Posts Tagged ‘NONE’

Alias Sets and Permission Sets

November 18, 2010 Comments off

In my previous post i discussed about the Aliases and Permission templates, today lets see what are Alias Sets and Permission sets and how exactly security works in Documentum.

What is Alias Set?

An alias set is simply a list of aliases (like “reviewer” or “supervisor”) and the values that they resolve to. Whenever an object is referenced the permission set applied on it will be taken and if this set refers to an alias set then the alias value will be resolved and applied on the object and access will be restricted based on it.

Please Note in some circumstances you may assign an empty alias value and let the client application prompt the user for a value when it is needed.

Alias Sets are an important part of a complex Documentum system’s architecture, providing a level of abstraction that can significantly reduce the effort needed to administer the Docbase. Alias sets remove the need to hard-code the names of users, groups, locations, and permission sets throughout your application and instead provide a means for setting these values dynamically as your personnel changes and your business processes evolve.

What are Permission Sets?

Access Control Lists (s) [ACLs] are Documentum’s method of restricting access to important documents and folders. ACLs control Documentum’s security layer, one of the most flexible and powerful security schemes around. The permission can also be applied on workflow access and lifecycle application also.

Access control lists are stored as persistent objects in the Docbase. Although ACLs are persistent objects having an object ID, they are not SysObjects. Version cannot be created for. If modification is done an, the server either overwrites with the changes or copies the changes the copy. What option it chooses depends on whether the directly to make the changes or reference an object that uses the.

Some Uses can be:

  • You can assign seven different levels of access to your documents in the system
  • You can assign access to individual users or to groups of users
  • Users can create their own private s that only they can use
  • System Admins can create System-Wide s that can be used by everyone
  • Extended Permissions let you really tweak what a user can do to an object
  • Different folders can have different ACLs based on requirement irrespective of their hierarchy.

This contains information about which users and groups have access to the document, and what level of access each has. When a user attempts to access an object, the Documentum Server looks in to determine which groups have access. It then looks in these groups to determine if the user is in any of the groups. It determines the user’s access level by awarding the user the highest level of access taking into account all the groups that the user is a member of.

Please Note even if you explicitly assign NONE access to a user, if they are also in a group that has READ access, the user will have READ access to the object. Always the individual privilege will be overridden by the group privilege.

Now does the Security feature Works in Documentum:

When an object is applied with some permission set then corresponding entry will be made in the backend with the reference to the applied ACL. Now when an object is accessed after that if the ACL is referring to any alias set then first the alias is converted in to actual value and from where it map’s the current accessing user’s access and provides access based on the ACL entries for that user to that specific Object that is being currently accessed. Because of this Documentum has provided wide variety for the application of security across the System. It can be like a person who is an administrator of one cabinet will have max permit of delete in those folders and cabinets where as in the other folders and cabinets and documents that are present in the system he will be having normal read permission or different based on the requirement.


Hope this is useful ,appreciate your comments and corrections if any.

%d bloggers like this: