Hello,
In this post, I would like to present the following Documentum groups:
- dm_read_all : introduced in DCTM 6.5 SP2. The members of this group are able to read all the documents in a Documentum repository. They have READ access to any sysobject in the repository regardless of the ACL assigned to the object. This permission applies to the existing documents and also to future documents which will be created/imported in the repository.
- dm_browse_all : The members of this group have BROWSE access on all the sysobjects in the repository. This group already exists in versions before DCTM 6.0.
- dm_browse_all_dynamic : This group is the dynamic group equivalent of group dm_browse_all.
- dm_read_all_dynamic : This group is the dynamic group equivalent of group dm_read_all.
Some explanations : The dm_read_all group is created during the server startup if the group does not already exist. Everywhere (that is, when constructing an object or performing DQL statements), the session user's membership of this group is checked for the READ permission before looking into the ACL. For example, if a user is a member of the dm_read_all group, then the user is allowed to construct and update any object in the repository even if the user does not have any permission in the associated ACL. Similarly, if the session user belongs to the dm_read_all group, then the ACL predicate is not constructed when converting a DQL statement to the corresponding SQL statement.
Reminder : Dynamic Group
A dynamic group is a group whose list of members is considered a list of potential members. A setting in the group’s definition defines whether the potential members are treated as members of the group or not when a repository session is started. Depending on that setting, an application can issue a session call to add or remove a user from the group when the session starts.
Example:
Testing access to a document with a user belonging to the dm_browse_all or dm_read_all group (DCTM 7.2)
- Create user testuserreadonly Consumer (client capability) without basic and extended privileges:
- Associate this user to dm_browse_all group:
- Target a document for our tests with the mandatory group dm_world associated to READ permission
=> document with r_object_id=090xxxxxb83
- TEST1: Document (r_object_id=090xxxxxb83) with the permission READ associated to the dm_world group
– With the testuserreadonly user, check the access to the attributes of the document
DQL>SELECT * FROM dm_document WHERE r_object_id='090xxxxxb83'
=>OK: the user has access to the document’s attributes because the user is associated to dm_browse_all group
– With the testuserreadonly user, check the access to the content file of the document
API>getfile,c,090xxxxxb83
=>OK: the user has access to the document’s content file because the dm_world group has the READ permission on this document.
- TEST2: Modification of document (r_object_id=090xxxxxb83) to associate the permission NONE to the dm_world group
– With the testuserreadonly user, check the access to the attributes of the document
DQL>SELECT * FROM dm_document WHERE r_object_id='090xxxxxb83'
=>OK: the user has access to the document’s attributes because the user is associated to dm_browse_all group
– With the testuserreadonly user, check the access to the content file of the document
API>getfile,c,090xxxxxb83
=>NOK: No access to the document’s content file because the dm_world group has the NONE permission on this document : [DM_SYSOBJECT_E_NO_READ_ACCESS] error: “No read access sysobject named ‘MY_DOC_NAME_JAVA.LU’.”
- TEST3: Modification of testuserreadonly to be associated to the dm_read_all group
– With the testuserreadonly user, check the access to the attributes of the document
DQL>SELECT * FROM dm_document WHERE r_object_id='090xxxxxb83'
=>OK: the user has access to the document’s attributes because the user is associated to dm_browse_all group
– With the testuserreadonly user, check the access to the content file of the document
API>getfile,c,090xxxxxb83
=>OK: the user has access to the document’s content file because the user is associated to dm_read_all group, even though the dm_world group is still associated to the NONE permission on this document.
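The three tests above can be replayed with a small model of the check order (override groups first, then the ACL). This is an added example, not Documentum code or the author's: the `Session` class, the `active_dynamic` set and the dictionary ACLs are simplifications assumed here, while NONE=1, BROWSE=2, READ=3 are Documentum's basic permit levels.

```python
# Simplified model (added example, not Documentum code) of the checks in TEST1-TEST3.
from dataclasses import dataclass, field

# Documentum basic permit levels used on this page.
NONE, BROWSE, READ = 1, 2, 3

# Override groups and the permit each one grants on every sysobject.
OVERRIDE_GROUPS = {
    "dm_browse_all": BROWSE, "dm_browse_all_dynamic": BROWSE,
    "dm_read_all": READ, "dm_read_all_dynamic": READ,
}
DYNAMIC = {"dm_browse_all_dynamic", "dm_read_all_dynamic"}

# Permit needed per operation: attributes via DQL need BROWSE, getfile needs READ.
REQUIRED = {"select_attributes": BROWSE, "getfile": READ}


@dataclass
class Session:
    user: str
    groups: set  # groups that list the user as a (potential) member
    active_dynamic: set = field(default_factory=set)  # assumed: dynamic groups active now

    def effective_groups(self):
        # A dynamic group only counts while it is active for this session.
        return {g for g in self.groups if g not in DYNAMIC or g in self.active_dynamic}


def effective_permit(session, acl):
    """Highest permit from the override groups and from the object's ACL entries."""
    groups = session.effective_groups() | {"dm_world"}  # every user is in dm_world
    override = max(OVERRIDE_GROUPS.get(g, NONE) for g in groups)
    from_acl = max(acl.get(name, NONE) for name in groups | {session.user})
    return max(override, from_acl)


def allowed(session, acl, operation):
    return effective_permit(session, acl) >= REQUIRED[operation]


def run_page_tests():
    """Replay TEST1-TEST3 with constructed ACLs: (attributes_ok, getfile_ok) per test."""
    browse_user = Session("testuserreadonly", {"dm_browse_all"})
    read_user = Session("testuserreadonly", {"dm_browse_all", "dm_read_all"})
    return {
        "TEST1": tuple(allowed(browse_user, {"dm_world": READ}, op) for op in REQUIRED),
        "TEST2": tuple(allowed(browse_user, {"dm_world": NONE}, op) for op in REQUIRED),
        "TEST3": tuple(allowed(read_user, {"dm_world": NONE}, op) for op in REQUIRED),
    }
```

When reviewing a repository, the same reasoning means that membership of dm_read_all and dm_browse_all has to be audited separately from the ACLs, since an ACL set to NONE for dm_world does not restrict these users.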
That’s all!!!
Huseyin OZVEREN