Listing permissions assigned to groups (Documentum 6.7)

CasperBoyles
edited June 5, 2015 in Documentum #1


Hi all

I am trying to do some housekeeping on our list of Documentum groups. We do not use Documentum in the same way as when it was originally implemented and a lot of our user groups are no longer relevant.

I see that if a group is deleted the permissions are not removed from objects in Documentum where they are applied.

It seems to me I need to know every cabinet / folder / document where permissions appear for a particular group so I can remove the relevant permissions from the objects manually before deleting the groups.

Is there a way (DQL?) of seeing a particular group and everywhere the group has permissions allocated? Also is there a more elegant way to do this so groups are deleted and permissions are removed as one action?

Documentum recommends we reassign the groups, but this is not ideal for us, we really do want to clear some of the old redundant groups out of the list.

Many Thanks

Casper

Comments

  • Marcus_Wuensche
    edited June 4, 2015 #2

    select r_object_id, object_name, r_accessor_name, r_accessor_permit from dm_acl where any r_is_group = true and r_accessor_name not in (select group_name from dm_group) enable (row_based)

    Does this fit your needs?

  • CasperBoyles
    edited June 4, 2015 #3

    Hi Marcus

    Thanks for your reply. I am not entirely sure, I am executing the query but I am not sure what I am looking at in terms of results.

    For example, we have a group called asset_mod_assessor, this is one of the groups I would like to delete.

    I would need to see any documents / folders / cabinets where this group may have some basic permissions (write, delete, etc). This would allow me to manually remove all of these basic permissions before deleting the group.

    However, if I run your query:

    select r_object_id, object_name, r_accessor_name, r_accessor_permit from dm_acl where any r_is_group = true and r_accessor_name not in ('asset_mod_assessor') enable (row_based)

    I will return 1219 pages of results with 100 results per page. The top line returns:

    r_object_id 450003e980000101

    object_name dm_450003e980000101

    r_accessor_name docu

    r_accessor_permit 5

    So this does not really give me the information I would need to complete the task I have described, but I may be misinterpreting what you say or be doing something wrong?

    Many Thanks

    Casper

  • Marcus_Wuensche
    edited June 4, 2015 #4

    Hi Casper,

    For me it returns ACLs which refer to non-existing groups. I assume group "docu" is not deleted in your system? The result set would be valid if "docu" was deleted.

    If you want to know which ACLs refer to a certain group (which you will delete afterwards) just use:

    select r_object_id, object_name, r_accessor_name, r_accessor_permit from dm_acl where any r_is_group = true and r_accessor_name = 'groupToDelete' enable (row_based)


    You don't need a list of Cabinets/Folders/Documents, do you? You need to adjust ACLs. So if you know which groups to delete, it doesn't matter where access is granted. It is just important which ACLs to adjust.



    EDIT: Ah, I just noticed your change of the DQL:

    select r_object_id, object_name, r_accessor_name, r_accessor_permit from dm_acl where any r_is_group = true and r_accessor_name not in ('asset_mod_assessor') enable (row_based)


    This will give you any ACL where this certain group is not referred to!

  • CasperBoyles
    edited June 4, 2015 #5

    Hi Marcus

    Ok, I have been trying to get my head around this.

    You are correct, the group 'docu' has not been deleted.

    So the query is giving me an object_name for the ACL associated with the group asset_mod_assessor. I can then look this up in the list of permission sets in DA and find it 'tp_assetmod_acl'.

    So can I assume that the only permissions this group has within our Documentum repository are ones allocated via the tp_assetmod_acl?

    If so I believe I will need to amend or delete tp_assetmod_acl, so that it includes no permissions for 'asset_mod_assessor' and then delete the 'asset_mod_assessor' group? In this particular case I can see the tp_assetmod_acl contains 'Write' permissions for 'asset_mod_assessor'.

    If the query had returned more than 1 line then there would be additional ACLs to amend / delete.

    Is this correct? Thanks a lot for your help with this, it is much appreciated.

    Thanks, Casper

  • Marcus_Wuensche
    edited June 4, 2015 #6

    Hi Casper,

    Access is granted by:

    - giving the specified group direct access inside ACL

    - having any resolved supergroup of the specified group with access in an ACL

    If you use the query to look up ACLs which refer to a certain group, you are correct.

    You get a list of ACLs that contain the specified group as r_accessor_name (direct access granted). This is sufficient to clean up access for this group (keep in mind that the group to delete can have access by being assigned to a supergroup). If you modify the listed ACLs to not contain this group anymore, any access is cleaned up correctly after you have deleted the entries in the ACL and the group itself.

    Have fun cleaning up

    Regards, Marcus

  • CasperBoyles
    edited June 5, 2015 #7

    Hi Marcus

    That's great. Yes, I will get started on the 'clean up' today, thanks again for all your help on this.

    Regards

    Casper
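
The two ways access is granted in comment #6 (a direct ACL entry, or an entry for a resolved supergroup), together with the dangling entries that the query in comment #2 looks for, can be separated in one pass over exported rows. This is an added example, not code from the thread or from Documentum: the rows and group nesting are constructed sample data, and every name except tp_assetmod_acl and asset_mod_assessor is hypothetical.

```python
from collections import defaultdict

# Constructed sample data (not from the thread's repository), shaped like the
# rows of the row_based dm_acl query plus an export of group nesting.
ACL_ROWS = [  # (acl object_name, r_accessor_name, r_accessor_permit, r_is_group)
    ("tp_assetmod_acl", "asset_mod_assessor", 6, True),   # 6 = Write
    ("tp_assetmod_acl", "dm_owner", 7, False),
    ("tp_review_acl", "asset_reviewers", 3, True),
    ("tp_archive_acl", "all_asset_staff", 2, True),
    ("tp_legacy_acl", "old_project_team", 6, True),       # group already deleted
]
GROUP_MEMBERS = {  # group_name -> groups it directly contains (hypothetical)
    "asset_mod_assessor": [],
    "asset_reviewers": ["asset_mod_assessor"],
    "all_asset_staff": ["asset_reviewers"],
}

def supergroups(group, members=GROUP_MEMBERS):
    """Every group that contains `group` directly or through nesting."""
    parents = defaultdict(set)
    for parent, children in members.items():
        for child in children:
            parents[child].add(parent)
    found, stack = set(), [group]
    while stack:
        for parent in parents[stack.pop()]:
            if parent not in found:        # guards against cyclic nesting
                found.add(parent)
                stack.append(parent)
    return found

def acl_cleanup_report(group, rows=ACL_ROWS, members=GROUP_MEMBERS):
    """Sort group entries in ACLs into direct, inherited and dangling."""
    via = supergroups(group, members)
    report = {"direct": [], "via_supergroup": [], "dangling": []}
    for acl, accessor, permit, is_group in rows:
        if not is_group:
            continue                       # user and alias entries are out of scope
        if accessor == group:
            report["direct"].append((acl, permit))
        elif accessor in via:
            report["via_supergroup"].append((acl, accessor, permit))
        elif accessor not in members:      # entry names a group that no longer exists
            report["dangling"].append((acl, accessor, permit))
    return report

if __name__ == "__main__":
    for case, entries in acl_cleanup_report("asset_mod_assessor").items():
        print(case, entries)
```

In this model, the "direct" entries are the ACLs to amend before the group is deleted, while "via_supergroup" entries show access the group holds only through membership of another group.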