Security inheritance is one of the powerful features of the FileNet® P8 security design.
Security inheritance refers to the passing of permissions from a parent object to a child object. For instance, a folder can be the parent of a subfolder or a document, and a document can be the parent of an annotation. The child object can inherit the security permissions of its parent object. Because of inheritance, the security administrator can apply security updates to many objects in one operation by setting the permissions at the parent level, which the children then inherit at various, configurable depths.
Each ACE has an inheritable depth setting that takes effect when the ACE is configured to be inherited by a child object. The inheritable depths are:
The Administration Console for Content Platform Engine security editor lets you set inheritable depth. See Configure inheritable depth for more information.
You can configure the relationship between a parent and child object in several ways.
For configuring inheritance on documents and custom objects, see Configure a document's security parent and Configure a folder to be a security parent.
Folders have an Inherit parent permissions property on the General tab of their property sheets in Administration Console for Content Platform Engine. This check box governs inheritance between folders. When you select it, the folder inherits permissions from its parent folder if the parent folder has inheritable permissions. Changing the property from True to False removes any ACEs that were formerly inherited from the parent folder.
During subclassing, the child class receives the ACEs of its parent as described in the following table. Notice that Default permissions with an inheritable depth of This object only are not inherited by the child; rather, they are copied without change and are therefore modifiable on the child object.
If the ACE on the parent class is marked... | ...then the same ACE on the subclass will be marked... | Inheritance or copy? |
---|---|---|
Source = Default; Inheritable depth = This object only | Source = Default; Inheritable depth = This object only | Copy |
Source = Direct; Inheritable depth = This object and immediate children | Source = Inherited; Inheritable depth = This object only | Inheritance |
Source = Direct or Inherited; Inheritable depth = This object and all children | Source = Inherited; Inheritable depth = This object and all children | Inheritance |
Source = Inherited; Inheritable depth = This object only | Does not appear. Inheritance is stopped by the inheritable depth. | Not applicable |
Source = Direct or Inherited; Inheritable depth = All children but not this object | Source = Inherited; Inheritable depth = This object and all children | Inherited |
Source = Direct; Inheritable depth = Immediate children only, but not this object | Source = Inherited; Inheritable depth = This object only | Inherited |
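The subclassing rules in the table above, worked through as an added example (this is a small model written for this page, not the FileNet P8 API or IBM's code): each row becomes one branch of `derive_subclass_aces`, a constructed root class carries one ACE per depth value, and two subclass levels show where "immediate children" stops while "all children" continues. The grantee names and rights strings are constructed sample data.

```python
from dataclasses import dataclass, replace
from enum import Enum

class Depth(Enum):  # inheritable depth values as named in the tables above
    THIS_OBJECT_ONLY = "This object only"
    THIS_AND_IMMEDIATE = "This object and immediate children"
    THIS_AND_ALL = "This object and all children"
    ALL_CHILDREN_NOT_THIS = "All children but not this object"
    IMMEDIATE_ONLY_NOT_THIS = "Immediate children only, but not this object"

@dataclass(frozen=True)
class Ace:
    grantee: str
    rights: str
    source: str  # "Default", "Direct" or "Inherited"
    depth: Depth

# Depth the subclass receives for each parent depth (table rows 2, 3, 5 and 6).
_CHILD_DEPTH = {
    Depth.THIS_AND_IMMEDIATE: Depth.THIS_OBJECT_ONLY,
    Depth.THIS_AND_ALL: Depth.THIS_AND_ALL,
    Depth.ALL_CHILDREN_NOT_THIS: Depth.THIS_AND_ALL,
    Depth.IMMEDIATE_ONLY_NOT_THIS: Depth.THIS_OBJECT_ONLY,
}

def derive_subclass_aces(parent_aces):
    # ACEs a subclass receives from its parent class, following the table above.
    child = []
    for ace in parent_aces:
        if ace.source == "Default" and ace.depth is Depth.THIS_OBJECT_ONLY:
            child.append(replace(ace))  # row 1: copied unchanged, so still modifiable
        elif ace.depth in _CHILD_DEPTH:
            child.append(replace(ace, source="Inherited", depth=_CHILD_DEPTH[ace.depth]))
        # else: "This object only" stops inheritance (row 4); the table lists no Direct +
        # "This object only" ACE, and this model stops that case too (assumption).
    return child

def effective_rights(aces):
    # Grantee -> rights in force on the object itself; "not this object" depths reach children only.
    return {a.grantee: a.rights for a in aces
            if a.depth not in (Depth.ALL_CHILDREN_NOT_THIS, Depth.IMMEDIATE_ONLY_NOT_THIS)}

# Constructed sample: one ACE per depth value on a root class, then two subclass levels.
ROOT_ACES = [
    Ace("Admins", "Full Control", "Default", Depth.THIS_OBJECT_ONLY),
    Ace("Authors", "Modify", "Direct", Depth.THIS_AND_IMMEDIATE),
    Ace("Readers", "View", "Direct", Depth.THIS_AND_ALL),
    Ace("Auditors", "View", "Direct", Depth.ALL_CHILDREN_NOT_THIS),
    Ace("Reviewers", "View", "Direct", Depth.IMMEDIATE_ONLY_NOT_THIS),
]
SUBCLASS_ACES = derive_subclass_aces(ROOT_ACES)
SUBSUBCLASS_ACES = derive_subclass_aces(SUBCLASS_ACES)
```

Note that Auditors and Reviewers have no rights on the root class itself but do on the first subclass, which is the check to run when an ACE with a "not this object" depth looks like it grants nothing.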
Object | Initial security comes from... | Inherits additional security from... | Its security can be inherited by... |
---|---|---|---|
Folder | The DefaultInstancePermissions of its class, or directly set when creating. Security policy, if configured. | Its parent folder (the folder immediately above), if the Inherit parent permissions check box is selected on the child folder. Custom object-valued properties with Security Proxy Type set. | Child folders, if Inherit parent permissions is enabled on those child folders, and if there are inheritable ACEs. Documents or custom objects that consider the folder their security folder, if the folder has inheritable ACEs. Other objects (document, custom object, folder) through a Security Proxy Type property, with the folder acting as security parent. |
Document | The DefaultInstancePermissions of its class, or directly set when creating. Security policy, if configured. | Security folder, if configured using Security Parent or Security Folder properties. Custom object-valued properties with Security Proxy Type set to Inheritance. See Configure security inheritance. | Any annotations assigned to the document version, if the document has inheritable ACEs. Other objects (document, custom object, folder) through Security Proxy, with the document acting as security parent. |
Custom object | The DefaultInstancePermissions of its class, or directly set when creating. Security policy, if configured. | Same as Document. | Other objects (document, custom object, folder) through Security Proxy, with the custom object acting as security parent. |
Annotation | The DefaultInstancePermissions of its class, or directly set when creating. | Document, Folder, Custom Object. | None. |
Other Classes | Its parent class. | Any additional parent classes up to the top of the class hierarchy. | Child classes, if there are inheritable ACEs. |