
Documentum : ACL template, Permission Set Template with Alias Set (PART 2 : practice)

Hello,

After my first post on the theoretical aspects of the Permission Set Template (ACL Template/PST) coupled with an Alias Set (AS), Documentum : ACL template, Permission Set Template with Alias Set (PART 1 : theory), in this post I would like to illustrate this theory with a simple use of AS and PST to secure “documents archiving”. The archived documents will have a READONLY restriction for all database users.

Creation of Template ACL or Permission Set Template (acl_class=1)

So, first, we can modify an existing PST or create a new PST MY_ACL_TEMPLATE, to which we will add a new accessor entry for the alias %ReaderRestrictAccess:

API> begintran,c
...
OK
API> create,c,dm_acl
...
45xxxxxxx951
API> set,c,l,object_name
MY_ACL_TEMPLATE
...
OK
API> set,c,l,owner_name
dm_dbo
...
OK
API> set,c,l,acl_class
1
...
OK
API> set,c,l,description
Desc 4 MY_ACL_TEMPLATE
...
OK
API> grant,c,l,dm_world,AccessPermit,,3
...
OK
API> grant,c,l,dm_owner,AccessPermit,,3
...
OK
API> grant,c,l,%AS4MyGroup,AccessPermit,,6
...
OK
API> grant,c,l,%AS4SuperUser,AccessPermit,,7
...
OK
API> save,c,l
...
OK
API> commit,c
...
OK

Adding a new accessor using the alias %ReaderRestrictAccess to the PST:

API> begintran,c
...
OK
API> retrieve,c,dm_acl where object_name='MY_ACL_TEMPLATE'
...
45xxxxxxx951
API> grant,c,l,%ReaderRestrictAccess,AccessRestriction,,5
...
OK
API> save,c,l
...
OK
API> commit,c
...
OK

Some explanations:

  • The archived documents will have a READONLY restriction for all database users. This READONLY restriction feature is made possible by Trusted Content Services, independently of the use of ACL, PST and AS: see Documentum : ACL, Permit Type, Trusted Content Services, TCS, Access Restriction.
  • A reminder of the “dm_acl.r_permit_type” attribute:
    • Defines the kind of entry; the basic valid values are AccessPermit and ExtendedPermit.
    • With a Trusted Content Services license, the following values are also valid entries: ApplicationPermit, AccessRestriction, ExtendedRestriction, ApplicationRestriction, RequiredGroup and RequiredGroupSet.
    • Constant definitions for the permit types also exist in the DFC interface com.documentum.fc.client.IDfPermitType (used by IDfPermit):
      public static final int ACCESS_PERMIT = 0;
      public static final int EXTENDED_PERMIT = 1;
      public static final int APPLICATION_PERMIT = 2;
      public static final int ACCESS_RESTRICTION = 3;
      public static final int EXTENDED_RESTRICTION = 4;
      public static final int APPLICATION_RESTRICTION = 5;
      public static final int REQUIRED_GROUP = 6;
      public static final int REQUIRED_GROUP_SET = 7;
  • dm_world and dm_owner have an access PERMIT (r_permit_type=0 : IDfPermitType.ACCESS_PERMIT) with READ permission (r_accessor_permit=3 : IDfACL.DF_PERMIT_READ).
  • The alias %AS4MyGroup has an access PERMIT (r_permit_type=0 : IDfPermitType.ACCESS_PERMIT) with WRITE permission (r_accessor_permit=6 : IDfACL.DF_PERMIT_WRITE).
  • The alias %AS4SuperUser has an access PERMIT (r_permit_type=0 : IDfPermitType.ACCESS_PERMIT) with DELETE permission (r_accessor_permit=7 : IDfACL.DF_PERMIT_DELETE).
  • The alias %ReaderRestrictAccess has an access RESTRICTION (r_permit_type=3 : IDfPermitType.ACCESS_RESTRICTION) with VERSION permission (r_accessor_permit=5 : IDfACL.DF_PERMIT_VERSION).
    • The VERSION permission “%ReaderRestrictAccess=5” (IDfACL.DF_PERMIT_VERSION) is assigned as an exclusive entry in order to restrict the users to the RELATE “4” permission (IDfACL.DF_PERMIT_RELATE).
    • The permit type “3” corresponds to “IDfPermitType.ACCESS_RESTRICTION”, available with the Trusted Content Services license.
    • The permit type IDfPermitType.ACCESS_RESTRICTION imposes that the permission be EXCLUSIVE: for example, a restriction at the “VERSION permission (r_accessor_permit=5)” still ALLOWS the “RELATE permission (r_accessor_permit=4)”.
  • No extended permission is granted.

Dump of the created Template ACL or Permission Set Template:

API> dump,c,45xxxxxxx951
...
USER ATTRIBUTES
  object_name                : MY_ACL_TEMPLATE
  description                : Desc 4 MY_ACL_TEMPLATE
  owner_name                 : MYDOCBASEDEV
  globally_managed           : F
  acl_class                  : 1

SYSTEM ATTRIBUTES
  r_object_id                : 45xxxxxxx951
  r_is_internal              : F
  r_accessor_name         [0]: dm_world
                          [1]: dm_owner
                          [2]: %AS4MyGroup
                          [3]: %AS4SuperUser
                          [4]: %ReaderRestrictAccess
  r_accessor_permit       [0]: 3
                          [1]: 3
                          [2]: 6
                          [3]: 7
                          [4]: 5
  r_accessor_xpermit      [0]: 0
                          [1]: 0
                          [2]: 0
                          [3]: 0
                          [4]: 0
  r_is_group              [0]: F
                          [1]: F
                          [2]: F
                          [3]: F
                          [4]: F
  r_has_events               : F
  r_permit_type           [0]: 0
                          [1]: 0
                          [2]: 0
                          [3]: 0
                          [4]: 3
  r_application_permit    [0]:
                          [1]:
                          [2]:
                          [3]:
                          [4]:
  r_template_id              : 0000000000000000
  r_alias_set_id             : 0000000000000000

APPLICATION ATTRIBUTES

INTERNAL ATTRIBUTES
  i_has_required_groups      : F
  i_has_required_group_set   : F
  i_has_access_restrictions  : T
  i_partition                : 0
  i_is_replica               : F
  i_vstamp                   : 1

Creation of Alias Set (dm_alias_set)

Assuming that we have the following 2 groups:

• my_grp_no_body is a group containing no user
• my_grp_all_users is a group containing all users

... we create 2 AliasSets, MY_ALIASSET and MY_ALIASSET_ARCHIVED, using the above 2 groups:

• MY_ALIASSET/ReaderRestrictAccess = my_grp_no_body
• MY_ALIASSET_ARCHIVED/ReaderRestrictAccess = my_grp_all_users

API> begintran,c
...
OK


API> create,c,dm_alias_set
...
66xxxxxd41
API> set,c,l,object_name
MY_ALIASSET
...
OK
API> set,c,l,owner_name
dm_dbo
...
OK
API> set,c,l,object_description
Desc 4 MY_ALIASSET
...
OK
API> append,c,l,alias_name
AS4MyGroup
...
OK
API> append,c,l,alias_value
my_grp_all_users
...
OK
API> append,c,l,alias_category
2
...
OK
API> append,c,l,alias_usr_category
-1
...
OK
API> append,c,l,alias_description
Entry for a group alias (my_grp_all_users)
...
OK
API> append,c,l,alias_name
AS4SuperUser
...
OK
API> append,c,l,alias_value
myuser001
...
OK
API> append,c,l,alias_category
1
...
OK
API> append,c,l,alias_usr_category
-1
...
OK
API> append,c,l,alias_description
Entry for a user alias (myuser001)
...
OK
API> append,c,l,alias_name
ReaderRestrictAccess
...
OK
API> append,c,l,alias_value
my_grp_no_body
...
OK
API> append,c,l,alias_category
1
...
OK
API> append,c,l,alias_usr_category
-1
...
OK
API> append,c,l,alias_description
Entry for a user alias (my_grp_no_body)
...
OK
API> save,c,l
...
OK


API> create,c,dm_alias_set
...
66xxxxxxd42
API> set,c,l,object_name
MY_ALIASSET_ARCHIVED
...
OK
API> set,c,l,owner_name
dm_dbo
...
OK
API> set,c,l,object_description
Desc 4 MY_ALIASSET_ARCHIVED
...
OK
API> append,c,l,alias_name
AS4MyGroup
...
OK
API> append,c,l,alias_value
my_grp_all_users
...
OK
API> append,c,l,alias_category
2
...
OK
API> append,c,l,alias_usr_category
-1
...
OK
API> append,c,l,alias_description
Entry for a group alias (my_grp_all_users)
...
OK
API> append,c,l,alias_name
AS4SuperUser
...
OK
API> append,c,l,alias_value
myuser001
...
OK
API> append,c,l,alias_category
1
...
OK
API> append,c,l,alias_usr_category
-1
...
OK
API> append,c,l,alias_description
Entry for a user alias (myuser001)
...
OK
API> append,c,l,alias_name
ReaderRestrictAccess
...
OK
API> append,c,l,alias_value
my_grp_all_users
...
OK
API> append,c,l,alias_category
1
...
OK
API> append,c,l,alias_usr_category
-1
...
OK
API> append,c,l,alias_description
Entry for a user alias (my_grp_all_users)
...
OK
API> save,c,l
...
OK


API> commit,c
...
OK

Dump of the created Alias Set MY_ALIASSET:

API> dump,c,66xxxxxd41
...
USER ATTRIBUTES
  owner_name                 : dm_dbo
  object_name                : MY_ALIASSET
  object_description         : Desc 4 MY_ALIASSET
  alias_name              [0]: AS4MyGroup
                          [1]: AS4SuperUser
                          [2]: ReaderRestrictAccess
  alias_value             [0]: my_grp_all_users
                          [1]: myuser001
                          [2]: my_grp_no_body
  alias_category          [0]: 2
                          [1]: 1
                          [2]: 1
  alias_usr_category      [0]: -1
                          [1]: -1
                          [2]: -1
  alias_description       [0]: Entry for a group alias (my_grp_all_users)
                          [1]: Entry for a user alias (myuser001)
                          [2]: Entry for a user alias (my_grp_no_body)

SYSTEM ATTRIBUTES
  r_object_id                : 66xxxxxd41

APPLICATION ATTRIBUTES

INTERNAL ATTRIBUTES
  i_is_replica               : F
  i_vstamp                   : 0

Dump of the created Alias Set MY_ALIASSET_ARCHIVED:

API> dump,c,66xxxxxxd42
...
USER ATTRIBUTES
  owner_name                 : dm_dbo
  object_name                : MY_ALIASSET_ARCHIVED
  object_description         : Desc 4 MY_ALIASSET_ARCHIVED
  alias_name              [0]: AS4MyGroup
                          [1]: AS4SuperUser
                          [2]: ReaderRestrictAccess
  alias_value             [0]: my_grp_all_users
                          [1]: myuser001
                          [2]: my_grp_all_users
  alias_category          [0]: 2
                          [1]: 1
                          [2]: 1
  alias_usr_category      [0]: -1
                          [1]: -1
                          [2]: -1
  alias_description       [0]: Entry for a group alias (my_grp_all_users)
                          [1]: Entry for a user alias (myuser001)
                          [2]: Entry for a user alias (my_grp_all_users)

SYSTEM ATTRIBUTES
  r_object_id                : 66xxxxxxd42

APPLICATION ATTRIBUTES

INTERNAL ATTRIBUTES
  i_is_replica               : F
  i_vstamp                   : 0

Creation of instances of Template ACL (acl_class=2)

An instance of an ACL template is created when an AliasSet and a PST are associated with a document. It is not possible to create an instance of a PST directly by hand.
The error DM_ACL_E_CANT_CHANGE_INSTANCE occurs if the user tries to modify an instance of a PST (acl_class=2). To modify the instances of a PST, it is necessary to modify the PST, or the PST/AliasSet pair, associated with these instances.

We are creating 2 documents (dm_document) using the previous PST and AS:

• a document named Test DOC HUO WITH AS AND PST not ARCHIVED, associated with the PST MY_ACL_TEMPLATE and the AS MY_ALIASSET, in order to generate/use an ACL MY_ACL having r_accessor_name (ReaderRestrictAccess) = my_grp_no_body (exclusive permission VERSION “5”);
• a document named Test DOC HUO WITH AS AND PST ARCHIVED, associated with the PST MY_ACL_TEMPLATE and the AS MY_ALIASSET_ARCHIVED, in order to generate/use an ACL MY_ACL_ARCHIVED having r_accessor_name (ReaderRestrictAccess) = my_grp_all_users (exclusive permission VERSION “5”).

Actually, the association between a document, an AliasSet and a Template ACL generates an instance of the Template ACL (acl_class=2) with a name like dm_450xxxxxxx94_xxxxd3e. This instance is created only if it does not already exist.

The only difference between MY_ACL and MY_ACL_ARCHIVED will be the read-only right of the people who already have access to the documents. By using the AccessRestriction permit type with the basic permission VERSION (5):

• with MY_ACL, the system does not explicitly restrict users from accessing and modifying the document, because the my_grp_no_body group contains no user;
• with MY_ACL_ARCHIVED, the system restricts all users to only BROWSE, READ and RELATE the document (not “VERSION”!!!!) EVEN IF these users belong to groups which have more permissive rights.
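To make the two outcomes above concrete, here is a small Python model, added here and not taken from the blog or from Documentum/DFC, of how the PST entries are resolved through an alias set into an acl_class=2 instance and how an AccessRestriction entry then caps a user's effective permission. The group memberships (myuser001 and a constructed user alice in my_grp_all_users) are assumptions, and the "deny this level and everything above it" rule is the behaviour the post describes, implemented here by hand rather than by a DFC call.

```python
# Constructed model of the page's PST + alias-set resolution and of the
# AccessRestriction rule; it is not DFC code and makes no Documentum calls.
from dataclasses import dataclass

# Basic permit levels (IDfACL.DF_PERMIT_*) and permit types (IDfPermitType.*)
NONE, BROWSE, READ, RELATE, VERSION, WRITE, DELETE = 1, 2, 3, 4, 5, 6, 7
ACCESS_PERMIT, ACCESS_RESTRICTION = 0, 3

@dataclass(frozen=True)
class Entry:
    accessor: str     # r_accessor_name: user, group, dm_world, dm_owner or %alias
    permit: int       # r_accessor_permit
    permit_type: int  # r_permit_type

# MY_ACL_TEMPLATE as granted on the page (acl_class=1)
MY_ACL_TEMPLATE = [
    Entry("dm_world", READ, ACCESS_PERMIT),
    Entry("dm_owner", READ, ACCESS_PERMIT),
    Entry("%AS4MyGroup", WRITE, ACCESS_PERMIT),
    Entry("%AS4SuperUser", DELETE, ACCESS_PERMIT),
    Entry("%ReaderRestrictAccess", VERSION, ACCESS_RESTRICTION),
]

# The two alias sets from the page (alias_name -> alias_value)
MY_ALIASSET = {"AS4MyGroup": "my_grp_all_users", "AS4SuperUser": "myuser001",
               "ReaderRestrictAccess": "my_grp_no_body"}
MY_ALIASSET_ARCHIVED = dict(MY_ALIASSET, ReaderRestrictAccess="my_grp_all_users")

# Constructed group membership: "alice" stands in for any ordinary repository user
GROUPS = {"my_grp_all_users": {"myuser001", "alice"}, "my_grp_no_body": set()}

def instantiate(template, alias_set):
    """Build the acl_class=2 instance: replace every %alias by its alias_value."""
    instance = []
    for e in template:
        name = e.accessor
        if name.startswith("%"):
            if name[1:] not in alias_set:
                raise ValueError(f"alias {name[1:]} missing from alias set")
            name = alias_set[name[1:]]
        instance.append(Entry(name, e.permit, e.permit_type))
    return instance

def applies_to(entry, user, owner):
    """Does this ACL entry cover the user (directly, via group, owner or world)?"""
    if entry.accessor == "dm_world":
        return True
    if entry.accessor == "dm_owner":
        return user == owner
    return entry.accessor == user or user in GROUPS.get(entry.accessor, set())

def effective_permit(acl, user, owner="dm_dbo"):
    """Highest applicable AccessPermit, capped by the lowest applicable AccessRestriction.
    A restriction at level L denies L and above, so VERSION (5) leaves at most RELATE (4)."""
    granted = max((e.permit for e in acl
                   if e.permit_type == ACCESS_PERMIT and applies_to(e, user, owner)),
                  default=NONE)
    cap = min((e.permit - 1 for e in acl
               if e.permit_type == ACCESS_RESTRICTION and applies_to(e, user, owner)),
              default=DELETE)
    return min(granted, cap)
```

With MY_ALIASSET the restriction resolves to the empty group and nobody is capped (alice keeps WRITE, myuser001 keeps DELETE); with MY_ALIASSET_ARCHIVED both fall to RELATE, while the owner, who is in neither group, keeps READ.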

API> begintran,c
...
OK


API> create,c,dm_document
...
09xxxxxxxxx88
API> set,c,l,object_name
Test DOC HUO WITH AS AND PST not ARCHIVED
...
OK
API> set,c,l,a_content_type
pdf
...
OK
API> setfile,c,l,C:\temp\test.pdf
...
OK
API> link,c,l,'/Temp'
...
OK
API> set,c,l,r_alias_set_id
66xxxxxd41
...
OK
API> set,c,l,acl_domain
dm_dbo
...
OK
API> set,c,l,acl_name
MY_ACL_TEMPLATE
...
OK
API> save,c,l
...
OK


API> create,c,dm_document
...
09xxxxxxxxxx89
API> set,c,l,object_name
Test DOC HUO WITH AS AND PST ARCHIVED
...
OK
API> set,c,l,a_content_type
pdf
...
OK
API> setfile,c,l,C:\temp\test.pdf
...
OK
API> link,c,l,'/Temp'
...
OK
API> set,c,l,r_alias_set_id
66xxxxxxd42
...
OK
API> set,c,l,acl_domain
dm_dbo
...
OK
API> set,c,l,acl_name
MY_ACL_TEMPLATE
...
OK
API> save,c,l
...
OK


API> commit,c
...
OK

Dump of the created document Test DOC HUO WITH AS AND PST not ARCHIVED:

API> dump,c,09xxxxxxxxx88
...
USER ATTRIBUTES
  object_name                : Test DOC HUO WITH AS AND PST not ARCHIVED
  acl_domain                 : MYDOCBASEDEV
  acl_name                   : dm_45xxxxxxx951_xxxxxd41

SYSTEM ATTRIBUTES
  r_object_id                : 09xxxxxxxxx88
  r_object_type              : dm_document

Dump of the created document Test DOC HUO WITH AS AND PST ARCHIVED:

API> dump,c,09xxxxxxxxxx89
...
USER ATTRIBUTES
  object_name                : Test DOC HUO WITH AS AND PST ARCHIVED
  acl_domain                 : MYDOCBASEDEV
  acl_name                   : dm_45xxxxxxx9511_xxxxxd42

SYSTEM ATTRIBUTES
  r_object_id                : 09xxxxxxxxxx89
  r_object_type              : dm_document

So, the instances of the PST used for these new documents are the following.

The document Test DOC HUO WITH AS AND PST not ARCHIVED uses the instance of Template ACL (acl_class=2) dm_45xxxxxxx951_xxxxxd41:

DQL> select r_object_id from dm_acl where object_name IN('dm_45xxxxxxx951_xxxxxd41','dm_45xxxxxxx9511_xxxxxd42')
...
r_object_id
45xxxxxx952
45xxxxxx953

API> dump,c,45xxxxxx952
...
USER ATTRIBUTES
  object_name                : dm_45xxxxxxx951_xxxxxd41
  description                : dm_45xxxxxxx951_xxxxxd41
  owner_name                 : MYDOCBASEDEV
  globally_managed           : F
  acl_class                  : 2

SYSTEM ATTRIBUTES
  r_object_id                : 45xxxxxx952
  r_is_internal              : T
  r_accessor_name         [0]: dm_world
                          [1]: dm_owner
                          [2]: my_grp_all_users
                          [3]: myuser001
                          [4]: my_grp_no_body
  r_accessor_permit       [0]: 3
                          [1]: 3
                          [2]: 6
                          [3]: 7
                          [4]: 5
  r_accessor_xpermit      [0]: 0
                          [1]: 0
                          [2]: 0
                          [3]: 0
                          [4]: 0
  r_is_group              [0]: F
                          [1]: F
                          [2]: T
                          [3]: F
                          [4]: T
  r_has_events               : F
  r_permit_type           [0]: 0
                          [1]: 0
                          [2]: 0
                          [3]: 0
                          [4]: 3
  r_application_permit    [0]:
                          [1]:
                          [2]:
                          [3]:
                          [4]:
  r_template_id              : 45xxxxxxx951
  r_alias_set_id             : 66xxxxxd41

APPLICATION ATTRIBUTES

INTERNAL ATTRIBUTES
  i_has_required_groups      : F
  i_has_required_group_set   : F
  i_has_access_restrictions  : T
  i_partition                : 0
  i_is_replica               : F
  i_vstamp                   : 1

The document Test DOC HUO WITH AS AND PST ARCHIVED uses the instance of Template ACL (acl_class=2) dm_45xxxxxxx9511_xxxxxd42:

API> dump,c,45xxxxxx953
...
USER ATTRIBUTES
  object_name                : dm_45xxxxxxx9511_xxxxxd42
  description                : dm_45xxxxxxx9511_xxxxxd42
  owner_name                 : MYDOCBASEDEV
  globally_managed           : F
  acl_class                  : 2

SYSTEM ATTRIBUTES
  r_object_id                : 45xxxxxx953
  r_is_internal              : T
  r_accessor_name         [0]: dm_world
                          [1]: dm_owner
                          [2]: my_grp_all_users
                          [3]: myuser001
                          [4]: my_grp_all_users
  r_accessor_permit       [0]: 3
                          [1]: 3
                          [2]: 6
                          [3]: 7
                          [4]: 5
  r_accessor_xpermit      [0]: 0
                          [1]: 0
                          [2]: 0
                          [3]: 0
                          [4]: 0
  r_is_group              [0]: F
                          [1]: F
                          [2]: T
                          [3]: F
                          [4]: T
  r_has_events               : F
  r_permit_type           [0]: 0
                          [1]: 0
                          [2]: 0
                          [3]: 0
                          [4]: 3
  r_application_permit    [0]:
                          [1]:
                          [2]:
                          [3]:
                          [4]:
  r_template_id              : 45xxxxxxx951
  r_alias_set_id             : 66xxxxxxd42

APPLICATION ATTRIBUTES

INTERNAL ATTRIBUTES
  i_has_required_groups      : F
  i_has_required_group_set   : F
  i_has_access_restrictions  : T
  i_partition                : 0
  i_is_replica               : F
  i_vstamp                   : 1

Important note: any modification of the PST and/or the AS will impact all instances of the PST (ACLs) associated with these elements.

Best regards,

Huseyin OZVEREN
