Start of changeIBM FileNet P8, Version 5.2.1            

The Security Script wizard

The Security Script wizard assigns security roles to user and group accounts to create security principals for the objects in an object store.

The Security Script wizard requires a properly formatted JSON security role definition file that is referenced by a properly formatted JavaScript security script file. When you run the Security Script wizard, you select an object store, select a security role, and then add users and groups to that role through a query to your directory service. The Security Script wizard then converts this data to JSON data, appends this data to the JSON role definition file, and merges the combined JSON data structure with the JavaScript security script. The wizard then submits the populated security script to create the security principals for the object store and the objects.

Two sample files, UpdateOSSecurity.json and SecurityScript.js, are provided for use with the Security Script wizard. The UpdateOSSecurity.json JavaScript Object Notation file defines security roles and the permissions for those roles that are to be applied to the selected Content Platform Engine object or class. The SecurityScript.js security script file defines the actions that invoke the Content Platform Engine Java™ API that assigns permissions for the object store or objects to the security principals. The JSON file also establishes communication between the wizard and the security script by applying the actions that are defined for the permissions in the script file to the users and groups that are selected in the wizard.

The sample script file and the sample role definition file include function that applies to most common use cases for the Security Script wizard. These files can also be copied and then customized for other use cases. For an example that demonstrates how to run the Security Script wizard with the provided sample files, see Update an object store with new users and groups.

Example of a properly formatted JSON role definition file

A properly formatted JSON role definition file contains the following elements:
SecurityRoles
Each JSON role definition file must have one root element, SecurityRoles, that specifies a JSON array of security roles. When you run the Security Script wizard, you can select one or more values from a list of the security roles to apply to the object store. Each security role in the JSON array contains the following elements:
Name
For each role, a name that is displayed as one of the security role choices in the wizard.
AccessMasks
For each role, a list of access masks represented by a name mask and a Content Platform Engine access mask value. Using the name mask with the access mask value in the JSON role definition file make it easier to manage the role. For example, idmAccessLevelWriteFolder:135159.

The number in the access mask value is a bitmap mask that represents the sum of the constant field values for individual access rights. For example, idmAccessLevelWriteFolder:135159 comprises several individual access rights where sum of the constant field values for each access right equals 135159. The sample JSON role definition file contains access masks for the common use cases for the Security Script wizard. You can create a custom role definition file for other use cases that might require other access masks. To do this, you must be familiar with the information about the AccessRight class and about field constant values for those access rights. For more information, see Class AccessRight and Constant Field Values.

Permissions
For each role, one or more permissions. Each permission contains several required and optional elements. The required and optional elements for each permission are as follows:
Description
Optional. For each permission, descriptive text that can be used in the wizard progress screen.
AccessType
For each permission, the Content Platform Engine access type that denies or allows access.
0
Deny.
1
Allow.
InheritableDepth
For each permission, the Content Platform Engine InheritableDepth property that determines the maximum depth to which a permission can be inherited. For more information about the InheritableDepth property for permissions, see Permission.
0
No inheritance.
1
This object and immediate children only.
-1
This object and all children.
-2
All children, but not this object.
-3
Immediate children only, not this object.
AccessMask
For each permission, the Content Platform Engine access mask value. This value can also be specified as the name mask that is defined in the AccessMasks element in this JSON file.
Action
For each permission, the function that is used when the wizard makes the changes for this permission. This function must be defined in the JavaScript security script. In the security script, this function invokes the Content Platform Engine Java API to assign the security principals with specific access permission to the object store or objects.
ClassId
This element identifies the Content Platform Engine class that this permission is applied to. This element is required for actions on classes, but is ignored for other actions.
ObjectId
This element identifies the Content Platform Engine object that this permission is applied to. This element is required for actions on objects, but is ignored for other actions.
Collection
This element identifies the Content Platform Engine collection of objects that this permission is applied to. This element is required for actions on collections, but is ignored for other actions.

