | (Content Engine) Administrators with Full Control on the FileNet P8 domain object. |
Object store administrators | (Content Engine) Administrators with Full Control on an object store. They also have the Set Any Owner privilege on any object in it. |
Content Engine directory service user | (Content Engine) Used by Content Engine to connect to Sun, Novell, IBM, Active Directory, or ADAM. |
Content Engine operating system account | (Content Engine) Required to configure the shared root directory of a file storage area. |
K2 security user, K2 security group, and K2 operating system user | (Content Engine/Autonomy K2) User and group accounts used by Content Engine to connect to the Autonomy K2 server for CBR, and the operating system account that the K2 services run as. |
Process Engine service user | (Process Engine) Account used by Process Engine when connecting to Content Engine. |
Process Engine administrators group | (Process Engine) Group whose members have administrative privileges for Process Engine. |
Process Engine configuration group | (Process Engine) Group whose members have configuration privileges for workflows on Process Engine. |
Application Engine administrator role | Role whose members have administrative privileges for the Application Engine or Workplace XT servers. |
CFS for IS user | (Content Federation Services) Account that Content Engine uses to log into the Image Services system. |
Access Roles | Description |
PSConsole, PSDesigner, PWAdministrator, PWConfiguration, PWDesigner, PWDiagram | Optional access roles. Application Engine administrator role members can define new access roles to limit access to application features. |
Role/responsibility | Description |
#AUTHENTICATED-USERS | (Content Engine) A logical group principal whose members are all authenticated users. |
CREATOR-OWNER | (Content Engine) The special account granted to the user who creates an object. |
Process Engine internally required accounts created by installation program | Accounts used internally by Process Engine for specific administration or troubleshooting activities. The accounts are created automatically by Process Engine Setup. FileNet recommends resetting the initial passwords to maintain system security. |
ce_bootstrap_admin (Content Engine system user)
Description | An application server administrative account that is stored in the CEMPBoot.properties file. It is used first to create the GCD and thereafter is the account that Content Engine runs as. Also known as the bootstrap admin. |
Additional info | This account is used to log in to the application server, access the datasources named in the GCDConnection property, and create the GCD. Content Engine cannot start if this user cannot log on to the application server. Use this account only for this purpose; do not treat it as an all-purpose administrative account. Any deployments of the EAR file for the same FileNet P8 domain must have the same property values. FileNet also recommends that you exempt this account from policies that require periodic password changes. If you change your system's login parameters so that the Content Engine system user's credentials are no longer valid, Content Engine will not be able to start. For example, if you modified the User Short Name Attribute or User Search Filter, in the application server's authentication provider and in Enterprise Manager's P8 Domain Properties > Modify Directory Configuration > User property sheet, from "samAccountName" to "distinguishedName", you would also need to make the same change to the ce_bootstrap_admin entry in CEMPBoot.properties. The ce_bootstrap_admin is the creator of the new P8 domain. The first time you launch Enterprise Manager after initial installation and deployment, you log on as the ce_bootstrap_admin and run the Configure New Domain Permissions wizard, which prompts you to add at least one user or group account to the list of GCD administrators (that is, accounts with Full Control access to the GCD). The ce_bootstrap_admin remains on the list of GCD administrators unless another GCD administrator explicitly removes it. It is a best practice to remove it, and to keep the ce_bootstrap_admin (in its role as application server administrator) solely as the account that Content Engine runs as. |
Minimum required permissions | This is a directory service account that is also an application server administrator. The important permission it needs on the application server is access to the GCD datasources. |
When is it created and when is it needed? | These credentials are captured and configured by the Content Engine Configuration Manager. The account remains in the CEMPBoot.properties file as it is required to launch Content Engine. |
See also | Refer to CE Bootstrap properties. See also the entry for GCD administrator. To change the ce_bootstrap_admin password, see How to change Content Engine system user password. |
Application server administrator (WebLogic)
Description | Administrator who configures WebLogic before Content Engine is installed. This account is used by Configuration Manager to deploy the Content Engine EAR file on each Content Engine server. This administrator also logs on to the WebLogic console to create the datasources required for each object store. This administrator can be the same as the CE system user, if you enter the same credentials for both in Configuration Manager. |
Minimum required permissions | Full administrative control over the WebLogic domain that will contain Content Engine. |
When is it created and when is it needed? | This account is required to configure WebLogic for the Content Engine application prior to deployment and for maintenance. Enter the credentials of this account while using Configuration Manager to configure Content Engine. The account is required on an ongoing basis. |
See also | "Specify IBM FileNet P8 Accounts" and "Configure WebLogic for Content Engine" in Plan and Prepare Your Environment for IBM FileNet P8 Platform. For information about creating datasources, see the "Create the initial object store" task in the FileNet P8 Platform Installation and Upgrade Guide. |
Application server administrator (WebSphere)
Description | Administrator who configures WebSphere before Content Engine is installed. This account is used by Configuration Manager to deploy the Content Engine EAR file on each Content Engine server. This administrator also logs on to WebSphere to create the datasources required for each object store. The WebSphere administrator is an alias to an actual account in the configured directory server. If WebSphere global security is turned on, the account must reside in the configured directory server. This administrator can be the same as the CE system user, if you enter the same credentials for both in Configuration Manager. |
Minimum required permissions | Full administrative control over the WebSphere domain that will contain Content Engine. |
When is it created and when is it needed? | This account is required to configure WebSphere for the Content Engine application prior to deployment and for maintenance. Enter the credentials of this account while using Configuration Manager to configure Content Engine. The account is required on an ongoing basis. |
See also | "Specify IBM FileNet P8 Accounts" and "Configure WebSphere for Content Engine" in Plan and Prepare Your Environment for IBM FileNet P8 Platform. For information about creating datasources, see the "Create the initial object store" task in the FileNet P8 Platform Installation and Upgrade Guide. |
ce_install_user (Install Content Engine)
Description | Permissions needed to run the Content Engine installation program. |
Minimum required permissions | On a Windows server: log on as a local administrator. On AIX®: log on as root. On UNIX servers other than AIX: you must have read, write, and execute permissions on the FileNet application server instance and temp directories. |
When is it needed? | Required in order to run Content Engine installation program. |
See also | "Specify IBM FileNet P8 Accounts" in Plan and Prepare Your Environment for IBM FileNet P8 Platform. "Install and Configure Content Engine" in the FileNet P8 Platform Installation and Upgrade Guide. |
Publishing user account (FNRE_Admin)
Description | (Content Engine, if installing the Rendition Engine) A Windows domain user account that must be added to the local Windows Administrators group on all Rendition Engine servers. |
Minimum required permissions | Domain privileges in the Windows domain that contains the FileNet P8 domain, and local administrator privileges on the machine where the Rendition Engine is installed. |
Additional info | Installation instructions refer to this user as FNRE_Admin, but you can use any Windows domain account. On all servers where you intend to install Publishing components (Publishing Plug-in servers and Rendition Engine servers that will contain the publishing software), log on as a local administrator and add the domain_name\FNRE_Admin account to the local Administrators group. You then log on as this user to run the Rendition Engine installation program. |
When is it created? | "Install and configure FileNet Publishing components" in the FileNet P8 Platform Rendition Engine Installation and Upgrade Guide. |
When is it needed? | Required on an ongoing basis if your Content Engine installation includes a Rendition Engine. |
pe_install_user (Install Process Engine)
Description | The user who runs the Process Engine Setup program. |
Minimum required permissions | Windows: a Windows administrator for the local machine. This user must also have administrator privileges on the database if you plan to run the database scripts using OS authentication. You can log on as the local Windows Administrator or create a user (with the specified permissions) expressly for the purpose of running Process Engine Setup. UNIX: the root user, running in either the Bourne or Korn shell. |
When is it needed? | To run Process Engine Setup. (Windows only) If you created a user specifically to run Process Engine Setup, you can delete that user after Setup completes. |
See also | "Specify IBM FileNet P8 Accounts" in Plan and Prepare Your Environment for IBM FileNet P8 Platform. "Install Process Engine" in the FileNet P8 Platform Installation and Upgrade Guide. |
Accounts required by Process Engine installation program (Windows)
Description | Several local operating system users and groups, or their assigned aliases, required by Process Engine Setup. Requirements vary depending on the database. Groups (MS SQL Server): fnadmin, fnusr, fnop. Groups (DB2): fnadmin, fnusr, fnop. |
Minimum required permissions | The fnsw user is added to the following groups during installation (unless you predefine these users and groups, in which case fnsw must be added to these groups manually before running Process Engine Setup): fnadmin, fnusr, fnop, ORA_DBA, and <dba>. If the database is Oracle, the fnsw user can be removed from the ORA_DBA group when the installation is complete. Windows: the fnsw user is added to the local Windows Administrators group and is granted specific local security user rights (see "Install Process Engine" in the FileNet P8 Platform Installation and Upgrade Guide). If the database is Oracle, the <Oracle> user is a member of the ORA_DBA group and can be removed from it when the installation is complete. If you have a remote database and are not using the Oracle user for Oracle database activities, the Oracle user can also be removed. |
Additional info | fnadmin: Members have all privileges on Process Engine files and databases. fnusr: Members have non-administrator privileges on Process Engine files and databases. fnop: Members have non-administrator operator privileges on Process Engine. Oracle database administrators group: Members act as database administrators. fnsw: Primary Process Engine user, used to run the Process Engine software and services. It is a best practice to reset its initial password to maintain system security. See "Install Process Engine" in the FileNet P8 Platform Installation and Upgrade Guide for further considerations in resetting the fnsw password. |
When is it created? | These accounts are defined automatically during Process Engine Setup (unless predefined by the user); automatic definition includes setting the minimum required permissions described above. |
When is it needed? |
Required on an ongoing basis by Process Engine. |
See also | "Specify IBM FileNet P8 Accounts" in Plan and Prepare Your Environment for IBM FileNet P8 Platform. "Install Process Engine" in the FileNet P8 Platform Installation and Upgrade Guide for further information about resetting the fnsw password. |
Accounts required by Process Engine installation program (Unix)
Description | Several operating system users and groups, or their assigned aliases, required by Process Engine Setup. |
Minimum required permissions | For the fnsw user, the primary group must be fnusr, and fnop, fnadmin, and <dba> must be secondary groups. The Korn shell must be the default shell for the fnsw user. If the database is Oracle, the fnsw user can be removed from the <database administrators group> when the installation is complete. For the root user, fnadmin and fnusr must be secondary groups, and the Korn shell must be the default shell. For the <Oracle> user, the primary group must be <dba> and fnusr must be a secondary group. |
Additional info | fnadmin: Members have all privileges on Process Engine files and databases. fnusr: Members have non-administrator privileges on Process Engine files and databases. fnop: Members have non-administrator operator privileges on Image Services utilities. Oracle database administrators group: Members act as database administrators. fnsw: Primary Process Engine user, used to run the Process Engine software and services. |
When is it created? | Manually created prior to running Process Engine Setup. |
When is it needed? |
Required on an ongoing basis by Process Engine. |
See also | "Specify IBM FileNet P8 Accounts" in Plan and Prepare Your Environment for IBM FileNet P8 Platform. "Install Process Engine" in the FileNet P8 Platform Installation and Upgrade Guide. |
ae_install_user (Install Application Engine)
Description | The administrator who installs the Application Engine. |
Minimum required permissions | UNIX: Administrator must have:
Windows: Administrator must belong to the local Administrators group or be a user with equivalent permissions. |
Additional info | The FileNet P8 WebDAV provider is installed along with the Application Engine and is administered by the administrator who installs the Application Engine. |
When is it needed? |
To run the Application Engine installation program. |
See also | "Specify IBM FileNet P8 Accounts" in Plan and Prepare Your Environment for IBM FileNet P8 Platform. "Install and configure Application Engine" in the IBM FileNet P8 Platform Installation and Upgrade Guide. |
ce_db_user (Content Engine SQL Server account)
Description | Creates and maintains connectivity between Content Engine and the Microsoft SQL Server databases containing the GCD and object stores. |
Minimum required permissions | SQL Server server roles: System Administrators (sysadmin), Server Administrators (serveradmin), and Database Creators (dbcreator). Also add this user to SQL Server's master database and grant it the SqlJDBCXAUser role, along with the public role, so that it can participate in distributed transactions through the Java™ Database Connectivity (JDBC) driver. |
Additional info | You can use the same account for the GCD and object store databases. This account may optionally reside in the configured directory service. |
When created |
Must be created and configured in SQL Server before running Content Engine setup (for the GCD) and before running Enterprise Manager's object store wizard. |
See also | "Specify FileNet P8 Accounts" in Plan and Prepare Your Environment for IBM FileNet P8 Platform. "Install and Deploy Content Engine" in the IBM FileNet P8 Platform Installation and Upgrade Guide. |
ce_db_user (Content Engine Oracle alias)
Description | Creates and maintains connectivity between Content Engine and the Oracle databases containing the GCD and object stores. |
Minimum required permissions | CREATE SESSION, CREATE TABLE, and CREATE SEQUENCE system privileges. |
Additional info | The Oracle roles CONNECT and RESOURCE together include the minimal privileges required by Content Engine, which are CREATE SESSION, CREATE TABLE, and CREATE SEQUENCE. Because these two roles include other privileges as well, FileNet recommends that you design your own role if you prefer to grant only the minimal privileges required by Content Engine. You must create a different Oracle user for each Content Engine database. That is, multiple object stores must not share the same Oracle user, because otherwise the objects you intend to add to one object store would show up in all object stores that share that Oracle user. This account may optionally reside in the configured directory service. |
When created | Must be created and configured in Oracle before running Content Engine setup (for the GCD) and before running Enterprise Manager's object store wizard. |
See also | "Specify FileNet P8 Accounts" in Plan and Prepare Your Environment for IBM FileNet P8 Platform. "Install and Deploy Content Engine" in the IBM FileNet P8 Platform Installation and Upgrade Guide. |
ce_db_user (Content Engine DB2 account)
Description | Creates and maintains connectivity between Content Engine and the DB2 databases containing the GCD and object stores. |
Minimum required permissions | CREATETAB and CONNECT ON DATABASE, and USE OF TABLESPACE on the user and user temporary DB2 tablespaces used for the GCD and object stores. |
Additional info | The Content Engine DB2 account is created on the AIX operating system first. It can be the instance owner, the fenced user, or a completely separate user with the above permissions granted to it; FileNet recommends the last of these. This account may optionally reside in the configured directory service. |
When created |
Must be created and configured in DB2 before running Content Engine setup (for the GCD) and before running Enterprise Manager's object store wizard. |
See also | "Specify FileNet P8 Accounts" in Plan and Prepare Your Environment for IBM FileNet P8 Platform. "Install and Configure Content Engine" in the IBM FileNet P8 Platform Installation and Upgrade Guide. |
Rendition Engine SQL Server account
Description | Creates and maintains connectivity for Rendition Engine installations that use SQL Server. |
Minimum required permissions | Any user with SQL Server's Create Database permission, that is, any SQL Server login with the Database Creators (dbcreator) server role. (In SQL Server Enterprise Manager, navigate to Security > Logins, right-click the login name and select Properties, click the Server Roles tab, and select at least Database Creators.) |
Additional info | This user is a safer alternative to SQL Server's sa or sys accounts, which would also satisfy the configuration requirements. (This user is not the same as the FNRE_Admin user.) |
When created | As part of installing FileNet Publishing components (Vista configuration). |
See also | "Install and configure FileNet Publishing components" in the FileNet P8 Platform Rendition Engine Installation and Upgrade Guide. |
gcd_admin (GCD administrators)
Description | (Content Engine) Users and groups who have been granted Full Control over the FileNet P8 domain object. |
Additional info | Full Control over the FileNet P8 domain object is a security level comprised of the following access rights:
In the following screen shot the selected user has Full Control access on Enterprise Manager's Domain Root Properties > Security property sheet and is therefore a GCD administrator. A GCD administrator can grant Full Control rights to additional users and groups, thereby making them GCD administrators as well. Being a GCD administrator does not automatically make you an object store administrator, which is a role assigned on the object store's own property sheet. |
When created | Configuration Manager, in its Configure Bootstrap Properties panel, requests the credentials of the initial GCD administrator, referred to there as the "Bootstrap user name". This account serves in both roles unless you change one of them. This account must reside in the directory service specified in Configuration Manager's Configure LDAP panel. When you launch Enterprise Manager for the first time after Content Engine deployment, running as the GCD administrator, you will:
NOTE Even if you assign additional GCD administrators and remove the first GCD administrator, the initial bootstrap user account remains the ce_bootstrap_admin. See the entry for the Content Engine system user for more information. You can add or remove users or groups from this list at any time. See Add or remove a GCD administrator. |
When is it needed? | Whenever you log on to Enterprise Manager to create or change a FileNet P8 domain resource. |
See also |
For descriptions of FileNet P8 domain resources, see Concepts: FileNet P8 Domain in Help for Content Engine Administration. For descriptions of the wizards mentioned above, see Administer directory configurations and Configure New Domain Permissions Wizard. |
object_store_admin, object_store_admin_group (Object store administrators)
Description | (Content Engine) Users and groups who have been granted Full Control access to an object store. |
Additional info | Full Control over an object store is a security level comprised of the following access rights:
In the following screen shot, any accounts with Full Control permission on the object store (named "store" in this example) are its object store administrators. NOTE See Object store access rights for information about why Modify certain system properties is not included in Full Control. Each time a GCD administrator runs the Object Store Wizard, the wizard asks for the users and groups who should have administrative access to the object store, so each object store can have a different set of administrators. Conversely, if you want the same groups to administer all object stores in the FileNet P8 domain, you must add them while creating each new object store with the Object Store Wizard. By default, the GCD administrator creating the object store also becomes an object store administrator. Object store administrative rights do not include the ability to add, move, or remove object stores, fixed content devices, content cache areas, or any other FileNet P8 domain resources; those permissions are granted only to GCD administrators. An object store administrator is not also a GCD administrator unless specifically granted those permissions, so an object store administrator who is not also a GCD administrator must ask a GCD administrator to create a new domain resource such as an object store. Once the GCD administrator has created the object store, the object store administrator can populate it with new classes and folders, store content in the file storage area, assign markings, and so on. |
When is it created? | Specified each time a GCD administrator runs the Object Store Wizard to create a new object store. Any user or group with Full Control on this security page is an administrator of that object store. The list of object store administrators is available for viewing and modifying in Enterprise Manager's Object Store Properties > Security property page, and you can add or remove users or groups from it at any time. See Add or remove an object store administrator. NOTE FileNet recommends that you keep the number of accounts assigned as object store administrators or object store end users as small as possible; this improves performance and simplifies administration. The best way to do this is to use group accounts instead of large numbers of individual users. Groups can have as many members as you wish and can be nested (that is, contain other groups). |
When is it needed? | Required for ongoing administration of the object store. |
See also | Logging on and using Enterprise Manager in Help for Security. |
ce_service_user (Content Engine directory service user)
Description | Used by Content Engine to connect to the directory server. |
Minimum required permissions | The directory service user must be configured with the following minimum rights for each security realm that will be configured for your FileNet P8 domain. Novell® eDirectory: Compare, Read. IBM® Tivoli®: Read, Search, Compare. Microsoft® Active Directory®: must belong to the Pre-Windows 2000 Compatible Access group in each desired domain in the Active Directory forest. Microsoft ADAM®: ability to see the other users in the partition. To configure this, do the following: |
Additional info | When retrieving information from the directory service, Content Engine connects using this account. For example, in Enterprise Manager this occurs when you launch the Select Users and Groups dialog box to search for and add accounts to an object's ACL. The directory service user cannot be accessed using referrals. |
When is it created? | Any time before installing Content Engine. Available for viewing and modifying in Enterprise Manager: see Directory configuration properties (General tab) in Help for Content Engine Administration. |
When is it needed? | Whenever Content Engine accesses the directory service. |
ce_os_user (Content Engine operating system account)
Description | Account used to create and configure the shared root directory of a file storage area or content cache area. For Windows-based Content Engine and file storage areas, the operating system (OS) account must reside in the same Windows domain as, or in a Windows domain trusted by, the servers that host Content Engine and the file storage area. For UNIX-based Content Engine and file storage areas, configuring security requires the use of NFS. |
Additional info | The operating system user who logs on to the Content Engine server and starts the local application server process is the account that must be used to secure the folders and files in a file storage area. In practice, the account used to install the application server should be the same account used to start the application server process. As an administrator, you always log on using the same ce_os_user account to secure the folders and files in the file system that Content Engine will use for a file storage area. Optionally, you can use an OS group account; all OS user accounts would then have to be members of this group. |
See also | For a more complete description of the security requirements for creating file storage areas, see Storage area security. See also "Create a File Storage Area" in the FileNet P8 Platform Installation and Upgrade Guide. |
k2_sec_group (K2 security group)
Description | A directory service group account used by Content Engine to connect to the Autonomy K2 server for content-based retrieval (CBR). |
Additional info | K2 security user accounts must be members of the K2 security group. Only members of this group have access to the collection. The credentials assigned to the K2 security user and K2 security group are available for viewing and modifying in Enterprise Manager. See "FileNet P8 domain root properties (Verity Domain Config tab)" in Help for Content Engine Administration. Content Engine automatically places the value assigned to the K2 security group on each Verity collection. |
When is it created? | Assigned during initial installation. |
When is it needed? | For the ongoing functioning of CBR. |
See also | For more security information, see Security for Autonomy K2 server and the subtopic File storage area security in Storage area security. See also "Install and Configure Content Search Engine" in the FileNet P8 Platform Installation and Upgrade Guide. |
k2_sec_user (K2 security user)
Description | A directory service user account used by Content Engine to connect to the Autonomy K2 server for content-based retrieval (CBR). |
Minimum required permissions | The K2 security user must be granted the following permissions: |
Additional info | Content Engine logs on to the Autonomy K2 server using the credentials of the K2 security user account, which must be a member of the K2 security group. Only members of this group have access to the collection. The credentials assigned to the K2 security user and K2 security group are available for viewing and modifying in Enterprise Manager. See "FileNet P8 domain root properties (Verity Domain Config tab)" in Help for Content Engine Administration. |
When is it created? | Assigned during initial installation. |
When is it needed? | For the ongoing functioning of CBR. |
See also | For more security information, see Security for Autonomy K2 server and the subtopic File storage area security in Storage area security. See also "Install and Configure Content Search Engine" in the FileNet P8 Platform Installation and Upgrade Guide. |
k2_os_user (K2 operating system user)
Description | The operating system account that the Autonomy K2 services run as. |
Minimum required permissions | The K2 operating system user must be an operating system administrator on the machine where the Autonomy K2 Master Administration server is installed. |
Additional info | The K2 operating system user is used to secure file system access to collections: |
When is it needed? | For the ongoing functioning of CBR. |
See also | For more security information, see Security for Autonomy K2 server and the subtopic File storage area security in Storage area security. See also "Install and Configure Content Search Engine" in the FileNet P8 Platform Installation and Upgrade Guide. |
pe_service_user (Process Engine service user)
Description | Account used by Process Engine when connecting to Content Engine. |
Minimum required permissions | The Process Engine service user must be a member of the Process Engine administrators group. |
When is it created? | Assigned using the Process Task Manager. |
See also | Configure the Process Engine security connection |
Description pe_admin_group |
Group whose members have administrative privileges for Process Engine. |
When is it created? | Assigned using the Process Task Manager. |
When is it needed? | By Process Engine administrators to administer the workflow database. |
See also | About workflow security; Configure the Process Engine security connection |
pe_config_group
Description | Group whose members have configuration privileges on the Process Engine workflow database. |
Additional info | The Process Engine configuration group is optional. If specified, members of this group or Process Engine administrator group can make configuration changes to the workflow database. If not assigned, anyone can make these changes. |
When is it created? | Assigned using Process Task Manager. |
When is it needed? | By Process Engine administrators to administer the workflow database. |
See also | About workflow security; Configure the Process Engine security connection |
ae_admin_user
Description | Role whose members have administrative privileges for the Application Engine or Workplace XT servers. |
Minimum required permissions | None: this is an internally managed role. |
Additional info | Managed by Access Roles preferences. The user who configures the bootstrap preferences on initial sign-in to the Workplace or Workplace XT application is automatically added to this role. Other users can be added to the role as needed. |
When is it created? | Created while configuring Site Preferences. |
When is it needed? | Required for access to Site Preferences, for modifying membership of specific roles. |
See also | Access Roles preferences in Help for Site Preferences. |
Description | Image Services account used by Content Engine to log on to and access Image Services resources as part of Content Federation Services configuration. |
When is it created? | Any time prior to creating a CFS fixed content device. |
When is it needed? | Used whenever Content Engine accesses the Image Services system as part of Content Federation Services configuration. |
See also | See FileNet P8 Content Federation Services for Image Services Guidelines for full reference information. |
Description | Access role whose members can access Simulation Console from the Advanced Author page. |
Minimum required permissions | None. Access roles are stored as values in custom objects in the object store. |
Additional info | You can restrict the ability to run Simulation Console by assigning a group to the corresponding role in the Access roles preferences. If a group is assigned to the role, only members of the group can run Simulation Console. |
When is it created? | While defining site preferences. |
When is it needed? | By users running Simulation Console. |
See also | Application security in Process Engine Reference. |
Description | Access role whose members can access Simulation Designer from the Advanced Author page. |
Minimum required permissions | None. Access roles are stored as values in custom objects in the object store. |
Additional info | You can restrict the ability to run Simulation Designer by assigning a group to the corresponding role in the Access roles preferences. If a group is assigned to the role, only members of the group can run Simulation Designer. |
When is it created? | While defining site preferences. |
When is it needed? | By users running Simulation Designer. |
See also | Application security in Process Engine Reference. |
Description | Access role whose members can access Process Administrator from the Admin page in Workplace or the Tools menu in Workplace XT. |
Minimum required permissions | None. Access roles are stored as values in custom objects in the object store. |
Additional info | You can restrict the ability to run Process Administrator by assigning a group to the corresponding role in the Access roles preferences. If a group is assigned to the role, only members of the group can run Process Administrator. |
When is it created? | While defining site preferences. |
When is it needed? | By users running Process Administrator. |
See also | Application security in Process Engine Reference. |
Description | Access role whose members can access Process Configuration Console from the Admin page in Workplace or the Tools menu in Workplace XT. |
Minimum required permissions | None. Access roles are stored as values in custom objects in the object store. |
Additional info | You can restrict the ability to run Process Configuration Console by assigning a group to the corresponding role in the Access roles preferences. If a group is assigned to the role, only members of the group can run Process Configuration Console. |
When is it created? | While defining site preferences. |
When is it needed? | By users running Process Configuration Console. |
See also | Application security in Process Engine Reference. |
Description | Access role whose members can access Process Designer in design and diagram mode and the Workflow Subscription wizard from the Advanced Author page in Workplace or the Tools menu in Workplace XT. |
Minimum required permissions | None. Access roles are stored as values in custom objects in the object store. |
Additional info | You can restrict the ability to run Process Designer in design and diagram mode by assigning a group to the corresponding role in the Access roles preferences. If a group is assigned to the role, only members of the group can run Process Designer. |
When is it created? | While defining site preferences. |
When is it needed? | By users running Process Designer in design and diagram mode. |
See also | Application security in Process Engine Reference. |
Description | Access role whose members can access Process Designer in diagram mode from the Advanced Author page in Workplace or the Tools menu in Workplace XT. |
Minimum required permissions | None. Access roles are stored as values in custom objects in the object store. |
Additional info | You can restrict the ability to run Process Designer in diagram mode by assigning a group to the corresponding role in the Access roles preferences. If a group is assigned to the role, only members of the group can run Process Designer. |
When is it created? | While defining site preferences. |
When is it needed? | By users running Process Designer in diagram mode. |
See also | Application security in Process Engine Reference. |
Description | (Content Engine) A logical group whose members are all authenticated user principals. Any user account that can successfully log in belongs to this group. |
Additional info | #AUTHENTICATED-USERS is similar to the special groups "Everyone" in Windows NT 4 and "Authenticated Users" in Windows 2000. It does not have a specific membership that you can modify, and it does not include anonymous users or guests. If you specify #AUTHENTICATED-USERS as a default user/group of an object store, then all users who log on to the FileNet P8 domain are automatically made members of this group. It will appear on the Default Instance Security ACL of all classes. Therefore, each instance of the class will include #AUTHENTICATED-USERS on its own ACL. If you do not change the default, the net effect is that any user who can log on to the FileNet P8 domain will be able to:
If this is not what you want, you could:
#AUTHENTICATED-USERS and #CREATOR-OWNER are referred to as "Special Accounts" in Enterprise Manager's Select Users and Groups dialog box. |
When is it created? | Automatically created and maintained by Content Engine. |
Description | (Content Engine) The special account granted to the user who creates an object. |
Additional info | #CREATOR-OWNER is a placeholder in an access control entry (ACE) and is used for copying a defined set of permissions to the individual user who is creating a new object. This copying takes place:
By default, #CREATOR-OWNER appears on the Security and Default Instance Security tabs of all instantiable classes, and is granted Full Control, with an inheritable depth of "This object only". This account functions just like a normal user account, and its default permissions can be edited according to normal rules (that is, by users with appropriate permission). When the ACE is inherited, the permissions granted to the #CREATOR-OWNER become the permissions granted to the object's current owner. For example, when a user creates a document based on a document class, that user takes on the #CREATOR-OWNER's permissions. Actually, two target ACEs result whenever the #CREATOR-OWNER is copied onto an object - a substituted ACE and a non-substituted ACE:
Windows Authentication: the user attribute used is the samAccountName. #AUTHENTICATED-USERS and #CREATOR-OWNER are referred to as "Special Accounts" in Enterprise Manager's Select Users and Groups dialog box. |
When is it created? | Automatically created and maintained by the Content Engine. |
See also | Take or change ownership |
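The Default Instance Security and #CREATOR-OWNER copying behaviour described above, as an added simplified model in Python. It is not FileNet P8 code: the right names, the "This object only" flag and the sample document class ACL are constructed for illustration, and the audit helper shows the check an administrator would run before leaving #AUTHENTICATED-USERS on a class default.

```python
from dataclasses import dataclass

# Special accounts named on the page; the right names are constructed placeholders.
AUTHENTICATED_USERS = "#AUTHENTICATED-USERS"
CREATOR_OWNER = "#CREATOR-OWNER"
FULL_CONTROL = frozenset({"READ", "WRITE", "DELETE", "CHANGE_PERMISSIONS"})

@dataclass(frozen=True)
class Ace:
    grantee: str
    rights: frozenset
    this_object_only: bool = True   # inheritable depth "This object only"
    substituted: bool = False       # True once #CREATOR-OWNER was resolved

def instantiate(default_instance_acl, creator):
    """Copy a class's Default Instance Security ACL onto a new object.
    Each #CREATOR-OWNER ACE yields two object ACEs: a substituted ACE
    naming the creating user, plus the non-substituted placeholder."""
    acl = []
    for ace in default_instance_acl:
        if ace.grantee == CREATOR_OWNER:
            acl.append(Ace(creator, ace.rights, ace.this_object_only, True))
        acl.append(ace)
    return acl

def effective_rights(acl, user, authenticated=True):
    """Rights a principal gets from an object's ACL (allow ACEs only)."""
    rights = set()
    for ace in acl:
        if ace.grantee == user or (authenticated and ace.grantee == AUTHENTICATED_USERS):
            rights |= ace.rights
    return rights

def inherited_by_child(acl):
    """ACEs that propagate to a child object; 'This object only' ACEs do not."""
    return [ace for ace in acl if not ace.this_object_only]

def grants_to_everyone(acl):
    """Audit helper: ACEs that hand rights to every authenticated principal."""
    return [ace for ace in acl if ace.grantee == AUTHENTICATED_USERS]

# Constructed sample: a document class default left as the page describes,
# with #AUTHENTICATED-USERS still present (depth chosen for illustration).
DOC_CLASS_DEFAULT_ACL = [
    Ace(CREATOR_OWNER, FULL_CONTROL),
    Ace(AUTHENTICATED_USERS, frozenset({"READ"}), this_object_only=False),
]
```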
Description | Database accounts used by Process Engine to access the workflow database. You can instruct setup to automatically create these accounts or to assign an alias of your choice. By default, the following database users are created: |
Minimum required permissions | Process Engine Setup grants various database permissions to these users. For a complete list, see "Process Engine SQL Scripts" in the FileNet P8 Platform Installation and Upgrade Guide. |
When is it created? | Manually created before installation or automatically created during Process Engine installation. |
When is it needed? | Required on an ongoing basis. |
See also | Because Process Engine Setup creates each of these users with a default password, FileNet strongly recommends resetting the passwords to maintain system security. See "To set the f_maint and f_sw passwords (Oracle and SQL Server)" in the FileNet P8 Platform Installation and Upgrade Guide for instructions. |
Description | Process Engine Setup automatically creates several accounts (SysAdmin, FieldService, Operator) required when using the underlying Image Services (IS) tools. The users are created in the SEC database; they are not operating system, directory service, or database users. |
Minimum required permissions | |
When is it created? | Automatically created during Process Engine installation. |
When is it needed? | Required on an ongoing basis. |
See also | Because Process Engine Setup creates each of these users with a default password, FileNet strongly recommends resetting the passwords to maintain system security. See "To reset administrative user passwords" in the appropriate platform section of the FileNet P8 Platform Installation and Upgrade Guide for instructions. |