After you have configured the object store, you must set the IBM® Enterprise Records security on the file plan object store (FPOS). This task assigns IBM Enterprise Records security roles to users and groups and updates the default instance security on the IBM Enterprise Records objects.
See IBM Enterprise Records security for more information on the IBM Enterprise Records security roles and default instance security.
- In general, assign security settings to groups rather than individual
users; this practice makes your system inherently more maintainable.
- Assign security roles only for the FPOS, not for the ROS.
Important: After a successful login, you are prompted to run the Security Script wizard for the file plan object store you are attempting to access if it has not already been completed. If you rerun the Security Script wizard after assigning security roles, the wizard:
- Removes the previously applied groups from some classes that are installed as part of the data model. Some security is appended to the existing security.
- Updates the default instance security settings such that any existing
user rights are replaced with the rights defined by the latest run
of the Security Script wizard.
To assign the IBM Enterprise Records security roles:
- Access the checklist that you filled out prior to starting
this installation from the link at the end of this topic for the values
you need.
- Verify that you have configured your object stores as described
in the Configuration Manager sections. For more information, see the
link at the end of this topic.
- Log in to IBM Enterprise Records as a GCD Administrator and Object Store Administrator for the object store you will configure.
Tip: If you rerun the security script with insufficient rights to update certain folders that have been updated before, the security script fails and returns an insufficient security error.
- Select the Configure tab and click Object Store
Configuration.
- Run the security script on your object store. From the list of object stores configured for IBM Enterprise Records, right-click the FPOS you want to set security on, and select Run Security Script.
Tip: The Security Script Run Date displays the date the security script was last run on the object store. If no date is displayed, security has not been set.
- Select a role and click Add New Members. The Set Security window displays with the names of the IBM Enterprise Records security roles applicable for the imported data model.
- Use the Select Users/Groups window to select a user or
a group to be assigned to the role and then click Accept.
- Assign users and groups to all of the security roles by
repeating Steps 6 and 7.
- Verify that users assigned the Records Administrator role have object store administrative rights on the FPOS.
These privileges allow such users to complete workflows on the FPOS.
When creating new object stores, ensure that you add the users/groups assigned the Records Administrator role to the object store administrators group as part of creating the object store.
For more information about IBM Enterprise Records security role assignments, see the Installation and Upgrade Worksheet.
Important: If you are configuring already existing object stores for use with IBM Enterprise Records, you must verify that the users/groups you assign to the Records Administrator role already are object store administrators. If they are not, you must run the Security Script wizard to update the security on the object store.
For information on running the Security Script wizard to update an object store with new users and groups:
- If your FileNet P8 system is Version 4.5.1: See the IBM FileNet P8 help topic .
- If your FileNet P8 system is Version 5.0: See the IBM FileNet P8 Version 5.0 Information Center topic .
- When all security roles have been set, click Finish. IBM Enterprise Records displays a wait screen while it applies the specified security. When security has been set, click OK.
Important: After clicking Finish, wait for the confirmation screen to display before proceeding.
- Record the security roles assignment information.
Important: When assigning the IBM Enterprise Records roles, verify that there is no overlapping of users when selecting groups/users for each role. If a user belongs to more than one role, unexpected behavior occurs where the permissions of one role conflict with the permissions of another. This includes assigning #AUTHENTICATED-USER to the Records User role, which is not recommended.
- Modify security to allow users assigned the Records User role to create a version of a document that is declared as a record by another user with the same role.
Important: The Default Instance Security on the Record class is set to give the Records Manager User group rights to Minor/Major Versioning which define security on the record itself. Users who cannot browse to the document due to container (folder) security can still access the record through search or reports.
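
The overlap check called for when assigning roles can be done on paper before the wizard is run. The following is an added example, not IBM code: it takes a planned role assignment and a snapshot of directory group membership, expands nested groups, and reports users who would land in more than one role, plus any use of #AUTHENTICATED-USER. The group names, user names and the "Records Manager" role label are constructed sample data, and the script calls no IBM Enterprise Records or FileNet P8 API.

```python
# Added example: pre-check a planned role assignment for overlapping users.
# All names below are constructed sample data, not output of any IBM tool.
from collections import defaultdict

AUTHENTICATED = "#AUTHENTICATED-USER"

# Constructed directory snapshot: group -> direct members (users or nested groups).
GROUPS = {
    "rm-admins": ["alice", "bob"],
    "rm-managers": ["carol", "rm-leads"],
    "rm-leads": ["bob", "dave"],
    "rm-users": ["erin", "frank", "dave"],
}

# Constructed plan: role -> principals to be selected for that role.
PLAN = {
    "Records Administrator": ["rm-admins"],
    "Records Manager": ["rm-managers"],
    "Records User": ["rm-users", AUTHENTICATED],
}


def expand(principal, groups, seen=None):
    """Resolve a user or (possibly nested) group to a set of user names."""
    seen = set() if seen is None else seen
    if principal not in groups:
        return {principal}            # a plain user
    if principal in seen:
        return set()                  # already expanded, or cyclic nesting
    seen.add(principal)
    users = set()
    for member in groups[principal]:
        users |= expand(member, groups, seen)
    return users


def check_plan(plan, groups):
    """Return (overlaps, warnings): users in 2+ roles, and risky principals."""
    roles_of = defaultdict(set)
    warnings = []
    for role, principals in plan.items():
        for p in principals:
            if p == AUTHENTICATED:
                warnings.append(f"{role}: {AUTHENTICATED} includes every user")
                continue
            for user in expand(p, groups):
                roles_of[user].add(role)
    overlaps = {u: sorted(r) for u, r in roles_of.items() if len(r) > 1}
    return overlaps, warnings
```

An empty `overlaps` dictionary and an empty `warnings` list mean the plan satisfies the no-overlap requirement for the membership snapshot it was given.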