Posted on November 21, 2007 by johnnygee
With D6, there is a new focus on Transactional Content Management. At the core of TCM is the Business Process Management (BPM) suite of products. The suite contains a wide range of products; a full list is available here on the EMC Documentum site. The design goal of D6 BPM is very similar to other D6 products – process without programming. Here is some information that I gathered from a recent demo of the D6 BPM suite:
- Process Engine (the program that controls the business processes) – no longer part of the Content Server. Process Engine needs to be installed separately. This enhances the scalability of the engine.
- Process Analyzer – can import Visio diagrams and automatically generate process templates that a process designer can configure the rest of the settings.
- Fault handling – can set up separate activity (different from original process flow) to handle faults
- Forms Builder – version of template and forms instances will NOT be supported till at least version 6.5. In D6, there is new print-friendly feature for forms.
- TaskSpace – can configure various Inbox views; pdf viewer does NOT support annotations – will need additional license for that support
Filed under: Word on the Street | 7 Comments »
Posted on November 19, 2007 by johnnygee
This might not be dirty little secrets, but I was recently stumped for a while trying to debug a problem in a custom application built by someone else. Let me describe the symptoms first:
- ACL assigned to object gave me (group) DELETE permissions on the object
- The attributes for the object were displayed as read-only
- When viewing the permissions on the object, Webtop said that I only had READ permissions
- When the extended privilege was set to superuser, I was able to edit the attributes – therefore, the data dictionary was set to read-only
After some investigation, I noticed that the a_controlling_app attribute was set to some custom value. I have seen this value being set before for Webpublisher and DCM application. I remember that this attribute allowed you to map control of an object with a specific application. In other words, you cant modify an object instance unless you are using the application that is specified in the a_controlling_app attribute. That makes sense, but where is the mapping defined?
Well, I had to go back to Content Server Fundamentals to find the answer:
“To identify to the system which objects it can modify, an application sets the application_code attribute in either the apiconfig or sessionconfig object when the application is started. (Setting the attribute in the apiconfig, rather than the session config, provides performance benefits.) The application_code attribute is a repeating attribute. On start-up, an application can set application_code to multiple application codes if users are allowed to modify objects controlled by multiple applications through that particular application.”
The issue here was that the client was using Records Management Administrator (RMA) to try to update the content (not the application defined by the a_controlling_app attribute). But why the READ permissions?
Again going back to Fundamentals, the content server will perform the following checks to grant the user his/her proper privilege:
- The content server checks the a_controlling_app attribute of the SysObject.
- If the attribute is blank, the user will be granted access based on the ACL; given that Docbase security is turned on.
- If the attribute contains a value, it will be compared with the values in the application_code attribute of apiconfig or sessionconfig objects.
- If there is a match, the ACL on the object will control the access.
- If no matching code is found, the user will be granted access as defined in the default_app_permit attribute of the docbase_config. The default value of this attribute is READ. So, if the user uses a different application to access the SysObject, he will get READ access. Please, note that the user will get the most restrictive access to the object whichever is more: default_app_permit or ACL
Ah hah, now the secret is known. To solve this problem, I can either
1) set the a_controlling_app attribute to null (or dmc_rm) or
2) set default_app_permit to something higher – DELETE.
I recommend Option 1. Option 2 sort of defeats the idea of having a controlling application.
Filed under: Design | Leave a Comment »