Pinned topic Changing Active Directory security groups for an object store
This question has been answered.
Let's say I have created an object store and assigned specific AD security groups at the admin and user levels. Later on I need to remove those security groups and assign another set of groups to the admin and user levels. What is the industry standard for doing this if: (1) There is no user content or meta-data in the object store; (2) There is user content and meta-data in the object store?
Updated on 2013-02-14T18:17:33Z by JCanipe
RuthHildebrand-Lund (270000E6V8), 19 Posts
Re: Changing Active Directory security groups for an object store 2013-02-13T15:31:37Z
This is the accepted answer.
The procedure for updating groups assigned as object store administrators is documented here: http://pic.dhe.ibm.com/infocenter/p8docs/v5r1m0/index.jsp?topic=%2Fcom.ibm.p8.security.doc%2Fp8psh002.htm
The procedure covers updating existing content as well as setting the stage for future content.
Re: Changing Active Directory security groups for an object store 2013-02-13T19:14:37Z
- RuthHildebrand-Lund 270000E6V8
SystemAdmin (110000D4XK), 693 Posts
Re: Changing Active Directory security groups for an object store 2013-02-14T17:47:58Z
- JCanipe 060000CWUM
However, if you mean shifting from one group to another (two different SIDs) then things are much more complicated.
The link given earlier mentions the OSecurityUpdate script. That script will update a lot of objects (class defs, folders, subscriptions, etc.) but, unfortunately, would not remove references to "Group1" nor would it add references to your new "Group2" to any existing documents or any (except a select few) custom objects.
You could write a program to visit each object and update its security. Obviously this would be pretty slow if you had millions of objects. Alternatively, you might try to contact IBM's Lab Services and they might be able to do a custom SID replacement, effectively putting the SID for "Group2" in all ACLs that currently reference the SID for "Group1".
There is a way to kind of insulate your objects from this kind of change by using "Dynamic Default Instance Permissions" discussed here...
This technote doesn't get into all of the details, though, of what changes would be needed to class defs, event handlers, subscriptions, choice lists, property templates, security policies, and the other ancillary objects in object stores. For that you would probably need to initially create the object store with #AUTHENTICATED-USERS and then tighten up security using that dynamic technique on the few classes (documents/folders/custom objects) that you really care about.
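The "visit each object and swap the SID" program sketched above, as an added example that is not part of the thread or of any IBM tool. It is a plain-Python model of an object store's per-object ACLs, not the Content Engine API: the SIDs, the mask bits and the objects are all constructed placeholders, and the direct/inherited distinction on each entry is an assumption about how a reader would map it onto P8's own permission sources. It shows the two things a naive loop gets wrong: inherited entries must be left alone (they are fixed on the parent that owns them), and if "Group2" already has an entry on an object the masks are merged rather than producing a duplicate grantee. It also supports a dry run, which is what you would do first on millions of objects.

```python
"""Bulk replacement of one group SID by another in per-object ACLs (model, not the FileNet API)."""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# Constructed access-mask bits for this model (not P8's real access-right values).
READ, WRITE, DELETE = 0x1, 0x2, 0x4
FULL = READ | WRITE | DELETE

DIRECT = "direct"        # entry applied to the object itself
INHERITED = "inherited"  # entry flowed down from a parent; the parent owns it

# Constructed placeholder SIDs standing in for "Group1", "Group2" and a broad principal.
GROUP1 = "S-1-5-21-1111-2222-3333-1001"
GROUP2 = "S-1-5-21-1111-2222-3333-1002"
EVERYONE = "S-1-1-0"


@dataclass(frozen=True)
class Ace:
    sid: str
    access_mask: int
    access_type: str        # "ALLOW" or "DENY"
    inheritable_depth: int  # 0 = this object only, -1 = all descendants
    source: str = DIRECT


@dataclass
class StoredObject:
    object_id: str
    kind: str               # Document, Folder, CustomObject, ...
    acl: List[Ace]


def replace_sid_in_acl(acl: List[Ace], old_sid: str, new_sid: str) -> Tuple[List[Ace], bool, int]:
    """Return (new_acl, changed, inherited_refs_left).

    Only directly applied entries are rewritten. Inherited ones are counted and kept
    as-is, since editing them here would be undone when inheritance is recomputed.
    If new_sid already has a direct entry of the same type and depth, masks are OR'd
    into that entry instead of adding a second one for the same grantee.
    """
    new_acl: List[Ace] = []
    slot: Dict[Tuple[str, int], int] = {}  # (access_type, depth) -> index of new_sid entry
    changed, inherited_refs = False, 0
    for ace in acl:
        if ace.source != DIRECT:
            if ace.sid == old_sid:
                inherited_refs += 1
            new_acl.append(ace)
            continue
        if ace.sid == old_sid:
            ace = replace(ace, sid=new_sid)
            changed = True
        if ace.sid == new_sid:
            key = (ace.access_type, ace.inheritable_depth)
            if key in slot:
                kept = new_acl[slot[key]]
                new_acl[slot[key]] = replace(kept, access_mask=kept.access_mask | ace.access_mask)
                changed = True
                continue
            slot[key] = len(new_acl)
        new_acl.append(ace)
    return new_acl, changed, inherited_refs


def migrate_object_store(objects: List[StoredObject], old_sid: str, new_sid: str,
                         dry_run: bool = False) -> dict:
    """Visit every object; rewrite its ACL unless dry_run. Returns a summary for review."""
    summary = {"visited": 0, "updated": 0, "inherited_refs_left": 0, "updated_ids": []}
    for obj in objects:
        summary["visited"] += 1
        new_acl, changed, inherited = replace_sid_in_acl(obj.acl, old_sid, new_sid)
        summary["inherited_refs_left"] += inherited
        if changed:
            summary["updated"] += 1
            summary["updated_ids"].append(obj.object_id)
            if not dry_run:
                obj.acl = new_acl  # in a real store this is where the object is saved
    return summary


def sample_store() -> List[StoredObject]:
    """Constructed objects covering the cases the loop must handle."""
    return [
        StoredObject("doc-1", "Document", [Ace(GROUP1, FULL, "ALLOW", 0), Ace(EVERYONE, READ, "ALLOW", 0)]),
        StoredObject("doc-2", "Document", [Ace(GROUP1, WRITE, "ALLOW", 0), Ace(GROUP2, READ, "ALLOW", 0)]),
        StoredObject("folder-1", "Folder", [Ace(GROUP1, FULL, "ALLOW", -1)]),
        StoredObject("doc-3", "Document", [Ace(GROUP1, FULL, "ALLOW", 0, INHERITED),
                                           Ace(GROUP1, DELETE, "DENY", 0)]),
        StoredObject("custom-1", "CustomObject", [Ace(EVERYONE, READ, "ALLOW", 0)]),
    ]


if __name__ == "__main__":
    store = sample_store()
    print("dry run:", migrate_object_store(store, GROUP1, GROUP2, dry_run=True))
    print("applied:", migrate_object_store(store, GROUP1, GROUP2))
```

Running it twice is a useful check: the second pass reports zero updates, so a migration interrupted halfway can simply be restarted. The `inherited_refs_left` count tells you which objects still see "Group1" only through a parent; those clear up once the owning folder or security policy is rewritten, not by touching the child.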
Re: Changing Active Directory security groups for an object store 2013-02-14T18:17:33Z
- SystemAdmin 110000D4XK