Objects have security settings applied automatically by
the system.
This topic discusses the security behavior when administrators
and users do nothing to change it.
- Object store administrative groups
Members of the groups added to the Object Store Wizard as object
store administrators (object_store_admin) have Full
Control of object stores and their contents, which means
that while using Administration Console for Content Platform Engine they
can perform any valid action on any item. See the Reference section for the specific actions.
- Users
When creating an object store, the administrator selects one
or more groups that will have basic, non-administrative access rights.
For example, if the administrator selects the Domain Users group as
the non-administrative group when creating an object store, users
of an applications can perform the following actions:
- Add folders at the top level of the object store.
Important: A new folder acquires its initial security from the
Folder class, which grants Full Control to
the folder creator (also called Owner Control), Full
Control to members of the object store administrative
groups, but only View Properties access to
Domain Users. A user must have Add to Folder access
rights to put documents in the folder. This means that, by default,
users can create top-level folders and add items to their own folders.
However, users cannot add items to the folders created by other users.
- Add documents (with Add to Folder access
rights to the selected folder).
- View the properties and content of all folders.
- View the properties and content of all documents.
- Run the designer applications but not those that are workflow-related.
Other access rights are not set one way or the other, which
means they are implicitly denied to members of non-administrative
groups.
Note: For any given access right (for example, View
Properties), an access right has three possible settings: Allow, Deny,
or neither. If an access right is neither explicitly
allowed nor explicitly denied, it is "implicitly denied."