Administrators can view and modify the security of an object
by opening its property sheet and going to the Security tab.
The Security tab contains several fields:
- Name:
The display name of the user or group. If you hover the mouse pointer over
the display name, you see the following information, depending on
your directory service provider and on how you have configured
it for login:
- For Active Directory: The user principal name (UPN), for example, shawking@filenet.com.
- For other directory service providers: The distinguished name
(DN), for example, uid=shawking,cn=users,dc=filenet,dc=com.
- Source:
ACEs can have different source types.
If an ACE is editable (which is the case if the permissions are Direct),
you can tell because the various regions of the editor are not disabled. An ACE
whose Source is Template or Inherited is not editable, and when it is selected
the rest of the security editor becomes disabled.
- Level:
The possible levels for the object type are listed with radio buttons.
The users and groups who are specified as object store administrative
groups when the object store is created appear on all ACLs with Full
Control. You can change the level by selecting one of
the radio buttons associated with the Levels.
- Apply to:
Also called inheritable depth. If the ACE is editable, you can change the
value using the Apply to control box.
- Type:
Displays whether the ACE is allowed or denied, and also lets you change
the value if the ACE is editable.
- (list of) Levels: List of security levels
appropriate to the object. Different objects have different sets of
security levels. For documents, it includes such things as the ability
to publish and to create minor and major versions. A folder would
have a different set of security levels. When Full Control is
selected, all the other lower levels are marked with an asterisk.
The asterisk next to a Level means that it is included in the Level
currently selected; this is what All required bits are set means.
- (list of) Rights: When Full
Control is selected as the Level, all Rights are selected.
If you were to clear just one of them, View all properties,
for example, the Level would automatically be changed to Custom,
which means that the collection of all selected Rights does not exactly
match the requirements of the predefined Levels. If you were to reselect View
all properties so that all the Rights were selected, the Full
Control level would again be automatically selected.
- Add: Click to add users and groups.
- Remove: Click to remove the selected ACE
from the ACL. This does not remove the user or group from the directory
server or from any other ACL the ACE might be present on.
- Active Marking/Owner: Click to view or
edit the ownership of this object.
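
The relationship between Levels and Rights described above can be modelled as bit masks, which is useful when reviewing ACEs outside the editor. The following is an added example, not code from the product: the right names other than View all properties, the bit values and the Level definitions are constructed for illustration, and showing asterisks while Custom is selected is an assumption.

```python
from enum import IntFlag

class Right(IntFlag):
    # Constructed bit values; the product's real access-mask constants are not on this page.
    VIEW_ALL_PROPERTIES = 0x01
    VIEW_CONTENT = 0x02
    MODIFY_ALL_PROPERTIES = 0x04
    MINOR_VERSIONING = 0x08
    MAJOR_VERSIONING = 0x10
    PUBLISH = 0x20
    MODIFY_PERMISSIONS = 0x40

R = Right
VIEW = R.VIEW_ALL_PROPERTIES | R.VIEW_CONTENT
MINOR = VIEW | R.MODIFY_ALL_PROPERTIES | R.MINOR_VERSIONING
MAJOR = MINOR | R.MAJOR_VERSIONING

# Hypothetical predefined Levels for a document, highest first.
# Each Level is the exact set of Rights it requires.
LEVELS = {
    "Full Control": MAJOR | R.PUBLISH | R.MODIFY_PERMISSIONS,
    "Major versioning": MAJOR,
    "Minor versioning": MINOR,
    "View content": VIEW,
}

def selected_level(mask):
    """Level whose required Rights exactly equal the mask, else 'Custom'."""
    for name, required in LEVELS.items():
        if mask == required:
            return name
    return "Custom"

def starred_levels(mask):
    """Levels shown with '*': all their required bits are set in the mask."""
    current = selected_level(mask)
    return [n for n, req in LEVELS.items()
            if n != current and (mask & req) == req]

def render(mask):
    """The Levels list as text: 'o' is the selected radio button."""
    current, stars = selected_level(mask), starred_levels(mask)
    rows = [f"({'o' if n == current else ' '}) {n}{' *' if n in stars else ''}"
            for n in LEVELS]
    return rows + [f"({'o' if current == 'Custom' else ' '}) Custom"]

if __name__ == "__main__":
    full = LEVELS["Full Control"]
    for mask in (full, full & ~R.VIEW_ALL_PROPERTIES, MAJOR | R.PUBLISH):
        print("\n".join(render(mask)), end="\n\n")
```

An ACE that resolves to Custom is worth a closer look during an access review, because its effective Rights cannot be read off the Level name alone.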