Use this procedure to add new user and group accounts to an object store when the new
accounts must be able to access the existing objects.
About this task
You can add new users to an object store that is already
in production by using the data design functions that are available
in Administration Console for Content Platform Engine. However,
a user that is added by this procedure has permissions only on those
objects that are created after the addition of that user. See Add users and groups to a class for this
procedure.
Adding new users so that they have default permissions
to all existing objects requires a different procedure. This procedure
uses the Administration Console for Content Platform Engine Security
Script wizard. The Security Script wizard updates the security of
an existing object store with users and groups as if those users and
groups had been added when the object store was originally created.
The users and groups can be given permissions as object store users
or as object store administrators. For more information about these
security levels and the rights granted by each level, see Object store security levels.
The Security Script wizard assigns security roles to user and group accounts to
create security principals for the objects in an object store. The wizard uses
two sample files, UpdateOSSecurity.json and SecurityScript.js. The
UpdateOSSecurity.json JavaScript Object Notation (JSON) file defines the
security roles to be assigned and the permissions for the roles. The JSON file
also establishes communication between the wizard and the SecurityScript.js
security script by applying the actions that are defined for the permissions in
the script file to the users and groups that are selected in the wizard.
Restriction: The JSON file and security script must be invoked
through the use of the Security Script wizard.
The following information describes the actions that the Security Script wizard
performs when you run this procedure, and clarifies which actions it does not
perform:
- It does not directly modify documents and custom objects. However,
it does set permissions on the Administration Console for Content Platform Engine root folder. Thereafter,
you can configure security parentage so that the root folder becomes
the security parent of any folders, documents, and custom objects
that should inherit the new permissions. This change to security parent
configuration applies the same effective security as if all these
documents, custom objects, and contained folders had been directly
modified. Remember, however, that directly applied security and inherited
security behave differently. For more information, see Understanding security inheritance.
- It does modify the security on all other securable objects.
- It does not remove or modify existing permissions.
What to do next
Log on to the Administration Console for Content Platform Engine as the object
store administrator ID. From the object store node, browse to the root folder
and examine the changes to the permissions. Depending on how you have configured
the inheritance from the root folder and all generations of child folders, these
new permissions might not yet have been inherited. Configure the folder security
parentage as appropriate. For more information, see Configure security
inheritance.