The following code fragment demonstrates how these elements appear in the UpdateOSSecurity.json JSON sample file:

{
	SecurityRoles:
	[
		{
			Name: 'Object Store Users',
			AccessMasks: {
				idmAccessLevelWriteFolder:135159,
				idmAccessRightCreateInstance:256, 
				idmAccessLevelRead:131073,
				idmAccessLevelUseOS:15728640,
				idmAccessLevelView:131201
			},
			Permissions:
			[
				{
					Description:'SecurityWizard_Permission_Desc_ObjectStore', 			
					AccessType: 1,
					InheritableDepth:0,
					AccessMask: 'idmAccessLevelUseOS',
					Action: 'UpdateOSPermission'
				},
				{
					Description: 'SecurityWizard_Permission_Desc_Folder',				
					AccessType: 1,
					InheritableDepth:0,
					AccessMask: 'idmAccessLevelWriteFolder',
					Action: 'UpdateFolderPermission'
				},
				...
			],
		},
	],
}

Example of a properly formatted security script file

The JavaScript security script file defines the actions, or functions, that invoke the Content Platform Engine Java API to assign the security principals with specific permissions for the object store or objects.

The script file does not specify any security role. The security roles are defined in the role definition JSON file. In this way, you can design the script functions and the security roles separately. The Security Script wizard then combines the two files, inserts the user and group account information that it collects at runtime, and submits the information for execution.

To enable the wizard to invoke the script functions, the script file needs an entry point function onCustomProcess. In this function, the script file must include the logic to map the action that is specified in the role permission definition to the script file code. For example, to run the UpdateOSPermission and UpdateFolderPermission actions that are in the JSON sample code, the script file must have the following code:
CEObject
The object store that the Security Script wizard acts on.
channel
The output channel for the script file to use to send the progress to the graphical user interface for the Security Script wizard.
domain
The Content Platform Engine domain that the wizard acts on.

The following code fragment from SecurityScript.js demonstrates a properly formatted JavaScript security script file. 

function OnCustomProcess (CEObject, channel, domain)
{
	CEObject.refresh();

	//The wizard constructs the SecurityRoles with the information provided
	//in the JSON role definition file.
	for (var s  = 0; s < SecurityRoles.length; s++)
	{
		CEObject.refresh();
		ub = UpdatingBatch.createUpdatingBatchInstance(domain, RefreshMode.NO_REFRESH);
		System.out.println("Apply role " + SecurityRoles[s].Name);
		var permissions = SecurityRoles[s].Permissions;

		//The wizard constructs the grantees list with the information
		//solicited from the directory service.  The list contains the
		//user and group accounts the security permission will be granted
		//to. 
		for (var p in permissions)
		{
			var permission = permissions[p];
			var grantees = Grantees[s];


			if (permission.Action == "UpdateOSPermission" )
			{
				System.out.println("to UpdateOSPermission");
				UpdateOSPermission(CEObject, permission, grantees, channel);
			}
			else if (permission.Action == "UpdateFolderPermission")
			{
				System.out.println("to UpdateFolderPermission");
				UpdateFolderPermission(CEObject, permission, grantees, channel);
			}
		...

How to run the Security Script wizard

To run the Security Script wizard:
  1. In the administration console, access the object store where you want to run the Security Script wizard:
    • In the domain navigation pane, click the object store.
    • In the object store navigation pane, click the name of the object store (the top-level item).
  2. In the Actions menu, click Run Security Script Wizard.
    Remember: The first time that you run the Security Script wizard on a workstation, you must download the sample files to that workstation. For more information, see How to download the sample files for the Security Script wizard.
  3. Follow the instructions in the wizard to select a JSON file for the role definition file and a script file for the security script file. Then select security roles and users or groups to add security principals for that role.

How to download the sample files for the Security Script wizard

To run the Security Script wizard, you must have a security script file and a security role definition file on the local workstation. Samples for both of these files are included on the application server for Content Platform Engine and can be downloaded from the wizard.

The sample script file SecurityScript.js and the sample role definition file UpdateOSSecurity.json include function that applies to most common use cases for the Security Script wizard. These files can also be copied and then customized for other use cases.

To download the sample script file and role definition file to your local workstation:
  1. In the administration console, access the object store where you want to run the Security Script wizard:
    • In the domain navigation pane, click the object store.
    • In the object store navigation pane, click the name of the object store (the top-level item).
  2. In the Actions menu, click Run Security Script Wizard.
  3. On the first page of the wizard, click the link to download the SecurityWizardScript.zip file to your local workstation.
  4. Navigate to the downloaded file. Use your file compression tool to uncompress the ZIP file.
Parent topic: Managing security

Last updated: March 2016
emsec_ssw_about.htm

© Copyright IBM Corporation 2017.
End of change