Each object in an object store has security settings. When you create an IBM® Enterprise Records object, the security settings are defined by various methods.
The security setting are defines by:
In addition, an object can inherit a security marking or a user can directly assign a marking to the object. For more information about applying object security, see the topic about setting or modifying object security.
The post-import script FPOS_PostImport_datamodel.vbs, sets the Default Instance Owner for the Record class and subclasses, Electronic, Email, and Marker, to NULL. This script is run when you are importing a data model into an object store. When you declare a record with the Record class or a subclass, the record inherits the Default Instance Owner property of the class. This property is set to NULL. For a PRO installation, the Owner property represents the Custodian. When the owner is NULL, IBM Enterprise Records does not grant any special access rights to any user. A record creator does not have administrative rights to the record, such as modifying the security of a record.
You can use IBM Administration Console for Content Platform Engine to change the owner to a specific user or group. You change this ownership by modifying the Default Instance Owner on the Record class or a subclass. However, IBM Enterprise Records does not apply the change to any existing records, but only to records created after the change.
When the declaration process files a record into a container, the record inherits the security of the parent container, known as the security parent. If you use Application Engine or Workplace XT to declare the record into multiple containers, the security parent is the first record container you selected.
During the IBM Enterprise Records installation, the Default Instance Security on the Record class gives the Records Manager User group rights to Minor/Major Versioning. These rights allow you to create new versions of documents declared as records. If the container security specifically denies all rights to some users, the denial propagates to the record. However, the user group set-up in the Default Instance Security of the class takes precedence over this propagated denial. The denied user cannot browse to the category, but can still access the record through search or reports.
To prevent broad access to records through search and reports, do not complete the Default Instance Security installation step. If you do not complete the Default Instance Security Installation step, IBM Enterprise Records controls security access at the record and folder level. For example, you can:
If you file a record into more than one folder, the record continues to inherit its security from the first folder. The first folder is the security parent folder. If a record is filed into more than one folder and you move the record from the security parent folder to a new folder, the record inherits the security of the new folder. The security inheritance also changes if a security parent folder of the record is deleted.
To view and modify the security parent folder for a record that is filed in multiple folders:
In that case, the sweeps also use that security parent to select the current running schedule for this record.
To declare a document as a record, a user must be assigned to the Records User role and must have Modify Properties rights on the document. As the document author, a user has full access rights to the document. After that document is declared as a record, IBM Enterprise Records overwrites the security of the document with the security of the record. The access rights assigned to the document are controlled by the record associated with the document. The author can no longer modify the declared security of the declared document. If an authorized user updates the access rights for a record, the same access rights are updated for the document the record is declared from.
To allow records users to check out and check in documents declared as records, the default installation procedure gives all users additional permissions on every record. In some IBM Enterprise Records implementations, users with higher access levels can modify the security for records and folders so that document authors can check out and check in their documents. A user must have Modify Content rights on a record to create a version of the document. A user also must have View Content rights on a record to view the content of the document.
A declared document cannot be deleted until its associated record is deleted. The constraint of deleting a document is imposed by a property on the document that points to the record and uses the Prevent Delete action. A user with Full Control access rights cannot delete a declared document. The system automatically deletes a document when the record associated with the document is deleted. The delete action occurs because the object-valued property on the record points to the document and uses the Cascade Delete action.