Interfaces
Type | Interface | Description |
---|---|---|
| IAccessPermission |
Defines access permissions through a bitmask of access rights.
You can create an instance of this class by calling CreateInstance on the Factory.AccessPermission class.
|
| IAccessPermissionDescription |
Describes an access right or level.
This interface provides helper methods that you can use to retrieve descriptive information for a particular access right or access level (a commonly-used combination of access rights) for a particular object. The most typical use of this interface's methods is to populate a security edit dialog. For example, you can retrieve a PermissionDescriptionList for an object, then use these methods to list the access rights and levels that a user can add. You can also retrieve the display name, descriptive text, and the permission type for the object. The user must have Read (AccessRight.READ) permission on the parent object to be able to retrieve the permission description information. You can get an instance of this object in the following ways:
These methods return an AccessPermissionDescriptionList collection from which you can retrieve an AccessPermissionDescription object. |
| IActiveMarking |
Represents a marking that is currently applied to a given object.
Any object that can have a marking can be assigned one or more markings. A marking that is assigned to an object is called an active marking. An ActiveMarkingList collection contains all markings assigned to a single object. From the properties on this interface, you can retrieve the value of the associated Marking property, and the display name of the property to which the active marking applies. (See the PropertyDisplayName property.) You cannot create a new ActiveMarking object. However, you can get a reference to one by retrieving an object's ActiveMarkings property, the value of which is an ActiveMarkingList, and then retrieving an item from the returned collection using an approach of your choice. |
| IApplicationSecurityTemplate |
Represents a template through which an application can apply permissions (access rights) to a Document,
CustomObject, or Folder object, and to their subclasses. Security templates are not independently persistable
to the Content Engine; they are contained in a SecurityPolicy object. The template contains
the permissions that will be applied to an object by the application program. An ApplicationSecurityTemplate
object also has associated AccessPermissionDescription objects, each of which provides
descriptive information for an access right or level.
You can enable or disable a template within its security policy container. An enabled template can be applied to an object; a disabled template remains an item in the security policy container but cannot be applied to an object. A SecurityTemplate object can represent either an application security template or a versioning security template, and both types can exist simultaneously in a single SecurityPolicy object. The two template types are differentiated by their use and by their class IDs (GUIDs). A versioning security template is automatically applied when the state of a document version changes, and may also be explicitly applied at any time by a user or group with permission to modify the object's security (AccessRight.WRITE_ACL). However, an application security template is never automatically applied. It must be explicitly applied by an application calling the ApplySecurityTemplate method. For more information, see the ApplySecurityTemplate method on the Document, CustomObject, and Folder interfaces. To create an instance of ApplicationSecurityTemplate, call CreateInstance on the Factory.ApplicationSecurityTemplate class. To retrieve an ApplicationSecurityTemplate object from a SecurityPolicy object, first retrieve the SecurityPolicy object's SecurityTemplates property then retrieve a SecurityTemplate object of the desired type from the returned SecurityTemplates collection. |
| IDiscretionaryPermission |
Base class for permission objects that define discretionary access permissions.
The object's owner grants individual users or groups access rights to the object based on the
grantee's identity and group memberships.
|
| IGroup |
Represents a group of user accounts defined by the directory service on the Content Engine server.
Access rights and permissions are assigned to a grantee, which can be a user or a group. Access rights can be assigned to a group regardless of whether the group has any members. Users can be added to the group later. When a user is added to a group, the user automatically gains the access rights assigned to the group to which it belongs. A group can also have subgroups. Security on objects, such as folders and documents, can pertain to particular groups. These groups, and the users and subgroups that make up the group's membership, are defined and created using tools provided by your directory service product (for example, Windows Active Directory, Novell eDirectory, or Oracle Directory Server). Creating user accounts and the groups to which they belong are administrative tasks (typically performed by a system administrator) that are outside the scope of the Content Engine API. You cannot create a new Group object, but you can instantiate one that has been persisted in your directory service by:
You can call methods on the Group object to retrieve information about the group, such as its name and ID, or to get references to other objects. References to other objects may include the users who are members of the group and the subgroups or parent groups of the group. |
| IMarking |
Represents the definition of a value that may be assigned to a marking-controlled property. Markings
provide an additional, optional layer of security that is primarily designed for the records
management marketplace, but which can also be applied by non-records management applications.
Markings allow controlled access to objects based on specific property values. The set of definitions
for all possible Marking objects is contained in a MarkingSet collection.
A marking represents a single item in a set of markings. For example, if a set of markings is called Security Codes, items within the set might be Top Secret, Secret, Confidential, and so on. Each of those marking values contains a set of access permissions that define who can assign that specific value to an object property, who can modify or remove that specific value, and, once the value is assigned, who will have access to the object to which the value is assigned. You can assign one or more of these markings to an object. To then be able to access that object, a user must be granted sufficient access from all assigned markings. The set of all active markings (that is, those that are currently assigned to a given object) is contained in an ActiveMarkingList collection. To retrieve the active markings on a given object, get the value of its ActiveMarkings property. You can then retrieve each marking and its value. The user's access to an object is represented by an effective access mask. The effective access is calculated using the object's permission list and subtracting the constraint mask of the applied markings. The resulting effective access is used to control what that user can do with the object. |
| IMarkingSet |
Represents a container for the set of markings for a given object property.
The MarkingSet collection contains Marking objects. Each Marking object represents a possible value that can be applied to an object property. Each marking value contains a set of access permissions that define who can assign that specific value to an object property, who can modify or remove that specific value, and, once it is assigned, who will have access to the object it is assigned to. The marking set is assigned to a property definition on a class such that the value of that property on instances of the class must be one of the markings defined by the marking set. Values can only be assigned by users authorized by the associated marking, and, after the marking is applied, access to the object is restricted based on the marking. You can create a new MarkingSet collection by calling Factory.MarkingSet.CreateInstance, or retrieve an existing instance by calling GetInstance or FetchInstance. |
| IPermission |
Represents the base class for Permission objects.
A Permission object represents an access control (or rule) associated with an object. Every object has an associated Access Control List (ACL), which is represented by a Content Engine PermissionList object. Each ACL is composed of Access Control Entries (ACEs), each of which grants or denies specific permissions (access rights) to a particular user or group. An individual Permission object represents an access control and corresponds to an Access Control Entry (ACE). You can get a Permission object by calling an object's Get_Permissions method and using methods on the returned collection to retrieve its elements. You can create a new Permission instance by calling Factory.AccessPermission.CreateInstance(). You can optionally set the Permission object to be inheritable. That is, by calling Set_InheritableDepth, you can specify the level (depth) to which the permission you create can be inherited. You can specify that the permission is not inheritable, or that it can be inherited to a single level, or that it can be inherited to an unlimited level. A permission can be acquired from several sources: direct, default, a security parent, or a security template. A permission's source is direct as a result of explicitly setting the object's permission, for example, by calling Set_Permissions. The source is default when a permission is acquired as a result of default settings on an object's class. For example, if you do not specify any permissions when you create an object, the permissions assigned to the class are assigned to the new object. A permission's source is its security parent if the permission is assigned as a result of inheriting a parent object's permissions. For example, if you create a subfolder, the subfolder can inherit the permissions assigned to the folder in which it is contained (that is, its parent folder). If the permission is acquired from a security template, its permission source is the template. 
To determine the permission source of a Permission object, call Get_PermissionSource(). |
| IPermissionDescription |
Base class for objects describing permissions.
|
| IRealm |
Consists of a set of related groups and users. A realm is normally mapped to a directory
partition (that is, a namingContext) in a directory server. The primary use of a
Realm object is to retrieve lists of the groups and users in the realm.
You can instantiate a Realm object by:
Note: When instantiating using the static factory methods, calling GetInstance with a Null realm name returns the current realm; the behavior is the same as calling Factory.Realm.FetchCurrent(). |
| ISecurityPolicy |
Represents an independently persistable, subclassable container for a list of security templates.
Through an object's SecurityPolicy property, a SecurityPolicy object is associated with a
Document, CustomObject, or Folder object, and subclasses of those objects.
When you create an object of one of these types, you can optionally assign a SecurityPolicy
object to it. If not explicitly assigned, the object's SecurityPolicy property is assigned a value
provided by the class's default.
The security policy defines the set of security templates that can be applied to the objects with which the policy is associated. The templates contained within a security policy can be one of two types: versioning or application templates. (For more information on security template types, see SecurityTemplate.) You can create an instance of a SecurityPolicy object by calling CreateInstance methods on the Factory.SecurityPolicy class. A SecurityPolicy object can be retrieved from the object-valued SecurityPolicy property on a Containable object. (You cannot create a SecurityPolicy instance by retrieving it from the SecurityPolicy property.) |
| ISecurityPrincipal |
Provides the base class for security principals (Group and User objects).
|
| ISecurityTemplate |
Represents the base class for security template classes. The templates are contained within a security
policy and can be one of two types: versioning or application templates. For more information
on each of these types, refer to the descriptions of the
IVersioningSecurityTemplate and
IApplicationSecurityTemplate
interfaces.
|
| IUser |
Represents a particular user who has access to Content Engine resources.
Access rights and permissions are assigned to a grantee, which can be a user or a group. A user's access to resources can be defined in terms of its membership in a group, but need not be. Permission objects have an associated User or Group object. Group and Realm objects have associated User objects, and can also have associated Group objects. User accounts and the groups and subgroups to which they belong are defined and created using tools provided by your directory service product (for example, Windows Active Directory, Novell eDirectory, or Oracle Directory Server). Creating and modifying user accounts and groups are administrative tasks (typically performed by a system administrator) that are outside the scope of the Content Engine API. You cannot create a new User object, but you can instantiate one that has been persisted in your directory service by:
You can call methods on the User object to retrieve information about the user, such as the user's name and ID and the groups to which the user belongs. |
| IVersioningSecurityTemplate |
Represents a template for automatically applying permissions (access rights) to a Document
object during versioning state changes. Security templates are not independently persistable
to the Content Engine; they are contained in a SecurityPolicy object. The template contains
the permissions that will be applied to an object as its version state changes. A VersioningSecurityTemplate
object also has associated AccessPermissionDescription objects, each of which provides
descriptive information for an access right or level.
You can enable or disable a template within its security policy container. An enabled template can be applied to an object; a disabled template remains an item in the security policy container but cannot be applied to an object. A SecurityTemplate object can represent either an application security template or a versioning security template, and both types can exist simultaneously in a single SecurityPolicy object. The two template types are differentiated by their use and by their class IDs (GUIDs). An application security template must be explicitly applied by calling an object's ApplySecurityTemplate method; it is never automatically applied. A versioning security template is automatically applied when the state of a document version changes, and may also be explicitly applied at any time by a user or group with permission to modify the object's security (AccessRight.WRITE_ACL). If an object has no associated security policy, its permissions remain unchanged when it undergoes a versioning change. However, if the object has an associated SecurityPolicy object, its permissions are modified according to the non-disabled, applicable security templates of its SecurityPolicy when:
To create a new VersioningSecurityTemplate object, call CreateInstance on the Factory.VersioningSecurityTemplate class. To retrieve a VersioningSecurityTemplate object from a SecurityPolicy object, first retrieve the SecurityPolicy object's SecurityTemplates property then retrieve a SecurityTemplate object of the desired type from the returned SecurityTemplates collection. |
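
The effective-access rule described under IMarking (the permission list's rights minus the constraint mask of each applied marking), as an added Python model; it is not Content Engine API code. The bit values, the `cleared` field (grantees that a marking's own permissions admit), the deny-wins rule, and all sample names are assumptions made for this illustration.

```python
from dataclasses import dataclass

# Constructed bit values for illustration; not the product's AccessRight constants.
READ, WRITE, DELETE, WRITE_ACL = 0x1, 0x2, 0x4, 0x8
ALL = READ | WRITE | DELETE | WRITE_ACL

@dataclass(frozen=True)
class Ace:
    grantee: str        # a user or a group name
    mask: int           # bitmask of access rights
    allow: bool = True  # False models an entry that denies the rights

@dataclass(frozen=True)
class Marking:
    name: str
    constraint_mask: int             # rights taken away from anyone not cleared
    cleared: frozenset = frozenset() # hypothetical field: grantees the marking admits

def acl_access(acl, principals):
    """Rights the permission list gives the caller; a deny beats an allow (simplification)."""
    allowed = denied = 0
    for ace in acl:
        if ace.grantee in principals:
            if ace.allow:
                allowed |= ace.mask
            else:
                denied |= ace.mask
    return allowed & ~denied

def effective_access(acl, active_markings, user, groups=()):
    """ACL rights minus the constraint mask of every active marking the caller is not cleared for."""
    principals = {user, *groups}
    mask = acl_access(acl, principals)
    for marking in active_markings:
        if not (principals & marking.cleared):
            mask &= ~marking.constraint_mask
    return mask

# Constructed sample data.
ACL = [
    Ace("Analysts", READ | WRITE),
    Ace("alice", DELETE),
    Ace("Contractors", WRITE, allow=False),
]
MARKINGS = [
    Marking("Secret", ALL, frozenset({"SecretCleared"})),
    Marking("Export Hold", WRITE | DELETE, frozenset({"RecordsManagers"})),
]

if __name__ == "__main__":
    for user, groups in [("alice", ["Analysts", "SecretCleared"]), ("bob", ["Analysts"])]:
        print(user, bin(effective_access(ACL, MARKINGS, user, groups)))
```

Because every applied marking is evaluated, a caller who is cleared for one marking but not another still loses the rights in the second marking's constraint mask.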