FileNet P8 Platform, Version 5.2.1

Authorization

When a security principal that has already been authenticated attempts to access FileNet® P8 objects, Content Platform Engine will attempt to retrieve that principal's user and group memberships from the directory service provider. If successful, the user or group will be authorized to carry out actions described by the access rights placed on the objects. The topics in this section describe authorization: the various features used to manage security and apply security to objects, as well as the details of security behavior

About access rights
FileNet P8 provides a full-featured system of access rights that let you control access to objects.
Default security
Objects have security settings applied automatically by the system.
Security for integrated components and third-party products
FileNet P8 is integrated with several FileNet and third-party software products. The topics in this section briefly describe the security features of some of those products and the requirements when used in conjunction with FileNet P8.
Mapping security levels to individual access rights
FileNet P8 security levels are logically defined sets of individual permissions, intended to simplify the process of assigning permissions to objects.
Markings
This section explains what markings are and how they affect the effective security on objects. Primarily designed for use by the IBM® Enterprise Records application, markings are available to any application that needs the kind of property-based layer of security that markings provide.
Object access rights and security
The topics in this section describe the access rights that apply to securable objects and also provide some security details.
Object ownership
Property modification access
To be able to edit a property, a user generally needs Write access to the property. However, Content Platform Engine provides an optional way to add another layer to the required access rights to modify custom properties. System administrators can do this by configuring the Modification Access of property templates. (Because this feature depends on a system property called Modification Access Required, the acronym for modification access behavior is MAR.)
Required minimum access rights by operation
Explanation of the required minimum access rights required by Content Platform Engine to carry out document-oriented operations.
Security policies
A security policy serves as a collection of security templates, each of which contains a predefined list of permissions, or Access Control Entries, that can be configured to apply to a document, custom object, or folder.
Storage area security
FileNet P8 objects, including document objects, are stored in the object store's database. This is handled automatically when you successfully complete the object store wizard, and no additional set up is required. However, the files referenced by the content element property of a document object must be stored in one or more of the supported content storage areas.
Target access required
Target Access Required is a feature of object-valued properties that allows an application designer to specify the access rights that are necessary on the target object in order to assign it to a property.
Understanding security inheritance
Security inheritance is one of the powerful features of the FileNet P8 security design.