Access rights required to take actions
FileNet® P8 has security requirements for access rights to take certain actions on objects.
| Action | Objects affected by the action | Rights required to perform the action on the affected object |
|---|---|---|
| Checkin major version | Document | MAJOR_VERSION |
| Checkin minor version | Document | MINOR_VERSION |
| Checkout | Document | MAJOR_VERSION or MINOR_VERSION |
| Cancel checkout | Document reservation | MAJOR_VERSION or MINOR_VERSION or DELETE If checkout is exclusive, it can only be canceled by the user who checked it out or who has both WRITE_OWNER and DELETE access to the reservation. |
| Demote Version | Document | MAJOR_VERSION |
| Promote Version | Document | MAJOR_VERSION |
| Freeze | Document | WRITE_ACL |
| View content | Document or Annotation | VIEW_CONTENT |
| Move Content | Document or Annotation or Version Series | WRITE |
| Lock | Document or Folder or Custom Object | WRITE |
| Unlock | Document or Folder or Custom Object | WRITE |
| Take Federated Ownership | Document | WRITE_ACL |
| Annotate | Document or Folder or Custom Object | All rights required for Create action using the annotation's class definition LINK |
| Create subscription on document | Document and Event Action | Document: LINK Event Action: LINK All rights required for Create action using the subscription's class definition |
| Delete subscription on document | Document and Event Action | Document: UNLINK Event Action: UNLINK Subscription: DELETE |
| Apply security template | Document, Folder, or Custom Object | WRITE_ACL |
| Change state | Document or Task | CHANGE_STATE |
| File | Folder | Object store: STORE_OBJECTS Folder: LINK Object being filed: READ |
| Unfile | Folder | Object store: REMOVE_OBJECTS Folder: UNLINK |
| Raise Event | Event | Event class definition: READ and CREATE_INSTANCE Object store: STORE_OBJECTS |
| Create class | Class definition | WRITE |
| Modify | Any object | Object store: MODIFY_OBJECTS |
| Change class | Any object | Object: WRITE and WRITE_ACL Class definition: READ and CREATE_INSTANCE |
| Set object-valued property | Any object | WRITE (can also be changed by Modification Access Required) Target: READ (can also be changed by Target Access Required) |
| View object properties | Any object | READ orObject store: WRITE_ANY_OWNER |
| Special rights for modifying Owner property | Any object | WRITE_OWNER Object store: WRITE_ANY_OWNER |
| Special rights for modifying Creator, DateCreated, LastModifier, DateLastModified, DateCheckedIn properties | Any object | WRITE Object store: PRIVILEGED_WRITE |
| Unset object-valued property | Any object | WRITE (can also be changed by Modification Access Required) |
| Modify object properties | Any object | WRITE (can also be changed by Modification Access Required) |
| View Permissions property | Any object | READ_ACL |
| Modify Permissions property | Any object | WRITE_ACL |
| Create | Object store objects, except class definitions | Class definition: READ and CREATE_INSTANCE Object store: STORE_OBJECTS |
| Delete | Objects from an object store | if relationship object: UNLINK if component relationship object: UNLINK or DELETE if reservation object: MINOR_VERSION or MAJOR_VERSION or DELETE if any other object: DELETE if an object-valued property's DeletionAction is set to PREVENT and references another object, this will prevent the deletion from taking place |
| Do anything in an object store (often interpreted as a Read right) | Object store | CONNECT |
| Create new instances (applies to Create, Link, or File) | Object store | STORE_OBJECTS |
| Modify existing objects (applies to all other modifying actions) | Object store | MODIFY_OBJECTS |
| Delete an object (applies to Delete, Unlink or Unfile) | Object store | REMOVE_OBJECTS |
| Install Addon | Domain | WRITE |
| Create GCD objects (including object store) | Domain | WRITE |
| Delete GCD objects (including object store) | Domain | DELETE |
| Modify properties on GCD objects (including object store) | Domain | WRITE |
| Mark an object for deletion | Version Series or Custom Object | DELETE |
| Recover item | CmRecoveryItem | DELETE on CmRecoveryItem. The RecoveryItem inherits permissions from CmRecoveryBin, so a user with DELETE on CmRecoveryBin can recover CmRecoveryItem. |
| Purge a recovery item | CmRecoveryItem | DELETE on the original object that was marked for deletion. |
| Special right for retrieving or modifying recoverable object. (Cannot check out a recoverable object.) | Object marked for deletion | Object store: VIEW_RECOVERABLE_OBJECTS |
More information about access rights required to take actions
- In addition to the rights that let you view, modify or delete, every action related to objects in an object store always require the object store CONNECT right, and could also require one or more of the following, depending on the action: STORE_OBJECTS, MODIFY_OBJECTS, REMOVE_OBJECTS.
- The owner of an object gets implicit READ, READ_ACL, WRITE_OWNER and WRITE_ACL rights to that object.
- Users with object store WRITE_ANY_OWNER rights also get implicit READ and WRITE_OWNER rights to all objects in that object store.
- Users with READ access to the domain, also implicitly have READ access to all object store objects, and can therefore view the properties of all object stores.
- Users with WRITE access to the domain will implicitly have WRITE_ACL access to all object store objects so can change the permissions of object stores (not the contents).