
How to update an existing object store's security (add or remove users and groups) using the Security Script Wizard in the Administration Console for Content Platform Engine (ACCE)

Technical Blog Post


Abstract

How to update an existing object store's security (add or remove users and groups) using the Security Script Wizard in the Administration Console for Content Platform Engine (ACCE)

Body

One of the most common tasks for an IBM FileNet Content Manager administrator is adding or removing users and groups to/from an existing object store.  The Administration Console for Content Platform Engine (ACCE) includes a Security Script wizard that can be used to assign security roles to both users and groups in order to create access control entries for objects in an object store.

The Security Script wizard requires a properly formatted JSON security role definition file that is referenced by a properly formatted JavaScript security script file. When you run the Security Script wizard, you select an object store, select a security role, and then add users and groups to that role through a query to your directory service. The Security Script wizard then converts this data to JSON data, appends this data to the JSON role definition file, and merges the combined JSON data structure with the JavaScript security script. The wizard then submits the populated security script to create the security principals for the object store and the objects.

Two sample files, UpdateOSSecurity.json and SecurityScript.js, are provided for use with the Security Script wizard. The UpdateOSSecurity.json JavaScript Object Notation file defines security roles and the permissions for those roles that are to be applied to the selected Content Platform Engine object or class. The SecurityScript.js security script file defines the actions that invoke the Content Platform Engine Java™ API that assigns permissions for the object store or objects to the security principals. The JSON file also establishes communication between the wizard and the security script by applying the actions that are defined for the permissions in the script file to the users and groups that are selected in the wizard.

 

You can also modify the provided JavaScript security script file so that, instead of adding security, it removes a user or group from the classes and objects of an object store that the default script secured.  Save the JavaScript code below into a file called SecurityScript_delete_acl.js and use this file instead of the default SecurityScript.js file when running the Security Script Wizard in ACCE.  This will remove the security principal from the objects and classes that were added by the default script.  Two points to be aware of before running it: the script is switched into removal mode by the `addPermissions = false` setting near the top of the file, and it only removes an access control entry that matches the role definition exactly (same grantee name, access mask, allow/deny type and inheritable depth), so an entry that was edited after it was added is left in place.  The wizard commits the changes for each role as a single batch, so test the script against a non-production object store first and review the resulting object store security afterwards.  The following JavaScript code is solely provided as a sample without any express or implied warranty.

 

/*
importPackage(Packages.com.filenet.api.collection);
importPackage(Packages.com.filenet.api.constants);
importPackage(Packages.com.filenet.api.events);
importPackage(Packages.com.filenet.api.engine);
importPackage(Packages.com.filenet.api.exception);
importPackage(Packages.com.filenet.api.property);
importPackage(Packages.com.filenet.api.security);
importPackage(Packages.com.filenet.api.util);
importPackage(Packages.com.filenet.api.core);
importPackage(Packages.com.filenet.apiimpl.core);
importPackage(Packages.com.filenet.apiimpl.util);

importPackage(Packages.java.lang);
importPackage(Packages.com.ibm.json.java);
importPackage(Packages.com.filenet.acce.common);
*/
// Updating batch for the role currently being processed. OnCustomProcess
// creates a fresh one per role and commits it with updateBatch(); the
// Update* handlers queue each changed object on it instead of saving.
var ub = null;

// Mode switch read by addjustSec/addjustDefSec: true appends new access
// control entries, false removes matching ones. This is the removal
// variant of the sample, hence false.
var addPermissions = false;

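/**
 * Entry point invoked by the ACCE Security Script wizard.
 *
 * Walks every role in the wizard-supplied SecurityRoles array and, for each
 * permission entry of that role, dispatches to the handler named by the
 * entry's Action (object store, all root classes, one class, a system
 * collection, a folder tree, or a single object). All ACL changes for a
 * role are queued on the global UpdatingBatch `ub` and committed together
 * once that role's entries have been processed.
 *
 * Globals supplied by the wizard (not defined in this file):
 *   SecurityRoles - array of role definitions from the JSON file
 *   Grantees      - array parallel to SecurityRoles; Grantees[s] holds the
 *                   principal names selected in the wizard for role s
 *
 * @param CEObject the object store chosen in the wizard
 * @param channel  progress channel for the wizard UI (may be null)
 * @param domain   the Content Platform Engine domain
 * @returns the object store's DateCreated property value
 */
function OnCustomProcess (CEObject, channel, domain)
{
    CEObject.refresh();

    for (var s = 0; s < SecurityRoles.length; s++)
    {
        var role = SecurityRoles[s];
        CEObject.refresh();
        // One batch per role; NO_REFRESH avoids re-fetching every updated
        // object after the commit.
        ub = UpdatingBatch.createUpdatingBatchInstance(domain, RefreshMode.NO_REFRESH);
        System.out.println("Apply role " + role.Name);
        var permissions = role.Permissions;

        for (var p in permissions)
        {
            var permission = permissions[p];

            // Principals come from the wizard selection unless the entry
            // names fixed special principals itself.
            // NOTE(review): the original sample assigned SpecialUsers to an
            // undeclared variable `grantee`, so the override never took
            // effect. If the add script you ran had the same defect those
            // principals were never added; removal only touches an ACE that
            // matches grantee, mask, allow/deny and depth exactly, but
            // review the target ACLs before running this in production.
            var grantees = Grantees[s];
            if (permission.SpecialUsers != undefined)
            {
                grantees = permission.SpecialUsers;
            }

            var action = permission.Action;
            if (action == "UpdateOSPermission")
            {
                System.out.println("to UpdateOSPermission");
                UpdateOSPermission(CEObject, permission, grantees, channel);
            }
            else if (action == "UpdateAllClassesPermission")
            {
                System.out.println("to UpdateAllClassesPermission");
                UpdateAllClassesPermission(CEObject, role, permission, grantees, channel);
            }
            else if (action == "UpdateClassPermission")
            {
                System.out.println("to UpdateClassPermission");
                UpdateClassPermission(CEObject, permission, grantees, channel);
            }
            else if (action == "UpdateCollectionPermission")
            {
                System.out.println("to UpdateCollectionPermission " + permission.Collection);
                UpdateCollectionPermission(CEObject, permission, grantees, channel);
            }
            else if (action == "UpdateFolderPermission")
            {
                System.out.println("to UpdateFolderPermission");
                UpdateFolderPermission(CEObject, permission, grantees, channel);
            }
            else if (action == "UpdateObjectPermission")
            {
                System.out.println("to UpdateObjectPermission");
                UpdateObjectPermission(CEObject, permission, grantees, channel);
            }
            else
            {
                // Previously silently ignored; log so a mistyped Action in
                // the JSON file is noticed.
                System.out.println("unknown Action, entry skipped: " + action);
            }
        }
        _ChannelSuccMsg(channel, "Update permission...");
        ub.updateBatch();
    }
    return CEObject.getProperties().get("DateCreated").getValue();
};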

/**
 * Builds a new AccessPermission (ACE) for one grantee from a JSON
 * permission entry, using the entry's AccessMask.
 *
 * @param permission  entry with AccessMask, AccessType (1 = allow, anything
 *                    else = deny) and InheritableDepth
 * @param granteeName principal name the ACE is granted to
 * @returns the populated, not yet persisted AccessPermission
 */
function createNewSec(permission, granteeName)
{
    var allowOrDeny = (permission.AccessType == 1) ? AccessType.ALLOW : AccessType.DENY;
    var ace = Factory.AccessPermission.createInstance();
    ace.set_GranteeName(granteeName);
    ace.set_AccessMask(permission.AccessMask);
    ace.set_AccessType(allowOrDeny);
    ace.set_InheritableDepth(permission.InheritableDepth);
    return ace;
};

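/**
 * Removes from `objectPermissions` every access control entry that matches
 * the JSON permission entry exactly: same grantee name, same AccessMask,
 * same allow/deny type and same InheritableDepth. An ACE that was edited
 * after it was added (different mask or depth) does NOT match and is left
 * in place, so review the ACL afterwards.
 *
 * Matching entries are collected first and removed afterwards so the list
 * is not modified while it is being iterated.
 *
 * @param objectPermissions AccessPermissionList of the object being updated
 * @param permission        entry with AccessMask, AccessType (1 = allow) and
 *                          InheritableDepth
 * @param granteeName       principal name whose matching ACEs are removed
 * @returns the same list, with matching entries removed
 */
function removeSec(objectPermissions, permission, granteeName)
{
    var wantedType = (permission.AccessType == 1) ? AccessType.ALLOW : AccessType.DENY;
    var toDelete = Factory.AccessPermission.createList();
    var it = objectPermissions.iterator();

    while (it.hasNext())
    {
        var ace = it.next();
        // Grantee comparison is an exact, case-sensitive string compare.
        if (ace.get_GranteeName() == granteeName
            && ace.get_AccessMask() == permission.AccessMask
            && ace.get_AccessType() == wantedType
            && ace.get_InheritableDepth() == permission.InheritableDepth)
        {
            toDelete.add(ace);
        }
    }

    var removed = 0;
    var delIt = toDelete.iterator();
    while (delIt.hasNext())
    {
        objectPermissions.remove(delIt.next());
        removed++;
    }
    if (removed == 0)
    {
        // Nothing matched: the ACE was never added or no longer matches
        // mask/type/depth. Logged so the operator can follow up.
        System.out.println("no matching ACE to remove for " + granteeName);
    }

    return objectPermissions;
};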

/**
 * Adds or removes one grantee's ACE on a permission list, depending on the
 * global addPermissions switch (false in this removal script).
 *
 * @param secs        AccessPermissionList to modify
 * @param permission  JSON permission entry (uses AccessMask)
 * @param granteeName principal name
 * @returns the (possibly pruned) list
 */
function addjustSec (secs, permission, granteeName)
{
    // Removal mode: removeSec hands back the pruned list.
    if (!addPermissions)
    {
        return removeSec(secs, permission, granteeName);
    }
    // Add mode: append a freshly built ACE in place.
    secs.add(createNewSec(permission, granteeName));
    return secs;
};

/**
 * Builds a new AccessPermission (ACE) for one grantee from a JSON
 * permission entry, using the entry's DefAccessMask. Used for a class
 * definition's default instance security rather than the class itself.
 *
 * @param permission  entry with DefAccessMask, AccessType (1 = allow,
 *                    anything else = deny) and InheritableDepth
 * @param granteeName principal name the ACE is granted to
 * @returns the populated, not yet persisted AccessPermission
 */
function createNewDefSec(permission, granteeName)
{
    var allowOrDeny = (permission.AccessType == 1) ? AccessType.ALLOW : AccessType.DENY;
    var ace = Factory.AccessPermission.createInstance();
    ace.set_GranteeName(granteeName);
    ace.set_AccessMask(permission.DefAccessMask);
    ace.set_AccessType(allowOrDeny);
    ace.set_InheritableDepth(permission.InheritableDepth);
    return ace;
};

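/**
 * Default-instance-security counterpart of removeSec: removes from
 * `objectPermissions` every ACE that matches the JSON entry exactly on
 * grantee name, DefAccessMask, allow/deny type and InheritableDepth. An ACE
 * edited after it was added does NOT match and is left in place.
 *
 * Matching entries are collected first and removed afterwards so the list
 * is not modified while it is being iterated.
 *
 * @param objectPermissions DefaultInstancePermissions list of a class
 * @param permission        entry with DefAccessMask, AccessType (1 = allow)
 *                          and InheritableDepth
 * @param granteeName       principal name whose matching ACEs are removed
 * @returns the same list, with matching entries removed
 */
function removeDefSec(objectPermissions, permission, granteeName)
{
    var wantedType = (permission.AccessType == 1) ? AccessType.ALLOW : AccessType.DENY;
    var toDelete = Factory.AccessPermission.createList();
    var it = objectPermissions.iterator();

    while (it.hasNext())
    {
        var ace = it.next();
        // Grantee comparison is an exact, case-sensitive string compare.
        if (ace.get_GranteeName() == granteeName
            && ace.get_AccessMask() == permission.DefAccessMask
            && ace.get_AccessType() == wantedType
            && ace.get_InheritableDepth() == permission.InheritableDepth)
        {
            toDelete.add(ace);
        }
    }

    var removed = 0;
    var delIt = toDelete.iterator();
    while (delIt.hasNext())
    {
        objectPermissions.remove(delIt.next());
        removed++;
    }
    if (removed == 0)
    {
        // Nothing matched: the ACE was never added or no longer matches
        // mask/type/depth. Logged so the operator can follow up.
        System.out.println("no matching default-instance ACE to remove for " + granteeName);
    }

    return objectPermissions;
};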

/**
 * Adds or removes one grantee's ACE on a class's default instance
 * permission list, depending on the global addPermissions switch (false in
 * this removal script).
 *
 * @param secs        DefaultInstancePermissions list to modify
 * @param permission  JSON permission entry (uses DefAccessMask)
 * @param granteeName principal name
 * @returns the (possibly pruned) list
 */
function addjustDefSec (secs, permission, granteeName)
{
    // Removal mode: removeDefSec hands back the pruned list.
    if (!addPermissions)
    {
        return removeDefSec(secs, permission, granteeName);
    }
    // Add mode: append a freshly built ACE in place.
    secs.add(createNewDefSec(permission, granteeName));
    return secs;
};

/**
 * Applies (or, in this file, removes) the permission entry on a single
 * object identified by the entry's ClassId and ObjectId, and queues the
 * object on the global batch `ub`.
 *
 * A fetch failure whose message contains "not found" is reported to the
 * wizard as a warning; any other exception is reported as a failure.
 *
 * @param os         the object store
 * @param permission JSON permission entry (ClassId, ObjectId, mask fields)
 * @param grantees   principal names to apply the entry to
 * @param channel    wizard progress channel (may be null)
 */
function UpdateObjectPermission(os, permission, grantees, channel)
{
    System.out.println("GetObjectPermission");
    var classId = permission.ClassId;
    var objectId = permission.ObjectId;
    try
    {
        var target = os.fetchObject(classId, objectId, null);
        var acl = target.get_Permissions();
        var g;
        for (g = 0; g < grantees.length; g++)
        {
            acl = addjustSec(acl, permission, grantees[g]);
        }
        ub.add(target, null);
        _ChannelSuccMsg(channel, "Get Object " + classId + " " + objectId);
    }
    catch(ex)
    {
        var text = ex.toString();
        System.out.println(text);
        if (text.indexOf("not found") >= 0)
        {
            _ChannelWarningMsg(channel, "Object not found " + objectId + ", " + text);
        }
        else
        {
            _ChannelFailMsg(channel, text);
        }
    }
};

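/**
 * Applies (or, in this file, removes) the permission entry on a folder tree.
 * The tree starts at the folder named by permission.ObjectId, or at the
 * object store's root folder when no ObjectId is given; every subfolder
 * below it is visited by _UpdateFolderPermission.
 *
 * @param os         the object store
 * @param permission JSON permission entry (optional ObjectId, mask fields)
 * @param grantees   principal names to apply the entry to
 * @param channel    wizard progress channel (may be null)
 */
function UpdateFolderPermission(os, permission, grantees, channel)
{
    var startFolder;
    if (permission.ObjectId == null)
    {
        startFolder = os.get_RootFolder();
    }
    else
    {
        // Fixed: the original read `permissions.ObjectId` (an undeclared
        // name), which threw whenever an ObjectId was supplied.
        startFolder = os.fetchObject("Folder", permission.ObjectId, null);
    }
    _UpdateFolderPermission(os, startFolder, permission, grantees, channel);
};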

/**
 * Recursively applies (or, in this file, removes) the permission entry on
 * `folder` and on every folder below it. Children are processed before the
 * folder itself; each folder is queued on the global batch `ub`.
 *
 * Note that the whole subtree is walked, however deep it is.
 *
 * @param os         the object store
 * @param folder     folder to start from
 * @param permission JSON permission entry (mask fields)
 * @param grantees   principal names to apply the entry to
 * @param channel    wizard progress channel (may be null)
 */
function _UpdateFolderPermission(os, folder, permission, grantees, channel)
{
    System.out.println("GetFolderPermission");

    var children = folder.get_SubFolders().iterator();
    while (children.hasNext())
    {
        var child = children.next();
        System.out.println("Folder " + child.get_FolderName());
        _UpdateFolderPermission(os, child, permission, grantees, channel);
    }

    var acl = folder.get_Permissions();
    var g;
    for (g = 0; g < grantees.length; g++)
    {
        acl = addjustSec(acl, permission, grantees[g]);
    }

    try
    {
        ub.add(folder, null);
        _ChannelSuccMsg(channel, "Get Folder " + folder.get_Name());
    }
    catch(ex)
    {
        var text = ex.toString();
        System.out.println("Exception " + text);
        _ChannelFailMsg(channel, text);
    }
};

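/**
 * Applies (or, in this file, removes) the permission entry on every member
 * of one of the object store's system collections, e.g. every security
 * policy or every storage area.
 *
 * The collection is named by permission.Collection and must be one of the
 * names in the allow-list below; each maps to the os.get_<Name>() accessor
 * of the same name. Any other name is honoured only if the entry supplies a
 * customProcess(os) function returning the collection; otherwise the entry
 * is logged and skipped. Each updated member is queued on the global batch
 * `ub` (committed by the caller) and reported on `channel`.
 *
 * @param os         the object store
 * @param permission JSON permission entry (Collection, optional customProcess,
 *                   plus the mask fields consumed by addjustSec)
 * @param grantees   principal names to apply the entry to
 * @param channel    wizard progress channel (may be null)
 */
function UpdateCollectionPermission(os, permission, grantees, channel){
    var name = permission.Collection;
    // Explicit allow-list so an arbitrary Collection string from the JSON
    // file cannot reach any other accessor on the object store.
    var supported = {
        "ChoiceLists": true,
        "PropertyTemplates": true,
        "DocumentClassificationActions": true,
        "EventActions": true,
        "Subscriptions": true,
        "DocumentLifecycleActions": true,
        "DocumentLifecyclePolicies": true,
        "SecurityPolicies": true,
        "StorageAreas": true,
        "StoragePolicies": true,
        "IndexAreas": true
    };

    var collection = null;
    if (Object.prototype.hasOwnProperty.call(supported, name))
    {
        collection = os["get_" + name]();
    }
    else if (permission.customProcess != undefined)
    {
        System.out.println("use customProcess to get collection " + name);
        // Fixed: the original called role.customProcess(os), but no `role`
        // is in scope here; the guard above tests permission.customProcess.
        // NOTE(review): how a function reaches the entry is not visible in
        // this file (plain JSON cannot carry one) - confirm with the wizard.
        collection = permission.customProcess(os);
    }
    else
    {
        System.out.println("collection handler not implemented: " + name);
        return;
    }

    if (collection == null)
    {
        System.out.println("no collection available for " + name);
        return;
    }

    var it = collection.iterator();
    while (it.hasNext())
    {
        var member = it.next();
        System.out.println("Get " + name + " " + member.get_DisplayName());
        var acl = member.get_Permissions();
        for (var g = 0; g < grantees.length; g++)
        {
            acl = addjustSec(acl, permission, grantees[g]);
        }
        try
        {
            ub.add(member, null);
            _ChannelSuccMsg(channel, "Get Collection " + member.get_DisplayName());
        }
        catch(ex)
        {
            System.out.println("Exception " + ex.toString());
            _ChannelFailMsg(channel, ex.toString());
        }
    }
};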

/**
 * Applies (or, in this file, removes) the permission entry on the object
 * store's own ACL and queues the object store on the global batch `ub`.
 *
 * @param os         the object store
 * @param permission JSON permission entry (mask fields)
 * @param grantees   principal names to apply the entry to
 * @param channel    wizard progress channel (may be null)
 */
function UpdateOSPermission(os, permission, grantees, channel){
    System.out.println("UpdateOSPermission");
    try
    {
        var acl = os.get_Permissions();
        var g;
        for (g = 0; g < grantees.length; g++)
        {
            acl = addjustSec(acl, permission, grantees[g]);
        }
        // Queue rather than save: the caller commits the whole role's batch.
        ub.add(os, null);
        _ChannelSuccMsg(channel, "Get Object Store " + os.get_Name());
    }
    catch(ex)
    {
        var text = ex.toString();
        System.out.println("Exception " + text);
        _ChannelFailMsg(channel, text);
    }
};

/**
 * Applies (or, in this file, removes) the role's permissions on every root
 * class definition of the object store, choosing the class mask
 * (permission.AccessMask) and the default-instance mask
 * (permission.DefAccessMask) per root class and per role kind: the role
 * named "Object Store Administrators" gets the full-control masks, every
 * other role the read/view masks. The chosen masks are written into the
 * shared `permission` entry and then _UpdateClassSecurity handles the
 * class (and, depending on InheritableDepth, its subclasses).
 *
 * The mask table below reproduces the original if/else chain exactly,
 * including the entries that leave a field untouched: for a non-admin role
 * the three *QueueItem classes set neither mask and IndexJob / Event set no
 * DefAccessMask, so those classes keep whatever the previous root class
 * wrote into `permission`. NOTE(review): that carry-over looks accidental,
 * but the masks used here must stay identical to the ones the add script
 * applied - removeSec/removeDefSec only remove an ACE that matches mask,
 * type and depth exactly - so it is deliberately preserved.
 *
 * @param os         the object store
 * @param role       JSON role definition (Name, AccessMasks)
 * @param permission JSON permission entry; AccessMask/DefAccessMask are
 *                   overwritten per class
 * @param grantees   principal names to apply the entry to
 * @param channel    wizard progress channel (may be null)
 */
function UpdateAllClassesPermission(os, role, permission, grantees, channel){
    var isAdmin = (role.Name == "Object Store Administrators");

    // Class-definition mask granted to non-admin roles: read + create instance.
    var ClassDefPermsUser = 131329;

    // Table entries are [AccessMask, DefAccessMask]. A string names a key of
    // role.AccessMasks, a number is used as-is, and null means "leave
    // permission.<field> untouched" (see the carry-over note above).
    var FULL = "idmAccessLevelFullControlClassDef";
    var READ = "idmAccessLevelRead";

    var adminMasks = {
        "ClassDefinition":         [FULL, "idmAccessLevelFullControlClassDefault"],
        "Document":                [FULL, "idmAccessLevelFullControlDocument"],
        "CustomObject":            [FULL, "idmAccessLevelFullControlCustObj"],
        "EventAction":             [FULL, "idmAccessLevelFullControlCustObj"],
        "ClassSubscription":       [FULL, "idmAccessLevelFullControlCustObj"],
        "InstanceSubscription":    [FULL, "idmAccessLevelFullControlCustObj"],
        "DocumentLifecyclePolicy": [FULL, "idmAccessLevelFullControlCustObj"],
        "DocumentLifecycleAction": [FULL, "idmAccessLevelFullControlCustObj"],
        "Folder":                  [FULL, "idmAccessLevelFullControlFldr"],
        "Annotation":              [FULL, "idmAccessLevelFullControlAnnotation"]
    };
    // Queue items, RCR, Link, SecurityPolicy, ComponentRelationship,
    // IndexJob, Event, PublishRequest and any other root class.
    var adminFallback = [FULL, "idmAccessLevelFullControlClassDef2"];

    var userMasks = {
        "ClassDefinition":                    [READ, READ],
        "DocumentClassificationQueueItem":    [null, null],
        "EventQueueItem":                     [null, null],
        "SecurityPropagationQueueItem":       [null, null],
        "Document":                           [ClassDefPermsUser, "idmAccessLevelView"],
        "CustomObject":                       [ClassDefPermsUser, READ],
        "EventAction":                        [READ, READ],
        "ClassSubscription":                  [READ, READ],
        "InstanceSubscription":               [READ, READ],
        "DocumentLifecyclePolicy":            [READ, READ],
        "DocumentLifecycleAction":            [READ, READ],
        "Folder":                             [ClassDefPermsUser, READ],
        "Annotation":                         [ClassDefPermsUser, READ],
        "ReferentialContainmentRelationship": [ClassDefPermsUser, READ],
        "Link":                               [ClassDefPermsUser, READ],
        "SecurityPolicy":                     [ClassDefPermsUser, READ],
        "ComponentRelationship":              [ClassDefPermsUser, READ],
        "IndexJob":                           [ClassDefPermsUser, null],
        "Event":                              [ClassDefPermsUser, null],
        "PublishRequest":                     [ClassDefPermsUser, READ]
    };
    var userFallback = [READ, READ];

    var table = isAdmin ? adminMasks : userMasks;
    var fallback = isAdmin ? adminFallback : userFallback;

    // Resolve a table cell to a mask value at the time it is assigned, so
    // role.AccessMasks is read exactly as the original chain read it.
    function resolveMask(spec)
    {
        return (typeof spec == "string") ? role.AccessMasks[spec] : spec;
    }

    var it = os.get_RootClassDefinitions().iterator();
    while (it.hasNext())
    {
        var rootClass = it.next();
        var symbolicName = String(rootClass.get_SymbolicName());
        var entry = Object.prototype.hasOwnProperty.call(table, symbolicName)
            ? table[symbolicName]
            : fallback;

        if (entry[0] != null)
        {
            permission.AccessMask = resolveMask(entry[0]);
        }
        if (entry[1] != null)
        {
            permission.DefAccessMask = resolveMask(entry[1]);
        }
        _UpdateClassSecurity(os, rootClass, permission, grantees, channel);
    }
};

 

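/**
 * Applies (or, in this file, removes) the permission entry on a class
 * definition. When the entry's InheritableDepth is 0 the immediate
 * subclasses are visited recursively first, so every class in the subtree
 * gets its own ACE; for any other depth only `cls` itself is updated.
 * NOTE(review): the script treats depth 0 as non-propagating and walks the
 * subclasses by hand - confirm against the API semantics if you change it.
 *
 * @param os         the object store
 * @param cls        class definition to update
 * @param permission JSON permission entry (AccessMask, DefAccessMask,
 *                   InheritableDepth, AccessType)
 * @param grantees   principal names to apply the entry to
 * @param channel    wizard progress channel (may be null)
 */
function _UpdateClassSecurity(os, cls, permission, grantees, channel){
    if (permission.InheritableDepth == 0)
    {
        var it = cls.get_ImmediateSubclassDefinitions().iterator();
        while (it.hasNext())
        {
            // Fixed: the original recursion dropped `channel`, so progress
            // and failure messages for subclasses never reached the wizard.
            _UpdateClassSecurity(os, it.next(), permission, grantees, channel);
        }
    }
    _UpdateClassPerm(os, cls, permission, grantees, channel);
};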

/**
 * Applies (or, in this file, removes) the permission entry on the single
 * class definition named by permission.ClassId. Subclasses are not
 * visited; use UpdateAllClassesPermission for the whole hierarchy.
 *
 * @param os         the object store
 * @param permission JSON permission entry (ClassId, mask fields)
 * @param grantees   principal names to apply the entry to
 * @param channel    wizard progress channel (may be null)
 */
function UpdateClassPermission(os, permission, grantees, channel)
{
    var classDef = Factory.ClassDefinition.fetchInstance(os, permission.ClassId, null);
    _UpdateClassPerm(os, classDef, permission, grantees, channel);
};

/**
 * Applies (or, in this file, removes) the permission entry on one class
 * definition: the class's own ACL is adjusted when the entry carries an
 * AccessMask, and the class's default instance security when it carries a
 * DefAccessMask. The class is then queued on the global batch `ub`.
 *
 * @param os         the object store
 * @param cls        class definition to update
 * @param permission JSON permission entry (AccessMask, DefAccessMask,
 *                   AccessType, InheritableDepth)
 * @param grantees   principal names to apply the entry to
 * @param channel    wizard progress channel (may be null)
 */
function _UpdateClassPerm(os, cls, permission, grantees, channel){
    var className = cls.get_SymbolicName();
    System.out.println("class=" + className);

    try
    {
        var classAcl = cls.get_Permissions();
        var instanceAcl = cls.get_DefaultInstancePermissions();
        var g;
        for (g = 0; g < grantees.length; g++)
        {
            var grantee = grantees[g];
            // A null/undefined mask means "this entry does not touch that ACL".
            if (permission.AccessMask != null)
            {
                classAcl = addjustSec(classAcl, permission, grantee);
            }
            if (permission.DefAccessMask != null)
            {
                instanceAcl = addjustDefSec(instanceAcl, permission, grantee);
            }
        }
        ub.add(cls, null);
        _ChannelSuccMsg(channel, "Get Class Definition " + className);
    }
    catch(ex)
    {
        var text = ex.toString();
        System.out.println(className + " Exception " + text);
        _ChannelFailMsg(channel, text);
    }
};


/**
 * Reports a success message (status 1000) to the wizard's progress
 * channel. A null channel (script run outside the wizard) is a no-op.
 *
 * @param channel wizard progress channel, or null
 * @param msg     text shown to the user
 */
function _ChannelSuccMsg(channel, msg)
{
    if (channel == null)
    {
        return;
    }
    var payload = new JSONObject();
    payload.put("status", 1000);
    payload.put("customMsg", msg);
    channel.putMessage(payload);
};

/**
 * Reports a warning message (status 998) to the wizard's progress
 * channel. A null channel (script run outside the wizard) is a no-op.
 *
 * @param channel wizard progress channel, or null
 * @param msg     text shown to the user
 */
function _ChannelWarningMsg(channel, msg)
{
    if (channel == null)
    {
        return;
    }
    var payload = new JSONObject();
    payload.put("status", 998);
    payload.put("customMsg", msg);
    channel.putMessage(payload);
};

/**
 * Reports a failure message (status 999) to the wizard's progress
 * channel. A null channel (script run outside the wizard) is a no-op.
 *
 * @param channel wizard progress channel, or null
 * @param msg     text shown to the user
 */
function _ChannelFailMsg(channel, msg)
{
    if (channel == null)
    {
        return;
    }
    var payload = new JSONObject();
    payload.put("status", 999);
    payload.put("customMsg", msg);
    channel.putMessage(payload);
};

 

 

For more information on the Security Script Wizard:
https://www.ibm.com/support/knowledgecenter/SSNW2F_5.2.1/com.ibm.p8.ce.admin.tasks.doc/securityeditor/emsec_ssw_about.htm

 

If you are still using FileNet Enterprise Manager (FEM) with IBM FileNet Content Manager 5.2.0 or earlier, see the blog post about using FEM to add and remove users and groups with the Security Script Wizard:

/support/pages/node/1280326

