The “Inherit from” server config setting is sometimes misunderstood or not even known. This security setting defines the default acl that will be assigned a newly created object that do not have an acl explicitly assigned to it. There are three options available for this setting: folder, type, and user. The default setting – inherit from user – will assign the acl defined in default_acl attribute for dm_user object to newly created objects. Since this setting works most of the time, most developers and administrators are not aware of this security mechanism.
The other two options are:
- Inherit from type – document gets acl that corresponds to default acl assigned to the object type definition
- Inherit from folder – documents gets acl_name that corresponds to acl_name assigned to the parent folder
Why should you care about this setting?
By using inherit from user, you potentially give the user the ability to grant/revoke permissions on individual documents. This leads to creation of unique acl for every document in the repository. The more acls that are created, the longer it takes for server to look up an acl to validate against. It is not uncommon for systems who have inherit from user to have 100,000s acls.
Inherit from type based is better than user, in that it is more likely to map to real world scenarios and the number of acls = number of types. For example, only accounting dept should have permissions on financial document. The problem with using this setting is that you have define a default acl for every sysobject object type in the repository (beyond just your custom types). The simplicity of this setting also makes it not very flexible. If you want to aggregate permissions for accounting dept, you would have to create more object types.
Inherit from folder mimics the typical permission inheritance that are used in most file systems. This setting is better than type, but requires management of acls at the folder level. The implication of this is that a user has to be careful where he/she imports a document.
In my experience, the best solution is to use TBOs (Type-based Business Objects) in conjunction with inherit from folder setting. TBOs allow you to explicitly define business rules on which acls to assign to which object types. Inherit from folder setting will allow you to persist the security on folder objects without the need to create a folder TBO.