Permission Set Templates (Template ACLs) - recommended use cases?

We have a perfect use case for creating permission set templates as part of our base install which includes the object model for a repository.
We have development and production ActiveDirectory user groups that need to be part of the ACLs that are neccessary for our application.
Our initial thought was to have permission set templates with installation parameters - the dev group will be used when the DAR is installed into our dev/test repository and the Prod group will be used when the DAR is installed in the Prod repository

However, after reading about how Documentum resolves aliases in a permission set template, it does not seem like this is a good idea.
This is what is mentioned in the Tech Fundamentals course book:

When the permission set template is assigned to an object, the server:
- Creates a copy of the template
- Resolves the aliases in the copy to actual user or group names
- Assigns the copy to the object as a custom permission set

Does this mean that we could potentially have thousands of custom permission sets in the repository? (which is not desirable)
What is the benefit of using Permission Set templates then if it is offset by the above point?

Any thoughts/advice/tips on this is greatly appreciated.

Thanks in advance

Find more posts tagged with

Comments

DCTM_Guru

Read my blog entries on PSTs:

http://johnnygee.wordpress.com/2006/09/12/permission-set-templates-friend-or-foe-part-1/

http://johnnygee.wordpress.com/2006/09/14/permission-set-templates-friend-or-foe-part-2/

If you any further questions, post them and I will try to address them. It would probably be helpful in the discussions if you use an example as well.

Trupthy.Bharadwaj

Thanks, Johnny!

After reading your articles, I am very sure now that using permission set templates is the way to go for my organization. We satisfy all 3 requirements that you have listed in your article (Part II).

I will come back with specific examples - I am in the process of testing out a similar scenario that you mention in your link.

Thanks again!

Trupthy.Bharadwaj

I tried out a PST in our Dev environment. The first time, I got this error:

[DM_POLICY_E_AS_NO_ALIAS_SET_USER] error: "No default alias set found for user XYZ. The following alias sets were searched: sessionconfig, user, user's default group,server config and policy (if applicable)."

I had to set the alias set of user XYZ to the alias set I used in my PST. I understand the point you made about the "pecking" order of alias set resolution, so my question is this:

If our default ACL for the repository is set to 'Type', what is the recommended way to set the alias set - set it on user, user's default group or server/session config objects?

TIA

DCTM_Guru

I normally assign the alias set directly to the document itself. This way I dont have to worry about the different resolution path. Using a superuser session, you can assign r_alias_set_id attribute directly against the document.

prabhu

Hi,

Consider we have a requirement where we automate the folder (custom folder type) creation using TBOs.

Here for each new folder created, the acl should be applied based on the custom attribute which will have list of users whom should be given access to that folder.

Say the user count is 200. So there can be lot of combinations of users which will lead to lots of acl.

If i go for PST (Template acl), again I see that acls are getting created in the form of instances of the acl template. So there is no use in going with PST apart from the fact that changes to the acl if any will be easier in future. Is my understanding correct??

What is best possible way to minimize the count of acls in this scenario?

DCTM_Guru

PSTs are good when you have structure in your organization (ie you can define groups, rather than individual users). Look at my blog entry on more info for this:

http://johnnygee.wordpress.com/2006/09/14/permission-set-templates-friend-or-foe-part-2/

Are you saying that the 200 users do not belong to a department/group? It might be better to start another post, so that you will receive updates, not the OP.

prabhu

i was expecting a reply from you Jhony ... thanks for the response .. i will start a new thread for this .. lets discuss over there