The scope of your question describes is an textbook example of security changing based on a property change and that would normally be a marking in a marking set (as Gerold has already answered). Your value of 1 or 2 (or more) would be individually listed as markings and those markings are then attached to your security groups. Changing the value changes the resultant marking that is evaluated which in turn changes the security on the object. The downside is that markings are a domain wide setting and they can become complex to manage for large sets of changing choices. You've only indicated a small part of the problem with no volume or timeline for the changes in your question.
There's also an answer from Sathish about Security Proxies, where your documents point to another object and inherit their security from that object, effectively proxying your security (or parts of it) from something else. You change the security of the single proxy and all objects that point to it are changed. That approach would also need an event handler to change the target object your documents point at when the value changes as well as some data model that allows you to identify which object to point to for each possible value. "if value is 1 point to this thing, if value is 2 point to this other thing etc".
Both approaches are simple and work immediately when the value is changed. In both cases you change either the marking security or the proxy security and all objects affected by that approach immediately have different security applied. So one change and everything else changes.
You could also use Roles as they're abstracted security setting that different objects point to. Changing the permissions in a role is more complicated than a marking and probably the same difficulty as a security proxy. There are a lot more concepts involved in a role so they're probably the most complex approach as there are more things you can do beyond what you've asked.
Marking require no code to meet your original question. Roles and security proxies would need some event handler to assign the correct proxy or role when the value is initialised and if the value changed. Markings require a base security model that understands that markings remove permissions if you don't have access, not add to them.
It's unlikely that a single approach works for everything or is sufficient for that one requirement. You may find that some classes of documents work well with Markings, others classes work well with a security proxy and still more need or work well with Roles. You may find that you allocate default security on creation, assign a security proxy or a role to accumulate some additional permissions, use a security policy to apply administrative controls that can't be changed, as well as use a marking to remove visibility based on property values. That's a model I use a lot.
------------------------------
David Alfredson
------------------------------
Original Message:
Sent: Tue July 25, 2023 06:55 PM
From: Walter Fu
Subject: FileNet document access updates
We will have documents in P8. The access to them is determined by the Active Directory (AD) groups. AFTER the documents have already gone into P8, the access to some of the documents can change from one AD group to another, Let me illustrate the scenario:
A document class DocClass1 has these documents in P8:
- Case "1" documents: Documents whose CaseNum field value is "1"
- Case "2" documents: Documents whose CaseNum field value is "2"
- On January 1st:
- Case "1" documents and Case "2" documents can be accessed by users in AD Group1.
- On February 1st:
- Case "1" documents should continue to be accessible by users in AD Group1.
- Case "2" documents should be accessible only by users in AD Group2.
- On March 1st:
- Case "1" and Case "2" documents can be accessed by users in AD Group1.
What options do I have to achieve the above behavior?
Thanks,
Walter