Manage security

Security settings protect all objects (such as documents, folders, stored searches, search templates, entry templates, forms, publish templates and custom objects) that you access from the application. Typically, your administrator defines the users and groups and the default security for your site. Depending on your site settings, you might be able to set security permissions when you add new folders, documents, or custom objects, when you check in a document, when you publish a document, or when you view the information page for an object. Changing the security on an object requires appropriate permissions.

The topics in this section will help you to understand security settings and how to apply them.

Default security

Typically, your administrator defines the default security for document classes, folder classes, and custom object classes. Other ways to define default security are through:

If you possess appropriate permissions, you can change the security for an object.

NOTE  Your administrator can set a site preference that hides security pages when you add or check in documents or add folders. If the security pages are hidden when you add a document or folder, the default security from the document or folder class is applied, and document default security might also be defined by a security policy. When you check in a document, default security comes from the settings applied during the last checkout (reservation object) and from the security policy if one is used with the document. For more information on the reservation object, see About versioning.

Security settings

The basic security page for an object displays a list of the users and groups that have been granted access to the object and shows the permission level granted. From this page, you can view or assign a security policy for the object, or you can add new users and groups or modify the permissions for the existing users and groups.

NOTE  Administrators can use a different tool to administer security. That tool refers to the security settings as the Access Control List (ACL). The tool also identifies each user and group title and its permissions as an Access Control Entry (ACE).

The following illustration shows the security settings for a document called Timesheet. A security policy is currently assigned to the document and controls the default security. Check marks show the permissions granted to each user or group.

Security example

In some cases, a specific user or group might be listed more than once in the security settings for an item. In these cases, the security settings for the user or group are derived from more than one source. For example, if the user "abrown" has access rights that are inherited, are obtained from a security policy, and are set directly, his user name is listed three times. In addition, when the optional IBM Enterprise Records expansion product is enabled, the records management settings can apply more security to a document. You can click the user or group name to view the details of the settings. An icon, as shown in the following table, denotes the source of the security settings.

Icon                                       Description
(no icon)                                  Security settings were directly set (explicit).
Settings derive from folder inheritance    Security settings derive from folder inheritance.
Settings propagate to all subfolders       Security settings propagate from one folder to all levels of its subfolders.
Settings propagate to next level folder    Security settings propagate from one folder down one level to the next subfolder.

NOTE  A security parent could represent the source of the document's security when inheritance is configured. Inheritance from a parent folder can also apply to folders when adding a new folder. Your administrator defines the rules governing security inheritance.

Permission levels

Permission levels are a set of permissions that determine the combined type of access to an object granted to a specific user or group. Modify Content, for example, controls the user's permissions to check out a document, check in a document as a minor version, and cancel a document checkout.

NOTE  The available permission levels depend on the type of object selected.

You can set a permission to Allow or Deny. Such permissions can relate to other permissions. When you change an Allow or Deny setting, the change ripples to the related settings. For example, when you set Modify Content to Allow, then Modify Properties, View Content and View Properties also receive an Allow setting.

The following illustration shows you the current permission settings for the HR Managers group for a particular document. The permissions for Owner Control and Publish are set to Implicit Deny. Implicit Deny means that no specific setting exists. The group account is denied these access rights until access is granted through another means. The example shows that the HR Managers group has not been explicitly granted Owner Control and Publish access rights to this document, but note that members of the group might have been granted these access rights through some other means (for example, via directly assigned access rights or through membership in some other group). The remaining settings in this example are derived from a security policy. If needed, you can override any of these settings by selecting Allow or Deny for any setting.

The current security settings for the HR Managers group.

Permission descriptions

The following table entries describe each permission.

Permissions Description
Owner Control

The Owner Control permission grants a user complete control of the object. The user can delete the object and set the security for the object. By default, the user who adds an object to the object store initially has Owner Control permission for that object.

  • When you set Owner Control to Allow, all of the remaining permissions are automatically set to Allow.
  • When you set Owner Control to Deny, the other permissions are not changed.
Promote Version
(documents only)

Promote Version allows the user access to promote and demote documents. You can check out a document, check it back in as a major version, cancel the document checkout, and promote or demote the document version. For more information on versioning, see Manage document versioning.

  • When you set Promote Version to Allow, then Modify Content, Modify Properties, View Content, and View Properties are automatically set to Allow.
  • When you set Promote Version to Deny, Owner Control is also set to Deny.

NOTE  Application Integration does not have promotion and demotion functionality.

Modify Content
(documents only)

Modify Content allows the user to check out a document, check the document back in as a minor version, or cancel the checkout.

  • When you set Modify Content to Allow, then Modify Properties, View Content, and View Properties are automatically set to Allow.
  • When you set Modify Content to Deny, Owner Control and Promote Version are both set to Deny.

Modify Content access alone does not allow users to modify search templates, stored searches, publish templates, or workflows in the corresponding designer tools. Promote Version access is required to check out through the search, publish, or process designers.

Modify Properties

Modify Properties allows the user to change the properties for an object.

  • When you set Modify Properties to Allow, then View Content and View Properties are automatically set to Allow for documents.
  • Setting Modify Properties to Allow for a folder automatically sets View Properties as well.
  • When you set Modify Properties to Deny, then Owner Control, Promote Version (documents only), Modify Content (documents only), and Publish (documents only) are also set to Deny.
View Content
(documents only)

View Content allows the user to view the contents of a document object (including stored searches, search templates, publish templates, workflows, and entry templates). For example, if the object is a spreadsheet document, the user can open and view the spreadsheet.

  • When you set View Content to Allow, then View Properties is automatically set to Allow.
  • When you set View Content to Deny, then Owner Control, Promote Version, Modify Content, Modify Properties, and Publish are set to Deny.
View Properties

View Properties allows the user to view the properties of a folder or an object.

  • Setting View Properties to Allow does not change any other settings.
  • Setting View Properties to Deny sets all other permissions to Deny by default.
Publish
(documents only)

Publish permission allows the user to publish an existing document.

  • When you set Publish to Allow, then View Content, View Properties, and Modify Properties are automatically set to Allow.
  • Setting Publish to Deny also sets Owner Control to Deny.

NOTE  Publishing operations must be performed through Workplace.

Create Subfolder
(folders only)

Create Subfolder allows the user to add a subfolder to an existing folder.

  • Setting Create Subfolder to Allow automatically sets View Properties to Allow.
  • Setting Create Subfolder to Deny also sets Owner Control to Deny.
File In Folder
(folders only)

File In Folder allows the user to add documents to a folder. For Workplace users, it also allows the user to add custom objects to a folder.

  • Setting File In Folder to Allow automatically sets View Properties to Allow.
  • Setting File In Folder to Deny automatically sets Owner Control to Deny.

NOTES 

  • File In Folder does not grant permission to add subfolders to a folder. To add subfolders, a user must have Create Subfolder permission.
  • The security permissions set on a document do not control which folders you can use to store a document. Instead, folder security controls these permissions. If you have View Properties permission for a document, you can file, move, or unfile the document only if you have the File In Folder access right to the folder.
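The Allow/Deny ripple rules for document permissions in the table above can be modelled as two implication tables, one consulted on Allow and one on Deny, with every unset permission treated as Implicit Deny. The following is an added example written for this page, not IBM code; the permission names are the page's, and the ACE representation (a dict per user or group) is an assumption for illustration only.

```python
"""Model of the document permission ripple rules described above (added
example, not IBM's own code). Permission names come from the page; the
three-valued entry (Allow / Deny / Implicit Deny) follows the text."""
from enum import Enum


class Access(Enum):
    ALLOW = "Allow"
    DENY = "Deny"
    IMPLICIT_DENY = "Implicit Deny"   # no explicit setting: denied by default


DOC_PERMS = ["Owner Control", "Promote Version", "Modify Content",
             "Modify Properties", "View Content", "View Properties", "Publish"]

# Setting a permission to Allow also sets these to Allow (lower-level rights).
ALLOW_IMPLIES = {
    "Owner Control": [p for p in DOC_PERMS if p != "Owner Control"],
    "Promote Version": ["Modify Content", "Modify Properties", "View Content", "View Properties"],
    "Modify Content": ["Modify Properties", "View Content", "View Properties"],
    "Modify Properties": ["View Content", "View Properties"],
    "View Content": ["View Properties"],
    "View Properties": [],
    "Publish": ["View Content", "View Properties", "Modify Properties"],
}
# Setting a permission to Deny also sets these to Deny (rights that depend on it).
DENY_IMPLIES = {
    "Owner Control": [],
    "Promote Version": ["Owner Control"],
    "Modify Content": ["Owner Control", "Promote Version"],
    "Modify Properties": ["Owner Control", "Promote Version", "Modify Content", "Publish"],
    "View Content": ["Owner Control", "Promote Version", "Modify Content", "Modify Properties", "Publish"],
    "View Properties": [p for p in DOC_PERMS if p != "View Properties"],
    "Publish": ["Owner Control"],
}


def new_ace():
    """A fresh access control entry for one user or group: everything Implicit Deny."""
    return {p: Access.IMPLICIT_DENY for p in DOC_PERMS}


def set_permission(ace, perm, value):
    """Apply one explicit Allow/Deny change plus the ripple the page describes.
    Returns an updated copy. The page's implication lists are already
    transitively closed, so a single pass is enough."""
    if value is Access.IMPLICIT_DENY:
        raise ValueError("only Allow or Deny can be set explicitly")
    updated = dict(ace)
    updated[perm] = value
    related = ALLOW_IMPLIES if value is Access.ALLOW else DENY_IMPLIES
    for other in related[perm]:
        updated[other] = value
    return updated


def is_granted(ace, perm):
    """Deny-by-default: only an explicit Allow grants the right."""
    return ace[perm] is Access.ALLOW
```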

Available permission levels

Use the table below to determine the available permission levels for objects.

Documents: Owner Control, Promote Version, Modify Content, Modify Properties, View Content, View Properties, Publish

Annotations (Image Viewer): Owner Control, Modify Content, View Content

Folders: Owner Control, Modify Properties, Create Subfolder, File In Folder, View Properties

Custom Objects and Security Policies: Owner Control, Modify Properties, View Properties

Stored Searches and Publishing Templates: Owner Control, Promote Version, Modify Content, Modify Properties, View Content, View Properties

NOTE  In Workplace, entry template definitions, search templates, and workflow definitions are documents with special classes. Document permissions apply to these special types of documents. Workflow definitions display the Publish permission, but you cannot publish a workflow.

Annotation and document permissions interaction

The annotation feature in Image Viewer allows users to add annotations to existing documents. In addition to the security defined for the document, security can be defined for each annotation item. Your administrator determines if the default security for an annotation is derived from the document object default security settings or if the default security for an annotation is derived from the annotation class default security settings. Your administrator defines classes and their default security settings.

The ability to add, edit, or delete an annotation is determined by the security for the document and the security for the annotation, as described in the following table.

Annotation Operation                  Document permission required   Annotation permission required   Resulting annotation permission
View annotation                       View Content                   View Content                     same
Add annotation                        Modify Content                 Not applicable                   Owner Control, plus inherited security from document
Edit annotation                       Modify Content                 Modify Content                   same
Delete annotation                     Modify Content                 Owner Control                    Not applicable
Change annotation security settings   Modify Content                 Owner Control                    Set security settings

NOTE  Annotation security can prevent a user from deleting a document that the user has delete rights to. The user must have delete rights to all the annotations and delete rights to the document to be permitted to delete the document.

System notes

System notes appear on permission settings pages. These notes provide you with information to understand the source of each setting. The following table shows you the notes and describes their source.

System note                                      Description
Advanced System Defined Settings                 The settings represent one or more sources.
Deny due to security policy                      Deny permissions set by security policy.
Allow due to security policy                     Allow permissions set by security policy.
Deny due to Advanced System Defined Settings     Deny permissions set by the accumulative rights of the security template permissions and the permissions inherited from the parent folder.
Allow due to Advanced System Defined Settings    Allow permissions set by the accumulative rights of the security template permissions and the permissions inherited from the parent folder.
Deny due to inherited security                   Deny permissions set by the permissions inherited from the parent folder.
Allow due to inherited security                  Allow permissions set by the permissions inherited from the parent folder.
Implicit Deny                                    No explicit or inherited system permission is set. The access can be granted or denied to the account through another access control entry. The security model denies access to an object unless a permission is specifically set to Allow.


© Copyright IBM Corporation 2013.