Content Management and Capture

Hello All,

Our client want to a report about user's permissions. How can I list which folders and content a user is authorized to? Can I query basically in Acce or do I need to prepare a SQL query in OS database? Is it possible to do?

Thanks

------------------------------
Mehmet Selim ARLI
Consultant
Aksis
Istanbul AE
+905309556707
------------------------------

There is no mechanism by which one user can see what objects another user has access to, even if the first user is an administrator.
And even for a user wanting to find that information for themself, the only way as through a CE API search executed while logged in as that user.  (ACCE search uses the API).
There is no way to determine access granted through direct access to the database.

------------------------------
Mike
------------------------------

Original Message:
Sent: Mon January 11, 2021 03:53 AM
From: Mehmet Selim ARLI
Subject: IBM Filenet user's permission list

Hello All,

Our client want to a report about user's permissions. How can I list which folders and content a user is authorized to? Can I query basically in Acce or do I need to prepare a SQL query in OS database? Is it possible to do?

Thanks

------------------------------
Mehmet Selim ARLI
Consultant
Aksis
Istanbul AE
+905309556707
------------------------------

For directory migrations IBM maintains a programm that can decode the ACL blob for from the database a given document from the database.

That would be a fit, unfortunately it is IBM internal only :-(

/Gerold

------------------------------
Gerold Krommer
------------------------------

Original Message:
Sent: Mon January 11, 2021 03:53 AM
From: Mehmet Selim ARLI
Subject: IBM Filenet user's permission list

Hello All,

Our client want to a report about user's permissions. How can I list which folders and content a user is authorized to? Can I query basically in Acce or do I need to prepare a SQL query in OS database? Is it possible to do?

Thanks

------------------------------
Mehmet Selim ARLI
Consultant
Aksis
Istanbul AE
+905309556707
------------------------------

This request is quite common in large organizations with complex business rules for security.

I suppose they are interested to check whether a user has access to content that should not be allowed to access, either by mistake or intentionally.

Unfortunately there is no such tool and the only way I can think of, is first getting user's LDAP group memberships and then using the API checking all objects that the user should not be allowed to view either by role, or doc class, or property value or any other business rule and check for exceptions.
The problem is that in large repositories with millions of documents, such a report may take days to complete.

BR

------------------------------
Christos Chorattides
Datatech
------------------------------

Original Message:
Sent: Mon January 11, 2021 03:53 AM
From: Mehmet Selim ARLI
Subject: IBM Filenet user's permission list

Hello All,

Our client want to a report about user's permissions. How can I list which folders and content a user is authorized to? Can I query basically in Acce or do I need to prepare a SQL query in OS database? Is it possible to do?

Thanks

------------------------------
Mehmet Selim ARLI
Consultant
Aksis
Istanbul AE
+905309556707
------------------------------

Thanks for the all answers!

Our client has complex security needs. Dynamic role implementation has been made for some units. If we have to fulfill this need, it seems necessary to use the CE API.

------------------------------
Mehmet Selim ARLI
Consultant
Aksis
Istanbul AE
+905309556707
------------------------------

Original Message:
Sent: Wed January 13, 2021 05:22 AM
From: Christos Chorattides
Subject: IBM Filenet user's permission list

This request is quite common in large organizations with complex business rules for security.

I suppose they are interested to check whether a user has access to content that should not be allowed to access, either by mistake or intentionally.

Unfortunately there is no such tool and the only way I can think of, is first getting user's LDAP group memberships and then using the API checking all objects that the user should not be allowed to view either by role, or doc class, or property value or any other business rule and check for exceptions.
The problem is that in large repositories with millions of documents, such a report may take days to complete.

BR

------------------------------
Christos Chorattides
Datatech

Original Message:
Sent: Mon January 11, 2021 03:53 AM
From: Mehmet Selim ARLI
Subject: IBM Filenet user's permission list

Hello All,

Our client want to a report about user's permissions. How can I list which folders and content a user is authorized to? Can I query basically in Acce or do I need to prepare a SQL query in OS database? Is it possible to do?

