Content Management and Capture

  • 1.  FileNet document access updates

    Posted Tue July 25, 2023 06:55 PM

    We will have documents in P8. The access to them is determined by the Active Directory (AD) groups. AFTER the documents have already gone into P8, the access to some of the documents can change from one AD group to another. Let me illustrate the scenario:

     

    A document class DocClass1 has these documents in P8:

    • Case "1" documents: Documents whose CaseNum field value is "1"
    • Case "2" documents: Documents whose CaseNum field value is "2"

     

    1. On January 1st:
    • Case "1" documents and Case "2" documents can be accessed by users in AD Group1.

     

    2. On February 1st:
    • Case "1" documents should continue to be accessible by users in AD Group1.
    • Case "2" documents should be accessible only by users in AD Group2.

     

    3. On March 1st:
    • Case "1" and Case "2" documents can be accessed by users in AD Group1.

     

    What options do I have to achieve the above behavior?

     

    Thanks,

    Walter

     

     

     



  • 2.  RE: FileNet document access updates

    IBM Champion
    Posted Wed July 26, 2023 06:46 AM

    This is a 100% use case for marking sets. Security is governed (additionally) by the value of a field.

    Search the documentation and if you have more questions please come back.

    Kind regards,

    /Gerold



    ------------------------------
    Gerold Krommer
    ------------------------------



  • 3.  RE: FileNet document access updates

    Posted Wed July 26, 2023 08:39 AM

    Security proxy can be a good option for this scenario and security will be updated on all the documents dynamically based on the proxy object.

    Thanks & Regards,

    Sathish A Rajan



    ------------------------------
    Sathish Rajan
    ------------------------------



  • 4.  RE: FileNet document access updates

    Posted Wed July 26, 2023 03:02 PM

    Walter

    There are a number of options....some of these are

    (a) Use an event to update the direct security on the documents -- trigger the event with an update of a property on the document

    (b) Create a security parent that identifies the groups who should have access to the documents, and then update the security on the security parent based on the changing needs. More on security parents are here: Configure security inheritance


    (c) Use dynamic roles as a way of updating the access. More on roles here: Security - Configuring role-based access


    ...and of course, you could go in and manually change the security on each object...

    Depending on how the documents are accessed, there are other ways such as foldering to modify access.



    ------------------------------
    RUTH Hildebrand-Lund
    ------------------------------



  • 5.  RE: FileNet document access updates

    Posted Wed July 26, 2023 09:02 PM

    Thank you Gerold, Sathish, and Ruth. It's good that there can be different ways to accomplish what I wanted to do. I will need to do some experiments.

     

    I have a follow-up question: how do I iterate through all the documents? Example:

    1. I have a table Conf_Cases, with a column CaseNum.
    2. I want to iterate through those documents whose CaseNum matches the records in the table Conf_Cases. Is it possible to use a Sweep? It does not look like it. Perhaps I need to have a custom application locate and iterate through these documents.

     

     






  • 6.  RE: FileNet document access updates

    IBM Champion
    Posted Thu July 27, 2023 05:22 AM

    Sweep jobs have a target object type, so the object type must be known to the CPE. So the answer is no, you cannot use sweep jobs.

    You could run over all documents and check against the case table, but this sounds inefficient to me. IMHO a custom program is in order, but that is pretty trivial I would say...

    Regards,

    /gerold



    ------------------------------
    Gerold Krommer
    ------------------------------



  • 7.  RE: FileNet document access updates

    Posted Thu July 27, 2023 10:46 PM

    Thanks Gerold for confirming. That's why proxies or markings are more efficient.






  • 8.  RE: FileNet document access updates

    Posted Thu July 27, 2023 04:01 AM

    The scope your question describes is a textbook example of security changing based on a property change and that would normally be a marking in a marking set (as Gerold has already answered).  Your value of 1 or 2 (or more) would be individually listed as markings and those markings are then attached to your security groups.  Changing the value changes the resultant marking that is evaluated which in turn changes the security on the object.  The downside is that markings are a domain wide setting and they can become complex to manage for large sets of changing choices.  You've only indicated a small part of the problem with no volume or timeline for the changes in your question.

    There's also an answer from Sathish about Security Proxies, where your documents point to another object and inherit their security from that object, effectively proxying your security (or parts of it) from something else.  You change the security of the single proxy and all objects that point to it are changed. That approach would also need an event handler to change the target object your documents point at when the value changes as well as some data model that allows you to identify which object to point to for each possible value. "if value is 1 point to this thing, if value is 2 point to this other thing etc".

    Both approaches are simple and work immediately when the value is changed.  In both cases you change either the marking security or the proxy security and all objects affected by that approach immediately have different security applied.  So one change and everything else changes.

    You could also use Roles as they're abstracted security settings that different objects point to.  Changing the permissions in a role is more complicated than a marking and probably the same difficulty as a security proxy.  There are a lot more concepts involved in a role so they're probably the most complex approach as there are more things you can do beyond what you've asked.

    Markings require no code to meet your original question.  Roles and security proxies would need some event handler to assign the correct proxy or role when the value is initialised and if the value changed.  Markings require a base security model that understands that markings remove permissions if you don't have access, not add to them.

    It's unlikely that a single approach works for everything or is sufficient for that one requirement.  You may find that some classes of documents work well with Markings, other classes work well with a security proxy and still more need or work well with Roles.  You may find that you allocate default security on creation, assign a security proxy or a role to accumulate some additional permissions, use a security policy to apply administrative controls that can't be changed, as well as use a marking to remove visibility based on property values.  That's a model I use a lot.



    ------------------------------
    David Alfredson
    ------------------------------
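
Added example (not part of the thread and not any poster's code): a simplified Python model of the marking behaviour described in post 8, run over the January/February/March scenario from post 1. The class names, the `view`/`modify` rights and the rule that a value with no marking imposes no constraint are assumptions of this model, not FileNet API names.

```python
from dataclasses import dataclass

@dataclass
class Marking:
    use_groups: set        # groups holding the marking's "use" right
    constraint_mask: set   # rights removed from callers without that right

@dataclass
class Doc:
    case_num: str          # marking-controlled property (CaseNum on the page)
    acl: dict              # base ACL: group -> set of rights

def effective_rights(doc, user_groups, marking_set):
    """Base ACL grants, minus the constraint mask of a marking the caller cannot use."""
    granted = set()
    for group in user_groups:
        granted |= doc.acl.get(group, set())
    marking = marking_set.get(doc.case_num)   # assumption: no marking, no constraint
    if marking and not (set(user_groups) & marking.use_groups):
        granted -= marking.constraint_mask
    return granted

def can_view(doc, group, marking_set):
    return "view" in effective_rights(doc, {group}, marking_set)

# Constructed sample data: the base ACL must already grant both groups,
# because a marking can only take rights away.
BASE_ACL = {"Group1": {"view"}, "Group2": {"view"}}
case1 = Doc("1", BASE_ACL)
case2 = Doc("2", BASE_ACL)
ALL = {"view", "modify"}

january = {"1": Marking({"Group1"}, ALL), "2": Marking({"Group1"}, ALL)}
# February: one change to marking "2" moves every Case "2" document to Group2.
february = {**january, "2": Marking({"Group2"}, ALL)}
march = january

# Failure mode: Group2 is missing from the base ACL, so February's marking
# change leaves Case "2" documents visible to nobody.
case2_group1_only = Doc("2", {"Group1": {"view"}})

if __name__ == "__main__":
    for label, ms in (("Jan", january), ("Feb", february), ("Mar", march)):
        print(label, {g: [can_view(d, g, ms) for d in (case1, case2)]
                      for g in ("Group1", "Group2")})
```

The last document shows why the base security model matters: switching the marking to Group2 cannot grant a right the document's own ACL never gave that group.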



  • 9.  RE: FileNet document access updates

    Posted Thu July 27, 2023 11:06 PM

    Hi David,

    Yes, you are right:

    1. There are many different case numbers. New case numbers can be introduced.
    2. Each document has a case number.
    3. Additional documents will be added.
    4. It is rare but possible for a document to change from one case number to another.
      • If a marking or proxy is linked to a case number, the association between documents and markings/proxies can change.
    5. A given case number can transition between regular and confidential status.

     

    Thanks for your detailed discussion on this topic.

    Walter