Security

At object store creation time, users and groups that are designated as administrators or non-administrators receive default access rights to the object store and to the objects that are contained within it.

Security on the object store itself is distinguished from security on objects that are stored in the object store. Applying security on the object store occurs when the object store is created. At creation time, you specify the users and groups who are object store administrators and those who have non-administrative (user) access rights. By default, administrators receive full control access rights on the object store and all securable objects that are contained within it. Non-administrative users receive access rights to the object store that allow them to browse directories and read documents. The access rights that are specified at creation time are used to set the permissions for all of the class definitions that get created. It is recommended that, rather than specifying individual users when you set security at object store creation time, you add at least one group for administrators (for example, "CEAdmins") and one group for users during object store creation. You can then easily grant or remove access to an object store by modifying the group (such as adding or removing members) without having to modify individual class definitions.

You can programmatically retrieve and set access rights for the objects that are contained within an object store. A collection of access rights (represented within the Content Engine API as an AccessPermissionList object) control a user's ability to store an object, delete an object, and so on.

In addition to the typical access rights, that you might grant to administrators and to users that work with objects, you can assign the following special object store access rights to a select user or group of users:

  • PRIVLEGED_WRITE. A user or group granted this permission is allowed to set the following system-level properties: Creator, DateCreated, LastModifier, and DateLastModified. System-level tools such as import/export tools, migration utilities, and federation tools might need to modify these properties, so that the users who run the tools must be granted an elevated level of permission. Note that the Creator and DateCreated properties can be set only at object creation time, and then only by users who are granted PRIVLEGED_WRITE access.
  • WRITE_ANY_OWNER. This permission implicitly gives a user or group the WRITE_OWNER permission on all objects in the object store. That user can read all objects and set the owner to himself, thus also obtaining the ability to read and write ACLs.
  • VIEW_RECOVERABLE_OBJECTS. This permission allows a user or group to access and modify all recoverable objects in the object store. Recoverable objects are objects that are marked for deletion and are contained in recovery bins.
Important: Do not grant these elevated object store permissions to ordinary users and groups, or even to most administrators. Grant these rights only to users or groups who need this special access.