Hi. We're using folder security, users' access is provided by their group memberships. Questions r

We're implementing Documentum 6.5. We're using folder security, access to folders controlled by users' group memberships.

1. In this environment, if a user is a member of two groups, and those two groups provide a different level of access to a repos. folder, which one takes precedence? Is the user's access the greater of or the lesser of the two levels of access (more restrictive or less restrictive)? For ex: user is member of Manager group that has "read" access to a Finance folder, and is also a member of the Accounting group that has "version" access, which access takes precedence?

2. Next scenario: If a user is a member of a group that has "version" access to a folder, and is also a member of a group that has "none" access to a folder, does "none" prevail? So suppose the user is a member of the Plant group that has "version" access to a folder, and is also a member of the Hourly group that has "none" access to the same folder, does "none" trump "version"? What I'm trying to get at here is--even if the normal precedence is the less restrictive access, is "none" a special case that trumps that rule?

Find more posts tagged with

Comments

DCTM_Guru

1. Version

2. No, version prevails. If you want to restrict access beyond normal security model, you use RequiredGroup/GroupSet. To use this extended security feature, you will need to license TCS (Trusted Content Services).

udeleng

Johnny, you're saying that the less restrictive access applies, but I found contrary information in the Content Server Fundamentals guide, can you clarify please. I've seen this behavior on some objects, but I never seem to be completely sure.

Here is the info regarding conflicting ACL permissions fro the Fundamentals guide (pages 127-128):

When a non‑Superuser user accesses an object, Content Server examines the object’s a_controlling_app property. If the property has no value, then the user’s access is determined solely by ACL permissions. If the property has a value, then the server compares the value to the values in the session’s application_code property. If a match is found, the user is allowed to access the object at the level permitted by the object’s ACL.

If a match is not found, Content Server examines the default_app_permit property in the docbase config object. The user is granted access to the object at the level defined in that property (Read permission by default) or at the level defined by the object’s ACL, which ever is the more restrictive. Additionally, if a match isn’t found, regardless of the permission provided by the default repository setting or the ACL, the user is never allowed extended permissions on the object.

DCTM_Guru

" If the property has no value, then the user’s access is determined solely by ACL permissions."

- Read, version, none - these are all accessor permits as defined by the ACL.

"The user is granted access to the object at the level defined in that property (Read permission by default) or at the level defined by the object’s ACL, which ever is the more restrictive"

- This comparing access property defined at default_app_permit property to object ACL. This is NOT comparing accessor permit (in the ACL definition) you used in your examples. If you dont believe my initial response, you can easily test this out yourself.