Hello,

After my first post on the theoretical aspects of Permission Set Templates (ACL Template/PST) coupled with Alias Sets (AS), Documentum : ACL template, Permission Set Template with Alias Set (PART 1 : theory), this post illustrates that theory with a simple use of AS and PST for securing "document archiving". The archived documents will carry a READONLY restriction for all database users.

Creation of Template ACL or Permission Set Template (acl_class=1)

So, first, we either modify an existing PST or create a new PST, MY_ACL_TEMPLATE, to which we then add a new accessor entry for the alias %ReaderRestrictAccess:

API> begintran,c
...
OK
API> create,c,dm_acl
...
45xxxxxxx951
API> set,c,l,object_name
MY_ACL_TEMPLATE
...
OK
API> set,c,l,owner_name
dm_dbo
...
OK
API> set,c,l,acl_class
1
...
OK
API> set,c,l,description
Desc 4 MY_ACL_TEMPLATE
...
OK
API> grant,c,l,dm_world,AccessPermit,,3
...
OK
API> grant,c,l,dm_owner,AccessPermit,,3
...
OK
API> grant,c,l,%AS4MyGroup,AccessPermit,,6
...
OK
API> grant,c,l,%AS4SuperUser,AccessPermit,,7
...
OK
API> save,c,l
...
OK
API> commit,c
...
OK

Adding a new accessor using the alias %ReaderRestrictAccess to the PST:

API> begintran,c
...
OK
API> retrieve,c,dm_acl where object_name='MY_ACL_TEMPLATE'
...
45xxxxxxx951
API> grant,c,l,%ReaderRestrictAccess,AccessRestriction,,5
...
OK
API> save,c,l
...
OK
API> commit,c
...
OK

 
Some explanations:

  • The archived documents will have a READONLY restriction for all database users. This restriction is provided by Trusted Content Services (TCS) access restrictions, which work independently of the use of ACL, PST and AS; see the earlier post: Documentum : ACL, Permit Type, Trusted Content Services, TCS, Access Restriction.
  • A reminder of the "dm_acl.r_permit_type" attribute:
    • Defines the kind of entry; the basic valid values are AccessPermit and ExtendedPermit.
    • With a Trusted Content Services license, the following values are also valid entries: ApplicationPermit, AccessRestriction, ExtendedRestriction, ApplicationRestriction, RequiredGroup and RequiredGroupSet.
    • The DFC interface com.documentum.fc.client.IDfPermitType (used by IDfPermit) defines the matching constants:
      public static final int ACCESS_PERMIT = 0;
      public static final int EXTENDED_PERMIT = 1;
      public static final int APPLICATION_PERMIT = 2;
      public static final int ACCESS_RESTRICTION = 3;
      public static final int EXTENDED_RESTRICTION = 4;
      public static final int APPLICATION_RESTRICTION = 5;
      public static final int REQUIRED_GROUP = 6;
      public static final int REQUIRED_GROUP_SET = 7;
      
  • dm_world and dm_owner have an access PERMIT (r_permit_type=0 : IDfPermitType.ACCESS_PERMIT) with READ permission (r_accessor_permit=3 : IDfACL.DF_PERMIT_READ).
  • The alias %AS4MyGroup has an access PERMIT (r_permit_type=0 : IDfPermitType.ACCESS_PERMIT) with WRITE permission (r_accessor_permit=6 : IDfACL.DF_PERMIT_WRITE).
  • The alias %AS4SuperUser has an access PERMIT (r_permit_type=0 : IDfPermitType.ACCESS_PERMIT) with DELETE permission (r_accessor_permit=7 : IDfACL.DF_PERMIT_DELETE).
  • The alias %ReaderRestrictAccess has an access RESTRICTION (r_permit_type=3 : IDfPermitType.ACCESS_RESTRICTION) at VERSION level (r_accessor_permit=5 : IDfACL.DF_PERMIT_VERSION).
    • The restriction is set at VERSION, "%ReaderRestrictAccess=5" (IDfACL.DF_PERMIT_VERSION), so the restricted accessors are limited to RELATE, "4" (IDfACL.DF_PERMIT_RELATE).
    • The permit type "3" corresponds to IDfPermitType.ACCESS_RESTRICTION, available with the Trusted Content Services license.
    • An IDfPermitType.ACCESS_RESTRICTION entry is EXCLUSIVE: the level named is the first one denied. For example, a restriction at "VERSION (r_accessor_permit=5)" => ALLOWS at most => "RELATE (r_accessor_permit=4)".
  • No extended permission (r_accessor_xpermit=0).

    Dump of the created Template ACL (Permission Set Template):

    API> dump,c,45xxxxxxx951
    ...
    USER ATTRIBUTES
      object_name                : MY_ACL_TEMPLATE
      description                : Desc 4 MY_ACL_TEMPLATE
      owner_name                 : MYDOCBASEDEV
      globally_managed           : F
      acl_class                  : 1
    
    SYSTEM ATTRIBUTES
      r_object_id                : 45xxxxxxx951
      r_is_internal              : F
      r_accessor_name         [0]: dm_world
                              [1]: dm_owner
                              [2]: %AS4MyGroup
                              [3]: %AS4SuperUser
                              [4]: %ReaderRestrictAccess
      r_accessor_permit       [0]: 3
                              [1]: 3
                              [2]: 6
                              [3]: 7
                              [4]: 5
      r_accessor_xpermit      [0]: 0
                              [1]: 0
                              [2]: 0
                              [3]: 0
                              [4]: 0
      r_is_group              [0]: F
                              [1]: F
                              [2]: F
                              [3]: F
                              [4]: F
      r_has_events               : F
      r_permit_type           [0]: 0
                              [1]: 0
                              [2]: 0
                              [3]: 0
                              [4]: 3
      r_application_permit    [0]: 
                              [1]: 
                              [2]: 
                              [3]: 
                              [4]: 
      r_template_id              : 0000000000000000
      r_alias_set_id             : 0000000000000000
    
    APPLICATION ATTRIBUTES
    
    INTERNAL ATTRIBUTES
      i_has_required_groups      : F
      i_has_required_group_set   : F
      i_has_access_restrictions  : T
      i_partition                : 0
      i_is_replica               : F
      i_vstamp                   : 1
    

     


     
    Creation of Alias Set (dm_alias_set)

    Assuming that we have the following 2 groups:

    • my_grp_no_body is a group containing no user
    • my_grp_all_users is a group containing all users

    ... we create 2 alias sets, MY_ALIASSET and MY_ALIASSET_ARCHIVED, which map the alias ReaderRestrictAccess to these 2 groups:

    • MY_ALIASSET/ReaderRestrictAccess = my_grp_no_body
    • MY_ALIASSET_ARCHIVED/ReaderRestrictAccess = my_grp_all_users

    API> begintran,c
    ...
    OK
    
    
    API> create,c,dm_alias_set
    ...
    66xxxxxd41
    API> set,c,l,object_name
    MY_ALIASSET
    ...
    OK
    API> set,c,l,owner_name
    dm_dbo
    ...
    OK
    API> set,c,l,object_description
    Desc 4 MY_ALIASSET
    ...
    OK
    API> append,c,l,alias_name
    AS4MyGroup
    ...
    OK
    API> append,c,l,alias_value
    my_grp_all_users
    ...
    OK
    API> append,c,l,alias_category
    2
    ...
    OK
    API> append,c,l,alias_usr_category
    -1
    ...
    OK
    API> append,c,l,alias_description
    Entry for a group alias (my_grp_all_users)
    ...
    OK
    API> append,c,l,alias_name
    AS4SuperUser
    ...
    OK
    API> append,c,l,alias_value
    myuser001
    ...
    OK
    API> append,c,l,alias_category
    1
    ...
    OK
    API> append,c,l,alias_usr_category
    -1
    ...
    OK
    API> append,c,l,alias_description
    Entry for a user alias (myuser001)
    ...
    OK
    API> append,c,l,alias_name
    ReaderRestrictAccess
    ...
    OK
    API> append,c,l,alias_value
    my_grp_no_body
    ...
    OK
    API> append,c,l,alias_category
    1
    ...
    OK
    API> append,c,l,alias_usr_category
    -1
    ...
    OK
    API> append,c,l,alias_description
    Entry for a user alias (my_grp_no_body)
    ...
    OK
    API> save,c,l
    ...
    OK
    
    
    API> create,c,dm_alias_set
    ...
    66xxxxxxd42
    API> set,c,l,object_name
    MY_ALIASSET_ARCHIVED
    ...
    OK
    API> set,c,l,owner_name
    dm_dbo
    ...
    OK
    API> set,c,l,object_description
    Desc 4 MY_ALIASSET_ARCHIVED
    ...
    OK
    API> append,c,l,alias_name
    AS4MyGroup
    ...
    OK
    API> append,c,l,alias_value
    my_grp_all_users
    ...
    OK
    API> append,c,l,alias_category
    2
    ...
    OK
    API> append,c,l,alias_usr_category
    -1
    ...
    OK
    API> append,c,l,alias_description
    Entry for a group alias (my_grp_all_users)
    ...
    OK
    API> append,c,l,alias_name
    AS4SuperUser
    ...
    OK
    API> append,c,l,alias_value
    myuser001
    ...
    OK
    API> append,c,l,alias_category
    1
    ...
    OK
    API> append,c,l,alias_usr_category
    -1
    ...
    OK
    API> append,c,l,alias_description
    Entry for a user alias (myuser001)
    ...
    OK
    API> append,c,l,alias_name
    ReaderRestrictAccess
    ...
    OK
    API> append,c,l,alias_value
    my_grp_all_users
    ...
    OK
    API> append,c,l,alias_category
    1
    ...
    OK
    API> append,c,l,alias_usr_category
    -1
    ...
    OK
    API> append,c,l,alias_description
    Entry for a user alias (my_grp_all_users)
    ...
    OK
    API> save,c,l
    ...
    OK
    
    
    API> commit,c
    ...
    OK
    

     
    Dump of the created alias set MY_ALIASSET:

    API> dump,c,66xxxxxd41
    ...
    USER ATTRIBUTES
      owner_name                 : dm_dbo
      object_name                : MY_ALIASSET
      object_description         : Desc 4 MY_ALIASSET
      alias_name              [0]: AS4MyGroup
                              [1]: AS4SuperUser
                              [2]: ReaderRestrictAccess
      alias_value             [0]: my_grp_all_users
                              [1]: myuser001
                              [2]: my_grp_no_body
      alias_category          [0]: 2
                              [1]: 1
                              [2]: 1
      alias_usr_category      [0]: -1
                              [1]: -1
                              [2]: -1
      alias_description       [0]: Entry for a group alias (my_grp_all_users)
                              [1]: Entry for a user alias (myuser001)
                              [2]: Entry for a user alias (my_grp_no_body)
    
    SYSTEM ATTRIBUTES
      r_object_id                : 66xxxxxd41
    
    APPLICATION ATTRIBUTES
    
    INTERNAL ATTRIBUTES
      i_is_replica               : F
      i_vstamp                   : 0
    

     
    Dump of the created alias set MY_ALIASSET_ARCHIVED:

    API> dump,c,66xxxxxxd42
    ...
    USER ATTRIBUTES
      owner_name                 : dm_dbo
      object_name                : MY_ALIASSET_ARCHIVED
      object_description         : Desc 4 MY_ALIASSET_ARCHIVED
      alias_name              [0]: AS4MyGroup
                              [1]: AS4SuperUser
                              [2]: ReaderRestrictAccess
      alias_value             [0]: my_grp_all_users
                              [1]: myuser001
                              [2]: my_grp_all_users
      alias_category          [0]: 2
                              [1]: 1
                              [2]: 1
      alias_usr_category      [0]: -1
                              [1]: -1
                              [2]: -1
      alias_description       [0]: Entry for a group alias (my_grp_all_users)
                              [1]: Entry for a user alias (myuser001)
                              [2]: Entry for a user alias (my_grp_all_users)
    
    SYSTEM ATTRIBUTES
      r_object_id                : 66xxxxxxd42
    
    APPLICATION ATTRIBUTES
    
    INTERNAL ATTRIBUTES
      i_is_replica               : F
      i_vstamp                   : 0
    

     


     
    Creation of instances of Template ACL (acl_class=2)

    An instance of an ACL template is created when an Alias Set and a PST are associated with a document. An instance of a PST cannot be created manually.
    The error DM_ACL_E_CANT_CHANGE_INSTANCE occurs if a user tries to modify an instance of a PST (acl_class=2). To modify the instances of a PST, it is necessary to modify the PST or the PST/Alias Set associated with these instances.

     
    We are creating 2 documents (dm_document) using the previous PST and AS:

    • a document named Test DOC HUO WITH AS AND PST not ARCHIVED, associated with the PST MY_ACL_TEMPLATE and the AS MY_ALIASSET, in order to generate/use an ACL MY_ACL having r_accessor_name (ReaderRestrictAccess) = my_grp_no_body (exclusive permission VERSION "5")
    • a document named Test DOC HUO WITH AS AND PST ARCHIVED, associated with the PST MY_ACL_TEMPLATE and the AS MY_ALIASSET_ARCHIVED, in order to generate/use an ACL MY_ACL_ARCHIVED having r_accessor_name (ReaderRestrictAccess) = my_grp_all_users (exclusive permission VERSION "5")

    Actually, associating a document with an Alias Set and a Template ACL generates an instance of the Template ACL (acl_class=2) with a name like dm_450xxxxxxx94_xxxxd3e. This instance is created only if it does not already exist.

    The only difference between MY_ACL and MY_ACL_ARCHIVED is the read-only restriction imposed on people who already have access to the documents. By using the AccessRestriction permit type with the basic permission VERSION (5):

    • with MY_ACL, the system doesn't explicitly restrict users from accessing and modifying the document, because the my_grp_no_body group contains no user,
    • with MY_ACL_ARCHIVED, the system restricts all users to only BROWSE, READ, and RELATE the document (not "VERSION"!!!!) EVEN IF these users belong to groups which have more permissive rights.
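To make that resolution concrete, here is an added Python model (not Documentum Content Server or DFC code) of how the PST above is instantiated against each alias set and how an AccessRestriction entry caps whatever the AccessPermit entries grant; the group memberships and the users alice and bob are constructed for the example, and the evaluation rule is a simplification of the server's.

```python
from dataclasses import dataclass

# r_permit_type values (IDfPermitType constants quoted on this page)
ACCESS_PERMIT = 0
ACCESS_RESTRICTION = 3
# r_accessor_permit basic levels (IDfACL.DF_PERMIT_*)
NONE, BROWSE, READ, RELATE, VERSION, WRITE, DELETE = 1, 2, 3, 4, 5, 6, 7

@dataclass(frozen=True)
class Entry:
    accessor: str     # r_accessor_name; "%alias" in a template (acl_class=1)
    permit: int       # r_accessor_permit
    permit_type: int  # r_permit_type

# The PST built on this page.
MY_ACL_TEMPLATE = [
    Entry("dm_world", READ, ACCESS_PERMIT),
    Entry("dm_owner", READ, ACCESS_PERMIT),
    Entry("%AS4MyGroup", WRITE, ACCESS_PERMIT),
    Entry("%AS4SuperUser", DELETE, ACCESS_PERMIT),
    Entry("%ReaderRestrictAccess", VERSION, ACCESS_RESTRICTION),
]
# The two alias sets from this page: only ReaderRestrictAccess differs.
MY_ALIASSET = {"AS4MyGroup": "my_grp_all_users", "AS4SuperUser": "myuser001",
               "ReaderRestrictAccess": "my_grp_no_body"}
MY_ALIASSET_ARCHIVED = dict(MY_ALIASSET, ReaderRestrictAccess="my_grp_all_users")
# Constructed group memberships (assumption: alice and bob are ordinary users).
GROUPS = {"my_grp_all_users": {"myuser001", "alice", "bob"}, "my_grp_no_body": set()}

def instantiate(template, alias_set):
    """Resolve %alias accessors against an alias set. The server does this when a
    document is saved with acl_name=<PST> and r_alias_set_id=<alias set>, which
    yields the acl_class=2 instance named dm_<pst id>_<alias set id>."""
    resolved = []
    for e in template:
        name = alias_set[e.accessor[1:]] if e.accessor.startswith("%") else e.accessor
        resolved.append(Entry(name, e.permit, e.permit_type))
    return resolved

def applies(entry, user, owner):
    """Does this ACL entry match the user (dm_world, dm_owner, a group or a user)?"""
    a = entry.accessor
    if a == "dm_world":
        return True
    if a == "dm_owner":
        return user == owner
    if a in GROUPS:
        return user in GROUPS[a]
    return a == user

def effective_permit(acl, user, owner="dm_dbo"):
    """Highest AccessPermit the user qualifies for, capped by every matching
    AccessRestriction: a restriction at level N is exclusive, so it allows at
    most N-1 (VERSION 5 -> RELATE 4), whatever the user's groups would grant."""
    permits = [e.permit for e in acl
               if e.permit_type == ACCESS_PERMIT and applies(e, user, owner)]
    caps = [e.permit - 1 for e in acl
            if e.permit_type == ACCESS_RESTRICTION and applies(e, user, owner)]
    return min([max(permits, default=NONE)] + caps)
```

With MY_ALIASSET, alice (via my_grp_all_users) gets WRITE and myuser001 gets DELETE; with MY_ALIASSET_ARCHIVED both are capped at RELATE, while a user in no group still only has the dm_world READ.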

     

    API> begintran,c
    ...
    OK
    
    
    API> create,c,dm_document
    ...
    09xxxxxxxxx88
    API> set,c,l,object_name
    Test DOC HUO WITH AS AND PST not ARCHIVED
    ...
    OK
    API> set,c,l,a_content_type
    pdf
    ...
    OK
    API> setfile,c,l,C:\temp\test.pdf
    ...
    OK
    API> link,c,l,'/Temp'
    ...
    OK
    API> set,c,l,r_alias_set_id
    66xxxxxd41
    ...
    OK
    API> set,c,l,acl_domain
    dm_dbo
    ...
    OK
    API> set,c,l,acl_name
    MY_ACL_TEMPLATE
    ...
    OK
    API> save,c,l
    ...
    OK
    
    
    API> create,c,dm_document
    ...
    09xxxxxxxxxx89
    API> set,c,l,object_name
    Test DOC HUO WITH AS AND PST ARCHIVED
    ...
    OK
    API> set,c,l,a_content_type
    pdf
    ...
    OK
    API> setfile,c,l,C:\temp\test.pdf
    ...
    OK
    API> link,c,l,'/Temp'
    ...
    OK
    API> set,c,l,r_alias_set_id
    66xxxxxxd42
    ...
    OK
    API> set,c,l,acl_domain
    dm_dbo
    ...
    OK
    API> set,c,l,acl_name
    MY_ACL_TEMPLATE
    ...
    OK
    API> save,c,l
    ...
    OK
    
    
    API> commit,c
    ...
    OK
    

     
    Dump of the created document Test DOC HUO WITH AS AND PST not ARCHIVED:

    API> dump,c,09xxxxxxxxx88
    ...
    USER ATTRIBUTES
      object_name                : Test DOC HUO WITH AS AND PST not ARCHIVED
      acl_domain                 : MYDOCBASEDEV
      acl_name                   : dm_45xxxxxxx951_xxxxxd41
    
    SYSTEM ATTRIBUTES
      r_object_id                : 09xxxxxxxxx88
      r_object_type              : dm_document
    

     

    Dump of the created document Test DOC HUO WITH AS AND PST ARCHIVED:

    API> dump,c,09xxxxxxxxxx89
    ...
    USER ATTRIBUTES
      object_name                : Test DOC HUO WITH AS AND PST ARCHIVED
      acl_domain                 : MYDOCBASEDEV
      acl_name                   : dm_45xxxxxxx9511_xxxxxd42
    
    SYSTEM ATTRIBUTES
      r_object_id                : 09xxxxxxxxxx89
      r_object_type              : dm_document
    

     
     
    So, the PST instances used by these new documents are the following.
    The document Test DOC HUO WITH AS AND PST not ARCHIVED uses the Template ACL instance (acl_class=2) dm_45xxxxxxx951_xxxxxd41:

    DQL> select r_object_id from dm_acl where object_name IN('dm_45xxxxxxx951_xxxxxd41','dm_45xxxxxxx9511_xxxxxd42')
    ...
    r_object_id
    45xxxxxx952
    45xxxxxx953
    
    API> dump,c,45xxxxxx952
    ...
    USER ATTRIBUTES
      object_name                : dm_45xxxxxxx951_xxxxxd41
      description                : dm_45xxxxxxx951_xxxxxd41
      owner_name                 : MYDOCBASEDEV
      globally_managed           : F
      acl_class                  : 2
    
    SYSTEM ATTRIBUTES
      r_object_id                : 45xxxxxx952
      r_is_internal              : T
      r_accessor_name         [0]: dm_world
                              [1]: dm_owner
                              [2]: my_grp_all_users
                              [3]: myuser001
                              [4]: my_grp_no_body
      r_accessor_permit       [0]: 3
                              [1]: 3
                              [2]: 6
                              [3]: 7
                              [4]: 5
      r_accessor_xpermit      [0]: 0
                              [1]: 0
                              [2]: 0
                              [3]: 0
                              [4]: 0
      r_is_group              [0]: F
                              [1]: F
                              [2]: T
                              [3]: F
                              [4]: T
      r_has_events               : F
      r_permit_type           [0]: 0
                              [1]: 0
                              [2]: 0
                              [3]: 0
                              [4]: 3
      r_application_permit    [0]: 
                              [1]: 
                              [2]: 
                              [3]: 
                              [4]: 
      r_template_id              : 45xxxxxxx951
      r_alias_set_id             : 66xxxxxd41
    
    APPLICATION ATTRIBUTES
    
    INTERNAL ATTRIBUTES
      i_has_required_groups      : F
      i_has_required_group_set   : F
      i_has_access_restrictions  : T
      i_partition                : 0
      i_is_replica               : F
      i_vstamp                   : 1
    

     
    The document Test DOC HUO WITH AS AND PST ARCHIVED uses the Template ACL instance (acl_class=2) dm_45xxxxxxx9511_xxxxxd42:

    API> dump,c,45xxxxxx953
    ...
    USER ATTRIBUTES
      object_name                : dm_45xxxxxxx9511_xxxxxd42
      description                : dm_45xxxxxxx9511_xxxxxd42
      owner_name                 : MYDOCBASEDEV
      globally_managed           : F
      acl_class                  : 2
    
    SYSTEM ATTRIBUTES
      r_object_id                : 45xxxxxx953
      r_is_internal              : T
      r_accessor_name         [0]: dm_world
                              [1]: dm_owner
                              [2]: my_grp_all_users
                              [3]: myuser001
                              [4]: my_grp_all_users
      r_accessor_permit       [0]: 3
                              [1]: 3
                              [2]: 6
                              [3]: 7
                              [4]: 5
      r_accessor_xpermit      [0]: 0
                              [1]: 0
                              [2]: 0
                              [3]: 0
                              [4]: 0
      r_is_group              [0]: F
                              [1]: F
                              [2]: T
                              [3]: F
                              [4]: T
      r_has_events               : F
      r_permit_type           [0]: 0
                              [1]: 0
                              [2]: 0
                              [3]: 0
                              [4]: 3
      r_application_permit    [0]: 
                              [1]: 
                              [2]: 
                              [3]: 
                              [4]: 
      r_template_id              : 45xxxxxxx951
      r_alias_set_id             : 66xxxxxxd42
    
    APPLICATION ATTRIBUTES
    
    INTERNAL ATTRIBUTES
      i_has_required_groups      : F
      i_has_required_group_set   : F
      i_has_access_restrictions  : T
      i_partition                : 0
      i_is_replica               : F
      i_vstamp                   : 1
    

    Important note: any modification of the PST and/or the AS will impact all instances of the PST (ACLs) associated with these elements.

    Best regards,

    Huseyin OZVEREN