Access control
The IBM® Content Manager access control model comprises the following elements: privileges and privilege sets, controlled entities, users and user groups, and access control lists.
The access control elements work as follows: Each IBM Content Manager user is granted a set of user privileges that specify the operations that they can perform. The effective access rights of a user never exceed the defined privileges of the user.
The access control model of IBM Content Manager is applied to the controlled entity. A controlled entity is a unit of protected user data. In IBM Content Manager, the controlled entity can be at the level of an item, an item type, or the entire library. For example, you can bind an ACL to an item type to enforce access control at the item type level. Operations on controlled entities are regulated by one or more control rules, called access control lists (ACLs). Every controlled entity in the Content Manager system must be bound to an ACL.
When a user initiates an operation on an item, the system checks the privileges of the user and the ACL that is bound to the item to determine whether the user has the rights to perform that operation on the item. Logically, the rights to access an item also require the rights to access the item type in which the item is defined. The following figure shows an example of how the system determines the access rights of a user to an item based on privileges and ACLs.
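The decision described above, as an added illustrative model rather than IBM's own code: an operation on an item is allowed only if it is within the user's privilege set, granted by the ACL bound to the item's item type, and granted by the ACL bound to the item itself. All user, group, item type and privilege names are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class User:
    name: str
    privileges: frozenset           # operations this user may ever perform
    groups: frozenset = frozenset() # user groups the user belongs to

@dataclass
class ACL:
    rules: dict  # principal (user or group name) -> set of granted operations

    def grants(self, user: User, op: str) -> bool:
        # A rule may name the user directly or any group the user is in
        principals = {user.name, *user.groups}
        return any(op in self.rules.get(p, ()) for p in principals)

@dataclass
class ItemType:
    name: str
    acl: ACL  # every controlled entity is bound to an ACL

@dataclass
class Item:
    item_id: str
    item_type: ItemType
    acl: ACL

def is_allowed(user: User, item: Item, op: str) -> bool:
    # (1) Effective rights never exceed the user's defined privileges
    if op not in user.privileges:
        return False
    # (2) Access to the item requires access to the item type it is defined in
    if not item.item_type.acl.grants(user, op):
        return False
    # (3) Finally, the ACL bound to the item itself must grant the operation
    return item.acl.grants(user, op)

# Constructed sample data: a Finance group may read and update invoices,
# an auditor is named only on one specific invoice, an intern lacks privileges.
INVOICE_TYPE = ItemType("Invoice", ACL({"Finance": {"Read", "Update"}}))
INVOICE_42 = Item("inv-42", INVOICE_TYPE,
                  ACL({"Finance": {"Read", "Update"}, "auditor": {"Read"}}))
CLERK = User("clerk", frozenset({"Read", "Update"}), frozenset({"Finance"}))
INTERN = User("intern", frozenset({"Read"}), frozenset({"Finance"}))
AUDITOR = User("auditor", frozenset({"Read"}))
```

The clerk may update the invoice, the intern is stopped at the privilege check even though the Finance ACL entries would allow it, and the auditor is denied because the item type ACL grants nothing to that user.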
