Hi,
I want to add the 3 groups (test_read, test_write, test_delete) to an ACL. Please suggest a DQL query for achieving this.
Thanks,
Vishal
You cannot modify an ACL using DQL.
But you can do it in API.
Hi Jeremy_Lu,
Yes, I am able to achieve this using the API, but I am not able to run the API in DFS, so I thought to use DQL here to add groups into the ACL.
You could read the original ACL, append new groups, create new ACL, and then assign new ACL to the existing object. This is basically what Content Server does when you modify ACL on existing object by granting/revoking access to groups and users.
Hi Jonny,
Can you please share some example DQL or DFS code which I can make use of to add existing groups into an ACL?
public static void main(String[] args) {
    try {
        ContextFactory contextFactory = ContextFactory.getInstance();
        IServiceContext serviceContext = contextFactory.newContext();
        serviceContext.addIdentity(new BasicIdentity("user", "password"));
        IAccessControlService accessControlService = ServiceFactory.getInstance().getRemoteService(
                IAccessControlService.class, serviceContext, "core", "http://localhost:9080/services");
        AclPackage aclPackage = new AclPackage();
        Acl acl = new Acl();
        acl.setIdentity(new AclIdentity("repository", "domain", "acl_name"));
        acl.getEntries().add(new AclEntry("group_name", AccessType.PERMIT,
                Arrays.asList(new Permission[] { new Permission(PermissionType.BASIC, Permission.VERSION) })));
        aclPackage.getAcls().add(acl);
        AclPackage package1 = accessControlService.update(aclPackage);
        System.out.println(package1);
    } catch (Exception e) {
        e.printStackTrace();
    }
}

For more examples, check the DFS SDK (AccessControlServiceDemo.java).
Jeremy_Lu,
Where can I download the DFS SDK (AccessControlServiceDemo.java) file?
If you have access to the Documentum Download Center on Powerlink, it's available there.
Product : Documentum Foundation Services or Documentum Content Server
Documentum Foundation Services SDK for Windows, Version 6.7 SP1 (zip) File Name: emc-dfs-sdk-6.7_SP1.zip Download File Size: 85,056,569 bytes (81.1 MB)
It also seems to be available here: https://emc.subscribenet.com but my account is not working so I can't check.
It is not suggested to modify the dm_acl object directly using DQL or rough object update method. DFC IDfAcl and DFS AccessControlService are the specific APIs to handle ACL objects.
William
Jeremy,
I am using the below code to add a group into the ACL, but it's not updating the ACL.
AclIdentity aclIdentity = new AclIdentity();
aclIdentity.RepositoryName = "repository_name";
aclIdentity.Domain = "dmadmin";
aclIdentity.Name = "Collab_Communitites_ACL";

accessControlService = serviceFactory.GetRemoteService<IAccessControlService>(serviceContext, "core", dfs.DfsUrl);
List<AclIdentity> idList = new List<AclIdentity>();
idList.Add(aclIdentity);
AclPackage aclPackage = accessControlService.Get(idList);

AclEntry aclEntry = new AclEntry();
aclEntry.Accessor = "test_groupe";
Permission basicDeletePermission = new Permission();
basicDeletePermission.Name = Permission.DELETE;
basicDeletePermission.Type = PermissionType.BASIC;
aclEntry.AccessType = AccessType.PERMIT;
List<Permission> permissionList = new List<Permission>();
permissionList.Add(basicDeletePermission);
aclEntry.Permissions = permissionList;

Acl acl = new Acl();
acl.Entries.Add(aclEntry);
aclPackage.Acls.Add(acl);
//Acl acl = aclPackage.Acls[0];
//acl.Entries.Add(aclEntry);

accessControlService.Update(aclPackage);
Please let me know what I am doing wrong. The code is in C#.
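The read, append, update sequence discussed in this thread, as an added example that is not part of any post here and not taken from the DFS SDK: it appends entries to the Acl returned by Get (as the commented-out lines in the post above do) instead of adding a new Acl with no identity to the package. The namespaces, the class and method names, and the mapping of the three groups to READ, WRITE and DELETE are assumptions.

```csharp
using System.Collections.Generic;
using System.Linq;
// Assumed namespaces for the DFS .NET productivity layer; adjust to your SDK version.
using Emc.Documentum.FS.DataModel.Core.Acl;
using Emc.Documentum.FS.Services.Core;

public static class AclGroupGrant
{
    // Assumed mapping, based only on the group names given in the question.
    static readonly Dictionary<string, string> Grants = new Dictionary<string, string>
    {
        { "test_read",   Permission.READ },
        { "test_write",  Permission.WRITE },
        { "test_delete", Permission.DELETE }
    };

    public static AclPackage AddGroups(IAccessControlService service, AclIdentity aclIdentity)
    {
        // Read the ACL as it currently exists in the repository.
        AclPackage aclPackage = service.Get(new List<AclIdentity> { aclIdentity });
        Acl acl = aclPackage.Acls[0];

        foreach (KeyValuePair<string, string> grant in Grants)
        {
            // Skip accessors that already have an entry, so reruns do not add duplicates.
            if (acl.Entries.Any(e => e.Accessor == grant.Key)) continue;

            Permission permission = new Permission();
            permission.Type = PermissionType.BASIC;
            permission.Name = grant.Value;

            AclEntry entry = new AclEntry();
            entry.Accessor = grant.Key;
            entry.AccessType = AccessType.PERMIT;
            entry.Permissions = new List<Permission> { permission };

            // Append to the fetched Acl, which still carries its identity.
            acl.Entries.Add(entry);
        }

        // Send the same package back; the session user needs rights to change this ACL.
        return service.Update(aclPackage);
    }
}
```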
Just for future reference to anyone bumping into this forum topic (as I did): unfortunately, it is NOT possible to change object permissions using DFS unless you are the owner of the object or a superuser. It does not mean anything if you have WRITE basic permission and CHANGE_PERMISSION extended permission; with DFS you can't do anything about it, because the DFS architects forgot to put grant and revoke methods in DFS (as DFC has). You can't update the existing ACL because you're not its owner (DM_ACL_E_NOT_OWNER). Nor can you simply "read the original ACL, append new groups, create new ACL and then assign new ACL to the existing object", as Johnny Gee suggests, because you can't change the ACL domain of an existing object, because, remember, you're not its owner (DM_SYSOBJECT_E_INVALID_ACL_DOMAIN).
So, all in all, to conclude: if you want to grant rights to some group, role, or user on an existing object and you're not the owner, you'll need to write your own custom DFS service for this.
EXECUTE DO_METHOD WITH METHOD=....
If you thought to execute API via DQL's DM_METHOD, it is not possible. DO_METHOD executes an external program, a docbasic script, or a Java method. You can't invoke API via DQL as far as I know. If you think it's doable please elaborate.
I just wanted to say that you were right about DFS - it's totally useless, but the grant use case could be achieved using a passthrough query and a custom method, so a custom service is not the only solution.
I understand. You're right.