Permission Set Templates – Friend or Foe? Part 2

Now that you have seen the power of PSTs, the next question you probably have is when should PST be used (vs regular ACLs).

Based on my experience, PSTs should be used when the following conditions exist – especially if ALL the conditions are true:

  1. Your company/organization has well defined groups/roles. Examples of groups are departments and contractors. Examples of roles are content authors, managers, and vice presidents.
  2. You plan on implementing lifecycle security. This means that permissions on documents will change over the lifecycle of the document.
  3. You want to actively manage permissions at an enterprise level. This is important from an application support perspective. Typical end users are not knowlegable enough about Documentum security to properly dictate what permissions should be assigned to documents.

PSTs should not be used (or used sparingly) in the following situations:

  1. Your organization is not well defined. Without some level of organization, defining meaningfull alias sets becomes very difficult.
  2. Your organization is small and/or you do not plan to use lifecycle security. The number of PSTs or alias sets is limited, so the additional layer of complexity outweighs the benefit of PST.
  3. Your business processes are not well defined and your security requirements are ad-hoc in nature. If the user requires the ability to grant/revoke permissions on documents at will, then you cannot manage security at a central level.

There are probably other circumstances where PSTs can be a “great friend” or an “evil foe“. I am definitely interested to hear how other architects use PSTs or have tried to use PSTs and failed given the environment they were working in.

Advertisements

26 responses to “Permission Set Templates – Friend or Foe? Part 2

  1. Hi Johnny,
    Thank You for these great posts. Hope they help people not doing mistakes when dealing with security things

  2. Hi Johnny
    I have gone through all your posts.Thanks for all this.I have one question on PST.As per PST: Part 1 I tried implementing all PSTs for all depts.However question is that I have ten dept and for each of them there is a folder seperately.So what I did I created ten aliases and then one PST and added all aliases in it.Then given alias set to the user.By this each groups is having access to all the folders.Through this approach how can we restrict group access to that folder only is that possible.I mean having ten alias set and one PST can we restrict access to ten folders such that one group is havingaccess to only one folder.

  3. You dont want to assign all 10 aliases to PST. Your PST should only have one alias – eg %dept. For each dept folder, you would assign the corresponding alias set (%dept = “Accounting”), such that alias gets resolved to appropriate folder (Accounting – WRITE).

    In other words, all of your folders/docs will have the same PST assigned to them (stored in acl_name); the alias set values (stored in r_alias_set_id) will be different for folder/doc for each dept .

  4. Thanks for reply but what if this folder are created automatically.Because it depends on the user selectionof the attributes of document my folders are created.How I will be able to access alias set to the folder?I was thinking to apply the alias set to Users instead of folders.Really this feature is good but I think I am not able to implement it.Can you throw some more light on this.

    Regards
    Deepak

  5. If you implement alias set on User, then a User can only create folders/docs belonging to one document. What I have done in the past is to create xml map that maps the alias set with folder location. Then I write a TBO that reads this xml map whenever a user creates a new folder/doc. XML map allows for more flexibility in assigning alias set to either Folder or User.

  6. Hi
    Thanks for replly.Its working for me but the only concern is that changes are not reflected.For example I have an aliass set with one group.Now I have requirement of adding another group in the same alias set.Now will these changes be applied to the objects which were previously created with an alias set consisting of only one group.I mean changes in alias set will they be reflected in objects created previously with no changes in alias set.

    Regards
    Deepak

  7. Hi Johnny
    PST fails as we update a particular alias set and add another group then its not reflected on the document on which already PST is applied before this changes.When we do change in PST from DAB it gives DM_ACL_F_REFRESH_SELECT_INSTANCE which means we need to changes acl on the previous documents then do changes in PST and then again update all the documents with NEW PST in ACL_NAME.This is double effort and how can we track this.

    Its like we have great and good feature but of no use.Please tell me if I am wrong on this.
    Regards
    Deepak

  8. When you change the alias set, you need to reapply the PST to the object, so that the content server knows that it needs to re-evaluate the alias values. You do not need to update PST if your acl template has not changed. The easiet way to do this is to run an UPDATE DQL similar to this:
    UPDATE dm_document OBJECTS
    SET acl_name = name_pst
    WHERE folder(‘/cabinet1/folder1’,descend).

  9. Hi Johnny,

    Your Inputs are very useful .
    Here is the situation like 10 HR groups accessing 20 types of documents at 30 different locations(with Hierarichal structure) .
    1.HRs were having their own roles restricted to access 40 types of documents .
    2.Locations categerised with Three Hierarical Structure Lower Location HR should not view thier higher branches.
    3.Objects(Employee documents) are not stable they can move from one location to another.
    4.HR users are also not stable they can change from one group to another and also location.
    Actually we are not using PST we just create acls on each object and
    want to confirm whether we can go by that or can u Suggest me how to go with PST

    Reagrds
    Robin

  10. Hi Robin,
    You can always use regular acls. PSTs were created to support the management of acls. See my other post on how to use PSTs:
    https://johnnygee.wordpress.com/2006/09/12/permission-set-templates-friend-or-foe-part-1/

  11. Thanks Johny
    In our Case , For More Flexibility better use of Regular ACLS which we already done.
    Bcz the organization is not well defined structure.
    Thanks for ur input.

