Hello,
After my first post on the theory of Permission Set Templates (ACL Templates, PST) combined with Alias Sets (AS), Documentum : ACL template, Permission Set Template with Alias Set (PART 1 : theory), I would like in this post to illustrate that theory with a simple use of AS and PST for securing "document archiving". The archived documents will carry a READONLY restriction for all users.
Creation of Template ACL or Permission Set Template (acl_class=1)
So, first, we create a new PST MY_ACL_TEMPLATE (or modify an existing one); a new accessor entry for the alias %ReaderRestrictAccess is then added to it:
API> begintran,c ... OK
API> create,c,dm_acl ... 45xxxxxxx951
API> set,c,l,object_name MY_ACL_TEMPLATE ... OK
API> set,c,l,owner_name dm_dbo ... OK
API> set,c,l,acl_class 1 ... OK
API> set,c,l,description Desc 4 MY_ACL_TEMPLATE ... OK
API> grant,c,l,dm_world,AccessPermit,,3 ... OK
API> grant,c,l,dm_owner,AccessPermit,,3 ... OK
API> grant,c,l,%AS4MyGroup,AccessPermit,,6 ... OK
API> grant,c,l,%AS4SuperUser,AccessPermit,,7 ... OK
API> save,c,l ... OK
API> commit,c ... OK
Adding a new accessor that uses the alias %ReaderRestrictAccess to the PST:
API> begintran,c ... OK
API> retrieve,c,dm_acl where object_name='MY_ACL_TEMPLATE' ... 45xxxxxxx951
API> grant,c,l,%ReaderRestrictAccess,AccessRestriction,,5 ... OK
API> save,c,l ... OK
API> commit,c ... OK
Some explanations (see also my post Documentum : ACL, Permit Type, Trusted Content Services, TCS, Access Restriction):
- The attribute r_permit_type defines the kind of entry; the basic valid values are AccessPermit and ExtendedPermit.
- With a Trusted Content Services (TCS) license, the following values are also valid: ApplicationPermit, AccessRestriction, ExtendedRestriction, ApplicationRestriction, RequiredGroup and RequiredGroupSet.
- The corresponding constants are defined in the DFC interface com.documentum.fc.client.IDfPermitType (used by IDfPermit):
  public static final int ACCESS_PERMIT = 0;
  public static final int EXTENDED_PERMIT = 1;
  public static final int APPLICATION_PERMIT = 2;
  public static final int ACCESS_RESTRICTION = 3;
  public static final int EXTENDED_RESTRICTION = 4;
  public static final int APPLICATION_RESTRICTION = 5;
  public static final int REQUIRED_GROUP = 6;
  public static final int REQUIRED_GROUP_SET = 7;
- The accessor %ReaderRestrictAccess is given the VERSION permission level "5" (IDfACL.DF_PERMIT_VERSION) as an exclusive restriction, which limits the affected users to the RELATE level "4" (IDfACL.DF_PERMIT_RELATE).
- The permit type "3" corresponds to IDfPermitType.ACCESS_RESTRICTION, which is available with the Trusted Content Services license.
- The permit type IDfPermitType.ACCESS_RESTRICTION makes the named permission exclusive: the accessor is denied that level. For example, a restriction at VERSION (r_accessor_permit=5) leaves the accessor with at most RELATE (r_accessor_permit=4).
Dump of created Template ACL or Permission Set Template:
API> dump,c,45xxxxxxx951
...
USER ATTRIBUTES
  object_name       : MY_ACL_TEMPLATE
  description       : Desc 4 MY_ACL_TEMPLATE
  owner_name        : MYDOCBASEDEV
  globally_managed  : F
  acl_class         : 1
SYSTEM ATTRIBUTES
  r_object_id           : 45xxxxxxx951
  r_is_internal         : F
  r_accessor_name    [0]: dm_world
                     [1]: dm_owner
                     [2]: %AS4MyGroup
                     [3]: %AS4SuperUser
                     [4]: %ReaderRestrictAccess
  r_accessor_permit  [0]: 3
                     [1]: 3
                     [2]: 6
                     [3]: 7
                     [4]: 5
  r_accessor_xpermit [0]: 0
                     [1]: 0
                     [2]: 0
                     [3]: 0
                     [4]: 0
  r_is_group         [0]: F
                     [1]: F
                     [2]: F
                     [3]: F
                     [4]: F
  r_has_events          : F
  r_permit_type      [0]: 0
                     [1]: 0
                     [2]: 0
                     [3]: 0
                     [4]: 3
  r_application_permit [0]:
                       [1]:
                       [2]:
                       [3]:
                       [4]:
  r_template_id         : 0000000000000000
  r_alias_set_id        : 0000000000000000
APPLICATION ATTRIBUTES
INTERNAL ATTRIBUTES
  i_has_required_groups     : F
  i_has_required_group_set  : F
  i_has_access_restrictions : T
  i_partition               : 0
  i_is_replica              : F
  i_vstamp                  : 1
Creation of Alias Set (dm_alias_set)
Assuming that we have the following two groups:
- my_grp_no_body, a group containing no users
- my_grp_all_users, a group containing all users
... we create two alias sets, MY_ALIASSET and MY_ALIASSET_ARCHIVED, whose ReaderRestrictAccess alias points to these two groups:
- MY_ALIASSET/ReaderRestrictAccess = my_grp_no_body
- MY_ALIASSET_ARCHIVED/ReaderRestrictAccess = my_grp_all_users
API> begintran,c ... OK
API> create,c,dm_alias_set ... 66xxxxxd41
API> set,c,l,object_name MY_ALIASSET ... OK
API> set,c,l,owner_name dm_dbo ... OK
API> set,c,l,object_description Desc 4 MY_ALIASSET ... OK
API> append,c,l,alias_name AS4MyGroup ... OK
API> append,c,l,alias_value my_grp_all_users ... OK
API> append,c,l,alias_category 2 ... OK
API> append,c,l,alias_usr_category -1 ... OK
API> append,c,l,alias_description Entry for a group alias (my_grp_all_users) ... OK
API> append,c,l,alias_name AS4SuperUser ... OK
API> append,c,l,alias_value myuser001 ... OK
API> append,c,l,alias_category 1 ... OK
API> append,c,l,alias_usr_category -1 ... OK
API> append,c,l,alias_description Entry for a user alias (myuser001) ... OK
API> append,c,l,alias_name ReaderRestrictAccess ... OK
API> append,c,l,alias_value my_grp_no_body ... OK
API> append,c,l,alias_category 1 ... OK
API> append,c,l,alias_usr_category -1 ... OK
API> append,c,l,alias_description Entry for a user alias (my_grp_no_body) ... OK
API> save,c,l ... OK
API> create,c,dm_alias_set ... 66xxxxxxd42
API> set,c,l,object_name MY_ALIASSET_ARCHIVED ... OK
API> set,c,l,owner_name dm_dbo ... OK
API> set,c,l,object_description Desc 4 MY_ALIASSET_ARCHIVED ... OK
API> append,c,l,alias_name AS4MyGroup ... OK
API> append,c,l,alias_value my_grp_all_users ... OK
API> append,c,l,alias_category 2 ... OK
API> append,c,l,alias_usr_category -1 ... OK
API> append,c,l,alias_description Entry for a group alias (my_grp_all_users) ... OK
API> append,c,l,alias_name AS4SuperUser ... OK
API> append,c,l,alias_value myuser001 ... OK
API> append,c,l,alias_category 1 ... OK
API> append,c,l,alias_usr_category -1 ... OK
API> append,c,l,alias_description Entry for a user alias (myuser001) ... OK
API> append,c,l,alias_name ReaderRestrictAccess ... OK
API> append,c,l,alias_value my_grp_all_users ... OK
API> append,c,l,alias_category 1 ... OK
API> append,c,l,alias_usr_category -1 ... OK
API> append,c,l,alias_description Entry for a user alias (my_grp_all_users) ... OK
API> save,c,l ... OK
API> commit,c ... OK
Dump of the created Alias Set MY_ALIASSET:
API> dump,c,66xxxxxd41
...
USER ATTRIBUTES
  owner_name          : dm_dbo
  object_name         : MY_ALIASSET
  object_description  : Desc 4 MY_ALIASSET
  alias_name       [0]: AS4MyGroup
                   [1]: AS4SuperUser
                   [2]: ReaderRestrictAccess
  alias_value      [0]: my_grp_all_users
                   [1]: myuser001
                   [2]: my_grp_no_body
  alias_category   [0]: 2
                   [1]: 1
                   [2]: 1
  alias_usr_category [0]: -1
                     [1]: -1
                     [2]: -1
  alias_description [0]: Entry for a group alias (my_grp_all_users)
                    [1]: Entry for a user alias (myuser001)
                    [2]: Entry for a user alias (my_grp_no_body)
SYSTEM ATTRIBUTES
  r_object_id         : 66xxxxxd41
APPLICATION ATTRIBUTES
INTERNAL ATTRIBUTES
  i_is_replica        : F
  i_vstamp            : 0
Dump of the created Alias Set MY_ALIASSET_ARCHIVED:
API> dump,c,66xxxxxxd42
...
USER ATTRIBUTES
  owner_name          : dm_dbo
  object_name         : MY_ALIASSET_ARCHIVED
  object_description  : Desc 4 MY_ALIASSET_ARCHIVED
  alias_name       [0]: AS4MyGroup
                   [1]: AS4SuperUser
                   [2]: ReaderRestrictAccess
  alias_value      [0]: my_grp_all_users
                   [1]: myuser001
                   [2]: my_grp_all_users
  alias_category   [0]: 2
                   [1]: 1
                   [2]: 1
  alias_usr_category [0]: -1
                     [1]: -1
                     [2]: -1
  alias_description [0]: Entry for a group alias (my_grp_all_users)
                    [1]: Entry for a user alias (myuser001)
                    [2]: Entry for a user alias (my_grp_all_users)
SYSTEM ATTRIBUTES
  r_object_id         : 66xxxxxxd42
APPLICATION ATTRIBUTES
INTERNAL ATTRIBUTES
  i_is_replica        : F
  i_vstamp            : 0
Creation of instances of Template ACL (acl_class=2)
An instance of an ACL template is created when an Alias Set and a PST are associated with a document. An instance of a PST cannot be created directly by hand.
The error DM_ACL_E_CANT_CHANGE_INSTANCE occurs if a user tries to modify an instance of a PST (acl_class=2). To change the instances of a PST, it is necessary to modify the PST or the PST/Alias Set pair associated with these instances.
We create two documents (dm_document) using the previous PST and AS:
- a document named Test DOC HUO WITH AS AND PST not ARCHIVED, associated with the PST MY_ACL_TEMPLATE and the AS MY_ALIASSET, in order to generate/use an ACL MY_ACL whose r_accessor_name for ReaderRestrictAccess resolves to my_grp_no_body (exclusive VERSION permission "5")
- a document named Test DOC HUO WITH AS AND PST ARCHIVED, associated with the PST MY_ACL_TEMPLATE and the AS MY_ALIASSET_ARCHIVED, in order to generate/use an ACL MY_ACL_ARCHIVED whose r_accessor_name for ReaderRestrictAccess resolves to my_grp_all_users (exclusive VERSION permission "5")
Actually, the association between a document, an Alias Set and a Template ACL generates an instance of the Template ACL (acl_class=2) with a name like dm_450xxxxxxx94_xxxxd3e. This instance is created only if it does not already exist.
The only difference between MY_ACL and MY_ACL_ARCHIVED is the read-only restriction applied to people who already have access to the documents. By using the AccessRestriction permit type with the basic permission VERSION (5):
- with MY_ACL, the system does not effectively restrict any user from accessing and modifying the document, because the group my_grp_no_body contains no user,
- with MY_ACL_ARCHIVED, the system restricts all users to BROWSE, READ and RELATE only on the document (not VERSION!), EVEN IF these users belong to groups that have more permissive rights.
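To make the two effects above concrete, here is an added example (my own code, not part of the original post or of DFC) that models how the server turns the PST MY_ACL_TEMPLATE plus an alias set into an instance ACL, and then computes a user's effective basic permission. The evaluation rules (highest applicable AccessPermit wins; an applicable AccessRestriction caps the user strictly below the restricted level) are my simplified reading of the behaviour described in this post, and the group memberships are constructed for the example.

```python
# Added example: model of PST + Alias Set -> instance ACL -> effective permission.
# The combination rules are an assumption based on the post, not DFC's own code.

ACCESS_PERMIT, ACCESS_RESTRICTION = 0, 3           # IDfPermitType values
NONE, BROWSE, READ, RELATE, VERSION, WRITE, DELETE = range(1, 8)  # IDfACL.DF_PERMIT_*

# Entries of MY_ACL_TEMPLATE as (r_accessor_name, r_accessor_permit, r_permit_type).
PST = [("dm_world", 3, 0), ("dm_owner", 3, 0), ("%AS4MyGroup", 6, 0),
       ("%AS4SuperUser", 7, 0), ("%ReaderRestrictAccess", 5, 3)]

# alias_name -> alias_value, as in the two alias set dumps.
MY_ALIASSET = {"AS4MyGroup": "my_grp_all_users", "AS4SuperUser": "myuser001",
               "ReaderRestrictAccess": "my_grp_no_body"}
MY_ALIASSET_ARCHIVED = dict(MY_ALIASSET, ReaderRestrictAccess="my_grp_all_users")

# Constructed memberships: my_grp_no_body is empty, my_grp_all_users holds everyone.
GROUPS = {"my_grp_no_body": set(), "my_grp_all_users": {"myuser001", "alice"}}


def instantiate(pst, alias_set):
    """Resolve %alias accessors, as the server does when it creates the acl_class=2 instance."""
    return [(alias_set[name[1:]] if name.startswith("%") else name, permit, ptype)
            for name, permit, ptype in pst]


def applies(accessor, user, owner):
    """Does this accessor entry apply to the user (direct, group, dm_world, dm_owner)?"""
    return (accessor == user or accessor == "dm_world"
            or (accessor == "dm_owner" and user == owner)
            or user in GROUPS.get(accessor, set()))


def effective_permit(acl, user, owner="dm_dbo"):
    """Highest applicable AccessPermit, then capped by any applicable AccessRestriction."""
    granted = max((p for a, p, t in acl
                   if t == ACCESS_PERMIT and applies(a, user, owner)), default=NONE)
    restricted = [p for a, p, t in acl
                  if t == ACCESS_RESTRICTION and applies(a, user, owner)]
    if restricted:
        # Exclusive restriction: the user stays strictly below the restricted level.
        granted = min(granted, min(restricted) - 1)
    return granted
```

For "alice", a member of my_grp_all_users, the instance built from MY_ALIASSET yields WRITE (6), while the one built from MY_ALIASSET_ARCHIVED yields RELATE (4); even myuser001, granted DELETE (7) through %AS4SuperUser, is capped at RELATE by the archived alias set.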
API> begintran,c ... OK
API> create,c,dm_document ... 09xxxxxxxxx88
API> set,c,l,object_name Test DOC HUO WITH AS AND PST not ARCHIVED ... OK
API> set,c,l,a_content_type pdf ... OK
API> setfile,c,l,C:\temp\test.pdf ... OK
API> link,c,l,'/Temp' ... OK
API> set,c,l,r_alias_set_id 66xxxxxd41 ... OK
API> set,c,l,acl_domain dm_dbo ... OK
API> set,c,l,acl_name MY_ACL_TEMPLATE ... OK
API> save,c,l ... OK
API> create,c,dm_document ... 09xxxxxxxxxx89
API> set,c,l,object_name Test DOC HUO WITH AS AND PST ARCHIVED ... OK
API> set,c,l,a_content_type pdf ... OK
API> setfile,c,l,C:\temp\test.pdf ... OK
API> link,c,l,'/Temp' ... OK
API> set,c,l,r_alias_set_id 66xxxxxxd42 ... OK
API> set,c,l,acl_domain dm_dbo ... OK
API> set,c,l,acl_name MY_ACL_TEMPLATE ... OK
API> save,c,l ... OK
API> commit,c ... OK
Dump of created document Test DOC HUO WITH AS AND PST not ARCHIVED:
API> dump,c,09xxxxxxxxx88
...
USER ATTRIBUTES
  object_name   : Test DOC HUO WITH AS AND PST not ARCHIVED
  acl_domain    : MYDOCBASEDEV
  acl_name      : dm_45xxxxxxx951_xxxxxd41
SYSTEM ATTRIBUTES
  r_object_id   : 09xxxxxxxxx88
  r_object_type : dm_document
Dump of created document Test DOC HUO WITH AS AND PST ARCHIVED:
API> dump,c,09xxxxxxxxxx89
...
USER ATTRIBUTES
  object_name   : Test DOC HUO WITH AS AND PST ARCHIVED
  acl_domain    : MYDOCBASEDEV
  acl_name      : dm_45xxxxxxx9511_xxxxxd42
SYSTEM ATTRIBUTES
  r_object_id   : 09xxxxxxxxxx89
  r_object_type : dm_document
So, the instances of the PST used by these new documents are the following.
The document Test DOC HUO WITH AS AND PST not ARCHIVED uses the instance of Template ACL (acl_class=2) dm_45xxxxxxx951_xxxxxd41:
DQL> select r_object_id from dm_acl where object_name IN('dm_45xxxxxxx951_xxxxxd41','dm_45xxxxxxx9511_xxxxxd42')
...
r_object_id
45xxxxxx952
45xxxxxx953
API> dump,c,45xxxxxx952
...
USER ATTRIBUTES
  object_name       : dm_45xxxxxxx951_xxxxxd41
  description       : dm_45xxxxxxx951_xxxxxd41
  owner_name        : MYDOCBASEDEV
  globally_managed  : F
  acl_class         : 2
SYSTEM ATTRIBUTES
  r_object_id           : 45xxxxxx952
  r_is_internal         : T
  r_accessor_name    [0]: dm_world
                     [1]: dm_owner
                     [2]: my_grp_all_users
                     [3]: myuser001
                     [4]: my_grp_no_body
  r_accessor_permit  [0]: 3
                     [1]: 3
                     [2]: 6
                     [3]: 7
                     [4]: 5
  r_accessor_xpermit [0]: 0
                     [1]: 0
                     [2]: 0
                     [3]: 0
                     [4]: 0
  r_is_group         [0]: F
                     [1]: F
                     [2]: T
                     [3]: F
                     [4]: T
  r_has_events          : F
  r_permit_type      [0]: 0
                     [1]: 0
                     [2]: 0
                     [3]: 0
                     [4]: 3
  r_application_permit [0]:
                       [1]:
                       [2]:
                       [3]:
                       [4]:
  r_template_id         : 45xxxxxxx951
  r_alias_set_id        : 66xxxxxd41
APPLICATION ATTRIBUTES
INTERNAL ATTRIBUTES
  i_has_required_groups     : F
  i_has_required_group_set  : F
  i_has_access_restrictions : T
  i_partition               : 0
  i_is_replica              : F
  i_vstamp                  : 1
The document Test DOC HUO WITH AS AND PST ARCHIVED uses the instance of Template ACL (acl_class=2) dm_45xxxxxxx9511_xxxxxd42:
API> dump,c,45xxxxxx953
...
USER ATTRIBUTES
  object_name       : dm_45xxxxxxx9511_xxxxxd42
  description       : dm_45xxxxxxx9511_xxxxxd42
  owner_name        : MYDOCBASEDEV
  globally_managed  : F
  acl_class         : 2
SYSTEM ATTRIBUTES
  r_object_id           : 45xxxxxx953
  r_is_internal         : T
  r_accessor_name    [0]: dm_world
                     [1]: dm_owner
                     [2]: my_grp_all_users
                     [3]: myuser001
                     [4]: my_grp_all_users
  r_accessor_permit  [0]: 3
                     [1]: 3
                     [2]: 6
                     [3]: 7
                     [4]: 5
  r_accessor_xpermit [0]: 0
                     [1]: 0
                     [2]: 0
                     [3]: 0
                     [4]: 0
  r_is_group         [0]: F
                     [1]: F
                     [2]: T
                     [3]: F
                     [4]: T
  r_has_events          : F
  r_permit_type      [0]: 0
                     [1]: 0
                     [2]: 0
                     [3]: 0
                     [4]: 3
  r_application_permit [0]:
                       [1]:
                       [2]:
                       [3]:
                       [4]:
  r_template_id         : 45xxxxxxx951
  r_alias_set_id        : 66xxxxxxd42
APPLICATION ATTRIBUTES
INTERNAL ATTRIBUTES
  i_has_required_groups     : F
  i_has_required_group_set  : F
  i_has_access_restrictions : T
  i_partition               : 0
  i_is_replica              : F
  i_vstamp                  : 1
Important note: any modification of the PST and/or the AS will impact all instances of the PST (ACLs) associated with these elements.
Best regards,
Huseyin OZVEREN