IBM Enterprise Records, Version 5.1.+            

Object security

Each object in an object store has associated security settings. When you create an IBM® Enterprise Records object, the security settings are defined by a variety of methods.

The security setting are defines by:

In addition, an object can inherit a security marking or a user can directly assign a marking to the object. For more information applying object security, see Set or modify object security.

Record security

The post-import script FPOS_PostImport_datamodel.vbs, which is run when importing a data model into an object store, sets the Default Instance Owner for the Record class and subclasses, Electronic, Email, and Marker, to NULL. When a user declares a record with the Record class or a subclass, the record inherits the class' Default Instance Owner property, which is set to NULL. For a PRO installation, the Owner property represents the Custodian. When the owner is NULL, IBM Enterprise Records does not grant any special access rights to any user, and a record creator does not have administrative rights to the record, such as modifying the record's security.

You can use Enterprise Manager (EM) to change the owner to a specific user or group by modifying the Default Instance Owner on the Record class or a subclass. However, IBM Enterprise Records does not apply the change to any existing records, but only to records created after the change.

When the declaration process files a record into a container, the record inherits the security of the parent container, known as the security parent. If you use Application Engine or Workplace XT to declare the record into multiple containers, the security parent is the first record container you selected.

During the IBM Enterprise Records installation, the Default Instance Security on the Record class gives the RM User group rights to Minor/Major Versioning, which allows users to create new versions of documents declared as records. If the container security specifically denies all rights to some users, the denial propagates to the record. However, the user group set up in the Default Instance Security of the class takes precedence over this propagated denial. The denied user cannot browse to the category, but can still access the record through search or reports.

To prevent broad access to records through search and reports, do not complete the Default Instance Security installation step. If you do not complete the Default Instance Security Installation step, IBM Enterprise Records controls security access at the record and folder level. For example, you can:

Inherited Security

If you file a record into more than one folder, the record continues to inherit its security from the first folder, which is the security parent folder. If a record is filed into more than one folder and you move the record from the security parent folder to a new folder, the record inherits the security of the new folder. The security inheritance also changes if a record's security parent folder is deleted.

To view and modify the security parent folder for a record that is filed in multiple folders:

  1. Browse to that record.
  2. Click Get Info.
  3. Under Record Information, select Filed In.
  4. Select a security parent folder.
  5. Click Accept to apply the change.

In that case, the sweeps also use that security parent to select the current running schedule for this record.

Important: Disabling security inheritance is not supported in IBM Enterprise Records.

Document security

To declare a document as a record, a user must be assigned to the Records User role and must have Modify Properties rights on the document. As the document author, a user has full access rights to the document, but once that document is declared as a record, IBM Enterprise Records overwrites the document's security with the security of the record. The access rights assigned to the document are controlled by the document's record, and the author can no longer modify the declared document's security. If an authorized user updates the access rights for a record, the same access rights are also updated for the document from which the record is declared.

To allow records users to check out and check in documents declared as records, the default installation procedure gives all records users additional permissions on every record. In some IBM Enterprise Records implementations, users with higher access levels can modify the security for records and folders so that document authors can check out and check in their documents. A user must have Modify Content rights on a record to create a new version of the document, and must have View Content rights on a record to view the content of the document.

A declared document cannot be deleted until its associated record is deleted. The constraint of deleting a document is imposed by a property on the document that points to the record and uses the Prevent Delete action. A user with Full Control access rights cannot delete a declared document. The system automatically deletes a document when the document's associated record is deleted. The delete action occurs because the object-valued property on the record points to the document and uses the Cascade Delete action.



Feedback

Last updated: August 2011
object_security.htm

© Copyright IBM Corporation 2011.
This information center is powered by Eclipse technology. (http://www.eclipse.org)