This topic has been locked.
4 replies Latest Post - 2013-02-14T18:17:33Z by JCanipe
Pinned topic Changing Active Directory security groups for an object store
Let's say I have created an object store and assigned specific AD security groups at the admin and user levels. Later on I need to remove those security groups and assign another set of groups to the admin and user levels. What is the industry standard for doing this if: (1) There is no user content or meta-data in the object store; (2) There is user content and meta-data in the object store?
Updated on 2013-02-14T18:17:33Z by JCanipe
RuthHildebrand-Lund (270000E6V819), ACCEPTED ANSWER
Re: Changing Active Directory security groups for an object store
2013-02-13T15:31:37Z in response to JCanipe

The procedure for updating groups assigned as object store administrators is documented here: http://pic.dhe.ibm.com/infocenter/p8docs/v5r1m0/index.jsp?topic=%2Fcom.ibm.p8.security.doc%2Fp8psh002.htm
The procedure covers updating existing content as well as setting the stage for future content.
JCanipe
Re: Changing Active Directory security groups for an object store
2013-02-13T19:14:37Z in response to RuthHildebrand-Lund

Thank you for this information. I do see how you can update the default security group for object stores, child objects... What I am unclear on is: let's say I am using AD group "Group1" for my default Users group. I now store numerous objects using the security object "Group1". Now I want to change my default Users group to "Group2", and all child objects as well. In other words, I want "Group1" to be totally removed from ALL levels and child objects, and everything to only have security object Group2.
SystemAdmin (110000D4XK693), ACCEPTED ANSWER
Re: Changing Active Directory security groups for an object store
2013-02-14T17:47:58Z in response to JCanipe

If you are simply renaming a group, then there is nothing to do. Security within P8 CE is controlled by security IDs (SIDs) rather than group or user names, and a rename doesn't change the SID. On AD this means that the objectSid is used for SIDs by default.
However, if you mean shifting from one group to another (two different SIDs) then things are much more complicated.
The link given earlier mentions the OSecurityUpdate script. That script will update a lot of objects (class defs, folders, subscriptions, etc.) but, unfortunately, would not remove references to "Group1" nor would it add references to your new "Group2" to any existing documents or any (except a select few) custom objects.
You could write a program to visit each object and update its security. Obviously this would be pretty slow if you had millions of objects. Alternatively, you might try to contact IBM's Lab Services and they might be able to do a custom SID replacement, effectively putting the SID for "Group2" in all ACLs that currently reference the SID for "Group1".
There is a way to kind of insulate your objects from this kind of change by using "Dynamic Default Instance Permissions" discussed here...
This technote doesn't get into all of the details, though, of what changes would be needed to class defs, event handlers, subscriptions, choice lists, property templates, security policies, and the other ancillary objects in object stores. For that you would probably need to initially create the object store with #AUTHENTICATED-USERS and then tighten up security using that dynamic technique on the few classes (documents/folders/custom objects) that you really care about.
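As an added example, not code from the thread or from IBM, the following Java program does the "visit each object and update its security" pass described above with the P8 Content Engine Java API: it pages through every Document in an object store and, in each ACL, rewrites the directly applied entries that grant "Group1" so that they grant "Group2" instead. The CE URI, object store name, JAAS stanza and the assumption that grantee names are returned in short-name form are all placeholders for your environment; Folder and CustomObject need the same pass with the class name changed.

```java
// Added example, not from the thread or from IBM: replace every direct ACE that
// names one AD group with the replacement group, across all Document objects
// in an object store, using the P8 Content Engine Java API. CE_URI, OS_NAME,
// the group names and the JAAS stanza are assumed values.
import com.filenet.api.collection.AccessPermissionList;
import com.filenet.api.collection.IndependentObjectSet;
import com.filenet.api.constants.PermissionSource;
import com.filenet.api.constants.RefreshMode;
import com.filenet.api.core.Connection;
import com.filenet.api.core.Document;
import com.filenet.api.core.Domain;
import com.filenet.api.core.Factory;
import com.filenet.api.core.ObjectStore;
import com.filenet.api.core.UpdatingBatch;
import com.filenet.api.query.SearchSQL;
import com.filenet.api.query.SearchScope;
import com.filenet.api.security.AccessPermission;
import com.filenet.api.util.UserContext;

import java.util.Iterator;
import javax.security.auth.Subject;

public class SwapGroupInDocumentAcls {

    static final String CE_URI  = "http://ce-host:9080/wsi/FNCEWS40MTOM/"; // assumed
    static final String OS_NAME = "OS1";        // assumed object store name
    static final String OLD_GRP = "Group1";     // group being retired (per the thread)
    static final String NEW_GRP = "Group2";     // group taking its place
    static final int    PAGE    = 200;          // rows per fetch and objects per batch

    public static void main(String[] args) {
        String user = args[0], password = args[1];
        Connection conn = Factory.Connection.getConnection(CE_URI);
        Subject subject = UserContext.createSubject(conn, user, password, "FileNetP8");
        UserContext.get().pushSubject(subject);
        try {
            Domain domain = Factory.Domain.fetchInstance(conn, null, null);
            ObjectStore os = Factory.ObjectStore.fetchInstance(domain, OS_NAME, null);
            System.out.println("Documents updated: " + swapInDocuments(domain, os));
        } finally {
            UserContext.get().popSubject();
        }
    }

    /** Rewrites direct ACEs granted to OLD_GRP so they name NEW_GRP; true if anything changed. */
    static boolean swapGrantee(AccessPermissionList perms) {
        boolean changed = false;
        for (Iterator it = perms.iterator(); it.hasNext();) {
            AccessPermission ap = (AccessPermission) it.next();
            // Only directly applied ACEs are writable here. Entries inherited from a
            // folder, a security policy/template or the class default are recomputed by
            // the server and must be fixed at their source (the objects OSecurityUpdate
            // covers), so they are left alone.
            if (!PermissionSource.SOURCE_DIRECT.equals(ap.get_PermissionSource())) {
                continue;
            }
            // Grantee names come back in the format your directory configuration uses
            // (short name is assumed here). On save the server resolves NEW_GRP against
            // AD and stores its SID, so the entry survives later group renames.
            if (OLD_GRP.equalsIgnoreCase(ap.get_GranteeName())) {
                ap.set_GranteeName(NEW_GRP);
                changed = true;
            }
        }
        return changed;
    }

    /** Pages through every Document (all versions, subclasses included) and saves changes in batches. */
    static int swapInDocuments(Domain domain, ObjectStore os) {
        SearchSQL sql = new SearchSQL("SELECT Id, Permissions FROM Document");
        IndependentObjectSet rows = new SearchScope(os)
                .fetchObjects(sql, Integer.valueOf(PAGE), null, Boolean.TRUE);

        int updated = 0, inBatch = 0;
        UpdatingBatch batch = UpdatingBatch.createUpdatingBatchInstance(domain, RefreshMode.NO_REFRESH);
        for (Iterator it = rows.iterator(); it.hasNext();) {
            Document doc = (Document) it.next();
            AccessPermissionList perms = doc.get_Permissions();
            if (!swapGrantee(perms)) {
                continue;
            }
            doc.set_Permissions(perms);      // marks the property dirty; ACL changes need no checkout
            batch.add(doc, null);
            updated++;
            if (++inBatch == PAGE) {         // one server round trip per PAGE updated objects
                batch.updateBatch();
                batch = UpdatingBatch.createUpdatingBatchInstance(domain, RefreshMode.NO_REFRESH);
                inBatch = 0;
            }
        }
        if (inBatch > 0) {
            batch.updateBatch();
        }
        return updated;
    }
}
```

Run it as an account that holds Write ACL on the objects (an object store administrator), against a non-production copy first, and follow it with a query for objects still granting "Group1" to confirm nothing was missed. The pass deliberately skips inherited, template and default-instance entries: those are the class definitions, folders and security policies the OSecurityUpdate script handles, and rewriting them per object would only mask the source of the stale grant. This is the slow visit-every-object approach the post describes; on millions of objects it is a long-running job, which is where the Lab Services SID-replacement option becomes attractive.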