At object store creation time, users and groups that are designated as administrators or non-administrators receive default access rights to the object store and to the objects that are contained within it.
Security on the object store itself is distinct from security on the objects that are stored in the object store. Security on the object store is applied when the object store is created. At creation time, you specify the users and groups who are object store administrators and those who have non-administrative (user) access rights. By default, administrators receive full control access rights on the object store and all securable objects that are contained within it. Non-administrative users receive access rights to the object store that allow them to browse directories and read documents. The access rights that are specified at creation time are used to set the permissions for all of the class definitions that are created.
It is recommended that, rather than specifying individual users when you set security at object store creation time, you add at least one group for administrators (for example, "CEAdmins") and one group for users. You can then grant or remove access to an object store by modifying the group (such as adding or removing members) without having to modify individual class definitions.
You can programmatically retrieve and set access rights for the objects that are contained within an object store. A collection of access rights (represented within the Content Engine API as an AccessPermissionList object) controls a user's ability to store an object, delete an object, and so on.
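The following is an added example, not taken from the original documentation or from IBM's samples: a Java helper that walks an AccessPermissionList and reports allow entries granted to individual users rather than groups, and entries that carry delete, modify-permissions, or change-owner rights. The names `AclAudit` and `findings` are hypothetical, and the code assumes the Content Engine Java API is on the classpath and that the caller has already fetched the object.

```java
import com.filenet.api.collection.AccessPermissionList;
import com.filenet.api.constants.AccessRight;
import com.filenet.api.constants.AccessType;
import com.filenet.api.constants.SecurityPrincipalType;
import com.filenet.api.security.AccessPermission;

import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;

/** Hypothetical audit helper; not part of the Content Engine API. */
public final class AclAudit {

    // Rights that let a grantee remove the object or change who controls it.
    private static final int SENSITIVE = AccessRight.DELETE_AS_INT
            | AccessRight.WRITE_ACL_AS_INT
            | AccessRight.WRITE_OWNER_AS_INT;

    private AclAudit() { }

    /** Returns one finding per ACL entry that deserves a reviewer's attention. */
    public static List<String> findings(AccessPermissionList acl) {
        List<String> out = new ArrayList<String>();
        for (Iterator<?> it = acl.iterator(); it.hasNext(); ) {
            AccessPermission ap = (AccessPermission) it.next();

            // Deny entries grant nothing, so only allow entries are reviewed.
            if (!AccessType.ALLOW.equals(ap.get_AccessType())) {
                continue;
            }
            Integer mask = ap.get_AccessMask();
            int bits = (mask == null) ? 0 : mask.intValue();
            String who = ap.get_GranteeName();

            // The recommendation above: grant to groups, not to individual users.
            if (SecurityPrincipalType.USER.equals(ap.get_GranteeType())) {
                out.add("individual user grant: " + who
                        + " mask=0x" + Integer.toHexString(bits));
            }
            if ((bits & SENSITIVE) != 0) {
                out.add("delete/ACL/owner rights: " + who
                        + " source=" + ap.get_PermissionSource());
            }
        }
        return out;
    }
}
```

Call it with the list returned by `get_Permissions()` on the object under review, for example `AclAudit.findings(doc.get_Permissions())`.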
In addition to the typical access rights that you might grant to administrators and to users who work with objects, you can assign the following special object store access rights to a select user or group of users: