Content Management and Capture

Expand all | Collapse all

IBM Filenet user's permission list

  • 1.  IBM Filenet user's permission list

    Posted Mon January 11, 2021 03:53 AM
    Hello All,

    Our client want to a report about user's permissions. How can I list which folders and content a user is authorized to? Can I query basically in Acce or do I need to prepare a SQL query in OS database? Is it possible to do?

    Thanks

    ------------------------------
    Mehmet Selim ARLI
    Consultant
    Aksis
    Istanbul AE
    +905309556707
    ------------------------------


  • 2.  RE: IBM Filenet user's permission list

    Posted Mon January 11, 2021 09:37 AM
    There is no mechanism by which one user can see what objects another user has access to, even if the first user is an administrator.
    And even for a user wanting to find that information for themself, the only way as through a CE API search executed while logged in as that user.  (ACCE search uses the API).
    There is no way to determine access granted through direct access to the database.

    ------------------------------
    Mike
    ------------------------------



  • 3.  RE: IBM Filenet user's permission list

    Posted Tue January 12, 2021 04:16 AM
    For directory migrations IBM maintains a programm that can decode the ACL blob for from the database a given document from the database.

    That would be a fit, unfortunately it is IBM internal only :-(

    /Gerold

    ------------------------------
    Gerold Krommer
    ------------------------------



  • 4.  RE: IBM Filenet user's permission list

    Posted Wed January 13, 2021 05:23 AM
    Edited by Christos Chorattides Wed January 13, 2021 05:25 AM
    This request is quite common in large organizations with complex business rules for security.

    I suppose they are interested to check whether a user has access to content that should not be allowed to access, either by mistake or intentionally.

    Unfortunately there is no such tool and the only way I can think of, is first getting user's LDAP group memberships and then using the API checking all objects that the user should not be allowed to view either by role, or doc class, or property value or any other business rule and check for exceptions.
    The problem is that in large repositories with millions of documents, such a report may take days to complete.

    BR

    ------------------------------
    Christos Chorattides
    Datatech
    ------------------------------



  • 5.  RE: IBM Filenet user's permission list

    Posted Wed January 13, 2021 07:50 AM
    Thanks for the all answers!

    Our client has complex security needs. Dynamic role implementation has been made for some units. If we have to fulfill this need, it seems necessary to use the CE API.

    ------------------------------
    Mehmet Selim ARLI
    Consultant
    Aksis
    Istanbul AE
    +905309556707
    ------------------------------



  • 6.  RE: IBM Filenet user's permission list

    Posted Thu January 14, 2021 09:01 AM
    Well and if you're using Dynamic Roles the user won't be in direct ACLs anyway, only the role will appear. The user gets mapped in at runtime by the dynamic role implementation. You'd have to not only crawl for objects to which the user has been directly added, but also crawl for the roles they're a member of. This could be a very tedious process...

    ------------------------------
    Eric Walk
    Senior Technical Architect

    O: 617-453-9983 | NASDAQ: PRFT | Perficient.com
    ------------------------------



  • 7.  RE: IBM Filenet user's permission list

    Posted Thu January 14, 2021 09:20 AM
    Eric is 100% right. If you are making use of dynamic roles a users access to an object can vary from logon to logon, a report is pretty useless in that case.

    /Gerold

    ------------------------------
    Gerold Krommer
    ------------------------------