Security editor

Administrators can view and modify the security of an object by opening its property sheet and going to the Security tab.

The Security tab contains several fields:

  • Name: The display name of the user or group. If you hover the mouse pointer over the display name, you see the following information, depending on your directory service provider and on how you have configured it for login:
    • For Active Directory: The user principal name (UPN), for example, shawking@filenet.com.
    • For other directory service providers: The distinguished name (DN), for example, uid=shawking,cn=users,dc=filenet,dc=com.
  • Source: ACEs can have different source types. An ACE is editable if its permissions are Direct; you can tell because the various regions of the security editor are not disabled. An ACE whose Source is Template or Inherited is not editable, and when it is selected the rest of the security editor becomes disabled.
  • Level: The possible levels for the object type are listed with radio buttons. The users and groups who are specified as object store administrative groups when the object store is created appear on all ACLs with Full Control. You can change the level by selecting one of the radio buttons associated with the Levels.
  • Apply to: Also called inheritable depth. If the ACE is editable, you can change the value by using the Apply to control box.
  • Type: Displays whether the ACE is allowed or denied, and also lets you change the value if the ACE is editable.
  • (list of) Levels: List of security levels appropriate to the object. Different objects have different sets of security levels. For documents, it includes such things as the ability to publish and to create minor and major versions. A folder would have a different set of security levels. When Full Control is selected, all the other lower levels are marked with an asterisk. The asterisk next to a Level means that it is included in the Level currently selected; this behavior is the meaning of All required bits are set.
  • (list of) Rights: When Full Control is selected as the Level, all Rights are selected. If you were to clear just one of them, View all properties, for example, the Level would automatically be changed to Custom, which means that the collection of all selected Rights does not exactly match the requirements of the predefined Levels. If you were to reselect View all properties so that all the Rights were selected, the Full Control level would again be automatically selected.
  • Add: Click to add users and groups.
  • Remove: Click to remove the selected ACE from the ACL. This does not remove the user or group from the directory server or from any other ACL the ACE might be present on.
  • Active Marking/Owner: Click to view or edit the ownership of this object.
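
The relationship between Levels and Rights described in the list above can be modeled as a bit mask, shown here as an added example that is not product code. The right names other than View all properties, the level names other than Full Control and Custom, and all bit values are constructed for illustration and are not the product's real access-mask constants.

```python
# Constructed rights and bit values (assumptions for illustration only).
RIGHTS = {
    "View all properties": 0x01,
    "View content": 0x02,
    "Modify all properties": 0x04,
    "Create minor version": 0x08,
    "Create major version": 0x10,
    "Publish": 0x20,
    "Modify permissions": 0x40,
}

# Predefined Levels as sets of required bits, highest first (hypothetical definitions).
LEVELS = [
    ("Full Control", 0x7F),
    ("Major versioning", 0x1F),
    ("Minor versioning", 0x0F),
    ("Modify properties", 0x07),
    ("View content", 0x03),
    ("View properties", 0x01),
]


def describe_ace(mask):
    """Return (selected_level, asterisked_levels, selected_rights) for an ACE mask."""
    # A Level is selected only when the mask matches its required bits exactly;
    # any other combination of Rights is reported as Custom.
    selected = next((name for name, bits in LEVELS if bits == mask), "Custom")
    # A Level gets an asterisk when all of its required bits are set in the mask.
    asterisked = [name for name, bits in LEVELS
                  if name != selected and bits & mask == bits]
    rights = [name for name, bit in RIGHTS.items() if mask & bit]
    return selected, asterisked, rights


def toggle_right(mask, right):
    """Select or clear a single Right, as clicking its check box would."""
    return mask ^ RIGHTS[right]


if __name__ == "__main__":
    full = 0x7F
    print(describe_ace(full))                       # Full Control, lower levels asterisked
    cleared = toggle_right(full, "View all properties")
    print(describe_ace(cleared))                    # Custom
    print(describe_ace(toggle_right(cleared, "View all properties")))  # Full Control again
```

When reviewing an ACL, a Custom ACE deserves a look at its individual Rights, because the Level name alone no longer tells you what the user or group can do.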