    Regards
    Robin

  12. Hi Johnny

    We use Documentum 5.3 but do not yet use Records Manager. Our current use of Documentum is not at the level of full business process management. We have a long-established block numeric file classification structure, and have implemented business unit permission sets for administrative document creation.

    We want the Records team to have View and Browse access to all administrative documents, except sensitive HR documents (have own restrictive permission set). The CEO and his PA have their own permission set, but it is being applied to both sensitive and routine records by default. The CEO and his PA prefer the restricrtive permission set being applied to all their documents, but do not want to have “opt out” of it, to “opt in” to a different document Browse permission set. Some of their documents are deemed too sensitive for the Records team to even have Browse access to the titles.

    My understanding of Documentum permission sets is that we can assign permission sets at folder or document level, but not both.

    Solution options discussed so far, in order of feasability:
    – New permission sets
    – Secret (Owner, CEO and PA – READ, WRITE)
    – Confidential (Owner – READ, WRITE: Records team – BROWSE)
    – Duplicate file structure for confidential documents (problem: too much work)
    – Renaming sensitive documents (problem: access to documents when needed)

    Notes: Records Team canaccess all physical records, except for personnel and sensitive CEO records. We print and file documents, and will continue to do so until our electronic recordkeeping systems comply with legislation and recordkeeping standards. Related issue: need for appraisal for retention and disposal purposes

    regards

    Graeme

  13. Security imposed on folders on restrict browsing through folders to get to files. The search feature in Documentum by-passes the security on the folders, and only queries for security on documents. So its best practice to develop your security model around your documents. I have implemented “restricted” security on past projects by creating an custom attribute (eg restricted_acl) and mapping the dropdown values to their corresponding acl objects. The assignment of the acl was done using TBOs and extending doSave().

  14. Thanks Johnny

    Currently the documents in question are assigned a default restrictive acl for the users that blocks access to everything theyn create. We do not think most of them need to be restricted. You have confirmed a business process change is needed whereby the CEO and his PA have to opt in to a range of custom security classification acls . Thank you again for your help.

    regards

    Graeme

  15. Hi Johnny,

    Just a quick one. We have just come to a site that has changed their naming conventions. They are using Documentum 5.3 Sp1 soon to be sp2. They have Permission Sets and would like to change the names of them to align with the new naming conventions. Is there perhaps a DQL statement that could do this. If i create new ones then i would have to go search all the folders to find where the others are and update with the new ones. Seems very tedious this way.

    So the long and the short of it is.
    Can we run a DQL statement to simply change the name? If so what would it be? If Not what would be the best way to approach this process?
    Maybe there is a way to locate the main folder where the PTS is sitting? if so i can just change the main folder and then run the dql statement to update all objects with the new permission set.

    Thanks very much

    Mark Hancock

  16. Hi Mark,
    I havent tried changing the name before. But, you should be able to create a copy of PST and rename it relatively easily through DAB. Then you all you would need to do is to update all the objects that are using the old PST by searching for the acl_name that contains part of object ID of the PST. Your UPDATE DQL would look something like this:

    UPDATE dm_sysobject OBJECTS
    SET acl_name=’new PST name’
    SET acl_domain=’owner name’
    WHERE acl_name like ‘%’

  17. Thanks Johnny this worked perfectly

  18. This is a great article. We are enabling DCE Rooms to use template ACLs, and I agree that template ACLs are a powerful but complicated feature.

    Great blog!

  19. Hi Johnny

    Is there a special way of deleting Old unused Permission Sets? I get an error message saying that the Permission Sets might be linked to objects but when i view the Memberships there are no objects attached to the permission sets. We would obviously like to clean up the unused ones.

    Thanks very much.

  20. There is method argument for dm_clean job that will delete unreferenced acls (including PSTs).

  21. Hi Johnny,

    So if I ran the dmclean method in the DA that will get rid of the unused acls? or must i pass it an argument? if so could you please let me know how this is done?

    Thank you

  22. Read the Content Server Admin guide for more details on the job arguments.

  23. Pingback: Aliases! 2: Living the Dream « ♪ उत्त्कर्ष

  24. Pingback: Aliases! 3: The Dream « ♪ उत्त्कर्ष

  25. Pingback: Aliases! The Dream Begins! « ♪ उत्त्कर्ष

  26. Pingback: JavaBlog.fr / Java.lu - Documentum : ACL template, Permission Set Template with Alias Set (PART 1 : theory)

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s