Access requirements for specific actions
| Action | Objects affected by the action | Access rights that are required to complete the action |
|---|---|---|
| Check in major version | Document | MAJOR_VERSION |
| Check in minor version | Document | MINOR_VERSION |
| Check out | Document | MAJOR_VERSION or MINOR_VERSION |
| Cancel checkout | Document reservation | MAJOR_VERSION or MAJOR_VERSION or DELETE. If checkout is exclusive, it can be canceled only by the user who checked it out or who has both WRITE_OWNER and DELETE access to the reservation. |
| Demote Version | Document | MAJOR_VERSION |
| Promote Version | Document | MAJOR_VERSION |
| Freeze | Document | WRITE_ACL |
| View content | Document or Annotation | VIEW_CONTENT |
| Move Content | Document or Annotation or Version Series | WRITE |
| Lock | Document or Folder or Custom Object | WRITE |
| Unlock | Document or Folder or Custom Object | WRITE |
| Take Federated Ownership | Document | WRITE_ACL |
| Annotate | Document or Folder or Custom Object | All rights that are required for Create action by using the annotation's class definition; LINK |
| Create subscription on document | Document and Event Action | Document: LINK; Event Action: LINK; all rights that are required for Create action by using the subscription's class definition |
| Delete subscription on document | Document and Event Action | Document: UNLINK; Event Action: UNLINK; Subscription: DELETE |
| Apply security template | Document, Folder, or Custom Object | WRITE_ACL |
| Change state | Document or Task | CHANGE_STATE |
| Delegate | Document or Folder | DELEGATE |
| File | Folder | Object store: STORE_OBJECTS; Folder: LINK; Object being filed: READ |
| Unfile | Folder | Object store: REMOVE_OBJECTS; Folder: UNLINK |
| Raise Event | Event | Event class definition: READ and CREATE_INSTANCE; Object store: STORE_OBJECTS |
| Create class | Class definition | WRITE |
| Modify | Any object | Object store: MODIFY_OBJECTS |
| Change class | Any object | Object: WRITE and WRITE_ACL; Class definition: READ and CREATE_INSTANCE |
| Set object-valued property | Any object | WRITE (can also be changed by Modification Access Required); Target: READ (can also be changed by Target Access Required) |
| View object properties | Any object | READ or Object store: WRITE_ANY_OWNER |
| Special rights for modifying Owner property | Any object | WRITE_OWNER; Object store: WRITE_ANY_OWNER |
| Special rights for modifying Creator, DateCreated, LastModifier, DateLastModified, DateCheckedIn properties | Any object | WRITE; Object store: PRIVILEGED_WRITE |
| Unset object-valued property | Any object | WRITE (can also be changed by Modification Access Required) |
| Modify object properties | Any object | WRITE (can also be changed by Modification Access Required) |
| View Permissions property | Any object | READ_ACL |
| Modify Permissions property | Any object | WRITE_ACL |
| Create | Object store objects, except class definitions | Class definition: READ and CREATE_INSTANCE; Object store: STORE_OBJECTS |
| Delete | Objects from an object store | If relationship object: UNLINK. If component relationship object: UNLINK or DELETE. If reservation object: MINOR_VERSION or MAJOR_VERSION or DELETE. If any other object: DELETE. Restriction: If an object-valued property's DeletionAction is set to PREVENT and references another object, the object is not deleted. |
| Do anything in an object store (often interpreted as a Read right) | Object store | CONNECT |
| Create new instances (applies to Create, Link, or File) | Object store | STORE_OBJECTS |
| Modify existing objects (applies to all other modifying actions) | Object store | MODIFY_OBJECTS |
| Delete an object (applies to Delete, Unlink, or Unfile) | Object store | REMOVE_OBJECTS |
| Create Addon | Domain | WRITE |
| Install Addon | Object store | WRITE_ANY_OWNER and REMOVE_OBJECTS and MODIFY_OBJECTS and STORE_OBJECTS and CONNECT and WRITE_ACL and READ_ACL |
| Create GCD objects (including object store) | Domain | WRITE |
| Delete GCD objects (including object store) | Domain | DELETE |
| Modify properties on GCD objects (including object store) | Domain | WRITE |
| Mark an object for deletion | Version Series or Custom Object | DELETE |
| Recover item | CmRecoveryItem | DELETE on CmRecoveryItem. The RecoveryItem inherits permissions from CmRecoveryBin, so a user with DELETE on CmRecoveryBin can recover CmRecoveryItem. |
| Purge a recovery item | CmRecoveryItem | DELETE on the original object that was marked for deletion. |
| Special right for retrieving or modifying recoverable object. (Cannot check out a recoverable object.) | Object marked for deletion | Object store: VIEW_RECOVERABLE_OBJECTS |

More information about access rights that are required to complete specific actions

- Every action that is related to objects in an object store requires the object store CONNECT right, and might also require one or more of the following rights, depending on the action: STORE_OBJECTS, MODIFY_OBJECTS, REMOVE_OBJECTS.
- The owner of an object gets implicit READ, READ_ACL, WRITE_OWNER, and WRITE_ACL rights to that object.
- Users with object store WRITE_ANY_OWNER rights also get implicit READ and WRITE_OWNER rights to all objects in that object store.
- Users with READ access to the domain also implicitly have READ access to all object store objects, and can therefore view the properties of all object stores.
- Users with WRITE access to the domain implicitly have WRITE_ACL access to all object store objects, so they can change the permissions of object stores (not the contents).
- DELEGATE access is an element of the sharing feature, which allows a person (not the owner) who has WRITE_ACL permissions on a document or folder to share with external users. The user who has DELEGATE access can pass on rights to an external share user. These rights are less than or equal to the access given by the delegation access.

  Tip: Provide DELEGATE access conservatively. The more users that have DELEGATE access, the more you risk losing control of your data. Consider reserving DELEGATE access for internal users only.
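
The following added example (not product code and not the product's API) models how the implicit rights listed above combine with explicit grants and object store rights when you audit who can perform an action. It covers a subset of the table and assumes a simplified ACL of direct user grants only; the user names, the sample document and the `store:`/`object:` labels are constructed for illustration.

```python
# Added illustration: a simplified model of the rules on this page.
# Not product code; deny entries, groups and inheritance are ignored.
OWNER_IMPLICIT = {"READ", "READ_ACL", "WRITE_OWNER", "WRITE_ACL"}
ANY_OWNER_IMPLICIT = {"READ", "WRITE_OWNER"}  # via object store WRITE_ANY_OWNER

# Subset of the table: action -> (right on the object, extra object store right).
# CONNECT is required for every action and is checked separately.
REQUIRED = {
    "View object properties": ("READ", None),
    "View Permissions property": ("READ_ACL", None),
    "Modify Permissions property": ("WRITE_ACL", "MODIFY_OBJECTS"),
    "Modify object properties": ("WRITE", "MODIFY_OBJECTS"),
    "Delete": ("DELETE", "REMOVE_OBJECTS"),  # the "any other object" case
}


def effective_rights(user, obj, store_rights):
    """Explicit ACL grants plus the implicit rights the page describes."""
    rights = set(obj["acl"].get(user, ()))
    if obj["owner"] == user:
        rights |= OWNER_IMPLICIT
    if "WRITE_ANY_OWNER" in store_rights:
        rights |= ANY_OWNER_IMPLICIT
    return rights


def missing_rights(action, user, obj, store_acl):
    """Return a sorted list of what `user` still lacks to perform `action`."""
    object_right, store_right = REQUIRED[action]
    store_rights = set(store_acl.get(user, ()))
    missing = []
    if "CONNECT" not in store_rights:
        missing.append("store:CONNECT")
    if store_right and store_right not in store_rights:
        missing.append("store:" + store_right)
    if object_right not in effective_rights(user, obj, store_rights):
        missing.append("object:" + object_right)
    return sorted(missing)


# Constructed sample data (hypothetical users and grants).
DOC = {"owner": "alice", "acl": {"bob": {"READ", "WRITE"}}}
STORE_ACL = {
    "alice": {"CONNECT", "MODIFY_OBJECTS"},
    "bob": {"CONNECT"},
    "carol": {"CONNECT", "WRITE_ANY_OWNER"},
}

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        for action in REQUIRED:
            print(user, action, missing_rights(action, user, DOC, STORE_ACL) or "allowed")
```

An empty list means the action is allowed under this model. Here the owner can change permissions but cannot delete, and the WRITE_ANY_OWNER holder can view properties but not the Permissions property.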