
documentum security, user privileges, object-level permissions

User privileges

Basic user privileges

Level  Privilege        Description
0      None             User has no special privileges
1      Create Type      User can create object types
2      Create Cabinet   User can create cabinets
4      Create Group     User can create groups
8      Sysadmin         User has system administration privileges
16     Superuser        User has Superuser privileges

The basic user privileges are additive, not hierarchical. For example, granting Create Group to a user does not give the user Create Cabinet or Create Type privileges. If you want a user to have both privileges, you must explicitly give them both privileges.

Typically, the majority of users in a repository have None as their privilege level. Some users, depending on their job function, will have one or more of the higher privileges. A few users will have either Sysadmin or Superuser privileges.

 

User privileges do not override object-level permissions when repository security is turned on. However, a superuser always has at least Read permission on any object and can change the object-level permissions assigned to any object.

Applications and methods that are executed with Content Server as the server always have Superuser privileges.

 

Extended user privileges

Level  Privilege        Description
8      Config Audit     User can execute the methods to start and stop auditing.
16     Purge Audit      User can remove audit trail entries from the repository.
32     View Audit       User can view audit trail entries.

The extended user privileges are not hierarchical. For example, granting a user Purge Audit privilege does not confer Config Audit privilege also.

Repository owners, Superusers, and users with the View Audit permission can view all audit trail entries. Other users in a repository can view only those audit trail entries that record information about objects other than ACLs, groups, and users.

Only repository owners and Superusers may grant and revoke extended user privileges, but they may not grant or revoke these privileges for themselves.


What object-level permissions are

Object-level permissions are access permissions assigned to every SysObject (and SysObject subtype) in the repository. They are defined as entries in ACL objects. The entries in the ACL identify users and groups and define their object-level permissions to the object with which the ACL is associated. Each SysObject (or SysObject subtype) object has an associated ACL. For most SysObject subtypes, the permissions control the access to the object. For dm_folder, however, the permissions are not used to control access unless folder security is enabled. In such cases, the permissions are used to control specific sorts of access, such as the ability to link a document to the folder.

There are two kinds of object-level permissions: base permissions and extended permissions.

 

Base object-level permissions

Level  Permission  Description
1      None        No access is permitted.
2      Browse      The user can look at property values but not at associated content.
3      Read        The user can read content but not update.
4      Relate      The user can attach an annotation to the object.
5      Version     The user can version the object, but cannot overwrite the existing version.
6      Write       The user can write and update the object. Write permission confers the ability to overwrite the existing version.
7      Delete      The user can delete the object.

These permissions are hierarchical. For example, a user with Version permission also has the access accompanying Read and Browse permissions. Or, a user with Write permission also has the access accompanying Version permission.

 

Extended object-level permissions

 

Change Location

In conjunction with the appropriate base permission level, allows the user to move an object from one folder to another. All users having at least Browse permission on an object are granted Change Location permission by default for that object.

Note: Browse permission is not adequate to move an object.

Change Ownership

The user can change the owner of the object.

Change Permission

The user can change the basic permissions of the object.

Change State

The user can change the document lifecycle state of the object.

Delete Object

The user can delete the object. The delete object extended permission is not equivalent to the base Delete permission. Delete Object extended permission does not grant Browse, Read, Relate, Version, or Write permission.

Execute Procedure

The user can run the external procedure associated with the object.

All users having at least Browse permission on an object are granted Execute Procedure permission by default for that object.

Change Folder Links

Allows a user to link an object to a folder or unlink an object from a folder.

The permission must be defined in the ACL associated with the folder.

The extended permissions are not hierarchical. You must assign each explicitly.
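The following is an added example, not code from the page or from Content Server: a small Python model of the rules stated above (additive privilege bits, hierarchical base permissions, non-hierarchical extended permissions, and the superuser Read floor). The aggregation rule (highest matching base permit, union of matching extended permits) and the accessor/group matching are assumptions made for the model, not a description of Content Server's actual evaluation.

```python
from dataclasses import dataclass, field

# Basic user privilege bits as listed on this page (additive, not hierarchical).
PRIV_CREATE_TYPE, PRIV_CREATE_CABINET, PRIV_CREATE_GROUP = 1, 2, 4
PRIV_SYSADMIN, PRIV_SUPERUSER = 8, 16

# Base object-level permission levels as listed on this page (hierarchical, 1..7).
NONE, BROWSE, READ, RELATE, VERSION, WRITE, DELETE = range(1, 8)


def has_privilege(user_privileges: int, flag: int) -> bool:
    """Additive check: a bit grants only its own privilege, never a 'lower' one."""
    return user_privileges & flag == flag


@dataclass
class AclEntry:
    accessor: str                       # user or group name (the ACL.grant accessor)
    permit: int                         # base permission level 1..7
    xpermits: frozenset = frozenset()   # extended permissions, e.g. {"change_location"}


@dataclass
class Acl:
    entries: list = field(default_factory=list)


def effective_permission(acl, user, groups, user_privileges):
    """Assumed aggregation: highest base permit among matching entries, union of
    their extended permits. Superuser adds the Read floor stated on the page."""
    matching = [e for e in acl.entries if e.accessor == user or e.accessor in groups]
    permit = max((e.permit for e in matching), default=NONE)
    xpermits = set().union(*(e.xpermits for e in matching))
    if has_privilege(user_privileges, PRIV_SUPERUSER):
        permit = max(permit, READ)
    return permit, xpermits


def can(acl, user, groups, privs, needed_permit=NONE, needed_xpermit=None) -> bool:
    """True when the user meets the base level AND holds the named extended permit."""
    permit, xpermits = effective_permission(acl, user, groups, privs)
    if permit < needed_permit:          # base permits are hierarchical
        return False
    # Extended permits are not hierarchical: each must be present explicitly.
    return needed_xpermit is None or needed_xpermit in xpermits


# Constructed sample ACL: alice has Version directly; her group has Browse plus Change Location.
SAMPLE_ACL = Acl([AclEntry("alice", VERSION),
                  AclEntry("engineering", BROWSE, frozenset({"change_location"}))])
```

Note that with this model a user holding base Delete (7) does not thereby hold the Delete Object extended permit, matching the page's statement that the two are not equivalent.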

 

Default permissions

Object owners, because they have Delete permission on the objects they own by default, also have Change Location and Execute Procedure permissions on those objects. By default, Superusers have Read permission and all extended permissions except Delete Object on any object.

 

Folder security

What folder security is

Folder security is a supplemental level of repository security. When folder security is turned on, for some operations the server checks and applies permissions defined in the ACL associated with the folder in which an object is stored or on the object's primary folder. These checks are in addition to the standard object-level permission checks associated with the object's ACL. In new repositories, folder security is turned on by default.

Folder security does not prevent users from working with objects in a folder. It provides an extra layer of security for operations that involve linking or unlinking, such as creating a new object, moving an object, deleting an object, and copying an object.

 

 

ACL and object-level permissions

 

Each SysObject has an associated ACL (object-level permissions)

 

    SysObject (*)  -- has acl_name attribute ----------------------> ACL (1)
                      (an ACL is assigned to a SysObject)

    User (*)       -- ACL.grant(accessor, permit, xpermit) --------> ACL (1)
                      (User also has an acl_name attribute;
                       an ACL can be granted to multiple accessors)

    ACL (1): (accessor_name, accessor_permit, accessor_xpermit, application_permit)

 

With the grant operation, users (accessors) are associated with an ACL, so the users have object-level permissions. The other way, each SysObject object has an ACL. Through these two steps, object-level permission is available when users access a SysObject object.

 

What an ACL is

ACL is the acronym for access control list. ACLs are the mechanism that Content Server uses to impose object-level permissions on SysObjects. An ACL has one or more entries that identify a user or group and the object-level permissions accorded that user or group by the ACL.

Each SysObject object has an ACL. The ACL assigned to most SysObjects is used to control access to the object. Folders are the exception to this. The ACLs assigned to folders are not used to define access to the folder. Instead, they are used by folder security and may be used as default ACLs for objects stored in the folder.

Implementation overview

An ACL is represented in the repository as an object of type dm_acl. An ACL's entries are recorded in repeating properties in the object. Each ACL is uniquely identified within the repository by its name and domain. (The domain represents the owner of the ACL.) When an ACL is assigned to an object, the object's acl_name and acl_domain properties are set to the name and domain of the ACL.

After an ACL is assigned to an object, the ACL can still be changed. You can modify the ACL itself, or you can remove it and assign a different ACL to the object.

 

ACL is for object-level permissions, and RBAC is for operations control.

 

role, group, queue ? http://johnnygee.wordpress.com/page/14/

 

Still haven't quite figured this out...

 

 
