The Security Script wizard assigns security roles to user and group accounts to create security principals for the objects in an object store.
The Security Script wizard requires a properly formatted JSON security role definition file that is referenced by a properly formatted JavaScript security script file. When you run the Security Script wizard, you select an object store, select a security role, and then add users and groups to that role through a query to your directory service. The Security Script wizard then converts this data to JSON data, appends this data to the JSON role definition file, and merges the combined JSON data structure with the JavaScript security script. The wizard then submits the populated security script to create the security principals for the object store and the objects.
Two sample files, UpdateOSSecurity.json and SecurityScript.js, are provided for use with the Security Script wizard. The UpdateOSSecurity.json JavaScript Object Notation file defines security roles and the permissions for those roles that are to be applied to the selected Content Platform Engine object or class. The SecurityScript.js security script file defines the actions that invoke the Content Platform Engine Java™ API that assigns permissions for the object store or objects to the security principals. The JSON file also establishes communication between the wizard and the security script by applying the actions that are defined for the permissions in the script file to the users and groups that are selected in the wizard.
The sample script file and the sample role definition file include functions that apply to the most common use cases for the Security Script wizard. These files can also be copied and then customized for other use cases. For an example that demonstrates how to run the Security Script wizard with the provided sample files, see Update an object store with new users and groups.
The access mask value is a bitmask that represents the sum of the constant field values for the individual access rights it grants. For example, idmAccessLevelWriteFolder:135159 comprises several individual access rights, and the sum of the constant field values for those access rights equals 135159. The sample JSON role definition file contains access masks for the common use cases for the Security Script wizard. You can create a custom role definition file for other use cases that might require other access masks. To do this, you must be familiar with the AccessRight class and with the constant field values for its access rights. For more information, see Class AccessRight and Constant Field Values.
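The following is an added example, not part of the IBM sample files, that shows how an access mask such as 135159 breaks down into the individual power-of-two access right values that sum to it, and how to compose and check a mask. The numeric values are the ones in the UpdateOSSecurity.json fragment on this page; mapping each bit back to an AccessRight name is deliberately left to the Constant Field Values page rather than hard-coded here.

```javascript
// Added example: decompose, compose and check Content Platform Engine access masks.
// Not part of the IBM sample files. Sample mask values are copied from the
// UpdateOSSecurity.json fragment on this page.
const SAMPLE_ACCESS_MASKS = {
  idmAccessLevelWriteFolder: 135159,
  idmAccessRightCreateInstance: 256,
  idmAccessLevelRead: 131073,
  idmAccessLevelUseOS: 15728640,
  idmAccessLevelView: 131201,
};

// Return the individual power-of-two access right values whose sum is `mask`.
function decomposeAccessMask(mask) {
  if (!Number.isInteger(mask) || mask < 0 || mask > 0x7fffffff) {
    throw new RangeError("access mask must be a non-negative 31-bit integer: " + mask);
  }
  const rights = [];
  for (let bit = 0; bit < 31; bit++) {
    const value = 1 << bit;
    if ((mask & value) !== 0) rights.push(value);
  }
  return rights;
}

// Build a mask from individual right values. A mask is a bitmap, not an arbitrary
// sum, so reject values that are not single bits and values listed twice
// (adding 256 twice would silently produce 512, a different right).
function composeAccessMask(rights) {
  let mask = 0;
  for (const value of rights) {
    if (!Number.isInteger(value) || value <= 0 || (value & (value - 1)) !== 0) {
      throw new RangeError("not a single access right bit: " + value);
    }
    if ((mask & value) !== 0) throw new RangeError("access right listed twice: " + value);
    mask |= value;
  }
  return mask;
}

// True if every bit set in `required` is also set in `mask`.
function maskIncludes(mask, required) {
  return (mask & required) === required;
}

// Print each sample mask as the sum of its individual right values.
for (const [name, mask] of Object.entries(SAMPLE_ACCESS_MASKS)) {
  console.log(name + " = " + mask + " = " + decomposeAccessMask(mask).join(" + "));
}
```

Running the block prints, for example, `idmAccessLevelRead = 131073 = 1 + 131072`, which makes it easy to look each term up in the AccessRight constant field values before you put a custom mask into a role definition file.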
The following code fragment demonstrates how these elements appear in the UpdateOSSecurity.json JSON sample file:
{
    SecurityRoles:
    [
        {
            Name: 'Object Store Users',
            AccessMasks: {
                idmAccessLevelWriteFolder: 135159,
                idmAccessRightCreateInstance: 256,
                idmAccessLevelRead: 131073,
                idmAccessLevelUseOS: 15728640,
                idmAccessLevelView: 131201
            },
            Permissions:
            [
                {
                    Description: 'SecurityWizard_Permission_Desc_ObjectStore',
                    AccessType: 1,
                    InheritableDepth: 0,
                    AccessMask: 'idmAccessLevelUseOS',
                    Action: 'UpdateOSPermission'
                },
                {
                    Description: 'SecurityWizard_Permission_Desc_Folder',
                    AccessType: 1,
                    InheritableDepth: 0,
                    AccessMask: 'idmAccessLevelWriteFolder',
                    Action: 'UpdateFolderPermission'
                },
                ...
            ],
        },
    ],
}
The JavaScript security script file defines the actions, or functions, that invoke the Content Platform Engine Java API to assign the security principals with specific permissions for the object store or objects.
The script file does not specify any security role. The security roles are defined in the role definition JSON file. In this way, you can design the script functions and the security roles separately. The Security Script wizard then combines the two files, inserts the user and group account information that it collects at runtime, and submits the information for execution.
The following code fragment from SecurityScript.js demonstrates a properly formatted JavaScript security script file.
function OnCustomProcess (CEObject, channel, domain)
{
    CEObject.refresh();
    //The wizard constructs the SecurityRoles with the information provided
    //in the JSON role definition file.
    for (var s = 0; s < SecurityRoles.length; s++)
    {
        CEObject.refresh();
        ub = UpdatingBatch.createUpdatingBatchInstance(domain, RefreshMode.NO_REFRESH);
        System.out.println("Apply role " + SecurityRoles[s].Name);
        var permissions = SecurityRoles[s].Permissions;
        //The wizard constructs the grantees list with the information
        //solicited from the directory service. The list contains the
        //user and group accounts the security permission will be granted
        //to.
        for (var p in permissions)
        {
            var permission = permissions[p];
            var grantees = Grantees[s];
            if (permission.Action == "UpdateOSPermission" )
            {
                System.out.println("to UpdateOSPermission");
                UpdateOSPermission(CEObject, permission, grantees, channel);
            }
            else if (permission.Action == "UpdateFolderPermission")
            {
                System.out.println("to UpdateFolderPermission");
                UpdateFolderPermission(CEObject, permission, grantees, channel);
            }
            ...
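The two files only work together when every permission's AccessMask name resolves to a key in the role's AccessMasks and every Action name is one the script dispatches on. The following added example, which is not part of the IBM sample files, checks a role definition of the UpdateOSSecurity.json shape for those consistency problems and then builds the list of actions the script's dispatch loop would perform once the wizard has merged in the grantees. It assumes, from the `Grantees[s]` indexing in the script fragment, that the grantee list is an array parallel to SecurityRoles; the grantee names are constructed sample values.

```javascript
// Added example: validate a role definition and plan the wizard's dispatch.
// Not part of the IBM sample files. The definition below is constructed in the
// same shape as the UpdateOSSecurity.json fragment on this page.
const ROLE_DEFINITION = {
  SecurityRoles: [
    {
      Name: "Object Store Users",
      AccessMasks: {
        idmAccessLevelWriteFolder: 135159,
        idmAccessLevelUseOS: 15728640,
      },
      Permissions: [
        { Description: "SecurityWizard_Permission_Desc_ObjectStore", AccessType: 1,
          InheritableDepth: 0, AccessMask: "idmAccessLevelUseOS", Action: "UpdateOSPermission" },
        { Description: "SecurityWizard_Permission_Desc_Folder", AccessType: 1,
          InheritableDepth: 0, AccessMask: "idmAccessLevelWriteFolder", Action: "UpdateFolderPermission" },
      ],
    },
  ],
};

// Action names that the SecurityScript.js fragment on this page dispatches on.
const KNOWN_ACTIONS = new Set(["UpdateOSPermission", "UpdateFolderPermission"]);

// Return a list of human-readable problems; an empty list means the definition
// is consistent with the script's expectations.
function validateRoleDefinition(def) {
  const problems = [];
  if (!def || !Array.isArray(def.SecurityRoles)) return ["SecurityRoles must be an array"];
  def.SecurityRoles.forEach((role, i) => {
    const where = "SecurityRoles[" + i + "]";
    if (typeof role.Name !== "string" || role.Name === "") problems.push(where + ": missing Name");
    const masks = role.AccessMasks || {};
    for (const [key, value] of Object.entries(masks)) {
      if (!Number.isInteger(value) || value < 0) {
        problems.push(where + ".AccessMasks." + key + ": not a non-negative integer");
      }
    }
    (role.Permissions || []).forEach((perm, j) => {
      const pwhere = where + ".Permissions[" + j + "]";
      if (!(perm.AccessMask in masks)) {
        problems.push(pwhere + ": AccessMask '" + perm.AccessMask + "' is not defined in AccessMasks");
      }
      if (!KNOWN_ACTIONS.has(perm.Action)) problems.push(pwhere + ": unknown Action '" + perm.Action + "'");
      if (!Number.isInteger(perm.AccessType)) problems.push(pwhere + ": AccessType must be an integer");
      if (!Number.isInteger(perm.InheritableDepth)) problems.push(pwhere + ": InheritableDepth must be an integer");
    });
  });
  return problems;
}

// Mirror the wizard's merge step: resolve each permission's named mask to its
// numeric value and pair it with the grantees collected for that role. The
// result is the sequence of calls the script's dispatch loop would make.
function planActions(def, grantees) {
  const plan = [];
  def.SecurityRoles.forEach((role, s) => {
    for (const perm of role.Permissions) {
      plan.push({
        role: role.Name,
        action: perm.Action,
        accessMask: role.AccessMasks[perm.AccessMask],
        accessType: perm.AccessType,
        inheritableDepth: perm.InheritableDepth,
        grantees: grantees[s] || [],  // assumption: Grantees is parallel to SecurityRoles
      });
    }
  });
  return plan;
}

// Constructed grantees, standing in for what the wizard collects from the directory service.
const SAMPLE_GRANTEES = [["cn=alice,ou=users,o=example", "cn=editors,ou=groups,o=example"]];

const problems = validateRoleDefinition(ROLE_DEFINITION);
if (problems.length > 0) {
  console.log("Role definition problems:\n" + problems.join("\n"));
} else {
  for (const step of planActions(ROLE_DEFINITION, SAMPLE_GRANTEES)) {
    console.log(step.role + ": " + step.action + " mask=" + step.accessMask +
                " grantees=" + step.grantees.join(","));
  }
}
```

Run the validation before copying a customized role definition to the workstation: a misspelled AccessMask name or an Action the script does not recognize is otherwise only discovered when the wizard submits the merged script, after users and groups have already been selected.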
To run the Security Script wizard, you must have a security script file and a security role definition file on the local workstation. Samples for both of these files are included on the application server for Content Platform Engine and can be downloaded from the wizard.
The sample script file SecurityScript.js and the sample role definition file UpdateOSSecurity.json include functions that apply to the most common use cases for the Security Script wizard. These files can also be copied and then customized for other use cases.