Chapter 5. Security 99
5.1.3 Managing security through document life cycle
Document Manager provides you with building blocks so you can model your
organization’s business rules that govern document life cycle without any
programming. The life cycle building blocks have security features to help protect
your business documents. The building blocks are:
Users and groups
We have already discussed users, groups, and classes. In this section, we focus
on roles and states.
Roles allow you to define the actions that users or groups of users can perform
on documents of a particular class or state. When you define a role, you decide
what actions you want the person in this role to be able to do on the document.
The actions that users can perform on a document include:
Figure 5-2 shows you the Role Configuration window for the Creator role from
the Document Manager Designer.
100 IBM DB2 Document Manager with IBM Records Manager Solution Guide
Figure 5-2 The Role configuration window
You can create a role to include any number of actions. After you define the role,
you can associate users or groups to this role. This enables the users or groups
associated with this role to perform a list of the actions set in the role. For
example, if you did not select the Checkout action for the role Creators, the users
of the Creators role will not be able to check out the document, even though the
user has the right to edit the document based on the user’s privilege set and the
In a document life cycle, a document goes through multiple states. When you
define a state, you specify what actions users can perform at the state.
Basic security actions include:
Items can be added as this state.
New revisions can be created as this state.
Apply all access privilege modifications to single-parent children of same or
stateless class.
The "Items can be added as this state" option in the state definition allows you to
add a document into the system at this state of a document life cycle. For
example, in the sample application, we define the Draft state with this option
selected. This means that users can add a new sales proposal in the system with
its state set to Draft. You do not have to allow documents to be added at every state.
For example, the Issued state usually represents documents that have gone
through the approval process and are published for general consumption. For
the Issued state definition, you do not want to check this option because you do
not want users to add proposal documents with Issued state; otherwise, the
proposals have bypassed the approval process set by company policy.
The "New revisions can be created as this state" option allows you to start a
revised copy of a document at this state. This is a security feature because you
want to be selective where in the document life cycle you allow the user to start a
revised copy of the document. For example, in the sample application, the life
cycle of a sales proposal is: from Draft to Review to Approval to Issued. We want
the revised sales proposal document to begin its life cycle at the Draft state because
that is the business rule. It is a violation of the business rule to allow a revised
copy to begin at another state. In the Draft state definition, we select this option.
In any other states, this option is not selected.
The last option, "Apply all access privilege modifications to single-parent
children of same or stateless class", allows the system to apply the parent’s
security setting to the children if the children have only one parent (the current
item) with the same class affiliation as the parent or are of a stateless class.
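
The following check is an added example, not code from Document Manager or from this guide. It audits a life cycle definition for the two entry options described above and reports any state that would let a document skip earlier states. The field names and sample configurations are assumptions made for illustration, and the rule for Issued is generalized here to every state after the first.

```python
from dataclasses import dataclass

# Sample life cycle from the text. Field names below are assumptions for this
# sketch, not Document Manager's configuration schema.
LIFE_CYCLE = ("Draft", "Review", "Approval", "Issued")


@dataclass(frozen=True)
class StateConfig:
    name: str
    items_can_be_added: bool       # "Items can be added as this state"
    new_revisions_allowed: bool    # "New revisions can be created as this state"


def audit_states(states, life_cycle=LIFE_CYCLE):
    """Return one finding per option that lets a document skip earlier states."""
    by_name = {s.name: s for s in states}
    findings = []
    for position, name in enumerate(life_cycle):
        cfg = by_name.get(name)
        if cfg is None:
            findings.append(f"{name}: state is not configured")
            continue
        skipped = ", ".join(life_cycle[:position])
        if position > 0 and cfg.items_can_be_added:
            findings.append(f"{name}: new items can enter here and skip {skipped}")
        if position > 0 and cfg.new_revisions_allowed:
            findings.append(f"{name}: revisions can start here and skip {skipped}")
        if position == 0 and not cfg.new_revisions_allowed:
            findings.append(f"{name}: entry state does not accept new revisions")
    return findings


# Constructed configurations: one consistent with the text, one misconfigured.
AS_DESCRIBED = [
    StateConfig("Draft", True, True),
    StateConfig("Review", False, False),
    StateConfig("Approval", False, False),
    StateConfig("Issued", False, False),
]
MISCONFIGURED = [
    StateConfig("Draft", True, False),
    StateConfig("Review", False, True),
    StateConfig("Approval", False, False),
    StateConfig("Issued", True, False),
]

if __name__ == "__main__":
    for finding in audit_states(MISCONFIGURED):
        print(finding)
```
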
Figure 5-3 shows you the State Configuration window for the Draft state from the
Document Manager Designer.
Figure 5-3 The security tab of the Modify State Configuration window
You can select any of the three options. In addition, you can set additional
security actions by clicking Set from the window. This displays the Security
Action Definitions window as shown in Figure 5-4.