FileNet P8 Platform, Version 5.2

Understanding security inheritance

Security inheritance is one of the powerful features of the FileNet® P8 security design.

Security inheritance refers to the passing of permissions from a parent object to a child object. For instance, a folder could be the parent of a subfolder or a document; a document could be the parent of an annotation. The child object can inherit the security permissions from its parent object. Because of inheritance, the security administrator can apply security updates to many objects in one operation by setting the permissions at the parent level which can then be inherited by the children at various, configurable levels.

Some important characteristics of inherited permissions are:

Inherited permissions have a source type of Inherited. For more information on the different source types, see About access rights.
You cannot modify inherited permissions on a child object. You must modify the permissions on the parent object. Inherited permissions are displayed as disabled in security interfaces like Administration Console for Content Platform Engine's security editor. Modifications made on the parent object will be automatically applied to the inherited permissions on the child objects after the next metadata refresh.
When you delete a parent, the parent's permissions that were previously inherited will also be deleted from the child objects.
When you change the inheritable permissions on a parent object, the change applies to all versions of a security child that is inheriting those permissions.
Inherited permissions are a lower precedence than other sources (default, direct, or template) and so can be overridden by them. This is an issue only when using deny permissions, since using only allow permissions causes them all to be combined, no matter what their source.
Security children can have multiple parents, and parents can themselves have parents. The effect of more than one parent is to combine all their permissions into a set of inherited denies and a set of inherited allows (the denies take precedence).
Normally, inherited access rights also apply to the parent object itself, for example when you use This object and all children. However, to apply inherited access rights only to children and not to the parent, use All children, but not this object or Immediate children, but not this object. This is particularly useful for access rights like Delete, where you want to allow the children to be deleted, but not the parent.
For more information, see Configure a folder's security inheritance and the Configure security inheritance.
To enable inheritance on folders, set Inherit parent permissions to True, on the folder's General tab.

Inheritable depth (Apply to)

Each ACE has an inheritable depth setting that is invoked if the ACE is configured to be inherited by a child object. The inheritable depths are:

This object only: This ACE would not be inherited even if it were configured for inheritance.
This object and immediate children: This ACE applies to the object and would be inherited by the parent object's children, but not by the child object's children. After inheritance takes place, the child ACE will have an inheritable depth of This object only.
This object and all children: This ACE applies to the object and would be inherited by every generation of the parent object's child objects. After inheritance takes place, the child object's ACE will have an inheritable depth of This object and all children.
All children, but not this object: This ACE would be inherited by every generation of the parent object's child objects, but does not affect the parent object itself.
Immediate children, but not this object: This ACE would be inherited only by the parent object's immediate children, but not by further generations, and does not affect the parent object itself.

The Administration Console for Content Platform Engine security editor lets you set inheritable depth. See Configure inheritable depth for more information.

Important: The setting for inheritable depth does not apply to situations where the ACE is being applied in non-inheritance conditions. For example, an ACE on a Default Instance Security ACL of a class will be applied to an instance of that class, even if the ACE has an inheritable depth of This object only, because the application of security from a Default Instance ACL is considered default security and not inherited security.

Security Folder, Security Proxy Type

You can configure the relationship between a parent and child object in several ways.

Security Folder: A Security Folder is a folder from which an object inherits security, but there is no requirement that its security children be filed in the folder. You can see the Security Folder property on all documents and custom objects: in Administration Console for Content Platform Engine, select the document or custom object, select Properties, then scroll down the list of properties.
Security Proxy Type: Content Platform Engine provides extensible security parent relationships by means of the Security Proxy Type property placed on the metadata of custom object-valued properties. This property would be added to a security child's class and the values set into it establish that child's security parent. You can add this property to any class of objects as required by your security design. An object can have many such Security Proxy Type properties, that is, many security parents with the inherited ACEs from each being merged together and contributing with equal priority to the access check that produces the final security mask.; You can apply the Security Proxy Type property to objects other than folders. For example, you could add a Security Proxy Type = Inherited property to the class of a document and then later set that property in the document (the security child) to a custom object (the security parent). You can see the Security Proxy property on all objects: in Administration Console for Content Platform Engine, select the object, then click the Properties tab and scroll down the list of properties.; If a security proxy object is marked for deletion (which places it in the Recovery Bin), the server continues to allow for the security proxy's permissions to be inherited by the child object. For example, if DocA is a security proxy for DocB and DocA is marked for deletion, then DocB continues to inherit its security from DocA, even though DocA cannot be queried or retrieved by users with typical access rights. Only users with the VIEW_RECOVERABLE_OBJECTS permission on the object store can access DocA. Although objects marked for deletion are not viewable by most users, the objects exist in the object store database, and they are potentially recoverable. Therefore, the server maintains the inherited security from security proxy objects that are recoverable. This behavior can result in an inheriting object granting more permissions than would be expected from inspection by someone without VIEW_RECOVERABLE_OBJECTS permission, potentially causing confusion, or, in unusual circumstances, being counter to the intention of marking the proxy object for deletion. To avoid these potential issues, it is recommended that objects whose primary purpose is to act as a security proxy not be marked for deletion. If the intent is to terminate the proxy relationship, a delete should be used instead.

