IBM Support

What's up with ... permissions for CE classes?

Technical Blog Post


Abstract

What's up with ... permissions for CE classes?

Body

One thing that often confuses people is the difference between Content Engine class and property descriptions and CE class and property definitions.  There is also some confusion about security for classes.  This brief note should clear up the basics for you.  Of course, all of these things are covered in detail in the official product documentation.
 
Description or Definition? 
 
A ClassDescription contains a list of PropertyDescriptions, and a ClassDefinition contains a list of PropertyDefinitions.  At first glance, these things look the same, but they are not.  The descriptions are read-only and contain a subset of the information in definitions.  You could think of the definitions as the more fundamental objects, with descriptions as a read-only "view".  The similarity of the names often makes it hard for people to remember which is which.  You might find it easier if you think about the corresponding verbs:  descriptions are how things are described, and definitions are how you define things.
 
Why have both?  In some contexts, the descriptions are a lighter-weight construct (because there is less data, but mostly because there is no bookkeeping apparatus associated with possible changes).

Class Security 
 
A big difference between the two is that definitions have access control, but descriptions do not.  In security terms, anyone who has access to an ObjectStore has access to all of the ClassDescriptions in that ObjectStore.  Since the descriptions are such a large subset of the information that is in the definitions, you would not be far wrong in thinking that anyone with access to an ObjectStore has read access to all of the ClassDefinitions.  (That's not technically true, but it's functionally pretty close.)  If everyone effectively has read access to the definition objects, why bother to put access control on them?  The main reason is to control who can make changes to metadata.  In other words, we want to control write access, and read access just comes along with it.  It's rarely the case that the information in class and property metadata is so sensitive that you don't want anyone to even see it.
 
Sometimes people restrict read access to certain class definitions because they want to control who can use those classes in various ways.  This does not usually give the desired results and often leads to confusing behavior in applications.  Almost all activity that uses metadata uses the description objects that everyone can read.  For those occasional application behaviors influenced by information in the definition (for example, can the current user instantiate a given class?), the applications usually need at least read access to the definitions anyway.

Bottom Line 
 
You will probably have an easier time of things if you make all of your definitions readable by anyone who has access to the containing ObjectStore.  Use selective access only for permissions related to various kinds of updates.
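As an added illustration (not code from the original post or from IBM), the following sketch against the CE Java API contrasts reading a ClassDescription with reading a ClassDefinition and applies the permission layout recommended above to a definition. The ObjectStore handle, the admin group name and the use of #AUTHENTICATED-USERS as the "everyone" grantee are assumptions.

```java
import com.filenet.api.admin.ClassDefinition;
import com.filenet.api.collection.AccessPermissionList;
import com.filenet.api.constants.AccessRight;
import com.filenet.api.constants.AccessType;
import com.filenet.api.constants.RefreshMode;
import com.filenet.api.core.Factory;
import com.filenet.api.core.ObjectStore;
import com.filenet.api.exception.EngineRuntimeException;
import com.filenet.api.meta.ClassDescription;
import com.filenet.api.security.AccessPermission;

public class ClassMetadataAccess {

    /** Descriptions carry no ACL of their own: any caller with access to the
     *  object store can read them, so this never fails on class security. */
    static int countPropertyDescriptions(ObjectStore os, String className) {
        ClassDescription cd = Factory.ClassDescription.fetchInstance(os, className, null);
        return cd.get_PropertyDescriptions().size();
    }

    /** Definitions do carry an ACL; a caller without READ on the definition
     *  gets an EngineRuntimeException (access denied) from the fetch. */
    static boolean canReadDefinition(ObjectStore os, String className) {
        try {
            Factory.ClassDefinition.fetchInstance(os, className, null);
            return true;
        } catch (EngineRuntimeException e) {
            return false;
        }
    }

    /** Recommended layout: everyone can read the definition, only the admin
     *  group (assumed name) can change it. Replaces the definition's ACL. */
    static void applyRecommendedAcl(ObjectStore os, String className, String adminGroup) {
        ClassDefinition def = Factory.ClassDefinition.fetchInstance(os, className, null);
        AccessPermissionList acl = Factory.AccessPermission.createList();

        AccessPermission readAll = Factory.AccessPermission.createInstance();
        readAll.set_GranteeName("#AUTHENTICATED-USERS");   // assumed "everyone" grantee
        readAll.set_AccessType(AccessType.ALLOW);
        readAll.set_AccessMask(AccessRight.READ.getValue());
        readAll.set_InheritableDepth(0);                    // this object only
        acl.add(readAll);

        AccessPermission adminWrite = Factory.AccessPermission.createInstance();
        adminWrite.set_GranteeName(adminGroup);
        adminWrite.set_AccessType(AccessType.ALLOW);
        adminWrite.set_AccessMask(AccessRight.READ.getValue() | AccessRight.WRITE.getValue()
                | AccessRight.WRITE_ACL.getValue() | AccessRight.WRITE_OWNER.getValue()
                | AccessRight.DELETE.getValue());
        adminWrite.set_InheritableDepth(0);
        acl.add(adminWrite);

        def.set_Permissions(acl);
        def.save(RefreshMode.REFRESH);
    }
}
```

Because applyRecommendedAcl replaces the whole ACL, run it from an account that keeps WRITE_ACL on the definition, otherwise the save locks the caller out of further changes.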
 


UID

ibm11281856