Limiting administrative access

You can control who can log on to Administration Console for Content Platform Engine. Alternatively, you can allow users and groups to log on freely, and set access permissions for individual domains and object stores.

About this task

You can limit administrative access in any of the following ways:

Limiting access to Administration Console for Content Platform Engine

When you enable AdminOnlyMode in your deployment, you can control access to Administration Console for Content Platform Engine so that only domain administrators and users with the Modify all properties access right on the domain object can log on to the console.

About this task

Enabling AdminOnlyMode in your Content Platform Engine deployment restricts access to Administration Console for Content Platform Engine (ACCE) to domain administrators and users who have the Modify all properties access right for a domain. When the mode is enabled, users who do not have the Modify all properties access right for a domain cannot log in to ACCE.

Procedure

To enable only administrators to access the administration console:

  1. Add the JVM flag com.filenet.acce.AdminOnlyMode to your Content Platform Engine. Set the value to true.
    The method that you use to set the flag depends on the type of deployment you have.
  2. Restart the Content Platform Engine after the JVM option is added to the deployment.
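
One way to check step 1 before the restart, as an added example that is not part of the original documentation or IBM's code: a shell function that reads a JVM options file and reports whether com.filenet.acce.AdminOnlyMode is effectively set to true. It assumes the flag is passed as a -D system property, that the options file holds one option per line with # comments, and that a repeated flag takes its last value; the function names and the sample file are constructed.

```shell
#!/bin/sh
# Added example: audit a JVM options file for the AdminOnlyMode flag.
# Assumption: one JVM option per line, '#' starts a comment.

FLAG='com.filenet.acce.AdminOnlyMode'

# Print the effective value of the flag: the text after '=', "<empty>" when
# the flag is given without "=value", or "<unset>" when it is absent.
# Assumption: when the flag is repeated, the last occurrence wins.
admin_only_mode_value() {
    file=$1
    value='<unset>'
    while IFS= read -r line || [ -n "$line" ]; do
        # Strip carriage returns and surrounding whitespace.
        line=$(printf '%s' "$line" | tr -d '\r' |
               sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $line in
            ''|'#'*) continue ;;                      # blank line or comment
            "-D$FLAG="*) value=${line#"-D$FLAG="} ;;  # flag with a value
            "-D$FLAG") value='<empty>' ;;             # flag without a value
        esac
    done < "$file"
    printf '%s\n' "$value"
}

# Succeed only when the effective value is exactly "true", as step 1 requires.
admin_only_mode_enabled() {
    [ "$(admin_only_mode_value "$1")" = "true" ]
}

# Constructed sample input: the flag is set twice and once in a comment.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample options
-Xmx2g
-Dcom.filenet.acce.AdminOnlyMode=false
  -Dcom.filenet.acce.AdminOnlyMode=true
#-Dcom.filenet.acce.AdminOnlyMode=false
EOF
if admin_only_mode_enabled "$sample"; then
    echo "AdminOnlyMode: enabled"
else
    echo "AdminOnlyMode: NOT enabled (value: $(admin_only_mode_value "$sample"))"
fi
rm -f "$sample"
```
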

Limiting administrative access to users and groups

You can restrict the access that users or groups have to Administration Console for Content Platform Engine at the domain and object store levels. The access that users have to a domain or object store is determined by the access rights that administrators assign to users.

About this task

Security for all of the objects that you can access by using Administration Console for Content Platform Engine is controlled by the system at the object level. Each user is granted or denied permissions to the various actions that can be performed. For users of the administration console, you can further limit access for the domain and object stores to read-only access. For the domain, you limit access by explicitly or implicitly denying the user the Modify all properties access right. For the object store, you limit access by explicitly or implicitly denying the user the Modify existing properties, Create new objects, and Delete objects access rights. When these access rights are denied, the user has only read-only access to the objects.

Procedure

To enable limited administrative access:

  1. Access the Security tab for the domain or the object store from the administration console:
    • For domain: In the details pane for the domain, click the Security tab.
    • For object store: In the navigation pane, click the object store that you want to modify, and then from the details pane, click the Security tab.
  2. Select the user or group for which you want to limit administrative access.
  3. Click Edit.
    Option: Limiting administrative access to a domain
    Description:
      • If the permission type Allow is selected, make sure that Modify all properties is not selected.
      • If the permission type Deny is selected, make sure that Modify all properties is selected.

    Option: Limiting administrative access to an object store
    Description:
      • If the permission type Allow is selected, make sure that Modify existing objects, Create new objects, and Delete objects are not selected.
      • If the permission type Deny is selected, make sure that Modify existing objects, Create new objects, and Delete objects are selected.
  4. Save your changes.