Groups, roles, client capability oh my!

Posted on September 7, 2007 by | 7 Comments

Although these concepts may seem similar, they are very different and can significantly impact an application functionality.  Lets first start with definitions (as defined by EMC Documentum):

Group  –  A group is a set of users, groups, or a mixture of both.  It is normally used to assign permissions on an object.

Role – A role is a special kind of group; it too can contain a set of users, other groups, or both.  The difference is that a role is used by a client application to filter out certain operations.  WDK framework supports scoping of WDK components by role.  For example, the Administration node in Webtop is only visible if the user is an administrator.  Roles are NOT used to assign permissions on an object.

So what is client capability?

Client capability – Legacy setting that is defined for each user object.  The four values for client_capability attribute are consumer, contributor, coordinator, and (system) administrator.  The client capability setting is used as a “default role” for a user.   This setting was created long before the concept of roles was created.  WDK/Webtop uses the client capability role if the user is not assigned to any custom roles.   Once you start creating custom roles, you need to configure/remap the client_capability role to your custom roles, if you still want to use client_capability setting.  FYI – The list of actions available to a specific client capability role is listed in the WDK Development Guide.

To summarize:

  1. groups – permissions
  2. roles – filtering actions
  3. client capability – default roles

Feel free to post comments if you need further clarification.

This entry was posted in FAQs. Bookmark the permalink.

7 responses to “Groups, roles, client capability oh my!

  1. eikrid | September 11, 2007 at 10:17 am | Reply

    Now this is useful, it is less than obvious and I can see how many, rather most would get into this undesired place.

    Thank you

  2. ciaovivek | September 27, 2007 at 7:54 pm | Reply

    Roles can be used to form hierarchy. For example, There are two roles Manager and Employee. Manager is a part of employee role. or manager inherits from Employee.

    Now if a user is a part of role manager he will automatically be a part of role employee

    Cheers
    vivek

  3. johnnygee | September 27, 2007 at 8:41 pm | Reply

    Vivek, what are you trying to say? Both types can be used to support hierarchy. A user can belong to the manager group and the manager group can be part of the employee group. The content server will evaluate the user as part of the employee. My point of the blog is that groups are for security, while roles are for actions.

  4. ecmanil | October 24, 2007 at 11:07 pm | Reply

    I am not sure if webtop or the documentum server is using the legacy client capability anymore, maybe webpublisher still uses it. As far as the content server is concerned groups and roles are exactly the same object(of type dm_group) only applications like webtop is coded to recognize the group/role difference. Then there is dynamic groups and domain roles.

  5. Shivram Gowda | March 30, 2016 at 7:10 pm | Reply

    Can we add a role to a group?

    • johnnygee | March 30, 2016 at 8:10 pm | Reply

      Yes, a role is just a group. Its up to the client app to interpret the meaning of the group/role. That being said, if you are using Webtop, adding a role to a group may not give you the expected results.

  6. Raghavender Rao | January 28, 2020 at 10:38 am | Reply

    if possible add more real time examples.

    Thank you

Leave a reply to ciaovivek Cancel reply