Object store access rights
With one exception, administrative users and groups get Full Control on the object store ACL and likewise on all security ACLs of all securable objects. Note that this does not include the permission to create object stores, file storage areas, and content cache areas, or to perform related actions such as deleting and moving them. These permissions belong only to the users and groups who were specified as GCD administrators (gcd_admin) when the IBM® Content Cortex domain was created. A user or group can, of course, belong to both the object store administrators group (object_store_admin_group) and the GCD administrators (gcd_admin) group.
The exception mentioned above is the permission Modify certain system properties, which determines which users can set certain system properties (Creator, DateCreated, LastModifier, DateLastModified) that are normally system only. Users and groups who will be running system-level tools (like import and migration tools) might need this permission.
Non-administrative users and groups get the following security levels:
- On the object store access control list (ACL):
  - Use object store
  - View all object store properties
- Modify Properties on the root folder.
- View Properties and Create Instance on all classes.
- A Custom level on the Default Instance Security of document classes that includes View All Properties and Create Instance.
See the Reference section for more information about these security levels.
Relationship of object store permissions to permissions on objects contained by the object store
Several permissions that appear on the Security tab of each object store's property sheet have a hierarchical relationship to other permissions on classes and objects contained in that object store:
- If a user or group is granted rights to Delete objects, Create new objects, or Modify existing objects on the Security tab of the object store, and if the user or group also has the right to delete or modify on the Security tab of the actual object instance as well as the Create instance permission on the Security tab of the object's class (for example, a document class), the user or group can delete, modify, or create the objects based on these classes.
- If a user or group is allowed these permissions on the object store, but does not have the delete, modify, or create permissions on the object instance or its class, the user or group cannot delete, modify, or create the object.
- If a user or group is denied these permissions on the object store, the user or group cannot delete, modify, or create the objects even if the object's instance or class gives the user or group these permissions.
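The three rules above, modeled as an added example (not IBM code and not the Content Engine API). It assumes ACLs are simple dictionaries with hypothetical names, that delete and modify are checked on the object instance and create on the class, and that a missing object store entry counts as not granted. It also lists lower-level grants that have no effect because the object store blocks them, which is useful when reviewing effective access.

```python
from enum import Enum

class Ace(Enum):
    ALLOW = "allow"
    DENY = "deny"

# action -> (object store right, lower-level right, level where it is checked)
# Right names follow the page; the mapping itself is this example's assumption.
RULES = {
    "delete": ("Delete objects", "delete", "instance"),
    "modify": ("Modify existing objects", "modify", "instance"),
    "create": ("Create new objects", "Create instance", "class"),
}

def can_perform(action, store_acl, instance_acl, class_acl):
    """Return (allowed, reason) for one principal and one object."""
    store_right, lower_right, level = RULES[action]
    store = store_acl.get(store_right)
    if store is Ace.DENY:  # a store-level deny overrides any lower-level grant
        return False, f"denied on object store: {store_right}"
    if store is not Ace.ALLOW:  # assumption: no entry means not granted
        return False, f"not granted on object store: {store_right}"
    lower_acl = instance_acl if level == "instance" else class_acl
    if lower_acl.get(lower_right) is not Ace.ALLOW:
        return False, f"object store allows, but {level} lacks: {lower_right}"
    return True, f"allowed on object store and on {level}"

def shadowed_grants(store_acl, instance_acl, class_acl):
    """Lower-level grants that have no effect because the object store blocks them."""
    out = []
    for action, (store_right, lower_right, level) in RULES.items():
        lower_acl = instance_acl if level == "instance" else class_acl
        if lower_acl.get(lower_right) is Ace.ALLOW and store_acl.get(store_right) is not Ace.ALLOW:
            out.append(action)
    return out

# Constructed sample ACLs for one hypothetical group and one document.
STORE = {"Delete objects": Ace.DENY, "Modify existing objects": Ace.ALLOW,
         "Create new objects": Ace.ALLOW}
INSTANCE = {"delete": Ace.ALLOW, "modify": Ace.ALLOW}
DOC_CLASS = {}  # the group has no Create instance permission on the class

if __name__ == "__main__":
    for action in RULES:
        print(action, can_perform(action, STORE, INSTANCE, DOC_CLASS))
    print("shadowed:", shadowed_grants(STORE, INSTANCE, DOC_CLASS))
```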