Thanks

------------------------------
Mehmet Selim ARLI
Consultant
Aksis
Istanbul AE
+905309556707
------------------------------

Well and if you're using Dynamic Roles the user won't be in direct ACLs anyway, only the role will appear. The user gets mapped in at runtime by the dynamic role implementation. You'd have to not only crawl for objects to which the user has been directly added, but also crawl for the roles they're a member of. This could be a very tedious process...

------------------------------
Eric Walk
Senior Technical Architect

O: 617-453-9983 | NASDAQ: PRFT | Perficient.com
------------------------------

Original Message:
Sent: Wed January 13, 2021 07:50 AM
From: Mehmet Selim ARLI
Subject: IBM Filenet user's permission list

Thanks for the all answers!

Our client has complex security needs. Dynamic role implementation has been made for some units. If we have to fulfill this need, it seems necessary to use the CE API.

------------------------------
Mehmet Selim ARLI
Consultant
Aksis
Istanbul AE
+905309556707

Original Message:
Sent: Wed January 13, 2021 05:22 AM
From: Christos Chorattides
Subject: IBM Filenet user's permission list

This request is quite common in large organizations with complex business rules for security.

I suppose they are interested to check whether a user has access to content that should not be allowed to access, either by mistake or intentionally.

Unfortunately there is no such tool and the only way I can think of, is first getting user's LDAP group memberships and then using the API checking all objects that the user should not be allowed to view either by role, or doc class, or property value or any other business rule and check for exceptions.
The problem is that in large repositories with millions of documents, such a report may take days to complete.

BR

------------------------------
Christos Chorattides
Datatech

Original Message:
Sent: Mon January 11, 2021 03:53 AM
From: Mehmet Selim ARLI
Subject: IBM Filenet user's permission list

Hello All,

Our client want to a report about user's permissions. How can I list which folders and content a user is authorized to? Can I query basically in Acce or do I need to prepare a SQL query in OS database? Is it possible to do?

Thanks

------------------------------
Mehmet Selim ARLI
Consultant
Aksis
Istanbul AE
+905309556707
------------------------------

Eric is 100% right. If you are making use of dynamic roles a users access to an object can vary from logon to logon, a report is pretty useless in that case.

/Gerold

------------------------------
Gerold Krommer
------------------------------

Original Message:
Sent: Wed January 13, 2021 07:50 AM
From: Mehmet Selim ARLI
Subject: IBM Filenet user's permission list

Thanks for the all answers!

Our client has complex security needs. Dynamic role implementation has been made for some units. If we have to fulfill this need, it seems necessary to use the CE API.

------------------------------
Mehmet Selim ARLI
Consultant
Aksis
Istanbul AE
+905309556707

Original Message:
Sent: Wed January 13, 2021 05:22 AM
From: Christos Chorattides
Subject: IBM Filenet user's permission list

This request is quite common in large organizations with complex business rules for security.

I suppose they are interested to check whether a user has access to content that should not be allowed to access, either by mistake or intentionally.

Unfortunately there is no such tool and the only way I can think of, is first getting user's LDAP group memberships and then using the API checking all objects that the user should not be allowed to view either by role, or doc class, or property value or any other business rule and check for exceptions.
The problem is that in large repositories with millions of documents, such a report may take days to complete.

BR

------------------------------
Christos Chorattides
Datatech

Original Message:
Sent: Mon January 11, 2021 03:53 AM
From: Mehmet Selim ARLI
Subject: IBM Filenet user's permission list

Hello All,

Our client want to a report about user's permissions. How can I list which folders and content a user is authorized to? Can I query basically in Acce or do I need to prepare a SQL query in OS database? Is it possible to do?

Thanks

------------------------------
Mehmet Selim ARLI
Consultant
Aksis
Istanbul AE
+905309556707
------------------------------