Best Practice Question - Setting default ACL for repository

Trupthy.Bharadwaj
edited February 4, 2009 in Documentum #1

We are new to Documentum, so if there already is information on this, please point me to it.

We have installed D 6.5 SP1 in our company and we have set up the Content Server's Default ACL to be 'Type' (default_acl = 2 in dm_server_config_object).
When we did this, we found that we would need to set a default ACL for every dm_sysobject created - not just objects created from our custom types.
(we were seeing errors when dm_procedure objects were created)

  • Is there any recommendation on what this default ACL should look like?
  • What do most users/companies do in this scenario?

Best Answer

  • Chris_Campbell
    edited January 7, 2009 #2 Answer ✓

    The decision of what default ACL to use (folder, creator or type) is going to depend on how your repository is going to be used by your users and what you are storing.  Some companies have several repositories and use a different default ACL based on several sets of criteria.  Other companies just have one repository and have to choose the best default ACL that fits all scenarios.

    Quick review of the three default ACLs that can be used:

    • Folder - When an object is first stored or created it inherits the ACL of the folder it is located in.
    • Creator - An object inherits the ACL of the person who created it.
    • Type - An object inherits the default ACL as defined for that object type.

    Each has its advantages and disadvantages.  It's a good thing that ACLs can change, and frequently do in a busy repository, so choosing the wrong default ACL isn't the end of the world.  It does make things easier initially.

    Most people that I've come in contact with use the Folder ACL.  Most repositories are a general library of information with lots of people viewing and creating material.  Most organization that is done is through cabinets and folders.  It's also what most people are familiar with since most computer networks employ this type of security.

    The next most often used is the Type ACL.  This is usually done in multi-repository installations in my experience, where the repository is specifically targeted towards a department or purpose.  Since not many people might use the repository, type-based ACLs are handy for quickly categorizing material.  Medical and legal companies tend to gravitate towards this it seems.  The downside is that you need to make sure that you set up your types and ACLs way ahead of time before your repository gets heavy use.

    One that I don't see getting used a lot is the Creator ACL.  To be used correctly, it does take some forethought, some extra maintenance than the folder ACL, but can be very powerful if you have content shared in a few folders, have a lot of people using the repository, but you want to protect content from some groups or individuals.  If you're not careful, using Creator ACLs will be a nightmare if each user has a unique ACL as their default.  Then you'll end up with hundreds of files with hundreds of individual ACLs.  Slows the system down and when one person has a corrupted ACL or is deleted.... oh boy.  However, if used correctly sensitive material can be kept within hand but out of sight.  Personally, I tend to shy away from Creator ACLs as being the default because it has too many potential downsides and there are workarounds that do the same things as Creator ACLs using Folder or Type.

    For you... I'd go with Folder.  If you plan on using workflows and lifecycles, then you'll probably be applying different lifecycles to your documents through them anyway.  The way I design systems, most objects that are created or imported are through forms or through a workflow.  The first thing that usually happens is a TBO applies the ACL or the workflow does it for me.  That's why I use Folder ACL as the default 99.97% of the time.

    Hope this helps!
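
The three inheritance modes compared in the answer above, as an added example that is not part of the original post and not Documentum code. It is a simplified model: the inventory, ACL names, mode names and both functions are constructed for illustration, the unset `dm_procedure` entry mirrors the error reported in the question, and no server fallback behaviour is modelled.

```python
from collections import Counter, defaultdict

# Constructed inventory (not from a real repository). Each table maps a folder,
# user or object type to the ACL it would hand to new objects; None = not set.
FOLDER_ACL = {"/Claims": "acl_claims", "/HR": "acl_hr", "/System": "acl_admin"}
USER_ACL = {"alice": "acl_alice", "bob": "acl_bob", "carol": "acl_carol",
            "installer": "acl_admin"}
TYPE_ACL = {"claim_doc": "acl_claims", "hr_doc": "acl_hr", "dm_procedure": None}

# Constructed objects about to be created: (name, type, folder, creator).
OBJECTS = [
    ("claim-001", "claim_doc", "/Claims", "alice"),
    ("claim-002", "claim_doc", "/Claims", "bob"),
    ("claim-003", "claim_doc", "/Claims", "carol"),
    ("policy-01", "hr_doc", "/HR", "alice"),
    ("startup_proc", "dm_procedure", "/System", "installer"),
]

def resolve_default_acl(mode, obj):
    """Return the ACL the given default mode hands to obj, or None if unset."""
    _name, obj_type, folder, creator = obj
    table, key = {
        "folder": (FOLDER_ACL, folder),
        "creator": (USER_ACL, creator),
        "type": (TYPE_ACL, obj_type),
    }[mode]
    return table.get(key)

def audit(mode, objects=OBJECTS):
    """Report objects left without an ACL and how ACLs spread across folders."""
    unresolved, usage, per_folder = [], Counter(), defaultdict(set)
    for obj in objects:
        acl = resolve_default_acl(mode, obj)
        if acl is None:
            unresolved.append(obj[0])  # creation would have nothing to inherit
            continue
        usage[acl] += 1
        per_folder[obj[2]].add(acl)
    return {
        "unresolved": unresolved,
        "distinct_acls": len(usage),
        "max_acls_in_one_folder": max(map(len, per_folder.values()), default=0),
    }

if __name__ == "__main__":
    for mode in ("folder", "creator", "type"):
        print(mode, audit(mode))
```

Running the same audit over a real inventory before changing the server default shows which types, users or folders still need an ACL assigned, and how many distinct ACLs a single folder would end up holding under each mode.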

Answers

  • Trupthy.Bharadwaj
    edited January 7, 2009 #4

    Thank you so much, Chris!

    All this information certainly helps. We will rethink our decision to use Type ACL. As you mentioned, we will be using workflows and lifecycles and every document that is created/imported is through a form or workflow.

  • Chris_Campbell
    edited January 7, 2009 #5

    In your case, you're pretty much controlling where the content is going or will end up residing.  You're going to be able to control the ACL that is going to be put on the content.  That's great because now you just need to be concerned with any content that would be imported or created through any other method or clients.  That would be the people who use Webtop or Taskspace to just browse around and have access to import files.  Typically, these are going to be your power users.  If you look at how they are going to import content, I can just about guarantee that those people place content in a specific place.  It just makes common sense to use Folder ACL as your default in that scenario.

    Anything that you need Type ACL applied to can be done with a TBO.  Very easy to do and there's plenty of tutorials around that show how to do it.  I also like Folder ACL because it seems (to me anyway) that the extra work that's needed with type and user ACLs are going to be already covered by aspects.  The only thing that you'd additionally need would be a "folder" aspect that you already have if you use Folder ACLs.

  • Trupthy.Bharadwaj
    edited January 7, 2009 #6

    I see your point about Webtop and/or Taskspace clients - it is only a select group - Production Support users (power users as you mentioned) that will be needing this functionality.

    Our content ingestion into this repository is highly controlled - code (custom app), form (taskspace app), InputAccel app - these will be the only 3 ways content gets into the system. Given that, TBOs seem like the best solution... will look up information on this. Thanks, again!

  • mszurap
    edited January 8, 2009 #7

    Hi,

    Johnny Gee had a good article on this. Read it over... http://johnnygee.wordpress.com/2006/09/29/inherit-from-who/

    Mike

  • Trupthy.Bharadwaj
    edited January 8, 2009 #8

    Thank you, Miklos!

    That is a very good article indeed - lots of useful information.

  • BBDUser2
    edited February 4, 2009 #9

    A very interesting article, Chris, thanks!

    Our docbase was created using "Creator" default and has created all sorts of interesting problems...