We will have documents in P8. The access to them is determined by the Active Directory (AD) groups. AFTER the documents have already gone into P8, the access to some of the documents can change from one AD group to another. Let me illustrate the scenario:
A document class DocClass1 has these documents in P8:
What options do I have to achieve the above behavior?
This is a 100% use case for marking sets. Security is governed (additionally) by the value of a field.
Search the documentation and if you have more questions please come back.
Security proxy can be a good option for this scenario and security will be updated on all the documents dynamically based on the proxy object.
Thanks & Regards,
Sathish A Rajan
There are a number of options....some of these are
(a) Use an event to update the direct security on the documents -- trigger the event with an update of a property on the document
(b) Create a security parent that identifies the groups who should have access to the documents, and then update the security on the security parent based on the changing needs. More on security parents is here: Configure security inheritance
(c) Use dynamic roles as a way of updating the access. More on roles here: Security - Configuring role-based access
...and of course, you could go in and manually change the security on each object...
Depending on how the documents are accessed, there are other ways such as foldering to modify access.
Thank you Gerold, Sathish, and Ruth. It's good that there can be different ways to accomplish what I wanted to do. I will need to do some experiments.
I have a follow-up question: how do I iterate through all the documents? Example:
Sweep jobs have a target object type, so the object type must be known to the CPE. So the answer is no, you cannot use sweep jobs.
You could run over all documents and check against the case table, but this sounds inefficient to me. IMHO a custom program is in order, but that is pretty trivial I would say...
Thanks Gerold for confirming. That's why proxies or markings are more efficient.
The scope your question describes is a textbook example of security changing based on a property change, and that would normally be a marking in a marking set (as Gerold has already answered). Your value of 1 or 2 (or more) would be individually listed as markings and those markings are then attached to your security groups. Changing the value changes the resultant marking that is evaluated, which in turn changes the security on the object. The downside is that markings are a domain-wide setting and they can become complex to manage for large sets of changing choices. You've only indicated a small part of the problem with no volume or timeline for the changes in your question.
There's also an answer from Sathish about Security Proxies, where your documents point to another object and inherit their security from that object, effectively proxying your security (or parts of it) from something else. You change the security of the single proxy and all objects that point to it are changed. That approach would also need an event handler to change the target object your documents point at when the value changes as well as some data model that allows you to identify which object to point to for each possible value. "if value is 1 point to this thing, if value is 2 point to this other thing etc".
Both approaches are simple and work immediately when the value is changed. In both cases you change either the marking security or the proxy security and all objects affected by that approach immediately have different security applied. So one change and everything else changes.
You could also use Roles as they're abstracted security settings that different objects point to. Changing the permissions in a role is more complicated than a marking and probably the same difficulty as a security proxy. There are a lot more concepts involved in a role so they're probably the most complex approach as there are more things you can do beyond what you've asked.
Markings require no code to meet your original question. Roles and security proxies would need some event handler to assign the correct proxy or role when the value is initialised and if the value changed. Markings require a base security model that understands that markings remove permissions if you don't have access, not add to them.
It's unlikely that a single approach works for everything or is sufficient for that one requirement. You may find that some classes of documents work well with Markings, other classes work well with a security proxy and still more need or work well with Roles. You may find that you allocate default security on creation, assign a security proxy or a role to accumulate some additional permissions, use a security policy to apply administrative controls that can't be changed, as well as use a marking to remove visibility based on property values. That's a model I use a lot.
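A simplified model of the marking behaviour described in the reply above, as an added example that is not part of the thread and does not use the FileNet API: the ACL grants rights, and the marking selected by a property value can only remove them. The group names, right bits, property name and the fail-closed handling of an unknown value are assumptions made for the illustration.

```python
# Simplified model of marking-based access; NOT the FileNet CPE API.
# Group names, right bits and the "access_code" property are constructed.
from dataclasses import dataclass

VIEW, MODIFY, DELETE = 1, 2, 4
ALL = VIEW | MODIFY | DELETE

@dataclass
class Marking:
    value: str                  # property value this marking stands for
    use_groups: frozenset       # groups allowed to use objects carrying it
    constraint_mask: int = ALL  # rights removed from everyone else

@dataclass
class Document:
    name: str
    acl: dict                   # group -> rights granted on the document
    access_code: str            # the marking-controlled property

def effective_rights(doc, user_groups, marking_set):
    """ACL rights minus whatever the currently selected marking removes."""
    granted = 0
    for group in user_groups:
        granted |= doc.acl.get(group, 0)
    marking = marking_set.get(doc.access_code)
    if marking is None:
        return 0                # model choice: unknown value fails closed
    if not (user_groups & marking.use_groups):
        granted &= ~marking.constraint_mask   # markings only subtract
    return granted

MARKING_SET = {
    "1": Marking("1", frozenset({"AD_Group_A"})),
    "2": Marking("2", frozenset({"AD_Group_B"})),
}

def demo():
    doc = Document("Doc1", {"AD_Group_A": VIEW | MODIFY, "AD_Group_B": VIEW}, "1")
    check = lambda g: effective_rights(doc, {g}, MARKING_SET)
    before = (check("AD_Group_A"), check("AD_Group_B"))
    doc.access_code = "2"       # one property change, ACL untouched
    after = (check("AD_Group_A"), check("AD_Group_B"))
    # A group named on the marking but absent from the ACL gains nothing.
    extra = {"2": Marking("2", frozenset({"AD_Group_C"}))}
    outsider = effective_rights(doc, {"AD_Group_C"}, extra)
    return before, after, outsider

if __name__ == "__main__":
    print(demo())
```

The last case is the point about the base security model: a marking never grants access, so every group that may ever need a document must already hold rights through the ACL, a proxy or a role.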
Yes, you are right:
Thanks for your detailed discussion on this topic.