Chapter 5. Security 95
Table 5-1 Content Manager default settings for users who can declare records

Setting                            Value                              Comment
Maximum privilege set              RMEUserAllPrivs                    Default privilege set provided by Records Enabler
Default item access control list   RMEClientACL                       Default ACL provided by Records Enabler
PublicReadACL                      Add the user or the user’s group   Must have access to RMEConfig item type, which is assigned to PublicReadACL

5.1.2 Managing security through document access control
In Document Manager, document access control is based on Content Manager’s access control model.
A user can only gain access to the Document Manager system when the user has a login ID and password defined in Content Manager. The login ID has a set of privileges associated with it. That set specifies the maximum actions the user can perform in the system.
Any document that you add to the Document Manager system is associated with a Document Manager class. A Document Manager class is derived from an item type. When you create an item type, you specify the ACL to which it is bound. A Document Manager class derived from the item type inherits the ACL of the item type. A document by default inherits the ACL of the Document Manager class.
When you initiate an operation on a document in Document Manager, the system checks both your privileges and the ACL that is bound to the document. The system allows you to proceed only if you have the privilege to perform the action and the ACL grants it. For example, if you initiate a search action, the search result only returns documents that you have the right to see. Furthermore, you can only check out documents that you have the right to edit.
There are two ways to bind an ACL to an item type: at the item type level or at the item level. You can also change the ACL setting of an individual document from Document Manager objects if the ACL is bound at the item level.
Binding ACL to an item type at item type or item level
When defining an item type, you bind the ACL to the item type at the item type level or at the item level.
If you bind the ACL at the item type level, all documents created under that item type inherit the item type’s ACL. You cannot change the ACL of any individual document because the system only checks the access right at the item type level and not at the individual document level.
96 IBM DB2 Document Manager with IBM Records Manager Solution Guide
If you bind the ACL at the item level, documents created under that item type by default inherit the item type’s ACL; however, you can change the ACL of an individual document because the system always checks the access right at the individual document level.
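To make these rules concrete, the following is an added, constructed model (not Content Manager’s or Document Manager’s own API; the names ACL, ItemType, Document, check_access and the sample users and item types are invented for illustration) of how the privilege set, the level at which the item type binds its ACL, and a per-document ACL combine when a search or check-out is attempted:

```python
from dataclasses import dataclass
from typing import Optional
@dataclass
class ACL:
    name: str
    rights: dict  # user -> set of actions the ACL grants, e.g. {"alice": {"read", "edit"}}

@dataclass
class ItemType:
    name: str
    acl: ACL       # the ACL the item type is bound to
    checking: str  # "item_type" or "item": the level at which access rights are checked

@dataclass
class Document:
    doc_id: str
    item_type: ItemType
    acl: Optional[ACL] = None  # per-document ACL; None means inherit from the item type

    def effective_acl(self) -> ACL:
        # With item type level checking, only the item type's ACL is ever consulted.
        if self.item_type.checking == "item_type":
            return self.item_type.acl
        return self.acl or self.item_type.acl

def set_document_acl(doc: Document, acl: ACL) -> None:
    """A document's ACL can be changed only when checking is bound at the item level."""
    if doc.item_type.checking != "item":
        raise PermissionError(f"{doc.item_type.name}: ACL is bound at the item type level")
    doc.acl = acl

def check_access(user: str, privileges: dict, doc: Document, action: str) -> bool:
    # The privilege set caps what the user can ever do; the effective ACL must also grant it.
    return (action in privileges.get(user, set())
            and action in doc.effective_acl().rights.get(user, set()))

def search(user: str, privileges: dict, docs: list) -> list:
    # A search result only returns the documents the user has the right to see.
    return [d.doc_id for d in docs if check_access(user, privileges, d, "read")]
def can_check_out(user: str, privileges: dict, doc: Document) -> bool:
    # Checking out requires the right to edit, not only to read.
    return check_access(user, privileges, doc, "edit")
# Constructed sample data: bob's privilege set never includes "edit", whatever an ACL grants.
PRIVILEGES = {"alice": {"read", "edit"}, "bob": {"read"}}
PUBLIC_READ = ACL("PublicReadACL", {"alice": {"read", "edit"}, "bob": {"read", "edit"}})
RESTRICTED = ACL("RestrictedACL", {"alice": {"read", "edit"}})
CONTRACT = ItemType("Contract", PUBLIC_READ, checking="item")   # item level: per-document ACL allowed
POLICY = ItemType("Policy", PUBLIC_READ, checking="item_type")  # item type level: no per-document ACL
DOCS = [Document("C-1", CONTRACT), Document("C-2", CONTRACT), Document("P-1", POLICY)]
```

Restricting C-2 removes it from bob’s search results, while the same change on P-1 is refused because its item type checks access only at the item type level.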
Figure 5-1 shows the Access Control tab of an item type configuration window in the Content Manager system administration client. You select the ACL to bind to the item type from the drop-down list. You also select whether you want the ACL checking to be at the item type level or at the item level. In the sample window, the ACL PublicReadACL is bound to the item type at the item level.
Figure 5-1 Item type ACL selection
Note: When you enable an item type to store records, if at that time the item type’s ACL checking is set at the item type level, Records Enabler automatically changes the ACL checking to the item level. Records Enabler does this because it manages the access control of a record at the individual item or document level.