FileNet P8 Platform, Version 5.2.1            

Compound document security

Component Relationship objects define the structure of a compound document and specify rules for binding from the parent to a child component.

Component Relationship objects are not independently securable; they inherit the security of their parent document. This parent-based style of security means that a user with view rights to a child component document is not guaranteed view rights to all component relationship objects that reference it.

A user needs the access right Link a document / Annotate on a parent component document to be allowed to create component relationship objects that reference the document as a parent component. Also, Unlink document or Delete rights on the parent component document are required to delete a component relationship object, and Modify all properties rights on the parent component document are required to modify the properties of a component relationship object.

View all properties rights are required on a child component document to assign the document to the Child Component object-valued property of a component relationship object.

Component Relationship Actions and Parent Component Requirements

Table of component relationship actions and parent component requirements

Component relationship action: Create
  Requirements:
    User must have Link a document / Annotate rights on the parent component to create a component relationship object that references the parent.
    User must have View all properties rights on the child component to create a component relationship object that references the child.
  Comments:
    In addition to the security requirements, the parent document's CompoundDocumentState property must be set to CompoundDocument before any component relationship objects can be created that reference the document as the parent.

Component relationship action: Delete
  Requirements:
    Users must have Unlink document or Delete rights on the parent component to delete a component relationship object that references the parent.
  Comments:
    Any user with Unlink document rights on the parent component is also granted Delete rights on any direct child component relationship object.
    This enables a user without Delete rights on a parent document to delete child component relationship objects, that is, to modify the structure of the compound document.

Component relationship action: Modify properties
  Requirements:
    Users must have Modify all properties rights on the parent component to modify properties on a component relationship object.
  Comments:
    Property update rights allow users to modify the order number, change the child document referenced, and modify custom properties on component relationship objects.

Requirements for Child Component Actions

Table of child component actions and security requirements

Child component action: Delete
  Security requirements:
    Before deleting a child component, query for any component relationship objects which deny deleting the child component as long as the component relationship object exists. This query is performed bypassing the credentials of the user initiating the delete action, since that user might not have View all properties rights on all existing component relationships that reference the child component.

Child component action: Checkout, Delete, Demote version, Promote version, Modify properties
  Security requirements:
    These actions on a child component might require that component relationship objects that reference the child component be updated. This requires View all properties and Modify all properties rights on all component relationship objects that reference the child component. The user initiating the action might not have these rights on the component relationship objects, so the server must be able to bypass the credentials of the user to query, retrieve, and update properties as needed on these objects.

Administration Console for Content Platform Engine exposes the ability to modify a component document structure according to the user's access rights to the parent document. The access rights required to make modifications are listed below, along with the text that Administration Console for Content Platform Engine uses to display these on the Security property page of the Document Properties property sheet. Administration Console for Content Platform Engine disables the appropriate user interface controls if the user does not have the proper access to make a modification.

Table of access rights required to modify a component document structure

User Action                              Required Access     Displayed in Administration Console for Content Platform Engine
Add compound document link               FN_ACCESS_LINK      Link a document / Annotate
Remove compound document link            FN_ACCESS_UNLINK    Unlink document
Reorder / modify compound document link  FN_ACCESS_WRITE     Modify all properties
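
The rules in the tables above can be checked mechanically when reviewing who is able to change a compound document's structure. The following is an added example, not IBM or FileNet code: a small Python model of the rules that also lists principals who hold Unlink document without Delete on a parent. The bit values, group names and function names are constructed for illustration, and the model assumes each principal's effective rights have already been resolved.

```python
from enum import IntFlag

class Right(IntFlag):
    # Constructed bit values for illustration; not the real access-mask values.
    VIEW_PROPS = 1   # "View all properties"
    WRITE = 2        # FN_ACCESS_WRITE, "Modify all properties"
    LINK = 4         # FN_ACCESS_LINK, "Link a document / Annotate"
    UNLINK = 8       # FN_ACCESS_UNLINK, "Unlink document"
    DELETE = 16      # "Delete"

def allowed_actions(parent, child, parent_is_compound):
    """Component relationship actions a user may perform, given the user's
    rights on the parent and on the (proposed) child component document."""
    actions = set()
    # Create: Link on parent, View all properties on child, and the parent's
    # CompoundDocumentState must be CompoundDocument.
    if parent_is_compound and Right.LINK in parent and Right.VIEW_PROPS in child:
        actions.add("create")
    # Delete: Unlink OR Delete on the parent is sufficient.
    if parent & (Right.UNLINK | Right.DELETE):
        actions.add("delete")
    # Modify: Modify all properties on the parent.
    if Right.WRITE in parent:
        actions.add("modify")
        # Pointing the relationship at a child also needs View on that child.
        if Right.VIEW_PROPS in child:
            actions.add("reassign_child")
    return actions

def restructure_without_delete(parent_acl):
    """Audit helper: principals who can remove component relationships
    (change the structure) although they cannot delete the parent itself."""
    return sorted(name for name, rights in parent_acl.items()
                  if Right.UNLINK in rights and Right.DELETE not in rights)

# Constructed sample: effective rights per group on one parent document.
PARENT_ACL = {
    "owners": Right.VIEW_PROPS | Right.WRITE | Right.LINK | Right.UNLINK | Right.DELETE,
    "authors": Right.VIEW_PROPS | Right.WRITE | Right.LINK | Right.UNLINK,
    "reviewers": Right.VIEW_PROPS | Right.LINK,
    "readers": Right.VIEW_PROPS,
}

if __name__ == "__main__":
    for group, rights in PARENT_ACL.items():
        print(group, sorted(allowed_actions(rights, Right.VIEW_PROPS, True)))
    print("can restructure without Delete:", restructure_without_delete(PARENT_ACL))
```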


Last updated: March 2016

© Copyright IBM Corporation 2016.