Topic
  • 4 replies
  • Latest Post - 2013-02-14T18:17:33Z by JCanipe
JCanipe
31 Posts

Pinned topic Changing Active Directory security groups for an object store

2013-02-13T15:03:25Z
Let's say I have created an object store and assigned specific AD security groups at the admin and user levels. Later on I need to remove those security groups and assign another set of groups to the admin and user levels. What is the industry standard for doing this if: (1) There is no user content or meta-data in the object store; (2) There is user content and meta-data in the object store?
Updated on 2013-02-14T18:17:33Z at 2013-02-14T18:17:33Z by JCanipe
  • RuthHildebrand-Lund
    19 Posts

    Re: Changing Active Directory security groups for an object store

    2013-02-13T15:31:37Z
    The procedure for updating groups assigned as object store administrators is documented here: http://pic.dhe.ibm.com/infocenter/p8docs/v5r1m0/index.jsp?topic=%2Fcom.ibm.p8.security.doc%2Fp8psh002.htm

    The procedure covers updating existing content as well as setting the stage for future content.
  • JCanipe
    31 Posts

    Re: Changing Active Directory security groups for an object store

    2013-02-13T19:14:37Z
    Thank you for this information. I do see how you can update the default security group for object stores, child objects... What I am unclear on is: Let's say I am using AD group "Group1" for my default Users group. I now store numerous objects using the security object "Group1". Now I want to change my default Users group to "Group2" and all child objects as well. In other words, I want "Group1" to be totally removed from ALL levels and child objects, and everything to only have security object Group2.
  • SystemAdmin
    693 Posts

    Re: Changing Active Directory security groups for an object store

    2013-02-14T17:47:58Z
    If you are simply renaming a group, then there is nothing to do. Security within P8 CE is controlled by security IDs (SIDs) rather than group or user names and a rename doesn't change the SID. On AD this means that the objectSid is used for SIDs by default.

    However, if you mean shifting from one group to another (two different SIDs) then things are much more complicated.

    The link given earlier mentions the OSecurityUpdate script. That script will update a lot of objects (class defs, folders, subscriptions, etc.) but, unfortunately, would not remove references to "Group1" nor would it add references to your new "Group2" to any existing documents or any (except a select few) custom objects.

    You could write a program to visit each object and update its security. Obviously this would be pretty slow if you had millions of objects. Alternatively, you might try to contact IBM's Lab Services and they might be able to do a custom SID replacement, effectively putting the SID for "Group2" in all ACLs that currently reference the SID for "Group1".

    There is a way to kind of insulate your objects from this kind of change by using "Dynamic Default Instance Permissions" discussed here...

    http://www-01.ibm.com/support/docview.wss?uid=swg21425080

    This technote doesn't get into all of the details, though, of what changes would be needed to class defs, event handlers, subscriptions, choice lists, property templates, security policies, and the other ancillary objects in object stores. For that you would probably need to initially create the object store with #AUTHENTICATED-USERS and then tighten up security using that dynamic technique on the few classes (documents/folders/custom objects) that you really care about.

    Regards,
    --Rick
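    As an added example, not from this thread and not IBM's own tooling, here is the kind of "program to visit each object and update its security" that Rick describes, written against the Content Engine Java API. It walks every Document version, Folder and CustomObject in one object store (the classes OSecurityUpdate leaves alone) and, for each directly applied ACE granted to Group1, adds an identical ACE for Group2 and removes the Group1 entry. The CE endpoint, the object store name "OS1", the JAAS stanza "FileNetP8", and the grantee spellings "Group1@example.com" / "Group2@example.com" are assumptions; how the CE spells a grantee name depends on your directory configuration, so read get_GranteeName() off one known object before relying on the constants.

```java
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import javax.security.auth.Subject;

import com.filenet.api.collection.AccessPermissionList;
import com.filenet.api.collection.IndependentObjectSet;
import com.filenet.api.constants.PermissionSource;
import com.filenet.api.constants.RefreshMode;
import com.filenet.api.core.Connection;
import com.filenet.api.core.Containable;
import com.filenet.api.core.Domain;
import com.filenet.api.core.Factory;
import com.filenet.api.core.ObjectStore;
import com.filenet.api.query.SearchSQL;
import com.filenet.api.query.SearchScope;
import com.filenet.api.security.AccessPermission;
import com.filenet.api.util.UserContext;

/**
 * Rewrites every directly applied ACE for OLD_GROUP as the same ACE for NEW_GROUP
 * on all Document versions, Folders and CustomObjects in one object store.
 * ACEs that arrive by inheritance from a parent or from a security policy
 * template are read-only on the child; they are only counted and must be
 * swapped at their source (the folder or the security policy).
 */
public class SwapGranteeGroup {
    // Assumed values for this example: endpoint, object store symbolic name,
    // JAAS stanza, and grantee names as the CE resolves them from the AD objectSid.
    static final String CE_URI = "http://ce.example.com:9080/wsi/FNCEWS40MTOM/";
    static final String OS_NAME = "OS1";
    static final String JAAS_STANZA = "FileNetP8";
    static final String OLD_GROUP = "Group1@example.com";
    static final String NEW_GROUP = "Group2@example.com";
    // A Document query returns every version, and each version carries its own ACL.
    static final String[] CLASSES = {"Document", "Folder", "CustomObject"};

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: SwapGranteeGroup <object-store-admin-user> <password>");
            System.exit(2);
        }
        Connection conn = Factory.Connection.getConnection(CE_URI);
        Subject subject = UserContext.createSubject(conn, args[0], args[1], JAAS_STANZA);
        UserContext.get().pushSubject(subject);
        try {
            Domain domain = Factory.Domain.fetchInstance(conn, null, null);
            ObjectStore os = Factory.ObjectStore.fetchInstance(domain, OS_NAME, null);
            for (String cls : CLASSES) {
                swapOnClass(os, cls);
            }
        } finally {
            UserContext.get().popSubject();
        }
    }

    static void swapOnClass(ObjectStore os, String className) {
        // Continuable query, 500 rows per round trip, so a large store is paged
        // through rather than loaded into memory at once.
        SearchSQL sql = new SearchSQL("SELECT Id, Permissions FROM " + className);
        IndependentObjectSet rows = new SearchScope(os).fetchObjects(sql, 500, null, Boolean.TRUE);
        int updated = 0, inherited = 0;
        for (Iterator<?> it = rows.iterator(); it.hasNext();) {
            Containable obj = (Containable) it.next();
            AccessPermissionList perms = obj.get_Permissions();
            List<AccessPermission> toRemove = new ArrayList<AccessPermission>();
            List<AccessPermission> toAdd = new ArrayList<AccessPermission>();
            for (Iterator<?> a = perms.iterator(); a.hasNext();) {
                AccessPermission ace = (AccessPermission) a.next();
                if (!OLD_GROUP.equalsIgnoreCase(ace.get_GranteeName())) {
                    continue;
                }
                PermissionSource src = ace.get_PermissionSource();
                if (PermissionSource.SOURCE_PARENT.equals(src)
                        || PermissionSource.SOURCE_TEMPLATE.equals(src)) {
                    inherited++; // not editable here; change the parent or the policy
                    continue;
                }
                // Same rights, same allow/deny, same inheritable depth; only the grantee changes.
                AccessPermission copy = Factory.AccessPermission.createInstance();
                copy.set_GranteeName(NEW_GROUP);
                copy.set_AccessType(ace.get_AccessType());
                copy.set_AccessMask(ace.get_AccessMask());
                copy.set_InheritableDepth(ace.get_InheritableDepth());
                toAdd.add(copy);
                toRemove.add(ace);
            }
            if (!toAdd.isEmpty()) {
                perms.removeAll(toRemove);
                perms.addAll(toAdd);
                obj.set_Permissions(perms);
                obj.save(RefreshMode.NO_REFRESH);
                updated++;
            }
        }
        System.out.println(className + ": rewrote ACLs on " + updated
                + " objects, left " + inherited + " inherited/template ACEs for their source");
    }
}
```

    Run it as an object store administrator against a copy of the store first, and expect it to be slow on millions of objects, as Rick says; wrapping the saves in an UpdatingBatch cuts round trips if that matters. Two caveats follow from the thread: the swap is only done for directly applied ACEs, so inherited entries still change only when the folder or security policy they come from is updated (which is what OSecurityUpdate handles for folders); and if Group1 has already been deleted from AD the CE can no longer resolve its SID to a display name, so compare against whatever get_GranteeName() actually returns for such an ACE rather than the old name.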
  • JCanipe
    31 Posts

    Re: Changing Active Directory security groups for an object store

    2013-02-14T18:17:33Z
    Thank you for these answers. The final response was the confirmation I needed on understanding of changing security groups and existing objects.