Update object store with new users and groups

Use this procedure to add new user and group accounts to an object store when the new accounts must be able to access the existing objects.

About this task

You can add new users to an object store that is already in production by using the data design functions that are available in Administration Console for Content Platform Engine. However, a user that is added by this procedure has permissions only on those objects that are created after the addition of that user. See Add users and groups to a class for this procedure.

Adding new users so that they have default permissions to all existing objects requires a different procedure. This procedure uses the Administration Console for Content Platform Engine Security Script wizard. The Security Script wizard updates the security of an existing object store with users and groups as if those users and groups had been added when the object store was originally created. The users and groups can be given permissions as object store users or as object store administrators. For more information about these security levels and the rights granted by each level, see Object store security levels.

The Security Script wizard assigns security roles to user and group accounts to create security principals for the objects in an object store, with some exceptions. The exceptions include custom objects, documents, and non-root folders. The wizard uses two sample files, UpdateOSSecurity.json and SecurityScript.js. The UpdateOSSecurity.json JavaScript Object Notation file defines the security roles to be assigned and the permissions for the roles. The JSON file also establishes communication between the wizard and the SecurityScript.js security script by applying the actions that are defined for the permissions in the script file to the users and groups that are selected in the wizard.
Restriction: The JSON file and security script must be invoked through the use of the Security Script wizard.
The following information describes the actions that the Security Script wizard does when you run this procedure, and includes clarifications of actions that are not done:
  • It does set permissions on the Administration Console for Content Platform Engine root folder and modifies the security on securable objects.
  • It does not directly modify the security on custom objects, documents, and non-root folders. Therefore, running the Security Script wizard alone does not affect permissions on custom objects, documents, and non-root folders in the object store. After running the wizard, you can configure security parentage so that the root folder becomes the security parent of any folders, documents, and custom objects that should inherit the new permissions. This change to security parent configuration applies the same effective security as if all these custom objects, documents, and non-root folders had been directly modified. Remember, however, the different behavior between directly applied security and inherited security. For more information, see Understanding security inheritance.
  • It does not remove or modify existing permissions.


To update an object store with new users or groups:

  1. In the Administration Console for Content Platform Engine, access the object store where you want to run the Security Script wizard:
    1. In the domain navigation pane, click the object store.
    2. In the object store navigation pane, click the name of the object store (the top-level item).
  2. In the Actions menu, click Run Security Script Wizard.
    Important: The first time that you run the Security Script wizard on a workstation, you must download the sample files to that workstation. For more information, see The Security Script wizard.
  3. For the Select a role definition file field, select the UpdateOSSecurity.json file.
  4. For the Select a security script file field, select the SecurityScript.js file.
  5. For the Object Store Administrators and Object Store Users security roles, select the role in the Security Role field, and then click Add. Use Select Users and Groups to add the security principals that you want to add to that role.
  6. Click Finish.
    Remember: Depending upon the number of objects that must be updated, the changes to the object store can take some time.

What to do next

Log on to the Administration Console for Content Platform Engine as the object store administrator ID. From the object store node, browse to the root folder and examine the changes to the permissions. Depending on how you have configured the inheritance from the root folder and all generations of child folders, these new permissions might not yet have been inherited. Configure the folder security parentage as appropriate. For more information, see Configure security inheritance.