I am trying to update an object using a super user, but I am not able to update it because the user I am using is not present in the ACL of that object. Is there any way to update the object without adding the super user to the ACL?
You can try to change the owner to the super user (of course it's pointless if the owner doesn't have WRITE permit). However, I think that you need CHANGE OWNER extended permit to do that, even as superuser. Temporarily changing the ACL is usually the easiest solution.
Thanks for the reply. We are trying to create a single user who will have write access on all objects in the repository.
Currently we have created a user with Sysadmin / Superuser privilege, but the user does not have write access on all objects.
Please suggest the best solution to get the user write access on all objects (for example, if there is any group / role where we can add this user so that the user will get write access on all objects).
Thanks
So by default, superuser will have the permissions that dm_owner has PLUS the ability to change the ACL. So if dm_owner doesn't have WRITE permissions, then superuser will not. In this situation, you will have to do what bacham3 suggested: change the ACL so that it gives superuser (or dm_owner) WRITE permissions, and then change it back after you are done.
Thank you, we will add the user to the group.
You can try using the API without changing anything else.
The API still respects security permissions. So if you don't have WRITE permissions on the object, using the API doesn't change anything.
DCTM_Guru, can you review again?
I created an object with no permission for superuser. Now, when I used DQL to update it using the superuser account, it didn't update, but when I used the API, I found the object updated. Am I missing something?
Please post a screenshot of the permissions for the object you created as superuser. Also post the DQL you are using to update the object. API/DQL have been around since the beginning of DCTM and both of them adhere to the security model.
Superuser inherits the permissions of dm_owner. The OP was saying that dm_owner did not have WRITE permissions, so if dm_owner doesn't have WRITE permissions, then superuser doesn't have WRITE permissions either.
Thanks, Guru, for pointing out that "The OP was saying that dm_owner did not have WRITE permissions". This is what I missed in my testing, so you are correct there.
I still assume it may be possible to update the object using the superuser account without changing the permission on the object. The repository config (dm_docbase_config) object has minimum_owner_permit, which by default is 0 (READ). This must be set to WRITE (6), and then the superuser account should be able to update the object. I am not able to confirm this as I currently don't have the privilege to make this kind of change and test it in my environment. It would be great if someone could test and confirm.
Yes, if you change the repository config to get around this. Keep in mind, if you implement this setting, then you are giving ANY user who is the owner of the document the ability to update the document (even if the ACL you defined does not allow this). Typically, controlled documents that have been approved/released have ACLs that don't give anyone WRITE permissions.
IMHO changing the repo setting and changing it back is the same amount of effort as changing the ACL for a specific document and changing it back, AND the latter does NOT "open up" security for other users.