Configuring inheritance

For configuring inheritance on documents and custom objects, see Configure a document's security parent and Configure a folder to be a security parent.

Folders have an Inherit parent permissions property on the General tab of their property sheets in Administration Console for Content Platform Engine. This check box governs inheritance between folders. When you select it, the folder will inherit permissions from its parent folder if the parent folder has inheritable permissions. Changing the property from True to False removes any ACEs that were formerly inherited from the parent folder.

Subclassed permissions are copied, not inherited: When you make a new subclass from a class definition, some permissions are passed from the parent class definition to the new child class definition in a manner that is not inheritance. When you make a new subclass, those permissions of the originating class definition that have a Source type of Default or Direct and are of inheritable depth This object only are exactly copied to the new subclass with a source of Default and no change in inheritable depth.
During subclassing, the child class receives the ACEs of its parent as described in the following table. Notice that Default permissions with inheritable depth of This object only are not inherited by the child; rather they are copied without change and are therefore modifiable on the child object.

Table that maps how a child class receives the ACE of its parent and whether it is copied or inherited.

If the ACE on the parent class is marked...	...then the same ACE on the subclass will be marked...	Inheritance or copy?
Source = Default Inheritable depth = `This object only`	Source = Default Inheritable depth = `This object only`	Copy
Source = Direct Inheritable depth = `This object and immediate children`	Source = Inherited Inheritable depth = `This object only`	Inheritance
Source = Direct or Inherited Inheritable depth = `This object and all children`	Source = Inherited Inheritable depth = `This object and all children`	Inheritance
Source = Inherited Inheritable depth = `This object only`	Does not appear. Inheritance is stopped by the inheritable depth.	Not applicable
Source = Direct or Inherited Inheritable depth = `All children but not this object`	Source = Inherited Inheritable depth = `This object and all children`	Inherited
Source = Direct Inheritable depth = `Immediate children only, but not this object`	Source = Inherited Inheritable depth = `This object only`	Inherited

If the ACE on the parent class is marked...

...then the same ACE on the subclass will be marked...

Inheritance or copy?

Source = Default

Inheritable depth = This object only

Source = Default

Inheritable depth = This object only

Copy

Source = Direct

Inheritable depth = This object and immediate children

Source = Inherited

Inheritable depth = This object only

Inheritance

Source = Direct or Inherited

Inheritable depth = This object and all children

Source = Inherited

Inheritable depth = This object and all children

Inheritance

Source = Inherited

Inheritable depth = This object only

Does not appear. Inheritance is stopped by the inheritable depth.

Not applicable

Source = Direct or Inherited

Inheritable depth = All children but not this object

Source = Inherited

Inheritable depth = This object and all children

Inherited

Source = Direct

Inheritable depth = Immediate children only, but not this object

Source = Inherited

Inheritable depth = This object only

Inherited

Summary of security sources: The following table summarizes how objects receive initial security. Security inheritance takes place only if the source class or object has inheritable permissions:

Object	Initial security comes from...	Inherits additional security from...	Its security can be inherited by...
Folder	The DefaultInstancePermissions of its class, or directly set when creating. Security policy, if configured.	Its parent folder (the folder immediately above), if the Inherit parent permissions check box is selected on the child folder. Custom object-valued properties with Security Proxy Type set.	Child folders, if Inherit parent permissions is enabled on those child folders, and if there are inheritable ACEs. Documents or custom objects that consider the folder its security folder, if the folder has inheritable ACEs. By other objects (document, custom object, folder) through a Security Proxy Type property and acting as security parent.
Document	The DefaultInstancePermissions of its class, or directly set when creating. Security policy, if configured.	Security folder, if configured using Security Parent or Security Folder properties. Custom object-valued properties with Security Proxy Type set to Inheritance. See Configure security inheritance.	Any annotations assigned to the document version, if the document has inheritable ACEs. By other objects (document, custom object, folder) through Security Proxy and acting as security parent.
Custom object	The DefaultInstancePermissions of its class, or directly set when creating. Security policy, if configured.	Same as Document.	By other objects (document, custom object, folder) through Security Proxy and acting as security parent.
Annotation	The DefaultInstancePermissions of its class, or directly set when creating.	Document, Folder, Custom Object.	None.
Other Classes	Its parent class.	Any additional parent classes up to the top of the class hierarchy.	Child classes, if there are inheritable ACEs.