Manage security
Security settings protect all objects (such as documents, folders, stored searches, search templates, entry templates, forms, publish templates and custom objects) that you access from the application. Typically, your administrator defines the users and groups and the default security for your site. Depending on your site settings, you might be able to set security permissions when you add new folders, documents, or custom objects, when you check in a document, when you publish a document, or when you view the information page for an object. Changing the security on an object requires appropriate permissions.
The topics in this section will help you to understand security settings and how to apply them.
Default security
Typically, your administrator defines the default security for document classes, folder classes, and custom object classes. Other ways to define default security are through:
- An entry template.
- A security policy.
- Folder inheritance. A folder with inheritance security defined by your administrator can define default security for objects in the folder.
- Expansion products. For example, an application such as IBM Enterprise Records can apply default security.
- Property masks. Property mask settings control which properties you can view and edit, and can control the values you can select from choice lists.
- Security markings. Markings can restrict access to individual objects that use the markings.
If you possess appropriate permissions, you can change the security for an object.
NOTE Your administrator can set a site preference that hides security pages when you add or check in documents or add folders. If the security pages are hidden when you add a document or folder, the default security from the document or folder class is applied, and document default security might also be defined by a security policy. When you check in a document, default security comes from the settings applied during the last checkout (reservation object) and from the security policy if one is used with the document. For more information on the reservation object, see About versioning.
Security settings
The basic security page for an object displays a list of the users and groups that have been granted access to the object and shows the permission level granted. From this page, you can view or assign a security policy for the object, or you can add new users and groups or modify the permissions for the existing users and groups.
NOTE Administrators can use a different tool to administer security. That tool refers to the security settings as the Access Control List (ACL), and it identifies each user or group together with its permissions as an Access Control Entry (ACE).
The following illustration shows the security settings for a document called Timesheet. A security policy is currently assigned to the document and controls the default security. Check marks show the permissions granted to each user or group.
In some cases, a specific user or group might be listed more than once in the security settings for an item. In these cases, the security settings for the user or group are derived from more than one source. For example, if the user "abrown" has access rights that are inherited, are obtained from a security policy, and are set directly, his user name is listed three times. In addition, when the optional IBM Enterprise Records expansion product is enabled, the records management settings can apply more security to a document. You can click the user or group name to view the details of the settings. An icon, as shown in the following table, denotes the source of the security settings.
Icon | Description |
---|---|
No icon | Security settings were directly set (explicit). |
(inheritance icon, not shown) | Security settings derive from folder inheritance. |
(propagate to all levels icon, not shown) | Security settings propagate from one folder to all levels of its subfolders. |
(propagate one level icon, not shown) | Security settings propagate from one folder down one level to the next subfolder. |
NOTE A security parent could represent the source of the document's security when inheritance is configured. Inheritance from a parent folder can also apply to folders when adding a new folder. Your administrator defines the rules governing security inheritance.
Permission levels
Permission levels are a set of permissions that determine the combined type of access to an object granted to a specific user or group. Modify Content, for example, controls the user's permissions to check out a document, check in a document as a minor version, and cancel a document checkout.
NOTE The available permission levels depend on the type of object selected.
You can set a permission to Allow or Deny. Such permissions can relate to other permissions. When you change an Allow or Deny setting, the change ripples to the related settings. For example, when you set Modify Content to Allow, then Modify Properties, View Content and View Properties also receive an Allow setting.
The following illustration shows you the current permission settings for the HR Managers group for a particular document. The permissions for Owner Control and Publish are set to Implicit Deny. Implicit Deny means that no specific setting exists. The group account is denied these access rights until access is granted through another means. The example shows that the HR Managers group has not been explicitly granted Owner Control and Publish access rights to this document, but note that members of the group might have been granted these access rights through some other means (for example, via directly assigned access rights or through membership in some other group). The remaining settings in this example are derived from a security policy. If needed, you can override any of these settings by selecting Allow or Deny for any setting.
Permission descriptions
The following table entries describe each permission.
Permissions | Description |
---|---|
Owner Control | The Owner Control permission grants a user complete control of the object. The user can delete the object and set the security for the object. By default, the user who adds an object to the object store initially has Owner Control permission for that object. |
Promote Version (documents only) | Promote Version allows the user to promote and demote documents: the user can check out a document, check it back in as a major version, cancel the document checkout, and promote or demote the document version. For more information on versioning, see Manage document versioning. NOTE Application Integration does not have promotion and demotion functionality. |
Modify Content | Modify Content allows the user to check out a document, check the document back in as a minor version, or cancel the checkout. With Modify Content access alone, users cannot modify search templates, stored searches, publish templates, or workflows in the corresponding designer tools; Promote Version access is required to check out through the search, publish, or process designers. |
Modify Properties | Modify Properties allows the user to change the properties for an object. |
View Content (documents only) | View Content allows the user to view the contents of a document object (including stored searches, search templates, publish templates, workflows, and entry templates). For example, if the object is a spreadsheet document, the user can open and view the spreadsheet. |
View Properties | View Properties allows the user to view the properties of a folder or an object. |
Publish (documents only) | Publish permission allows the user to publish an existing document. NOTE Publishing operations must be performed through Workplace. |
Create Subfolder (folders only) | Create Subfolder allows the user to add a subfolder to an existing folder. |
File In Folder (folders only) | File In Folder allows the user to add documents to a folder. For Workplace users, it also allows the user to add custom objects to a folder. NOTES |
Available permission levels
Use the table below to determine the available permission levels for objects.
Documents | Annotations (Image Viewer) | Folders | Custom Objects and Security Policies | Stored Searches and Publishing Templates |
---|---|---|---|---|
Owner Control | Owner Control | Owner Control | Owner Control | Owner Control |
NOTE In Workplace, entry template definitions, search templates, and workflow definitions are documents with special classes. Document permissions apply to these special types of documents. Workflow definitions display the Publish permission, but you cannot publish a workflow.
Annotation and document permissions interaction
The annotation feature in Image Viewer allows users to add annotations to existing documents. In addition to the security defined for the document, security can be defined for each annotation item. Your administrator determines if the default security for an annotation is derived from the document object default security settings or if the default security for an annotation is derived from the annotation class default security settings. Your administrator defines classes and their default security settings.
The ability to add, edit, or delete an annotation is determined by the security for the document and the security for the annotation, as described in the following table.
Annotation Operation | Document permission required | Annotation permission required | Resulting annotation permission |
---|---|---|---|
View annotation | View Content | View Content | same |
Add annotation | Modify Content | Not applicable | Owner Control, plus inherited security from document |
Edit annotation | Modify Content | Modify Content | same |
Delete annotation | Modify Content | Owner Control | Not applicable |
Change annotation security settings | Modify Content | Owner Control | Set security settings |
NOTE Annotation security can prevent a user from deleting a document that the user has delete rights to. The user must have delete rights to all the annotations and delete rights to the document to be permitted to delete the document.
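The Allow/Deny ripple, the Implicit Deny default, and the annotation deletion rule described above, as an added worked model in Python (not IBM's code). It assumes that Deny takes precedence over Allow when both apply to a user, and that Promote Version and Owner Control ripple downward the same way the page says Modify Content does.

```python
# Added example, not IBM code. Assumed: Deny beats Allow when both apply; Promote
# Version and Owner Control ripple down as the page says Modify Content does.
from dataclasses import dataclass, field

PERMISSIONS = ["Owner Control", "Promote Version", "Modify Content",
               "Modify Properties", "View Content", "View Properties", "Publish"]
# Ripple rules: the Modify Content row is from the page; the other two are assumed.
IMPLIES = {
    "Modify Content": {"Modify Properties", "View Content", "View Properties"},
    "Promote Version": {"Modify Content"},
    "Owner Control": {"Promote Version", "Publish"},
}

def closure(permission):
    """Every permission an Allow on `permission` ripples to, including itself."""
    seen, todo = set(), [permission]
    while todo:
        p = todo.pop()
        if p not in seen:
            seen.add(p)
            todo.extend(IMPLIES.get(p, ()))
    return seen

@dataclass
class Acl:
    # entries[(principal, permission)] -> "Allow" or "Deny"; no entry is Implicit Deny
    entries: dict = field(default_factory=dict)

    def set(self, principal, permission, setting):
        """Set one ACE and ripple it: Allow flows down to the permissions it implies,
        Deny flows up to every permission that would imply the denied one."""
        if setting == "Allow":
            targets = closure(permission)
        else:
            targets = {p for p in PERMISSIONS if permission in closure(p)}
        for p in targets:
            self.entries[(principal, p)] = setting

    def effective(self, principals, permission):
        """Combine the ACEs of a user and of every group the user belongs to."""
        settings = {self.entries.get((p, permission)) for p in principals}
        if "Deny" in settings:
            return "Deny"
        return "Allow" if "Allow" in settings else "Implicit Deny"

def can_delete_document(principals, doc_acl, annotation_acls):
    """Page rule: deleting a document needs delete rights (Owner Control) on the
    document and delete rights (Owner Control) on every annotation attached to it."""
    return doc_acl.effective(principals, "Owner Control") == "Allow" and all(
        a.effective(principals, "Owner Control") == "Allow" for a in annotation_acls)
```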
System notes
System notes appear on permission settings pages. These notes provide you with information to understand the source of each setting. The following table shows you the notes and describes their source.
System notes | Description |
---|---|
Advanced System Defined Settings | The settings represent one or more sources. |
Deny due to security policy | Deny permissions set by security policy. |
Allow due to security policy | Allow permissions set by security policy. |
Deny due to Advanced System Defined Settings | Deny permissions set by the accumulated rights of the security template permissions and the permissions inherited from the parent folder. |
Allow due to Advanced System Defined Settings | Allow permissions set by the accumulated rights of the security template permissions and the permissions inherited from the parent folder. |
Deny due to inherited security | Deny permissions set by the permissions inherited from the parent folder. |
Allow due to inherited security | Allow permissions set by the permissions inherited from the parent folder. |
Implicit Deny | No explicit or inherited system permission is set. Access can be granted or denied to the account through another access control entry. The security model denies access to an object unless a permission is specifically set to Allow. |