Rules of association

Security policies have several rules of association which affect their behavior.

Here are the rules of association for security policies:

  • A security policy can contain both versioning and application templates.
  • A security policy can contain zero or more application security templates and from zero to four versioning security templates. Although it is permissible for security policies to have no templates, it is effectively only a placeholder until you add one or more templates.
  • A security template can have zero or many permissions assigned to it. A template containing no permissions is allowed programmatically.
  • A security policy can be assigned to zero or many folders, zero or many documents, or zero or many custom objects, or any combination of the three object types.
  • Documents, folders, and custom objects can have zero or one security policy.
  • The class definitions for documents, folders, custom objects, and their sub-classes can each have zero or one default security policy associated with them. When instances of the class are initially created, the instance will take the default security policy if there is one. In the case of documents, the default security policy will be passed to subsequent versions, unless a different security policy is explicitly provided. In this case, the new security policy is passed to subsequent versions; it will not automatically revert to the class default.
  • A single security policy can be associated with many document, folder, and custom object classes.
  • A single security template cannot be shared between security policies. Each security template belongs uniquely to the security policy it is associated with.
  • The versioning security templates in one security policy have no relationship with those in another security policy, even though they have the same default names (Released, In Process, Reservation, Superseded). These default names can be changed.

Changes to an existing security policy do not propagate to existing documents until the version state changes or the next version is created. If, however, you change the document's current policy to some other security policy by directly changing the document version's property sheet, then these changes are immediately applied to the version and the permissions applied by the former security policy are immediately removed.