Security on IBM Content Manager Enterprise Edition servers
(V3.0.10 and later. Microsoft Office Online is renamed to Microsoft Office for the web.) When you configure IBM Content Manager repositories in IBM Content Navigator, the administration tool updates the data model on the repository. The data model includes item types, access control lists (ACLs), and privilege sets that are used to control security for searches, browsing, entry templates, Office Online templates, Office Online drafts, and teamspaces.
By default, IBM Content Navigator defines three types of users for searches, Office Online templates, and entry templates: creators, editors and users. You can use the IBM Content Navigator administration tool to assign users to these roles with the default security. However, if the default security does not meet your needs, you can use the IBM Content Manager system administration client to customize your security.
IBM Content Navigator also defines three types of users for IBM Content Navigator drafts: creators, editors, and users. However, anyone who needs to collaboratively edit IBM Content Navigator documents must be a creator. You can use the IBM Content Navigator administration tool to assign users to these roles with the default security. However, if the default security does not meet your needs, you can use the IBM Content Manager system administration client to customize your security.
For information about changes to your data model to support teamspaces, see Teamspaces on IBM Content Manager Enterprise Edition servers.
If you upgrade IBM Content Navigator, you must reconnect to all of your configured IBM Content Manager repositories as the library server administrator to ensure that any changes to the data model are picked up.
Changes to your IBM Content Manager data model for browse
When you add an IBM Content Manager repository in the IBM Content Navigator administration tool, IBM Content Navigator adds the RootFolderACL to your data model to support browsing the repository.
To enable users to browse the repository, you must use the IBM Content Manager system administration client to add users and groups to the RootFolderACL.
Changes to your IBM Content Manager data model for searches
- ICMSearch item type
- clbSearchACL ACL
- clbOwnerPrivs, clbEdit, and clbReadOnly privilege sets
You can use the IBM Content Navigator administration tool to add users and groups to the clbSearchACL with the appropriate privilege sets. For more information, see Security settings for searches on IBM Content Manager.
Changes to your IBM Content Manager data model for entry templates
- ICMEntryTemplate item type
- clbEntryTemplateACL ACL
- clbOwnerPrivs, clbEdit, and clbReadOnly privilege sets
The ICMEntryTemplate item type and clbEntryTemplateACL ACL items are added only if you enable entry template management.
You can use the IBM Content Navigator administration tool to add users and groups to the clbEntryTemplateACL with the appropriate privilege sets. For more information, see Security settings for entry templates on IBM Content Manager.
Changes to your IBM Content Manager data model for Office Online
- clbOfficeTemplate item type
- clbOfficeTemplateACL ACL
- clbOwnerPrivs, clbEdit, and clbReadOnly privilege sets
The clbOfficeTemplate item type and clbOfficeTemplateACL ACL items are added only if you enable Office Online Server integration.
You can use the IBM Content Navigator administration tool to add users and groups to the clbOfficeTemplateACL with the appropriate privilege sets. For more information, see Security settings for Office Online integration on IBM Content Manager.
- ICMDraft item type
- ClbDocumentACL ACL
- clbOwnerPrivs, clbEdit, and clbReadOnly privilege sets
Updating the privilege sets on your IBM Content Manager system
On an IBM Content Manager system, each user is assigned to a user privilege set. When you use the IBM Content Navigator administration tool to assign users to the default search and entry template roles, the users are assigned a privilege set that includes the privileges they need to complete the tasks that are associated with their role. For example, a search creator is assigned to the clbOwnerPrivs privilege set.
- Search for users and groups
- Generate a privilege set
- Generate a new access control list
- Assign users and groups to an access control list
- Assign an access control list to the document
Updating the access control lists on your IBM Content Manager system
On IBM Content Manager, the security of items is controlled by an access control list (ACL). An ACL is a list of user IDs or user groups and their associated privileges and privilege sets. When you use the IBM Content Navigator administration tool to assign users to the default search and entry template roles, the users are added to the ACL that is used to control that type of item.
- Creator (or owner), which is controlled by the clbOwnerPrivs privilege set
- Editor (or author), which is controlled by the clbEdit privilege set
- User (or reader), which is controlled by the clbReadOnly privilege set
When you use the IBM Content Navigator administration tool to associate users and groups with search and entry template roles, the users are added to the appropriate ACL with the privilege set that is associated with their role.
- By default, IBM Content Manager Enterprise Edition Version 8.4.3 uses the RootFolderACL access control list to control the default root folder. If your repository supports hierarchical folders and uses the default root folder, assign the appropriate privilege set to the users and groups in the RootFolderACL ACL.
- If you used the IBM Content Navigator administration tool to specify a root folder for the repository, assign the appropriate privilege set to the users and groups in the ACL that is associated with the specified root folder.
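The role-to-privilege-set mapping described above can be checked against what the ACLs actually contain. The following is an added example, not IBM code: it audits a constructed ACL export against intended role assignments. The CSV layout, the principal names, ExamplePrivSet, and the reader < editor < owner ranking are assumptions made for illustration.

```python
import csv
import io

# Role -> privilege set mapping as stated on this page.
ROLE_PRIVSET = {"creator": "clbOwnerPrivs", "editor": "clbEdit", "user": "clbReadOnly"}
# Assumed ordering used to detect drift: reader < editor < owner.
RANK = {"clbReadOnly": 0, "clbEdit": 1, "clbOwnerPrivs": 2}

# Constructed sample export (hypothetical format, not produced by any IBM tool).
ACL_EXPORT = """acl,principal,privilege_set
clbSearchACL,alice,clbOwnerPrivs
clbSearchACL,bob,clbOwnerPrivs
clbSearchACL,claims_group,clbReadOnly
clbEntryTemplateACL,carol,ExamplePrivSet
ClbDocumentACL,dave,clbEdit
RootFolderACL,frank,clbReadOnly
"""

# Constructed intended assignments: (acl, principal) -> role.
INTENDED = {
    ("clbSearchACL", "alice"): "creator",
    ("clbSearchACL", "bob"): "editor",
    ("clbSearchACL", "claims_group"): "user",
    ("clbSearchACL", "erin"): "user",
    ("clbEntryTemplateACL", "carol"): "editor",
    ("ClbDocumentACL", "dave"): "creator",  # collaborative draft editing needs creator
}

def audit(export_text, intended):
    """Return (acl, principal, finding, privilege_set) tuples for every mismatch."""
    findings, seen = [], set()
    for row in csv.DictReader(io.StringIO(export_text)):
        key, actual = (row["acl"], row["principal"]), row["privilege_set"]
        seen.add(key)
        if key not in intended:
            findings.append((*key, "UNEXPECTED_PRINCIPAL", actual))
            continue
        expected = ROLE_PRIVSET[intended[key]]
        if actual not in RANK:  # customized privilege set: needs manual review
            findings.append((*key, "CUSTOM_PRIVSET", actual))
        elif RANK[actual] > RANK[expected]:
            findings.append((*key, "OVER_PRIVILEGED", actual))
        elif RANK[actual] < RANK[expected]:
            findings.append((*key, "UNDER_PRIVILEGED", actual))
    # Intended assignments that never made it into the ACL.
    findings += [(*k, "MISSING", ROLE_PRIVSET[r]) for k, r in intended.items() if k not in seen]
    return findings

if __name__ == "__main__":
    for finding in audit(ACL_EXPORT, INTENDED):
        print(*finding, sep="\t")
```

An entry flagged CUSTOM_PRIVSET is not necessarily wrong, since the page allows customizing security in the system administration client; it marks where the default role model no longer describes the effective access.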