Hello,

In this post, I would like to introduce the Accelerated Content Server (ACS) and the Branch Office Caching Services (BOCS).
 
In Documentum Administrator (DA), under the “Repository/ Administration” node, the System Information contains the following details concerning Distributed Content:

System Information (May 01, 2016 9:49:56 AM)
User                     : mysuperuser/mysuperuser

++++++ Repository
Repository               : MY_DOCBASE_DEV
Content Storage Service  : Enabled
Federation               : None
Content Intelligence     : CIS disabled due to missing dar
Global Repository        : GLOBALR

++++++ Content Server
Content Server           : MY_DOCBASE_DEV
Hostname                 : myDctmServer
Server Version           : 7.1.0190.0300 Win64.Oracle
Connection Broker        : MYDCTMSERVER
Trusted Mode             : Enabled

++++++ Distributed Content
Network Locations        : 0
ACS Server               : MYDCTMSERVERACS1
BOCS Servers             : 0
ACS Write                : Enabled, Synchronous
ACS Read                 : Enabled
BOCS Pre-caching         : Enabled

++++++ LDAP Servers
Enabled Servers          : 5
Disabled Servers         : 6
Last Sync                : 4/30/2016 10:06:14 AM

 
 


ACS

The Accelerated Content Server (ACS) is a content server dedicated to serving content. It does not process metadata and does not write content to storage; it only processes content requests.
It is installed automatically with the Documentum Content Server. After installation, the administrator needs to configure it for the distributed environment.

 
In DA, the ACS configuration is under “Repository/ Administration / Distributed Content Configuration / ACS Servers”.

Name=MYDCTMSERVERACS1	
Content Server=MY_DOCBASE_DEV 		
Content Access=Access from all stores 		
Projections & Stores=Associated content server

In “Info” tab:

Name :	MYDCTMSERVERACS1
Associated Content Server :	MY_DOCBASE_DEV

ACS Server Version :	2.3

Content Access : [X] Access all stores 	
		 []Access local stores only  
		 [] None(Disabled)

ACS Server Connections / Enter one connection for each unique base URL : http://myDctmServer:9080/ACS/servlet/ACS

Note : The URL http://myDctmServer:9080/ACS/servlet/ACS must return the ACS version like “ACS Server Is Running – Version : 7.1.0190.0156”.
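As an added example (not part of the original post), the following Python script automates the check described in the note above: for each ACS base URL entered under “ACS Server Connections” in DA, it fetches the servlet and parses the “ACS Server Is Running – Version : …” banner. The URL list and the timeout are assumptions, and the banner strings used for testing are constructed from the value quoted in the note.

```python
import re
import urllib.error
import urllib.request

# Banner returned by a healthy ACS servlet, as quoted in the DA note above.
# Both "-" and the en dash are accepted because the banner is often copy-pasted.
ACS_BANNER_RE = re.compile(r"ACS Server Is Running\s*[-\u2013]\s*Version\s*:\s*(\S+)")


def parse_acs_banner(body: str):
    """Return the ACS version found in the servlet response, or None when the
    response (e.g. a Tomcat error page) does not carry the expected banner."""
    match = ACS_BANNER_RE.search(body)
    return match.group(1) if match else None


def check_acs_url(url: str, timeout: float = 5.0) -> dict:
    """Fetch one ACS base URL (as entered in 'ACS Server Connections' in DA)
    and report whether the servlet answers with the expected banner."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
    except (urllib.error.URLError, OSError, ValueError) as exc:
        # Connection refused, DNS failure, timeout, malformed URL, ...
        return {"url": url, "running": False, "version": None, "error": str(exc)}
    version = parse_acs_banner(body)
    return {"url": url, "running": version is not None, "version": version, "error": None}


def check_acs_urls(urls):
    """Check every configured ACS base URL; returns one result dict per URL."""
    return [check_acs_url(u) for u in urls]


if __name__ == "__main__":
    # Assumed ACS URL taken from the DA configuration above (adapt to your environment).
    for result in check_acs_urls(["http://myDctmServer:9080/ACS/servlet/ACS"]):
        state = "OK" if result["running"] else "KO"
        print(f"{state} {result['url']} version={result['version']} error={result['error']}")
```

A URL that answers but without the banner (for instance an application-server error page) is reported as not running, which is the case a monitoring job should alert on.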
 
In “Projections & Stores” tab:

Source / Use projections and stores from:
	[X] Associated content server : MY_DOCBASE_DEV 
 	[] Settings entered here

Note: the following information is thus automatically taken from the associated content server MY_DOCBASE_DEV.

Connection Broker Projections / Broadcast availability to these connection brokers
TARGET HOST = MYDCTMSERVER
PORT = 1489
ENABLED = T

Network Location Projections / Serve content to users logging in from these network locations
- No Network Location Projections

Local Stores / Content from local stores is immediately accessible
Local Store			Type
----------------		---------------
filestore_01			File Storage
thumbnail_store_01		File Storage
streaming_store_01		File Storage
centera_store_no_retention	Content Addressable Storage
replicate_temp_store		File Storage
replica_filestore_01		File Storage
encrypted_filestore_01		File Storage
my_other_filestore_01		File Storage

 

… so, in DA, under the “Repository/ Administration / Storage Management / Storage” node, we retrieve the configuration of the storage and of its location, respectively filestore_01 (dm_filestore) and storage_01 (dm_location):

Name=filestore_01 	Type=dm_filestore	Size=1.75GB	Status=Online

In "Info" tab:
Location or Path	:	storage_01

In "Space Info" tab:
Active Space/Files	:	12.73 GB / 388502912
Orphaned Space/Files	:	188.69 MB / 2204032


Name=storage_01 	Type=dm_location	Size=0KB 	Status=Online

In "Info" tab:
File System Path	:	\\MYFILESERVER\data\MY_DOCBASE_DEV\content_storage_01
Path Type	:	Directory
Security Type	:	[X] publicopen	 [] public  [] private

 
… then, in DA, under the “Repository / Administration / Types” node, we see that filestore_01 is the default storage of a custom type:

Type	 :	my_custom_document

In "Info" tab:
Type Name :	  my_custom_document	

Super Type Name :	  dm_document	 

Default Storage :	filestore_01	  	 

Default Group :	  [None Selected]   Select Default Group	 

Default Permission Set :	  [None Selected]   Select Default Permission Set	 

Default Assignment Policy :	  [No Policy Set]	 

Enable Indexing :	  Register for indexing

Partitioned :	False 

 

… in DQL, we retrieve the storage path of a content file located on dm_location=storage_01. In our case, the location is a file server (e.g. MYFILESERVER); however, it is also possible to target a local folder of the content server (e.g. d:\Documentum\data\my_docbase_dev\content_storage_01):

TEST 1 : with the filestore targeting a local folder on the content server

DQL>select distinct file_system_path from dm_location order by 1 ;
d:\Documentum\data\my_docbase_dev\content_storage_01  

DQL>select r_object_id, i_contents_id from aca_pj WHERE r_object_id='090xxxxxxxxx8f';
090xxxxxxxxx8f	060xxxxxxxa84

DQL>execute get_path for '060xxxxxxxa84';
D:\Documentum\data\my_docbase_dev\content_storage_01\000157e3\80\02\67\8a.pdf

TEST 2 : with the filestore targeting a file server

DQL>select distinct file_system_path from dm_location order by 1 ;
\\MYFILESERVER\data\MY_DOCBASE_DEV\content_storage_01


DQL>select r_object_id, i_contents_id from my_custom_document WHERE r_object_id='0902yyyyyyyyya8a6';
0902yyyyyyyyya8a6	060yyyyyyyyya5e

DQL>execute get_path for '060yyyyyyyyya5e';
\\MYFILESERVER\data\MY_DOCBASE_DEV\content_storage_01\0xxxxc5\80\23\31\bb.htm

 
 


 
BOCS

Branch Office Caching Services (BOCS) is a lightweight server product running in the Apache Tomcat servlet container. BOCS serves content files to Web client end users from a local content cache. BOCS servers communicate only with ACS servers and do not interact with Content Servers or with a repository’s supporting database. BOCS servers cannot write content to a repository. BOCS servers use the HTTP or HTTPS protocol to serve content. BOCS is used in distributed environments. BOCS is easily installed and has minimal administration requirements. The BOCS server is supported on the same platforms as Content Server. It needs to be configured for each repository.

=> BOCS servers can only be created in repositories designated as global registries (like GLOBALR). When the current repository is not a global registry, DA displays the following message:

“BOCS can only be created in repositories that are designated as global registries. The current repository is not a global registry. Click the link below to log in to the global registry repository known to DFC on the Documentum Administrator host. You must have superuser privileges to create BOCS.”
 
In DA, the BOCS configuration is under “Repository/ Administration / Distributed Content Configuration / BOCS Servers”.

Here are two Documentum distributed models using BOCS servers (found on the internet):

Example 1 : Single-repository distributed environments (content is distributed across sites)

  • A Single Repository, with content stored at the primary site and accessed from remote sites using ACS Server. Optionally, BOCS servers can be used.
  • A Single Repository, with content stored in a distributed storage area and accessed from remote sites using Remote Content Servers, ACS Servers, and optionally BOCS Servers.


 

Example 2 : Multi-repository distributed environments (objects, i.e. content and metadata, are distributed across sites)

  • Multiple Repositories that replicate objects among themselves.
  • Multiple Repositories organized as a federation.

Best regards,

Huseyin OZVEREN

Hello,

After my first post concerning the theoretical aspects of Permission Set Templates (ACL Template/PST) coupled with Alias Sets (AS), Documentum : ACL template, Permission Set Template with Alias Set (PART 1 : theory), in this post I would like to illustrate this theory with a simple use of AS and PST for the security of “document archiving”. The archived documents will have a READONLY restriction for all users of the repository.


Creation of Template ACL or Permission Set Template (acl_class=1)

So, first, we can modify an existing PST or create a new PST MY_ACL_TEMPLATE, with a new accessor entry for an alias %ReaderRestrictAccess:

API> begintran,c
...
OK
API> create,c,dm_acl
...
45xxxxxxx951
API> set,c,l,object_name
MY_ACL_TEMPLATE
...
OK
API> set,c,l,owner_name
dm_dbo
...
OK
API> set,c,l,acl_class
1
...
OK
API> set,c,l,description
Desc 4 MY_ACL_TEMPLATE
...
OK
API> grant,c,l,dm_world,AccessPermit,,3
...
OK
API> grant,c,l,dm_owner,AccessPermit,,3
...
OK
API> grant,c,l,%AS4MyGroup,AccessPermit,,6
...
OK
API> grant,c,l,%AS4SuperUser,AccessPermit,,7
...
OK
API> save,c,l
...
OK
API> commit,c
...
OK

Adding a new accessor entry using the alias %ReaderRestrictAccess to the PST:

API> begintran,c
...
OK
API> retrieve,c,dm_acl where object_name='MY_ACL_TEMPLATE'
...
45xxxxxxx951
API> grant,c,l,%ReaderRestrictAccess,AccessRestriction,,5
...
OK
API> save,c,l
...
OK
API> commit,c
...
OK

 
Some explanations:

  • The archived documents will have a READONLY restriction for all users of the repository. This READONLY restriction feature is possible thanks to Trusted Content Services, independently of the use of ACL, PST and AS (see Documentum : ACL, Permit Type, Trusted Content Services, TCS, Access Restriction).
  • A reminder of the “dm_acl.r_permit_type” attribute:
    • It defines the kind of entry; the basic valid values are AccessPermit and ExtendedPermit.
    • With a Trusted Content Services license, the following values are also valid: ApplicationPermit, AccessRestriction, ExtendedRestriction, ApplicationRestriction, RequiredGroup and RequiredGroupSet.
    • Constant definitions for the permit types also exist in the DFC interface com.documentum.fc.client.IDfPermitType (used by IDfPermit):
      public static final int ACCESS_PERMIT = 0;
      public static final int EXTENDED_PERMIT = 1;
      public static final int APPLICATION_PERMIT = 2;
      public static final int ACCESS_RESTRICTION = 3;
      public static final int EXTENDED_RESTRICTION = 4;
      public static final int APPLICATION_RESTRICTION = 5;
      public static final int REQUIRED_GROUP = 6;
      public static final int REQUIRED_GROUP_SET = 7;

  • dm_world and dm_owner have an access PERMIT (r_permit_type=0 : IDfPermitType.ACCESS_PERMIT) with READ permission (r_accessor_permit=3 : IDfACL.DF_PERMIT_READ).
  • The alias %AS4MyGroup has an access PERMIT (r_permit_type=0 : IDfPermitType.ACCESS_PERMIT) with WRITE permission (r_accessor_permit=6 : IDfACL.DF_PERMIT_WRITE).
  • The alias %AS4SuperUser has an access PERMIT (r_permit_type=0 : IDfPermitType.ACCESS_PERMIT) with DELETE permission (r_accessor_permit=7 : IDfACL.DF_PERMIT_DELETE).
  • The alias %ReaderRestrictAccess has an access RESTRICTION (r_permit_type=3 : IDfPermitType.ACCESS_RESTRICTION) at the VERSION level (r_accessor_permit=5 : IDfACL.DF_PERMIT_VERSION).
    • The restriction “%ReaderRestrictAccess=5” (IDfACL.DF_PERMIT_VERSION) excludes VERSION and above, so the matching users are limited to the RELATE permission (“4”, IDfACL.DF_PERMIT_RELATE).
    • The permit type “3” corresponds to “IDfPermitType.ACCESS_RESTRICTION”, available with the Trusted Content Services license.
    • With the permit type IDfPermitType.ACCESS_RESTRICTION, the permission level is EXCLUSIVE: a restriction at the VERSION level (r_accessor_permit=5) still ALLOWS the RELATE level (r_accessor_permit=4) and below.
  • No extended permission is granted.

Dump of the created Template ACL or Permission Set Template:

    API> dump,c,45xxxxxxx951
    ...
    USER ATTRIBUTES
      object_name                : MY_ACL_TEMPLATE
      description                : Desc 4 MY_ACL_TEMPLATE
      owner_name                 : MYDOCBASEDEV
      globally_managed           : F
      acl_class                  : 1
    
    SYSTEM ATTRIBUTES
      r_object_id                : 45xxxxxxx951
      r_is_internal              : F
      r_accessor_name         [0]: dm_world
                              [1]: dm_owner
                              [2]: %AS4MyGroup
                              [3]: %AS4SuperUser
                              [4]: %ReaderRestrictAccess
      r_accessor_permit       [0]: 3
                              [1]: 3
                              [2]: 6
                              [3]: 7
                              [4]: 5
      r_accessor_xpermit      [0]: 0
                              [1]: 0
                              [2]: 0
                              [3]: 0
                              [4]: 0
      r_is_group              [0]: F
                              [1]: F
                              [2]: F
                              [3]: F
                              [4]: F
      r_has_events               : F
      r_permit_type           [0]: 0
                              [1]: 0
                              [2]: 0
                              [3]: 0
                              [4]: 3
      r_application_permit    [0]: 
                              [1]: 
                              [2]: 
                              [3]: 
                              [4]: 
      r_template_id              : 0000000000000000
      r_alias_set_id             : 0000000000000000
    
    APPLICATION ATTRIBUTES
    
    INTERNAL ATTRIBUTES
      i_has_required_groups      : F
      i_has_required_group_set   : F
      i_has_access_restrictions  : T
      i_partition                : 0
      i_is_replica               : F
      i_vstamp                   : 1
    

     


     
Creation of Alias Set (dm_alias_set)

Assuming that we have the following 2 groups:

  • my_grp_no_body is a group containing no user
  • my_grp_all_users is a group containing all users

… we create 2 Alias Sets, MY_ALIASSET and MY_ALIASSET_ARCHIVED, using the above 2 groups:

  • MY_ALIASSET/ReaderRestrictAccess = my_grp_no_body
  • MY_ALIASSET_ARCHIVED/ReaderRestrictAccess = my_grp_all_users

    API> begintran,c
    ...
    OK
    
    
    API> create,c,dm_alias_set
    ...
    66xxxxxd41
    API> set,c,l,object_name
    MY_ALIASSET
    ...
    OK
    API> set,c,l,owner_name
    dm_dbo
    ...
    OK
    API> set,c,l,object_description
    Desc 4 MY_ALIASSET
    ...
    OK
    API> append,c,l,alias_name
    AS4MyGroup
    ...
    OK
    API> append,c,l,alias_value
    my_grp_all_users
    ...
    OK
    API> append,c,l,alias_category
    2
    ...
    OK
    API> append,c,l,alias_usr_category
    -1
    ...
    OK
    API> append,c,l,alias_description
    Entry for a group alias (my_grp_all_users)
    ...
    OK
    API> append,c,l,alias_name
    AS4SuperUser
    ...
    OK
    API> append,c,l,alias_value
    myuser001
    ...
    OK
    API> append,c,l,alias_category
    1
    ...
    OK
    API> append,c,l,alias_usr_category
    -1
    ...
    OK
    API> append,c,l,alias_description
    Entry for a user alias (myuser001)
    ...
    OK
    API> append,c,l,alias_name
    ReaderRestrictAccess
    ...
    OK
    API> append,c,l,alias_value
    my_grp_no_body
    ...
    OK
    API> append,c,l,alias_category
    1
    ...
    OK
    API> append,c,l,alias_usr_category
    -1
    ...
    OK
    API> append,c,l,alias_description
    Entry for a user alias (my_grp_no_body)
    ...
    OK
    API> save,c,l
    ...
    OK
    
    
    API> create,c,dm_alias_set
    ...
    66xxxxxxd42
    API> set,c,l,object_name
    MY_ALIASSET_ARCHIVED
    ...
    OK
    API> set,c,l,owner_name
    dm_dbo
    ...
    OK
    API> set,c,l,object_description
    Desc 4 MY_ALIASSET_ARCHIVED
    ...
    OK
    API> append,c,l,alias_name
    AS4MyGroup
    ...
    OK
    API> append,c,l,alias_value
    my_grp_all_users
    ...
    OK
    API> append,c,l,alias_category
    2
    ...
    OK
    API> append,c,l,alias_usr_category
    -1
    ...
    OK
    API> append,c,l,alias_description
    Entry for a group alias (my_grp_all_users)
    ...
    OK
    API> append,c,l,alias_name
    AS4SuperUser
    ...
    OK
    API> append,c,l,alias_value
    myuser001
    ...
    OK
    API> append,c,l,alias_category
    1
    ...
    OK
    API> append,c,l,alias_usr_category
    -1
    ...
    OK
    API> append,c,l,alias_description
    Entry for a user alias (myuser001)
    ...
    OK
    API> append,c,l,alias_name
    ReaderRestrictAccess
    ...
    OK
    API> append,c,l,alias_value
    my_grp_all_users
    ...
    OK
    API> append,c,l,alias_category
    1
    ...
    OK
    API> append,c,l,alias_usr_category
    -1
    ...
    OK
    API> append,c,l,alias_description
    Entry for a user alias (my_grp_all_users)
    ...
    OK
    API> save,c,l
    ...
    OK
    
    
    API> commit,c
    ...
    OK
    

     
Dump of the created Alias Set MY_ALIASSET:

    API> dump,c,66xxxxxd41
    ...
    USER ATTRIBUTES
      owner_name                 : dm_dbo
      object_name                : MY_ALIASSET
      object_description         : Desc 4 MY_ALIASSET
      alias_name              [0]: AS4MyGroup
                              [1]: AS4SuperUser
                              [2]: ReaderRestrictAccess
      alias_value             [0]: my_grp_all_users
                              [1]: myuser001
                              [2]: my_grp_no_body
      alias_category          [0]: 2
                              [1]: 1
                              [2]: 1
      alias_usr_category      [0]: -1
                              [1]: -1
                              [2]: -1
      alias_description       [0]: Entry for a group alias (my_grp_all_users)
                              [1]: Entry for a user alias (myuser001)
                              [2]: Entry for a user alias (my_grp_no_body)
    
    SYSTEM ATTRIBUTES
      r_object_id                : 66xxxxxd41
    
    APPLICATION ATTRIBUTES
    
    INTERNAL ATTRIBUTES
      i_is_replica               : F
      i_vstamp                   : 0
    

     
Dump of the created Alias Set MY_ALIASSET_ARCHIVED:

    API> dump,c,66xxxxxxd42
    ...
    USER ATTRIBUTES
      owner_name                 : dm_dbo
      object_name                : MY_ALIASSET_ARCHIVED
      object_description         : Desc 4 MY_ALIASSET_ARCHIVED
      alias_name              [0]: AS4MyGroup
                              [1]: AS4SuperUser
                              [2]: ReaderRestrictAccess
      alias_value             [0]: my_grp_all_users
                              [1]: myuser001
                              [2]: my_grp_all_users
      alias_category          [0]: 2
                              [1]: 1
                              [2]: 1
      alias_usr_category      [0]: -1
                              [1]: -1
                              [2]: -1
      alias_description       [0]: Entry for a group alias (my_grp_all_users)
                              [1]: Entry for a user alias (myuser001)
                              [2]: Entry for a user alias (my_grp_all_users)
    
    SYSTEM ATTRIBUTES
      r_object_id                : 66xxxxxxd42
    
    APPLICATION ATTRIBUTES
    
    INTERNAL ATTRIBUTES
      i_is_replica               : F
      i_vstamp                   : 0
    

     


     
Creation of instances of Template ACL (acl_class=2)

An instance of an ACL template is created when an Alias Set and a PST are associated with a document. It is not possible to create an instance of a PST directly by hand.
The error DM_ACL_E_CANT_CHANGE_INSTANCE occurs if the user tries to modify an instance of a PST (acl_class=2). To modify the instances of a PST, it is necessary to modify the PST, or the PST/Alias Set pair, associated with these instances.

We create 2 documents (dm_document) using the previous PST and AS:

  • a document named Test DOC HUO WITH AS AND PST not ARCHIVED, associated with the PST MY_ACL_TEMPLATE and the AS MY_ALIASSET, in order to generate/use an ACL MY_ACL having r_accessor_name (ReaderRestrictAccess) = my_grp_no_body (exclusive VERSION permission “5”)
  • a document named Test DOC HUO WITH AS AND PST ARCHIVED, associated with the PST MY_ACL_TEMPLATE and the AS MY_ALIASSET_ARCHIVED, in order to generate/use an ACL MY_ACL_ARCHIVED having r_accessor_name (ReaderRestrictAccess) = my_grp_all_users (exclusive VERSION permission “5”)

Actually, the association between a document, an Alias Set and a Template ACL generates an instance of the Template ACL (acl_class=2) with a name like dm_450xxxxxxx94_xxxxd3e. This instance is created only if it does not already exist.

The only difference between MY_ACL and MY_ACL_ARCHIVED will be the read-only right of people who already have access to the documents. By using the AccessRestriction permit type with the basic permission VERSION (5):

  • with MY_ACL, the system does not explicitly restrict users from accessing and modifying the document, because the my_grp_no_body group contains no user;
  • with MY_ACL_ARCHIVED, the system restricts all users to only BROWSE, READ and RELATE the document (not “VERSION”!!!!), EVEN IF these users belong to groups which have more permissive rights.
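To make the permit-type explanations above and the MY_ACL / MY_ACL_ARCHIVED behaviour just described concrete, here is an added Python model (not code from the post and not Documentum’s own evaluation logic) that instantiates the PST through each Alias Set and computes the effective basic permission of a user. It is a simplified model: only AccessPermit and AccessRestriction entries are evaluated, superuser privileges and extended permissions are ignored, and the group memberships (which users belong to my_grp_all_users), the owner name and the user names alice/bob are constructed assumptions. The DF_PERMIT_NONE and DF_PERMIT_BROWSE values (1 and 2) come from the DFC IDfACL constants and are not quoted in the post.

```python
# Basic permission levels (IDfACL.DF_PERMIT_* values; READ..DELETE are quoted in the post)
DF_PERMIT_NONE, DF_PERMIT_BROWSE, DF_PERMIT_READ = 1, 2, 3
DF_PERMIT_RELATE, DF_PERMIT_VERSION, DF_PERMIT_WRITE, DF_PERMIT_DELETE = 4, 5, 6, 7
# Permit types (IDfPermitType values quoted in the post)
ACCESS_PERMIT, ACCESS_RESTRICTION = 0, 3

# Constructed group membership: the post only says one group is empty and one holds everyone.
GROUPS = {
    "my_grp_no_body": set(),
    "my_grp_all_users": {"myuser001", "alice", "bob"},
}

# The PST MY_ACL_TEMPLATE as dumped in the post: (accessor, permit, permit_type)
MY_ACL_TEMPLATE = [
    ("dm_world", DF_PERMIT_READ, ACCESS_PERMIT),
    ("dm_owner", DF_PERMIT_READ, ACCESS_PERMIT),
    ("%AS4MyGroup", DF_PERMIT_WRITE, ACCESS_PERMIT),
    ("%AS4SuperUser", DF_PERMIT_DELETE, ACCESS_PERMIT),
    ("%ReaderRestrictAccess", DF_PERMIT_VERSION, ACCESS_RESTRICTION),
]

# The two Alias Sets (alias_name -> alias_value) as dumped in the post.
MY_ALIASSET = {"AS4MyGroup": "my_grp_all_users", "AS4SuperUser": "myuser001",
               "ReaderRestrictAccess": "my_grp_no_body"}
MY_ALIASSET_ARCHIVED = {"AS4MyGroup": "my_grp_all_users", "AS4SuperUser": "myuser001",
                        "ReaderRestrictAccess": "my_grp_all_users"}


def instantiate(template, alias_set):
    """Resolve the %alias accessors through the Alias Set, giving the entries of
    the acl_class=2 instance (compare with the r_accessor_name dumps in the post)."""
    entries = []
    for accessor, permit, permit_type in template:
        if accessor.startswith("%"):
            accessor = alias_set[accessor[1:]]
        entries.append((accessor, permit, permit_type))
    return entries


def matches(accessor, user, owner):
    """Does an ACL entry apply to this user? (dm_world, dm_owner, a group or a user name)"""
    if accessor == "dm_world":
        return True
    if accessor == "dm_owner":
        return user == owner
    if accessor in GROUPS:
        return user in GROUPS[accessor]
    return accessor == user


def effective_permit(entries, user, owner):
    """Simplified model: the highest AccessPermit that applies, capped below the
    lowest AccessRestriction level that applies (a restriction at VERSION=5
    leaves at most RELATE=4), whatever the user's other group rights."""
    granted = DF_PERMIT_NONE
    cap = DF_PERMIT_DELETE
    for accessor, permit, permit_type in entries:
        if not matches(accessor, user, owner):
            continue
        if permit_type == ACCESS_PERMIT:
            granted = max(granted, permit)
        elif permit_type == ACCESS_RESTRICTION:
            cap = min(cap, permit - 1)
    return min(granted, cap)


def permit_for(user, alias_set, owner="dm_dbo"):
    """Effective permission of `user` on a document using MY_ACL_TEMPLATE + `alias_set`."""
    return effective_permit(instantiate(MY_ACL_TEMPLATE, alias_set), user, owner)


if __name__ == "__main__":
    for user in ("alice", "myuser001", "outsider"):
        print(user, "not archived:", permit_for(user, MY_ALIASSET),
              "archived:", permit_for(user, MY_ALIASSET_ARCHIVED))
```

With MY_ALIASSET the restriction resolves to the empty group and nobody is capped (alice keeps WRITE, myuser001 keeps DELETE); with MY_ALIASSET_ARCHIVED both fall to RELATE, while a user outside my_grp_all_users keeps the READ that dm_world gives.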

     

    API> begintran,c
    ...
    OK
    
    
    API> create,c,dm_document
    ...
    09xxxxxxxxx88
    API> set,c,l,object_name
    Test DOC HUO WITH AS AND PST not ARCHIVED
    ...
    OK
    API> set,c,l,a_content_type
    pdf
    ...
    OK
    API> setfile,c,l,C:\temp\test.pdf
    ...
    OK
    API> link,c,l,'/Temp'
    ...
    OK
    API> set,c,l,r_alias_set_id
    66xxxxxd41
    ...
    OK
    API> set,c,l,acl_domain
    dm_dbo
    ...
    OK
    API> set,c,l,acl_name
    MY_ACL_TEMPLATE
    ...
    OK
    API> save,c,l
    ...
    OK
    
    
    API> create,c,dm_document
    ...
    09xxxxxxxxxx89
    API> set,c,l,object_name
    Test DOC HUO WITH AS AND PST ARCHIVED
    ...
    OK
    API> set,c,l,a_content_type
    pdf
    ...
    OK
    API> setfile,c,l,C:\temp\test.pdf
    ...
    OK
    API> link,c,l,'/Temp'
    ...
    OK
    API> set,c,l,r_alias_set_id
    66xxxxxxd42
    ...
    OK
    API> set,c,l,acl_domain
    dm_dbo
    ...
    OK
    API> set,c,l,acl_name
    MY_ACL_TEMPLATE
    ...
    OK
    API> save,c,l
    ...
    OK
    
    
    API> commit,c
    ...
    OK
    

     
Dump of the created document Test DOC HUO WITH AS AND PST not ARCHIVED:

    API> dump,c,09xxxxxxxxx88
    ...
    USER ATTRIBUTES
      object_name                : Test DOC HUO WITH AS AND PST not ARCHIVED
      acl_domain                 : MYDOCBASEDEV
      acl_name                   : dm_45xxxxxxx951_xxxxxd41
    
    SYSTEM ATTRIBUTES
      r_object_id                : 09xxxxxxxxx88
      r_object_type              : dm_document
    

     

Dump of the created document Test DOC HUO WITH AS AND PST ARCHIVED:

    API> dump,c,09xxxxxxxxxx89
    ...
    USER ATTRIBUTES
      object_name                : Test DOC HUO WITH AS AND PST ARCHIVED
      acl_domain                 : MYDOCBASEDEV
      acl_name                   : dm_45xxxxxxx9511_xxxxxd42
    
    SYSTEM ATTRIBUTES
      r_object_id                : 09xxxxxxxxxx89
      r_object_type              : dm_document
    

     
     
So, the instances of the PST used by these new documents are the following.
The document Test DOC HUO WITH AS AND PST not ARCHIVED uses the instance of the Template ACL (acl_class=2) dm_45xxxxxxx951_xxxxxd41:

    DQL> select r_object_id from dm_acl where object_name IN('dm_45xxxxxxx951_xxxxxd41','dm_45xxxxxxx9511_xxxxxd42')
    ...
    r_object_id
    45xxxxxx952
    45xxxxxx953
    
    API> dump,c,45xxxxxx952
    ...
    USER ATTRIBUTES
      object_name                : dm_45xxxxxxx951_xxxxxd41
      description                : dm_45xxxxxxx951_xxxxxd41
      owner_name                 : MYDOCBASEDEV
      globally_managed           : F
      acl_class                  : 2
    
    SYSTEM ATTRIBUTES
      r_object_id                : 45xxxxxx952
      r_is_internal              : T
      r_accessor_name         [0]: dm_world
                              [1]: dm_owner
                              [2]: my_grp_all_users
                              [3]: myuser001
                              [4]: my_grp_no_body
      r_accessor_permit       [0]: 3
                              [1]: 3
                              [2]: 6
                              [3]: 7
                              [4]: 5
      r_accessor_xpermit      [0]: 0
                              [1]: 0
                              [2]: 0
                              [3]: 0
                              [4]: 0
      r_is_group              [0]: F
                              [1]: F
                              [2]: T
                              [3]: F
                              [4]: T
      r_has_events               : F
      r_permit_type           [0]: 0
                              [1]: 0
                              [2]: 0
                              [3]: 0
                              [4]: 3
      r_application_permit    [0]: 
                              [1]: 
                              [2]: 
                              [3]: 
                              [4]: 
      r_template_id              : 45xxxxxxx951
      r_alias_set_id             : 66xxxxxd41
    
    APPLICATION ATTRIBUTES
    
    INTERNAL ATTRIBUTES
      i_has_required_groups      : F
      i_has_required_group_set   : F
      i_has_access_restrictions  : T
      i_partition                : 0
      i_is_replica               : F
      i_vstamp                   : 1
    

     
The document Test DOC HUO WITH AS AND PST ARCHIVED uses the instance of the Template ACL (acl_class=2) dm_45xxxxxxx9511_xxxxxd42:

    API> dump,c,45xxxxxx953
    ...
    USER ATTRIBUTES
      object_name                : dm_45xxxxxxx9511_xxxxxd42
      description                : dm_45xxxxxxx9511_xxxxxd42
      owner_name                 : MYDOCBASEDEV
      globally_managed           : F
      acl_class                  : 2
    
    SYSTEM ATTRIBUTES
      r_object_id                : 45xxxxxx953
      r_is_internal              : T
      r_accessor_name         [0]: dm_world
                              [1]: dm_owner
                              [2]: my_grp_all_users
                              [3]: myuser001
                              [4]: my_grp_all_users
      r_accessor_permit       [0]: 3
                              [1]: 3
                              [2]: 6
                              [3]: 7
                              [4]: 5
      r_accessor_xpermit      [0]: 0
                              [1]: 0
                              [2]: 0
                              [3]: 0
                              [4]: 0
      r_is_group              [0]: F
                              [1]: F
                              [2]: T
                              [3]: F
                              [4]: T
      r_has_events               : F
      r_permit_type           [0]: 0
                              [1]: 0
                              [2]: 0
                              [3]: 0
                              [4]: 3
      r_application_permit    [0]: 
                              [1]: 
                              [2]: 
                              [3]: 
                              [4]: 
      r_template_id              : 45xxxxxxx951
      r_alias_set_id             : 66xxxxxxd42
    
    APPLICATION ATTRIBUTES
    
    INTERNAL ATTRIBUTES
      i_has_required_groups      : F
      i_has_required_group_set   : F
      i_has_access_restrictions  : T
      i_partition                : 0
      i_is_replica               : F
      i_vstamp                   : 1
    

Important note: any modification of the PST and/or the AS impacts all the instances of the PST (ACLs) associated with these elements.

Best regards,

Huseyin OZVEREN

Hello,

I would like to expose here some explanations concerning the Extended Permissions (Xpermit, r_accessor_xpermit) of an ACL.

For example, below are the details of a dm_acl:

    r_accessor_name         [0]: dm_world 	[1]: dm_owner	[2]: grp_adm	[3]: docu
    r_accessor_permit       [0]: 3		[1]: 1		[2]: 6		[3]: 7
    r_accessor_xpermit      [0]: 1048576	[1]: 3		[2]: 0		[3]: 0
    r_is_group              [0]: F		[1]: F		[2]: T		[3]: T
    r_permit_type           [0]: 0		[1]: 0		[2]: 0		[3]: 0
    r_application_permit    [0]: 		[1]: 		[2]: 		[3]: 
    

     
Reminder:

  • dm_world is an alias for all of the users in a docbase.
  • dm_owner is an alias for the current owner of the document.
  • An ACL is a regular ACL (acl_class=0; the case of the ‘dm_45%’ ACLs), a template (acl_class=1) or an instance of a template (acl_class=2). The default is zero.
  • ACLs owned by users other than the repository owner are called user ACLs. User ACLs can be public (acl_class=3) or private (acl_class=0).
  • Private ACLs can only be used by the ACL owner. User ACLs are managed by the object owner (repository owner) or by superusers.


     

Presentation of Extended permissions

Extended permissions are a feature only available in version 4i and later. They greatly enhance the security capabilities of the server by letting certain users access administrative functions on a per-document basis. For example, in pre-4i docbases, only two types of users could change the permissions on a document: the owner of that document and a superuser. In 4i, you can use the extended permissions to allow certain normal users to change the permissions.
For example, an ACL for the Marketing department might allow the marketing_managers group to change the permissions on the document.

     
The extended permissions are described below:

  • execute_proc: allows the user to execute the procedure (if the object is a procedure).
  • change_location: allows the user to change the location of the document.
  • change_state: allows the user to change the state of the document using the document lifecycle.
  • change_permit: allows the user to change the object’s permissions.
  • change_owner: allows the user to change the owner of the object.
  • delete_object: delete permission. The Delete Object extended permission does not grant Browse, Read, Relate, Version, or Write permission.
  • change_folder_links: allows the user to create a document in a folder without having the write right on this folder.

     
Moreover, the extended permissions are stored in the r_accessor_xpermit attribute of a dm_acl. The value of this attribute is an integer converted from a 4-byte (32-bit) binary number to a decimal number. Each permission is governed by the value of a bit in a particular position: 1 signifies that the permission is granted, 0 that it is not.
Warning: for some reason, execute_proc and change_location are reversed: “1” signifies that the permission is not granted and “0” that it is granted.

The bit positions of the extended permissions are defined like this (counted from the right, bit 01 being the least significant):

  • bit 01 : execute_proc
  • bit 02 : change_location
  • bit 17 : change_state
  • bit 18 : change_permissions (change_permit)
  • bit 19 : change_owner
  • bit 20 : extended_delete (delete_object)
  • bit 21 : change_folder_links

For decimal<->binary conversion, use the site http://www.binaryhexconverter.com/decimal-to-binary-converter.
     
     
Examples

dm_acl.r_accessor_xpermit=0:

    0 => 00000000 -> 32 bits : 00000000000000000000000000000000
    	- bit 01 : execute_proc ("0" warning : reversed for this permission, so granted)
    	- bit 02 : change_location ("0" warning : reversed for this permission, so granted)

dm_acl.r_accessor_xpermit=3:

    3 => 00000011 -> 32 bits : 00000000000000000000000000000011
    	- none

dm_acl.r_accessor_xpermit=1048576:

    1048576 => 100000000000000000000 -> 32 bits : 00000000000100000000000000000000
    	- bit 01 : execute_proc ("0" warning : reversed for this permission, so granted)
    	- bit 02 : change_location ("0" warning : reversed for this permission, so granted)
    	- bit 21 : change_folder_links ("1")

dm_acl.r_accessor_xpermit=1048579:

    1048579 => 100000000000000000011 -> 32 bits : 00000000000100000000000000000011
    	- bit 21 : change_folder_links ("1")
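As an added example (not code from the post), here is a Python decoder and encoder for r_accessor_xpermit that implements the bit table and the reversed meaning of execute_proc and change_location described above, and reproduces the four worked examples. The permission names follow the description list (change_permit, delete_object) rather than the bit table (change_permissions, extended_delete); the helper names are mine.

```python
# Bit positions counted from the right (bit 01 = least significant), as listed in the post.
XPERMIT_BITS = {
    1: "execute_proc",
    2: "change_location",
    17: "change_state",
    18: "change_permit",        # called "change_permissions" in the bit table
    19: "change_owner",
    20: "delete_object",        # called "extended_delete" in the bit table
    21: "change_folder_links",
}
# For these two permissions the meaning of the bit is reversed: 0 = granted, 1 = not granted.
REVERSED = {"execute_proc", "change_location"}


def to_binary32(xpermit: int) -> str:
    """32-bit binary string of an r_accessor_xpermit value (same form as the examples above)."""
    if not 0 <= xpermit < 2 ** 32:
        raise ValueError("r_accessor_xpermit must fit in 32 bits")
    return format(xpermit, "032b")


def decode_xpermit(xpermit: int) -> set:
    """Names of the extended permissions granted by an r_accessor_xpermit value."""
    granted = set()
    for bit, name in XPERMIT_BITS.items():
        bit_set = (xpermit >> (bit - 1)) & 1 == 1
        # normal bit: granted when set; reversed bit: granted when clear
        if bit_set != (name in REVERSED):
            granted.add(name)
    return granted


def encode_xpermit(granted) -> int:
    """Inverse of decode_xpermit: build the integer for a set of permission names."""
    unknown = set(granted) - set(XPERMIT_BITS.values())
    if unknown:
        raise ValueError(f"unknown extended permission(s): {sorted(unknown)}")
    value = 0
    for bit, name in XPERMIT_BITS.items():
        # set the bit when (granted and normal) or (not granted and reversed)
        if (name in granted) != (name in REVERSED):
            value |= 1 << (bit - 1)
    return value


if __name__ == "__main__":
    for v in (0, 3, 1048576, 1048579):
        print(v, to_binary32(v), sorted(decode_xpermit(v)))
```

Note that, because of the reversed bits, the value that grants no extended permission at all is 3, not 0: an audit script comparing ACL entries should decode the value rather than test it against zero.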
    

     
     

That’s all!!!

Huseyin OZVEREN

Copyright ® 2012 Huseyin Ozveren. No reproduction, even partial, can be used from this site and all its contents including text, documents, images, etc., without the express permission of the author.