You can use the IBM® Content Navigator administration tool to modify the security of the users and groups who need to create and use teamspaces and teamspace templates on your IBM Content Manager repositories.
Overview of the security model for teamspaces
The security of a teamspace is determined by the roles assigned to the teamspace. Each role in the teamspace is mapped to a privilege set in the IBM Content Manager library server. When a user is assigned to a role in a teamspace, that user is added to a privilege set on the access control list for the teamspace folder. When an item is added to the teamspace, the ACL of the teamspace is added to the security of the item.
Restriction: Several restrictions apply to the way items are managed in the teamspace:
- Items that are added to the teamspace from the repository do not use the same security as the teamspace. The items retain the security that is already defined in the repository.
- If a user or group is added to the teamspace at a later time, the user or group will not have access to the items that were added before the user or group was added to the teamspace. Therefore, it is strongly recommended that you use groups to manage the security of the teamspace. This means that you can add members to the group without impacting the security of the teamspace.
By default, only the user who creates a teamspace template has access to the template. The user must share the template with other users and groups to enable those users and groups to create a teamspace from that template.
For a description of the different components that are added to the data model on your IBM Content Manager repository, see Teamspaces on IBM Content Manager Enterprise Edition servers.
Teamspace template roles
When you assign a user or group to a teamspace template role, the user or group is added to the appropriate access control lists (ACLs) and given the required privileges. The changes to the security are applied after you save your changes to the repository configuration in the IBM Content Navigator administration tool.
The IBM Content Navigator administration tool defines the following teamspace template roles:
- Teamspace template creators: Users who can create a teamspace template on the repository. When you designate a user or group as a teamspace template creator, the user or group is given the following permissions:
  - The user or group is added to the ClbTeamspaceTemplateACL ACL with the clbOwnerPrivs privilege set. This setting enables the user or group to create teamspace templates by using the ICMTeamspaceTemplate item type.
  - The user or group is added to the PublicReadACL ACL with the clbOwnerPrivs privilege set. This setting enables the user or group to create roles within the teamspace template by using the ICMRole item type.
Teamspace roles
When you assign a user or group to a teamspace role, the user or group is added to the appropriate access control lists (ACLs) and given the required privileges. The changes to the security are applied after you save your changes to the repository configuration in the IBM Content Navigator administration tool.
The IBM Content Navigator administration tool defines the following teamspace roles:
- Teamspace creators: Users who can use a teamspace template to create a teamspace on the repository. When you designate a user or group as a teamspace creator, the user or group is given the following permissions:
  - The user or group is added to the ClbTeamspaceTemplateACL ACL with read-only access. This setting enables the user or group to use an existing teamspace template as a blueprint to create a teamspace instance.
  - The user or group is added to the ClbTeamspaceACL ACL with the clbTeamspaceCreator privilege set and the SystemDefinePrivs privilege. These settings enable the user or group to create teamspaces by using the ICMTeamspace item type.
- Teamspace users: Users who can see the teamspaces on the repository. When you designate a user or group as a teamspace user, the user or group is given the following permissions:
  - The user or group is added to the ClbTeamspaceACL ACL with read-only access. This setting enables the user or group to view teamspaces.
Important: A teamspace user can see the teamspaces on the repository. However, the user must be a member of a teamspace to access the teamspace. In addition, the user's role within a teamspace determines the actions that the user can take in the teamspace.
Customizing the security settings outside of the IBM Content Navigator administration tool
If you want to manage teamspaces, documents, and folders separately, you must use the IBM Content Manager system administration client to manage the security of teamspaces and teamspace templates.
By default, the security of the Document item type and the Folder item type is controlled by the ClbTeamspaceACL. This means that the same ACL applies to documents, folders, and teamspaces.
If you want to manage the access to documents, folders, and teamspaces separately, you can use the IBM Content Manager system administration client to associate separate ACLs with the Document and Folder item types:
- Change the ACL of the Document item type from ClbTeamspaceACL to ClbDocumentACL.
- Change the ACL of the Folder item type from ClbTeamspaceACL to ClbFolderACL.
The users or groups who are administrators for documents or folders require the clbOwnerPrivs privilege set assigned on the ClbDocumentACL or the ClbFolderACL access control lists.
Important: If you modify the privilege sets that are used to manage access to teamspaces and teamspace templates outside of the IBM Content Navigator administration tool, do not include the ItemSuperAccess privilege in any teamspace or teamspace template user privilege sets. If you include this privilege, users with this privilege can bypass the ACL rule that is defined for teamspaces and teamspace templates.
Permissions required to move items from teamspaces
A user must have the ItemRemoveLink privilege to use the Move from Teamspace action. However, only teamspace owners have this privilege by default. If you want other users to be able to move items from teamspaces, you must use the IBM Content Manager system administration client to update the appropriate privilege sets in your environment to include the privilege.
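The following Python simulation is an added illustration, not code from this page or from IBM Content Manager, and it does not use the Content Manager API. It models the three behaviours described above in one place: the restriction in the overview (a user added directly to a teamspace later does not gain access to items added earlier, whereas membership through a group does, and items brought in from the repository keep their own ACL), the warning that ItemSuperAccess on a user's privilege set bypasses the teamspace ACL, and the ItemRemoveLink requirement for moving items. Privilege set contents, the names ReadOnlyPrivs and SuperUserPrivs, and all users, groups and items are constructed; giving each newly created item a copy of the teamspace ACL as it stands at add time is a modelling assumption chosen because it reproduces the documented restriction.

```python
# Illustrative model of teamspace security propagation, written for this page.
# Not the IBM Content Manager API: privilege set contents, the ReadOnlyPrivs and
# SuperUserPrivs names, and the users/groups/items below are constructed.
from dataclasses import dataclass, field

# Library-server privilege sets: name -> privileges (constructed, simplified).
PRIVILEGE_SETS = {
    "clbOwnerPrivs": {"ItemRead", "ItemAdd", "ItemRemoveLink"},
    "clbTeamspaceCreator": {"ItemRead", "ItemAdd"},
    "ReadOnlyPrivs": {"ItemRead"},           # constructed name
    "SuperUserPrivs": {"ItemSuperAccess"},   # constructed name: the privilege the page warns about
}


@dataclass
class Acl:
    name: str
    entries: dict = field(default_factory=dict)  # principal -> privilege set name

    def snapshot(self):
        return Acl(self.name, dict(self.entries))


@dataclass
class Item:
    name: str
    acl: Acl


@dataclass
class LibraryServer:
    groups: dict = field(default_factory=dict)       # group name -> set of user names
    user_privs: dict = field(default_factory=dict)   # user -> privilege set on the account

    def principals(self, user):
        # The user plus every group the user belongs to.
        return {user} | {g for g, members in self.groups.items() if user in members}

    def has_privilege(self, item, user, privilege):
        # ItemSuperAccess on the account's own privilege set bypasses ACL checking.
        if "ItemSuperAccess" in PRIVILEGE_SETS.get(self.user_privs.get(user), set()):
            return True
        granted = set()
        for principal in self.principals(user):
            privilege_set = item.acl.entries.get(principal)
            if privilege_set is not None:
                granted |= PRIVILEGE_SETS[privilege_set]
        return privilege in granted


@dataclass
class Teamspace:
    folder: Item
    items: list = field(default_factory=list)

    def assign_role(self, principal, privilege_set):
        # Assigning a role edits the teamspace folder ACL only; existing items are untouched.
        self.folder.acl.entries[principal] = privilege_set

    def add_new_item(self, name):
        # A new item receives the teamspace ACL as it stands now (modelling assumption).
        item = Item(name, self.folder.acl.snapshot())
        self.items.append(item)
        return item

    def add_existing_item(self, item):
        # Items brought in from the repository keep the ACL they already had.
        self.items.append(item)
        return item


def audit_privilege_sets(privilege_sets, names_in_use):
    """Names of teamspace privilege sets that contain ItemSuperAccess."""
    return sorted(n for n in names_in_use
                  if "ItemSuperAccess" in privilege_sets.get(n, set()))


def demo():
    server = LibraryServer(groups={"engineering": {"alice"}})
    ts = Teamspace(Item("ProjectX", Acl("ClbTeamspaceACL")))
    ts.assign_role("alice", "clbOwnerPrivs")         # owner, added directly
    ts.assign_role("engineering", "ReadOnlyPrivs")   # members managed through a group
    early = ts.add_new_item("design.doc")
    ts.assign_role("bob", "ReadOnlyPrivs")           # bob is added directly, later
    late = ts.add_new_item("notes.doc")
    server.groups["engineering"].add("carol")        # carol joins through the group
    repo_item = ts.add_existing_item(
        Item("policy.pdf", Acl("PublicReadACL", {"alice": "ReadOnlyPrivs"})))
    server.user_privs["dave"] = "SuperUserPrivs"     # dave appears in no teamspace ACL
    return {
        "bob_reads_early_item": server.has_privilege(early, "bob", "ItemRead"),
        "bob_reads_late_item": server.has_privilege(late, "bob", "ItemRead"),
        "carol_reads_early_item": server.has_privilege(early, "carol", "ItemRead"),
        "carol_reads_repo_item": server.has_privilege(repo_item, "carol", "ItemRead"),
        "alice_can_move": server.has_privilege(early, "alice", "ItemRemoveLink"),
        "bob_can_move": server.has_privilege(late, "bob", "ItemRemoveLink"),
        "dave_bypasses_acl": server.has_privilege(early, "dave", "ItemRead"),
        "flagged_sets": audit_privilege_sets(
            PRIVILEGE_SETS, ["clbOwnerPrivs", "ReadOnlyPrivs", "SuperUserPrivs"]),
    }
```

Running demo() shows bob, added directly after design.doc existed, cannot read it but can read notes.doc, while carol, who joined through the engineering group, reads design.doc because the item's ACL already names the group. carol still has no access to policy.pdf, which kept its repository ACL. dave reads everything despite being absent from every teamspace ACL, which is exactly why audit_privilege_sets flags SuperUserPrivs, and only alice, holding clbOwnerPrivs, has the ItemRemoveLink privilege needed for Move from Teamspace.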