Setting Privileged Write Access on an Object Store
Users who run system-level tools, such as import/export, migration applications, and federation tools, require Privileged Write access to modify system-level properties. That right must be explicitly granted.
About this task
The Privileged Write access right (AccessRight.PRIVILEGED_WRITE) is not included as a standard right for administrative access to an object store. If selected users require the capability to modify system-level properties, you can include support in a FileNet P8 application to grant Privileged Write access.
Do not grant the AccessRight.PRIVILEGED_WRITE permission to ordinary users or groups, or even to most administrators. This right must be granted only to users or groups who require this special access.
The following code examples grant a user privileged write access to an object store and then, as that same user, modify system-level properties on a newly created document.
Note that applications that support modification of system-level properties must accommodate the case where a privileged user who makes initial changes to system-level properties on an object attempts to make subsequent changes to those same system-level properties. In the code examples, a user changes the system-level properties of a Document object. If that same user then fetches the Document object and attempts to update any of the same system-level property values, a client-side read-only exception is thrown when the Save method is called on the Document object.
To avoid this exception, before you update the property values and call Save, the application must call the removeFromCache method on the Properties interface to remove the system-level properties from the local property cache. That code is not included in the following examples.
Java Example
import java.util.Date;
import javax.security.auth.Subject;
import com.filenet.api.constants.AccessRight;
import com.filenet.api.constants.AccessType;
import com.filenet.api.constants.RefreshMode;
import com.filenet.api.core.Connection;
import com.filenet.api.core.Document;
import com.filenet.api.core.Factory;
import com.filenet.api.core.ObjectStore;
import com.filenet.api.security.AccessPermission;
import com.filenet.api.util.UserContext;

// Set write access.
private static void setWriteAccess(
    ObjectStore objStore,
    String granteeName,
    String granteePassword,
    String originalCreator,
    Date originalCreateDate,
    String originalModifier,
    Date originalModifyDate)
{
    // Create a new access permission object.
    AccessPermission ap = Factory.AccessPermission.createInstance();
    // Set access permissions. The rights are distinct bit flags,
    // so they are combined with bitwise OR.
    ap.set_GranteeName(granteeName);
    ap.set_AccessType(AccessType.ALLOW);
    ap.set_AccessMask(Integer.valueOf(
        AccessRight.WRITE_ANY_OWNER_AS_INT | AccessRight.REMOVE_OBJECTS_AS_INT |
        AccessRight.MODIFY_OBJECTS_AS_INT | AccessRight.STORE_OBJECTS_AS_INT | AccessRight.CONNECT_AS_INT |
        AccessRight.WRITE_ACL_AS_INT | AccessRight.READ_ACL_AS_INT | AccessRight.PRIVILEGED_WRITE_AS_INT));
    // Add the permission to the list for the object store.
    objStore.get_Permissions().add(ap);
    // Save the object store with its permissions.
    objStore.save(RefreshMode.REFRESH);
    // Log in as the user who has the newly granted
    // privileged write access.
    Connection conn = objStore.getConnection();
    Subject sub = UserContext.createSubject(conn, granteeName, granteePassword, "FileNetP8");
    UserContext.get().pushSubject(sub);
    try
    {
        // Create a document "doc".
        Document doc = Factory.Document.createInstance(objStore, "Document");
        // Set system-level properties on the created document "doc".
        doc.set_Creator(originalCreator);
        doc.set_DateCreated(originalCreateDate);
        doc.set_LastModifier(originalModifier);
        doc.set_DateLastModified(originalModifyDate);
        // Perform additional actions as desired.
        // Save the document.
        doc.save(RefreshMode.REFRESH);
        System.out.println("Document created: " + doc.get_Id());
    }
    finally
    {
        // Always restore the previous security context.
        UserContext.get().popSubject();
    }
}
C# Example
using System;
using System.Diagnostics;
using FileNet.Api.Constants;
using FileNet.Api.Core;
using FileNet.Api.Security;
using FileNet.Api.Util;
using Microsoft.Web.Services3.Security.Tokens;

// Set write access.
private static void SetWriteAccess(
    IObjectStore objStore,
    String granteeName,
    String granteePassword,
    String originalCreator,
    DateTime originalCreateDate,
    String originalModifier,
    DateTime originalModifyDate)
{
    // Create a new access permission object.
    IAccessPermission ap =
        Factory.AccessPermission.CreateInstance();
    // Set access permissions. The rights are distinct bit flags,
    // so they are combined with bitwise OR.
    ap.GranteeName = granteeName;
    ap.AccessType = AccessType.ALLOW;
    ap.AccessMask = (int)AccessRight.WRITE_ANY_OWNER | (int)AccessRight.REMOVE_OBJECTS |
        (int)AccessRight.MODIFY_OBJECTS | (int)AccessRight.STORE_OBJECTS | (int)AccessRight.CONNECT |
        (int)AccessRight.WRITE_ACL | (int)AccessRight.READ_ACL | (int)AccessRight.PRIVILEGED_WRITE;
    // Add the permission to the list for the object store.
    objStore.Permissions.Add(ap);
    // Save the object store with its permissions.
    objStore.Save(RefreshMode.REFRESH);
    // Log in as the user with the newly granted privileged write access.
    UsernameToken token = new UsernameToken(granteeName, granteePassword, PasswordOption.SendPlainText);
    UserContext.SetThreadSecurityToken(token);
    // Create a document "doc".
    IDocument doc = Factory.Document.CreateInstance(objStore, "Document");
    // Set system-level properties.
    doc.Creator = originalCreator;
    doc.DateCreated = originalCreateDate;
    doc.LastModifier = originalModifier;
    doc.DateLastModified = originalModifyDate;
    // Perform additional actions as desired.
    // Save the document.
    doc.Save(RefreshMode.REFRESH);
    Debug.WriteLine("Document created: " + doc.Id);
}
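
Because this right must stay limited to the users who require it, an application can audit which grantees on an object store hold PRIVILEGED_WRITE and clear the bit once a migration or import has finished. The following Java code is an added example, not part of the original documentation: the class and method names (PrivilegedWriteAudit, allowsPrivilegedWrite, findPrivilegedWriters, revokePrivilegedWrite) are hypothetical, and it assumes an ObjectStore whose Permissions property is already in the local cache and that grantee names are compared in the form returned by get_GranteeName.

```java
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import com.filenet.api.collection.AccessPermissionList;
import com.filenet.api.constants.AccessRight;
import com.filenet.api.constants.AccessType;
import com.filenet.api.constants.RefreshMode;
import com.filenet.api.core.ObjectStore;
import com.filenet.api.security.AccessPermission;

// Hypothetical helper class for this example; not part of the FileNet P8 API.
public class PrivilegedWriteAudit {
    // True if the entry is an ALLOW entry whose mask contains PRIVILEGED_WRITE.
    private static boolean allowsPrivilegedWrite(AccessPermission ap) {
        return AccessType.ALLOW.equals(ap.get_AccessType())
            && (ap.get_AccessMask().intValue() & AccessRight.PRIVILEGED_WRITE_AS_INT) != 0;
    }

    // Lists every grantee that currently holds PRIVILEGED_WRITE on the object store.
    public static List<String> findPrivilegedWriters(ObjectStore objStore) {
        List<String> grantees = new ArrayList<String>();
        for (Iterator<?> it = objStore.get_Permissions().iterator(); it.hasNext();) {
            AccessPermission ap = (AccessPermission) it.next();
            if (allowsPrivilegedWrite(ap)) {
                grantees.add(ap.get_GranteeName());
            }
        }
        return grantees;
    }

    // Clears only the PRIVILEGED_WRITE bit for one grantee; other rights are kept.
    public static boolean revokePrivilegedWrite(ObjectStore objStore, String granteeName) {
        AccessPermissionList perms = objStore.get_Permissions();
        boolean changed = false;
        for (Iterator<?> it = perms.iterator(); it.hasNext();) {
            AccessPermission ap = (AccessPermission) it.next();
            if (allowsPrivilegedWrite(ap) && granteeName.equalsIgnoreCase(ap.get_GranteeName())) {
                int mask = ap.get_AccessMask().intValue();
                ap.set_AccessMask(Integer.valueOf(mask & ~AccessRight.PRIVILEGED_WRITE_AS_INT));
                changed = true;
            }
        }
        if (changed) {
            objStore.set_Permissions(perms);   // write the modified list back
            objStore.save(RefreshMode.REFRESH);
        }
        return changed;
    }
}
```

Running findPrivilegedWriters on a schedule and comparing the result with an approved list shows when the right has been granted outside the intended set of users.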