You can use the IBM® Content Navigator administration tool to modify the security of the users and groups who need to create and use teamspaces and teamspace templates on your IBM FileNet® P8 repositories.
Overview of the security model for teamspaces
The security of a teamspace or teamspace template is inherited from the security that is defined in the Roles custom object that is assigned to the teamspace or teamspace template. A member of the teamspace with sufficient privileges can add and remove members from the teamspace. When the Roles custom object is updated, the documents and folders in the teamspace are updated with the modified member list. However, items that are added to the teamspace from the repository do not use the same security as the teamspace. The items retain the security that is already defined in the repository.
By default, only the user who creates a teamspace template has access to the template. The user must share the template with other users and groups, to enable those users and groups to create a teamspace from that template. The user can also share the template with all IBM FileNet P8 users.
After the teamspace add-on is run on the repository, you can use the administration tool to specify the users and groups who can create and use teamspaces and teamspace templates.
Tip: It is recommended that you specify groups rather than users to simplify teamspace management.
In the IBM Content Navigator administration tool, if you create multiple repositories that point to the same IBM FileNet P8 object store, the security that you set for one of these repositories is used by all of the repositories that point to that object store.
Teamspace template roles
When you assign a user or group to a teamspace template role, the user or group is given the appropriate security settings on the required classes and folders on the repository. The changes to the security are applied after you save your changes to the repository configuration in the IBM Content Navigator administration tool.
The IBM Content Navigator administration tool defines the following teamspace template roles:
- Teamspace template administrator
  Users who have Full Control permissions for the repository (object store). You cannot change the list of teamspace template administrators from the administration tool.
  Teamspace template administrators can delete or modify any teamspace template. The user that creates a teamspace template does not need to share the template with teamspace template administrators.
- Teamspace template creator
  Users who can create a teamspace template on the repository. When you designate a user or group as a teamspace template creator, the user or group is given the following security:
  - For the Role and Security Adapter custom object classes, the user or group is given Create Instance, View all properties, and Read Permissions security.
  - For the Teamspace Template folder class, the user or group is given View all properties, Create Instance, and Read Permissions security.
  - For the ClbRoles folder, the user or group is given View all properties, File in Folder, Unfile from Folder and Read Permissions security.
  - For the ClbTeamspace Template folder, the user or group is given View all properties, File in Folder, Unfile from Folder, Create Subfolders, and Read Permissions security.
Teamspace roles
When you assign a user or group to a teamspace role, the user or group is given the appropriate security settings on the required classes and folders on the repository. The changes to the security are applied after you save your changes to the repository configuration in the IBM Content Navigator administration tool.
The IBM Content Navigator administration tool defines the following teamspace roles:
- Teamspace administrator
  Users who have Full Control permissions for the repository. You cannot change the list of teamspace administrators from the administration tool.
  Teamspace administrators can delete or modify any teamspace. The user that creates a teamspace does not need to share the teamspace with teamspace administrators.
- Teamspace creator
  Users who can use a teamspace template to create a teamspace on the repository. When you designate a user or group as a teamspace creator, the user or group is given the following security:
  - For the Role and Security Adapter custom object classes, the user or group is given Create Instance, View all properties, and Read Permissions security.
  - For the Teamspace folder class, the user or group is given View all properties, Create Instance, and Read Permissions security.
  - For the ClbRoles folder, the user or group is given View all properties, File in Folder, Unfile from Folder and Read Permissions security.
  - For the ClbTeamspace folder, the user or group is given View all properties, File in Folder, Unfile from Folder, Create Subfolders, and Read Permissions security.
- Teamspace user
  Users who can see the teamspaces on the repository. When you designate a user or group as a teamspace template user, the user or group is given the following security:
  - For the Role and Security Adapter custom object classes, the user or group is given View all properties and Read Permissions security.
  - For the Teamspace Template and Teamspace folder classes, the user or group is given View all properties and Read Permissions security.
  - For the ClbRoles, ClbTeamspace Template, and ClbTeamspace folders, the user or group is given View all properties and Read Permissions security.
  Important: A teamspace user can see the teamspaces on the repository. However, the user must be a member of a teamspace to access the teamspace. In addition, the user's role within a teamspace determines the actions that the user can take in the teamspace.
  If you want all of the users in your environment to be able to see teamspaces, you can add the #AUTHENTICATED-USERS pseudo-account to the teamspace user role.
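The role lists above can be used as a least-privilege baseline when you review the resulting access on a repository. The following is an added example, not IBM code: it transcribes the documented grants for the creator and user roles and flags rights that exceed a principal's assigned roles. The row format, the role assignments, and the group names are constructed assumptions, and the administrator roles are not modeled because they derive from Full Control on the object store.

```python
# Added example. Role grants are transcribed from this page; the ACL rows and
# role assignments below are constructed sample data in a hypothetical format.
V, R, C = "View all properties", "Read Permissions", "Create Instance"
F, U, S = "File in Folder", "Unfile from Folder", "Create Subfolders"

def creator_grants(kind):
    # kind is "Teamspace Template" or "Teamspace"; both creator roles share a shape.
    return {
        "class:Role": {C, V, R},
        "class:Security Adapter": {C, V, R},
        f"class:{kind}": {V, C, R},
        "folder:ClbRoles": {V, F, U, R},
        f"folder:Clb{kind}": {V, F, U, S, R},
    }

DOCUMENTED = {
    "teamspace template creator": creator_grants("Teamspace Template"),
    "teamspace creator": creator_grants("Teamspace"),
}
# Teamspace user: view and read only, on every class and folder named above.
DOCUMENTED["teamspace user"] = {
    t: {V, R} for grants in list(DOCUMENTED.values()) for t in grants
}

def allowed(roles, target):
    """Union of the rights the listed roles document for one class or folder."""
    return set().union(*(DOCUMENTED[r].get(target, set()) for r in roles))

def audit(assignments, acl_rows):
    """Return (principal, target, excess rights) for grants beyond the assigned roles."""
    findings = []
    for principal, target, rights in acl_rows:
        excess = set(rights) - allowed(assignments.get(principal, []), target)
        if excess:
            findings.append((principal, target, sorted(excess)))
    return findings

ASSIGNMENTS = {  # constructed
    "#AUTHENTICATED-USERS": ["teamspace user"],
    "cn=project-leads": ["teamspace creator", "teamspace user"],
}
ACL_ROWS = [  # constructed
    ("#AUTHENTICATED-USERS", "folder:ClbTeamspace", {V, R}),
    ("#AUTHENTICATED-USERS", "class:Teamspace", {V, R, C}),
    ("cn=project-leads", "folder:ClbTeamspace", {V, F, U, S, R}),
    ("cn=project-leads", "folder:ClbTeamspace Template", {V, R, F}),
    ("cn=contractors", "folder:ClbRoles", {V, R}),
]
```

Calling `audit(ASSIGNMENTS, ACL_ROWS)` reports three rows: the pseudo-account holding Create Instance on the Teamspace class, the project leads filing into the template folder without the template creator role, and a group with rights but no role assignment.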