FileNet P8 Platform, Version 5.2.1            

Default security

Objects have security settings applied automatically by the system.

This topic discusses the security behavior when administrators and users do nothing to change it.

Object store administrative groups

Members of the groups added to the Object Store Wizard as object store administrators (object_store_admin) have Full Control of object stores and their contents, which means that while using Administration Console for Content Platform Engine they can perform any valid action on any item. See the Reference section for the specific actions.

Users

When creating an object store, the administrator selects one or more groups that will have basic, non-administrative access rights. For example, if the administrator selects the Domain Users group as the non-administrative group when creating an object store, users of an application can perform the following actions:

  • Add folders at the top level of the object store.
    Important: A new folder acquires its initial security from the Folder class, which grants Full Control to the folder creator (also called Owner Control), Full Control to members of the object store administrative groups, but only View Properties access to Domain Users. A user must have Add to Folder access rights to put documents in the folder. This means that, by default, users can create top-level folders and add items to their own folders. However, users cannot add items to the folders created by other users.
  • Add documents (with Add to Folder access rights to the selected folder).
  • View the properties and content of all folders.
  • View the properties and content of all documents.
  • Run the designer applications but not those that are workflow-related.

Other access rights are not set one way or the other, which means they are implicitly denied to members of non-administrative groups.

Note: Any given access right (for example, View Properties) has three possible settings: Allow, Deny, or neither. If an access right is neither explicitly allowed nor explicitly denied, it is "implicitly denied."
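
The default folder security and the three-state note above, worked through as an added example (not IBM code and not the Content Platform Engine API). The user and group names are constructed, Full Control is modelled as covering every right, and ranking an explicit Deny above an Allow is an assumption of this sketch that the page does not state.

```python
from dataclasses import dataclass

FULL_CONTROL = "Full Control"  # modelled here as covering every access right


@dataclass(frozen=True)
class Ace:
    grantee: str   # user or group name
    right: str     # "View Properties", "Add to Folder", or FULL_CONTROL
    setting: str   # "Allow" or "Deny"; no entry at all means "neither"


def default_folder_acl(creator, admin_groups, basic_groups):
    """Initial security of a new folder, as described on this page."""
    acl = [Ace(creator, FULL_CONTROL, "Allow")]               # Owner Control
    acl += [Ace(g, FULL_CONTROL, "Allow") for g in admin_groups]
    acl += [Ace(g, "View Properties", "Allow") for g in basic_groups]
    return acl


def evaluate(acl, user, groups, right):
    """Return 'allowed', 'explicitly denied' or 'implicitly denied'."""
    principals = {user, *groups}
    matching = [a for a in acl
                if a.grantee in principals and a.right in (right, FULL_CONTROL)]
    if any(a.setting == "Deny" for a in matching):
        return "explicitly denied"   # assumption: Deny outranks Allow
    if any(a.setting == "Allow" for a in matching):
        return "allowed"
    return "implicitly denied"       # neither Allow nor Deny was set


def audit(acl, members, rights):
    """Effective result for every (user, right) pair."""
    return {(u, r): evaluate(acl, u, g, r)
            for u, g in members.items() for r in rights}


# Constructed sample data: alice created the folder, carol is an administrator.
MEMBERS = {
    "alice": {"Domain Users"},
    "bob": {"Domain Users"},
    "carol": {"Domain Users", "OS Admins"},
}
ACL = default_folder_acl("alice", ["OS Admins"], ["Domain Users"])

if __name__ == "__main__":
    report = audit(ACL, MEMBERS, ["View Properties", "Add to Folder"])
    for (user, right), result in sorted(report.items()):
        print(f"{user:6} {right:16} {result}")
```

Running it shows why a non-administrative user can view another user's folder but cannot file documents into it: no entry grants that user Add to Folder, so the right is implicitly denied.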


Last updated: March 2016

© Copyright IBM Corporation 2016.