Hello,
After my first post on the theoretical aspects of Permission Set Templates (ACL Templates, PST) coupled with Alias Sets (AS), Documentum : ACL template, Permission Set Template with Alias Set (PART 1 : theory), this post illustrates that theory with a simple use of AS and PST to secure "document archiving": archived documents receive a READ-ONLY restriction for all repository users.
Creation of the Template ACL or Permission Set Template (acl_class=1)
First, we either modify an existing PST or create a new one; here we create the PST MY_ACL_TEMPLATE (acl_class=1). Its accessor list contains two aliases, %AS4MyGroup and %AS4SuperUser, which will be resolved through an Alias Set:
API> create,c,dm_acl
API> set,c,l,object_name
SET> MY_ACL_TEMPLATE
API> set,c,l,owner_name
SET> MYDOCBASEDEV
API> set,c,l,acl_class
SET> 1
API> set,c,l,description
SET> Desc 4 MY_ACL_TEMPLATE
API> grant,c,l,dm_world,AccessPermit,,3
API> grant,c,l,dm_owner,AccessPermit,,3
API> grant,c,l,%AS4MyGroup,AccessPermit,,6
API> grant,c,l,%AS4SuperUser,AccessPermit,,7
API> save,c,l
Then we add a new accessor entry to the PST for the alias %ReaderRestrictAccess, with permit type AccessRestriction at permit level 5 (VERSION):
API> retrieve,c,dm_acl where object_name='MY_ACL_TEMPLATE'
API> grant,c,l,%ReaderRestrictAccess,AccessRestriction,,5
API> save,c,l
Some explanations:
The archived documents will have a READ-ONLY restriction for all repository users. This restriction relies on the AccessRestriction permit type, which requires a Trusted Content Services (TCS) license and works independently of the use of PST and AS (see my post Documentum : ACL, Permit Type, Trusted Content Services, TCS, Access Restriction).
A reminder about the dm_acl.r_permit_type attribute:
- It defines the kind of entry; the basic valid values are AccessPermit and ExtendedPermit.
- With a Trusted Content Services license, the following values are also valid: ApplicationPermit, AccessRestriction, ExtendedRestriction, ApplicationRestriction, RequiredGroup and RequiredGroupSet.
- The constants for the permit types are also defined in the DFC interface com.documentum.fc.client.IDfPermitType (used by IDfPermit):
public static final int ACCESS_PERMIT = 0;
public static final int EXTENDED_PERMIT = 1;
public static final int APPLICATION_PERMIT = 2;
public static final int ACCESS_RESTRICTION = 3;
public static final int EXTENDED_RESTRICTION = 4;
public static final int APPLICATION_RESTRICTION = 5;
public static final int REQUIRED_GROUP = 6;
public static final int REQUIRED_GROUP_SET = 7;
dm_world and dm_owner have an AccessPermit entry (r_permit_type=0 : IDfPermitType.ACCESS_PERMIT) with READ permission (r_accessor_permit=3 : IDfACL.DF_PERMIT_READ).
The alias %AS4MyGroup has an AccessPermit entry (r_permit_type=0 : IDfPermitType.ACCESS_PERMIT) with WRITE permission (r_accessor_permit=6 : IDfACL.DF_PERMIT_WRITE).
The alias %AS4SuperUser has an AccessPermit entry (r_permit_type=0 : IDfPermitType.ACCESS_PERMIT) with DELETE permission (r_accessor_permit=7 : IDfACL.DF_PERMIT_DELETE).
The alias %ReaderRestrictAccess has an AccessRestriction entry (r_permit_type=3 : IDfPermitType.ACCESS_RESTRICTION) at VERSION level (r_accessor_permit=5 : IDfACL.DF_PERMIT_VERSION).
- The restriction level VERSION "5" (IDfACL.DF_PERMIT_VERSION) assigned to %ReaderRestrictAccess caps the matching users at RELATE "4" (IDfACL.DF_PERMIT_RELATE).
- The permit type "3" corresponds to IDfPermitType.ACCESS_RESTRICTION, which is only available with the Trusted Content Services license.
- An IDfPermitType.ACCESS_RESTRICTION entry is exclusive: it denies the specified level and every level above it, whatever the AccessPermit entries grant. A restriction at VERSION (r_accessor_permit=5) therefore ALLOWS at most RELATE (r_accessor_permit=4), i.e. BROWSE, READ and RELATE.
- No extended permissions are granted (r_accessor_xpermit=0 for every entry).
Dump of the created Template ACL (Permission Set Template):
API> dump,c,45xxxxxxx951
...
  object_name                     : MY_ACL_TEMPLATE
  description                     : Desc 4 MY_ACL_TEMPLATE
  owner_name                      : MYDOCBASEDEV
  ...
  r_object_id                     : 45xxxxxxx951
  ...
  r_accessor_name              [0]: dm_world
  ...
                               [4]: %ReaderRestrictAccess
  r_accessor_permit            [0]: 3
  ...
  r_accessor_xpermit           [0]: 0
  ...
  r_application_permit         [0]:
  ...
  r_template_id                   : 0000000000000000
  r_alias_set_id                  : 0000000000000000
  ...
  i_has_required_groups           : F
  i_has_required_group_set        : F
  i_has_access_restrictions       : T
Creation of Alias Set (dm_alias_set)
Assuming that we have the following 2 groups:
- my_grp_no_body is a group containing no user
- my_grp_all_users is a group containing all users
... we create 2 Alias Sets, MY_ALIASSET and MY_ALIASSET_ARCHIVED, from these 2 groups. They differ only in the value bound to the alias ReaderRestrictAccess:
- MY_ALIASSET/ReaderRestrictAccess = my_grp_no_body
- MY_ALIASSET_ARCHIVED/ReaderRestrictAccess = my_grp_all_users
Each Alias Set has three entries: AS4MyGroup (the group my_grp_all_users), AS4SuperUser (the user myuser001) and ReaderRestrictAccess. In the commands below, alias_category 2 denotes a group and 1 a user (the standard dm_alias_set values; the original dumps do not show them), alias_usr_category -1 means no user-defined category, owner_name is shown as MYDOCBASEDEV (the repository owner used for the PST; the original dumps do not show it either), and the alias name AS4SuperUser of the second entry is inferred from the %AS4SuperUser accessor of the template.
API> create,c,dm_alias_set
API> set,c,l,object_name
SET> MY_ALIASSET
API> set,c,l,owner_name
SET> MYDOCBASEDEV
API> set,c,l,object_description
SET> Desc 4 MY_ALIASSET
API> append,c,l,alias_name
SET> AS4MyGroup
API> append,c,l,alias_value
SET> my_grp_all_users
API> append,c,l,alias_category
SET> 2
API> append,c,l,alias_usr_category
SET> -1
API> append,c,l,alias_description
SET> Entry for a group alias (my_grp_all_users)
API> append,c,l,alias_name
SET> AS4SuperUser
API> append,c,l,alias_value
SET> myuser001
API> append,c,l,alias_category
SET> 1
API> append,c,l,alias_usr_category
SET> -1
API> append,c,l,alias_description
SET> Entry for a user alias (myuser001)
API> append,c,l,alias_name
SET> ReaderRestrictAccess
API> append,c,l,alias_value
SET> my_grp_no_body
API> append,c,l,alias_category
SET> 2
API> append,c,l,alias_usr_category
SET> -1
API> append,c,l,alias_description
SET> Entry for a user alias (my_grp_no_body)
API> save,c,l

API> create,c,dm_alias_set
API> set,c,l,object_name
SET> MY_ALIASSET_ARCHIVED
API> set,c,l,owner_name
SET> MYDOCBASEDEV
API> set,c,l,object_description
SET> Desc 4 MY_ALIASSET_ARCHIVED
API> append,c,l,alias_name
SET> AS4MyGroup
API> append,c,l,alias_value
SET> my_grp_all_users
API> append,c,l,alias_category
SET> 2
API> append,c,l,alias_usr_category
SET> -1
API> append,c,l,alias_description
SET> Entry for a group alias (my_grp_all_users)
API> append,c,l,alias_name
SET> AS4SuperUser
API> append,c,l,alias_value
SET> myuser001
API> append,c,l,alias_category
SET> 1
API> append,c,l,alias_usr_category
SET> -1
API> append,c,l,alias_description
SET> Entry for a user alias (myuser001)
API> append,c,l,alias_name
SET> ReaderRestrictAccess
API> append,c,l,alias_value
SET> my_grp_all_users
API> append,c,l,alias_category
SET> 2
API> append,c,l,alias_usr_category
SET> -1
API> append,c,l,alias_description
SET> Entry for a user alias (my_grp_all_users)
API> save,c,l
Dump of the created Alias Set MY_ALIASSET:
API> dump,c,66xxxxxd41
...
  object_name                     : MY_ALIASSET
  object_description              : Desc 4 MY_ALIASSET
  alias_name                   [0]: AS4MyGroup
  ...
                               [2]: ReaderRestrictAccess
  alias_value                  [0]: my_grp_all_users
  ...
  alias_usr_category           [0]: -1
  ...
  alias_description            [0]: Entry for a group alias (my_grp_all_users)
                               [1]: Entry for a user alias (myuser001)
                               [2]: Entry for a user alias (my_grp_no_body)
  ...
  r_object_id                     : 66xxxxxd41
Dump of the created Alias Set MY_ALIASSET_ARCHIVED:
API> dump,c,66xxxxxxd42
...
  object_name                     : MY_ALIASSET_ARCHIVED
  object_description              : Desc 4 MY_ALIASSET_ARCHIVED
  alias_name                   [0]: AS4MyGroup
  ...
                               [2]: ReaderRestrictAccess
  alias_value                  [0]: my_grp_all_users
  ...
  alias_usr_category           [0]: -1
  ...
  alias_description            [0]: Entry for a group alias (my_grp_all_users)
                               [1]: Entry for a user alias (myuser001)
                               [2]: Entry for a user alias (my_grp_all_users)
  ...
  r_object_id                     : 66xxxxxxd42
Creation of instances of the Template ACL (acl_class=2)
An instance of an ACL template is created by the server when a PST and an Alias Set are associated with a document. It is not possible to create an instance of a PST manually.
The error DM_ACL_E_CANT_CHANGE_INSTANCE is raised if a user tries to modify an instance of a PST directly (acl_class=2). To change the instances, modify the PST and/or the Alias Set from which they were generated.
We create 2 documents (dm_document) using the PST and the Alias Sets defined above:
- a document named Test DOC HUO WITH AS AND PST not ARCHIVED, associated with the PST MY_ACL_TEMPLATE and the Alias Set MY_ALIASSET, so that it generates/uses an instance ACL (called MY_ACL below for convenience) in which the accessor resolved from ReaderRestrictAccess is my_grp_no_body (AccessRestriction at VERSION level "5");
- a document named Test DOC HUO WITH AS AND PST ARCHIVED, associated with the PST MY_ACL_TEMPLATE and the Alias Set MY_ALIASSET_ARCHIVED, so that it generates/uses an instance ACL (called MY_ACL_ARCHIVED below) in which the accessor resolved from ReaderRestrictAccess is my_grp_all_users (AccessRestriction at VERSION level "5").
In fact, the association of a document with an Alias Set and a Template ACL generates an instance of the Template ACL (acl_class=2) whose name has the form dm_<template id>_<alias set id>, for example dm_450xxxxxxx94_xxxxd3e. The instance is created only if it does not already exist; otherwise the existing instance is reused.
The only difference between MY_ACL and MY_ACL_ARCHIVED is the read-only behaviour imposed on the people who already have access to the documents, obtained with the AccessRestriction permit type at basic permit level VERSION (5):
- with MY_ACL, the system does not actually restrict anyone from accessing or modifying the document, because the restriction is bound to my_grp_no_body, a group that contains no user; every user keeps the permissions granted to him or to his groups;
- with MY_ACL_ARCHIVED, the system restricts all users to BROWSE, READ and RELATE only (not VERSION, and nothing above it), EVEN IF these users belong to groups that hold more permissive rights in the same ACL.
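The following Python model is an added example (it is not code from the original post nor from Documentum) of what the two sections above describe: how the server derives an instance ACL from a PST and an Alias Set, and how the AccessPermit and AccessRestriction entries of that instance combine into the effective basic permit of a user. The object ids (45951, 66d41, 66d42), the second user myuser002 and the group memberships are constructed stand-ins for the elided values on this page; repository privilege levels such as superuser are deliberately not modelled.

```python
"""Model of PST + Alias Set resolution and of AccessPermit / AccessRestriction
evaluation in Documentum.  Added example with constructed data: the ids
45951 / 66d41 / 66d42 stand in for the elided object ids of the post."""
from dataclasses import dataclass

# Basic permit levels (IDfACL.DF_PERMIT_*)
NONE, BROWSE, READ, RELATE, VERSION, WRITE, DELETE = 1, 2, 3, 4, 5, 6, 7
# Permit types (IDfPermitType)
ACCESS_PERMIT, ACCESS_RESTRICTION = 0, 3


@dataclass(frozen=True)
class Entry:
    accessor: str      # user, group, dm_world, dm_owner or %alias (template only)
    permit_type: int   # ACCESS_PERMIT or ACCESS_RESTRICTION
    permit: int        # r_accessor_permit, 1 (NONE) .. 7 (DELETE)


def instantiate(template_id, template, alias_set_id, aliases):
    """Derive the ACL instance (acl_class=2) from a PST and an Alias Set:
    every %alias accessor is replaced by the alias_value of the Alias Set and
    the instance is named dm_<template id>_<alias set id>.  An alias the
    Alias Set does not define is an error, not a silent no-access entry."""
    resolved = []
    for e in template:
        accessor = e.accessor
        if accessor.startswith("%"):
            alias = accessor[1:]
            if alias not in aliases:
                raise KeyError(f"alias {alias!r} is not defined in alias set {alias_set_id}")
            accessor = aliases[alias]
        resolved.append(Entry(accessor, e.permit_type, e.permit))
    return f"dm_{template_id}_{alias_set_id}", resolved


def effective_permit(acl, user, groups, owner):
    """Effective basic permit of `user` on an object owned by `owner`.

    Rule modelled: the user receives the HIGHEST AccessPermit among the entries
    naming him, one of his groups, dm_world or (if he is the owner) dm_owner;
    an AccessRestriction at level N then denies N and everything above it, so
    the result is capped at N-1 by the LOWEST matching restriction.
    Repository privilege levels (e.g. superuser) are deliberately not modelled."""
    principals = {user, "dm_world"} | {g for g, members in groups.items() if user in members}
    if user == owner:
        principals.add("dm_owner")
    granted, cap = NONE, DELETE
    for e in acl:
        if e.accessor not in principals:
            continue
        if e.permit_type == ACCESS_PERMIT:
            granted = max(granted, e.permit)
        elif e.permit_type == ACCESS_RESTRICTION:
            cap = min(cap, e.permit - 1)
    return min(granted, cap)


# The PST MY_ACL_TEMPLATE of the post, entries in the order they were granted.
MY_ACL_TEMPLATE = [
    Entry("dm_world", ACCESS_PERMIT, READ),
    Entry("dm_owner", ACCESS_PERMIT, READ),
    Entry("%AS4MyGroup", ACCESS_PERMIT, WRITE),
    Entry("%AS4SuperUser", ACCESS_PERMIT, DELETE),
    Entry("%ReaderRestrictAccess", ACCESS_RESTRICTION, VERSION),
]
# The two Alias Sets; they differ only in the value bound to ReaderRestrictAccess.
MY_ALIASSET = {"AS4MyGroup": "my_grp_all_users",
               "AS4SuperUser": "myuser001",
               "ReaderRestrictAccess": "my_grp_no_body"}
MY_ALIASSET_ARCHIVED = dict(MY_ALIASSET, ReaderRestrictAccess="my_grp_all_users")
# Constructed group membership; myuser002 is an assumed second ordinary user.
GROUPS = {"my_grp_all_users": {"myuser001", "myuser002"}, "my_grp_no_body": set()}


def demo():
    """Return {(instance name, user): effective permit} for both Alias Sets."""
    result = {}
    for alias_set_id, aliases in (("66d41", MY_ALIASSET), ("66d42", MY_ALIASSET_ARCHIVED)):
        name, acl = instantiate("45951", MY_ACL_TEMPLATE, alias_set_id, aliases)
        for user in ("myuser001", "myuser002"):
            result[(name, user)] = effective_permit(acl, user, GROUPS, owner="MYDOCBASEDEV")
    return result


if __name__ == "__main__":
    for (name, user), permit in sorted(demo().items()):
        print(f"{name}  {user}: {permit}")
```

Running it gives DELETE (7) for myuser001 and WRITE (6) for myuser002 under dm_45951_66d41, but RELATE (4) for both under dm_45951_66d42: the single restriction entry wins over the WRITE and DELETE grants that the same users hold through %AS4MyGroup and %AS4SuperUser. It also makes the dependency explicit: the instance is a pure function of the template and the Alias Set, so changing either one changes what every document bound to that instance allows.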
API> create,c,dm_document
API> set,c,l,object_name
SET> Test DOC HUO WITH AS AND PST not ARCHIVED
API> set,c,l,a_content_type
SET> pdf
API> setfile,c,l,C:\temp\test.pdf
API> set,c,l,r_alias_set_id
SET> 66xxxxxd41
API> set,c,l,acl_domain
SET> MYDOCBASEDEV
API> set,c,l,acl_name
SET> MY_ACL_TEMPLATE
API> save,c,l

API> create,c,dm_document
API> set,c,l,object_name
SET> Test DOC HUO WITH AS AND PST ARCHIVED
API> set,c,l,a_content_type
SET> pdf
API> setfile,c,l,C:\temp\test.pdf
API> set,c,l,r_alias_set_id
SET> 66xxxxxxd42
API> set,c,l,acl_domain
SET> MYDOCBASEDEV
API> set,c,l,acl_name
SET> MY_ACL_TEMPLATE
API> save,c,l
Dump of the created document Test DOC HUO WITH AS AND PST not ARCHIVED:
API> dump,c,09xxxxxxxxx88
...
  object_name                     : Test DOC HUO WITH AS AND PST not ARCHIVED
  acl_domain                      : MYDOCBASEDEV
  acl_name                        : dm_45xxxxxxx951_xxxxxd41
  ...
  r_object_id                     : 09xxxxxxxxx88
  r_object_type                   : dm_document
Dump of the created document Test DOC HUO WITH AS AND PST ARCHIVED:
API> dump,c,09xxxxxxxxxx89
...
  object_name                     : Test DOC HUO WITH AS AND PST ARCHIVED
  acl_domain                      : MYDOCBASEDEV
  acl_name                        : dm_45xxxxxxx951_xxxxxd42
  ...
  r_object_id                     : 09xxxxxxxxxx89
  r_object_type                   : dm_document
So, the PST instances used by these new documents can be retrieved by name (the acl_name values of the two dumps above):
DQL> select r_object_id from dm_acl where object_name IN ('dm_45xxxxxxx951_xxxxxd41', 'dm_45xxxxxxx951_xxxxxd42')
The document Test DOC HUO WITH AS AND PST not ARCHIVED uses the instance of the Template ACL (acl_class=2) dm_45xxxxxxx951_xxxxxd41:
API> dump,c,45xxxxxx952
...
  object_name                     : dm_45xxxxxxx951_xxxxxd41
  description                     : dm_45xxxxxxx951_xxxxxd41
  owner_name                      : MYDOCBASEDEV
  ...
  r_object_id                     : 45xxxxxx952
  ...
  r_accessor_name              [0]: dm_world
  ...
  r_accessor_permit            [0]: 3
  ...
  r_accessor_xpermit           [0]: 0
  ...
  r_application_permit         [0]:
  ...
  r_template_id                   : 45xxxxxxx951
  r_alias_set_id                  : 66xxxxxd41
  ...
  i_has_required_groups           : F
  i_has_required_group_set        : F
  i_has_access_restrictions       : T
The document Test DOC HUO WITH AS AND PST ARCHIVED uses the instance of the Template ACL (acl_class=2) dm_45xxxxxxx951_xxxxxd42:
API> dump,c,45xxxxxx953
...
  object_name                     : dm_45xxxxxxx951_xxxxxd42
  description                     : dm_45xxxxxxx951_xxxxxd42
  owner_name                      : MYDOCBASEDEV
  ...
  r_object_id                     : 45xxxxxx953
  ...
  r_accessor_name              [0]: dm_world
  ...
  r_accessor_permit            [0]: 3
  ...
  r_accessor_xpermit           [0]: 0
  ...
  r_application_permit         [0]:
  ...
  r_template_id                   : 45xxxxxxx951
  r_alias_set_id                  : 66xxxxxxd42
  ...
  i_has_required_groups           : F
  i_has_required_group_set        : F
  i_has_access_restrictions       : T
Important note: any modification of the PST and/or of an Alias Set impacts all the instances (ACLs) derived from them, and therefore every document that uses one of those instances.
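As an added check (not part of the original post), the following DQL queries list everything a change to the PST or to one of its Alias Sets will reach. They use only names that appear on this page (MY_ACL_TEMPLATE, MYDOCBASEDEV) and look the template up by name, so no object id has to be typed in; run each one separately in idql.

```sql
-- 1. The instances (acl_class = 2) derived from MY_ACL_TEMPLATE, with the
--    Alias Set each one was resolved against
SELECT a.object_name, a.r_alias_set_id, s.object_name
FROM dm_acl a, dm_alias_set s
WHERE a.acl_class = 2
  AND a.r_alias_set_id = s.r_object_id
  AND a.r_template_id IN (SELECT r_object_id FROM dm_acl
                          WHERE object_name = 'MY_ACL_TEMPLATE' AND acl_class = 1)

-- 2. The instances that still carry the READ-ONLY entry, i.e. an
--    AccessRestriction (r_permit_type 3) at VERSION level (r_accessor_permit 5);
--    an instance returned by query 1 but not by this one has lost the restriction
SELECT object_name, r_alias_set_id
FROM dm_acl
WHERE acl_class = 2
  AND r_template_id IN (SELECT r_object_id FROM dm_acl
                        WHERE object_name = 'MY_ACL_TEMPLATE' AND acl_class = 1)
  AND ANY (r_permit_type = 3 AND r_accessor_permit = 5)

-- 3. The documents affected by a change to the PST or to an Alias Set
SELECT d.r_object_id, d.object_name, d.acl_name
FROM dm_document d
WHERE d.acl_domain = 'MYDOCBASEDEV'
  AND d.acl_name IN (SELECT object_name FROM dm_acl
                     WHERE acl_class = 2
                       AND r_template_id IN (SELECT r_object_id FROM dm_acl
                                             WHERE object_name = 'MY_ACL_TEMPLATE'
                                               AND acl_class = 1))
```

Query 2 is the one to run after any edit of the PST: because instances cannot be edited directly, it is the fastest way to confirm that the restriction entry was propagated to every instance rather than only to the template.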
Best regards,
Huseyin OZVEREN