IBM Support

Walkthrough of configuring security inheritance by using a custom object-valued property

Technical Blog Post


Abstract

Walkthrough of configuring security inheritance by using a custom object-valued property

Body

I get a lot of questions about FileNet P8 security and how to configure the available methods: direct, default, inherited, and template. Inherited security seems to generate a lot of confusion and can be a bit tricky to set up and use. Security inheritance is the passing of permissions from a parent object to a child object. There are three types of security inheritance available with FileNet P8: two use a folder as the security parent, and the third uses a custom object-valued property. Whichever method you decide to use, the benefit is being able to change the security of the parent object and have those changes apply dynamically to the child object(s).

I am going to present a walkthrough of configuring this third option, using a custom object-valued property. The P8 knowledge center (http://www-01.ibm.com/support/knowledgecenter/SSNW2F_5.2.1/com.ibm.p8.security.doc/p8psh008.htm) has a good topic on how to set up OVP-based security inheritance, but unless you are really familiar with the ACCE administrative tool, it can be confusing. I have copied the instructions below and have added my comments and screenshots in the hope of clarifying the procedure.

Configuring security inheritance by using a custom object-valued property

Another way to configure inheritance is to use a custom object-valued property.

Procedure

To designate a folder as a security parent by using a custom object-valued property:

  1. Log in to Administration Console for Content Platform Engine as object store administrator (object_store_admin).

  2. Copy the object reference of the object whose security will be inherited. (This object will become a security parent as a result of this procedure.) This object must have at least one inheritable ACE (one whose Apply to setting is either This object and immediate children or This object and all children). I've chosen to create a document object using the base document class as my security parent so the access rights will match the child objects to be created later.

  3. Start the Create a Property Template Wizard to create the property that will establish the connection between the two objects. I have named my new property template "Custom OVP".

     1. Give the new template a name.
     2. On the Select the Data Type page of the wizard, select Object for the data type.
     3. On the Single or Multi-Value? page of the wizard, select Single. Select the Set other attributes checkbox.
     4. On the Additional Property Template Attributes page, select Read-Write for Settability and select Inherited for Security Proxy Type.
     5. Finish the wizard.

  4. Assign the new property template to a new or existing class. The following procedure assumes the class already exists. I've previously created a document class called "OVP Security Inheritance document class".

     1. Open the class and click the Property Definitions tab. Click Add. This opens the Add Properties dialog box.
     2. Select the property template you just created and click OK.
     3. Click the property template you just added. The Property Definition dialog box opens.
     4. For Required class, select the class of the object whose object reference you copied above. For example, if that proxying object is a document, you would select its exact document class or subclass. I chose "Document" because the security parent that I created above was a document object of class "Document".
     5. Click OK and then click Save.

  5. Assign a default value to the object-valued property. This step assumes that there is a single inheritance-providing object for this particular custom property.

     1. Select the class ("OVP Security Inheritance document class") you used in the step above and select the Properties tab.
     2. Scroll down and find the Property Definitions row. (This is not the same as selecting the Property Definitions tab of the property sheet.)
     3. Click the down arrow in the Property Value column. The list of all custom properties drops down.
     4. Select the object-valued property you just created. Its property tab will open.
     5. On the Properties tab of the object-valued property, scroll down and find the Property Default Object row, click the down arrow button, and select Paste Object from the dropdown menu. The security parent object name will display in the Property Value field.
     6. Select the class tab again and click Save.

  6. Create a new document using the class we have been using in this procedure. I created a sample document of class "OVP Security Inheritance document class".

  7. Examine the new document's Security tab and confirm that it has inherited ACEs from the security parent object. The inherited ACEs will show a Source type of Inherited. To change the access rights of an inherited ACE, change it on the security parent (the source document); the change is applied automatically to the target document.
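The inheritance behaviour this procedure relies on can be checked with a small model. The following is an added example, not FileNet code or part of the original post: it is a simplified simulation in which the class names, the depth encoding of the Apply to settings, the rule that an "immediate children" ACE stops after one level, and the sample grantees are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# "Apply to" settings from step 2, encoded as a depth (the encoding is this model's choice).
THIS_OBJECT_ONLY, IMMEDIATE_CHILDREN, ALL_CHILDREN = 0, 1, -1

@dataclass(frozen=True)
class ACE:
    grantee: str
    access: str
    depth: int = THIS_OBJECT_ONLY
    source: str = "Direct"

@dataclass
class Obj:
    name: str
    direct: list = field(default_factory=list)
    security_parent: "Obj | None" = None  # value of the OVP with Security Proxy Type = Inherited

def effective_acl(obj):
    """Direct ACEs plus whatever the security parent chain passes down."""
    acl = list(obj.direct)
    if obj.security_parent is not None:
        for ace in effective_acl(obj.security_parent):
            if ace.depth == THIS_OBJECT_ONLY:
                continue  # not inheritable, so it stops at the parent
            left = ALL_CHILDREN if ace.depth == ALL_CHILDREN else ace.depth - 1
            acl.append(ACE(ace.grantee, ace.access, left, "Inherited"))
    return acl

def inherited(obj):
    return [(a.grantee, a.access) for a in effective_acl(obj) if a.source == "Inherited"]

def parents_passing_nothing(objs):
    """Objects that reference a security parent yet inherit no ACE from it."""
    return [o.name for o in objs if o.security_parent and not inherited(o)]

def demo():
    # Constructed sample data: grantee names and access levels are placeholders.
    parent = Obj("security parent", [ACE("Reviewers", "View", IMMEDIATE_CHILDREN),
                                     ACE("Admins", "Full Control", ALL_CHILDREN),
                                     ACE("Author", "Modify", THIS_OBJECT_ONLY)])
    child = Obj("sample document", [ACE("Owner", "Modify")], parent)
    grandchild = Obj("second-level document", [], child)
    orphan = Obj("misconfigured document", [], Obj("bare parent", [ACE("Author", "Modify")]))
    before = inherited(child)
    parent.direct.append(ACE("Auditors", "View", ALL_CHILDREN))  # edit the parent only
    return before, inherited(child), inherited(grandchild), \
        parents_passing_nothing([child, grandchild, orphan])
```

The last value returned by `demo()` is the case step 2 warns about: a document that points at a security parent with no inheritable ACE ends up with nothing inherited, so the Security tab check in step 7 would show no Inherited entries.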

Now wasn't that easy! I hope that clarifies how to set up security inheritance using an object-valued custom property.


UID

ibm11280482