IBM Content Navigator, Version 2.0.3     Supports:  FileNet P8

Security settings for teamspaces on IBM FileNet P8 repositories

You can use the IBM® Content Navigator administration tool to modify the security of the users and groups who need to create and use teamspaces and teamspace templates on your IBM FileNet® P8 repositories.

Overview of the security model for teamspaces

The security of a teamspace or teamspace template is inherited from the security that is defined in the Roles custom object that is assigned to the teamspace or teamspace template. A member of the teamspace with sufficient privileges can add and remove members from the teamspace. When the Roles custom object is updated, the documents and folders in the teamspace are updated with the modified member list. However, items that are added to the teamspace from the repository do not use the same security as the teamspace. The items retain the security that is already defined in the repository.

By default, only the user who creates a teamspace template has access to the template. The user must share the template with other users and groups, to enable those users and groups to create a teamspace from that template. The user can also share the template with all IBM FileNet P8 users.

After the teamspace add-on is run on the repository, you can use the administration tool to specify the users and groups who can create and use teamspaces and teamspace templates.

Tip: It is recommended that you specify groups rather than users to simplify teamspace management.

In the IBM Content Navigator administration tool, if you create multiple repositories that point to the same IBM FileNet P8 object store, the security that you set for one of these repositories is used by all of the repositories that point to that object store.

Teamspace template roles

When you assign a user or group to a teamspace template role, the user or group is given the appropriate security settings on the required classes and folders on the repository. The changes to the security are applied after you save your changes to the repository configuration in the IBM Content Navigator administration tool.

The IBM Content Navigator administration tool defines the following teamspace template roles:

Teamspace template administrator
Users who have Full Control permissions for the repository (object store). You cannot change the list of teamspace template administrators from the administration tool.

Teamspace template administrators can delete or modify any teamspace template. The user that creates a teamspace template does not need to share the template with teamspace template administrators.

Teamspace template creator
Users who can create a teamspace template on the repository. When you designate a user or group as a teamspace template creator, the user or group is given the following security:
  • For the Role and Security Adapter custom object classes, the user or group is given Create Instance, View all properties, and Read Permissions security.
  • For the Teamspace Template folder class, the user or group is given View all properties, Create Instance, and Read Permissions security.
  • For the ClbRoles folder, the user or group is given View all properties, File in Folder, Unfile from Folder and Read Permissions security.
  • For the ClbTeamspace Template folder, the user or group is given View all properties, File in Folder, Unfile from Folder, Create Subfolders, and Read Permissions security.

Teamspace roles

When you assign a user or group to a teamspace role, the user or group is given the appropriate security settings on the required classes and folders on the repository. The changes to the security are applied after you save your changes to the repository configuration in the IBM Content Navigator administration tool.

The IBM Content Navigator administration tool defines the following teamspace roles:

Teamspace administrator
Users who have Full Control permissions for the repository. You cannot change the list of teamspace administrators from the administration tool.

Teamspace administrators can delete or modify any teamspace. The user that creates a teamspace does not need to share the teamspace with teamspace administrators.

Teamspace creator
Users who can use a teamspace template to create a teamspace on the repository. When you designate a user or group as a teamspace creator, the user or group is given the following security:
  • For the Role and Security Adapter custom object classes, the user or group is given Create Instance, View all properties, and Read Permissions security.
  • For the Teamspace folder class, the user or group is given View all properties, Create Instance, and Read Permissions security.
  • For the ClbRoles folder, the user or group is given View all properties, File in Folder, Unfile from Folder and Read Permissions security.
  • For the ClbTeamspace folder, the user or group is given View all properties, File in Folder, Unfile from Folder, Create Subfolders, and Read Permissions security.

Teamspace user
Users who can see the teamspaces on the repository. When you designate a user or group as a teamspace template user, the user or group is given the following security:
  • For the Role and Security Adapter custom object classes, the user or group is given View all properties and Read Permissions security.
  • For the Teamspace Template and Teamspace folder classes, the user or group is given View all properties and Read Permissions security.
  • For the ClbRoles, ClbTeamspace Template, and ClbTeamspace folders, the user or group is given View all properties and Read Permissions security.

Important: A teamspace user can see the teamspaces on the repository. However, the user must be a member of a teamspace to access the teamspace. In addition, the user's role within a teamspace determines the actions that the user can take in the teamspace.

If you want all of the users in your environment to be able to see teamspaces, you can add the #AUTHENTICATED-USERS pseudo-account to the teamspace user role.
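The role lists above can be turned into a least-privilege check. The following is an added example, not IBM code: it compares role assignments with the rights each principal actually holds and reports excess or missing rights. The ACL export format and the sample data are assumptions constructed for illustration; teamspace administrators (Full Control) are outside its scope and should be excluded from the input.

```python
# Added example (not IBM code): least-privilege audit of teamspace role grants.
V, R, C = "View all properties", "Read Permissions", "Create Instance"
F, U, S = "File in Folder", "Unfile from Folder", "Create Subfolders"
ADAPTERS = "Role and Security Adapter custom object classes"
# Rights per role and object, transcribed from the role lists on this page.
EXPECTED = {
    "teamspace template creator": {
        ADAPTERS: {C, V, R},
        "Teamspace Template folder class": {V, C, R},
        "ClbRoles folder": {V, F, U, R},
        "ClbTeamspace Template folder": {V, F, U, S, R},
    },
    "teamspace creator": {
        ADAPTERS: {C, V, R},
        "Teamspace folder class": {V, C, R},
        "ClbRoles folder": {V, F, U, R},
        "ClbTeamspace folder": {V, F, U, S, R},
    },
    "teamspace user": {obj: {V, R} for obj in (
        ADAPTERS, "Teamspace Template folder class", "Teamspace folder class",
        "ClbRoles folder", "ClbTeamspace Template folder", "ClbTeamspace folder")},
}

def expected_rights(roles):
    """Union of the rights a principal should hold across all of its roles."""
    merged = {}
    for role in roles:
        for obj, rights in EXPECTED[role].items():
            merged.setdefault(obj, set()).update(rights)
    return merged

def audit(assignments, observed):
    """Compare role assignments with an ACL export (hypothetical format).
    assignments: {principal: [role, ...]}; observed: {(principal, object): {rights}}.
    Returns sorted (principal, object, "excess" | "missing", right) tuples."""
    findings = []
    for p in set(assignments) | {q for q, _ in observed}:
        want = expected_rights(assignments.get(p, []))
        for o in set(want) | {obj for q, obj in observed if q == p}:
            have, need = observed.get((p, o), set()), want.get(o, set())
            findings += [(p, o, "excess", r) for r in have - need]
            findings += [(p, o, "missing", r) for r in need - have]
    return sorted(findings)

# Constructed sample: the pseudo-account is a teamspace user but also holds
# Create Instance on the Teamspace folder class, which only creators should.
SAMPLE_ROLES = {"#AUTHENTICATED-USERS": ["teamspace user"]}
SAMPLE_ACL = {("#AUTHENTICATED-USERS", o): {V, R} for o in EXPECTED["teamspace user"]}
SAMPLE_ACL[("#AUTHENTICATED-USERS", "Teamspace folder class")] = {V, R, C}
```

Calling `audit(SAMPLE_ROLES, SAMPLE_ACL)` returns a single excess finding for Create Instance on the Teamspace folder class. A principal with grants but no role assignment is reported as excess on every right it holds.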
