Content Management and Capture

 View Only
Expand all | Collapse all

Troubles with Filenet Deployment of role-based access classes and instances

  • 1.  Troubles with Filenet Deployment of role-based access classes and instances

    Posted Wed July 06, 2022 10:16 AM
    Hi everyone,

    My project team and I have been working on the implementation of role-based access security on our Filenet application. To do so, we created several static role classes, with each having their own access definitions, with a different access mask for each class. Role instances were then created, and members of instances were added so that the members of said role class instance have their access to all the documents and folder classes based on the role class access definition of said class.

    Now onto the main issue : During the last deployment, we've imported new classes that now have the role instances applied on their default instance security, so that all the members of these role instances have their access to the new instance of the class regulated by their role class definition for this particular class.

    However, one of the restrictions of Filenet Deployment is the following :

    This means that, despite not importing any security for the new classes on the assets options as well as on the import options, each class that has role instances applied on their default instance security needs these role instances to exist in the target environment ObjectStore. However, for these role instances to be imported, they need the role class definition that they are an instance of to exist first. But these role classes need all the classes that are present in their access definitions to exist before importation.

    So, regardless of the order of import, we've encountered a problem with these role classes and instances, and for now the two solutions we've found are either to delete all the access definitions of the role classes, import them first with their instances, then all the other elements, or deleting the role instances from the default instance security of each class, and import these classes first, and then the role classes with their instances, which isn't ideal either way.

    This is why I would like to know if any of you encountered a similar problem, and if so, what solution did you choose to resolve/avoid these problems?

    ------------------------------
    David CORMERAIS
    ------------------------------


  • 2.  RE: Troubles with Filenet Deployment of role-based access classes and instances

    Posted Wed July 06, 2022 04:20 PM
    I found the import process too restrictive so built code to do the process reliably, doing much that you described - create the all the class definitions without any specifics in them and then fill them in afterwards with a series of updates coded - which is much the way they're built manually if you use ACCE.  i also moved some role access to security policies and applied them to the classes.  That removes the dependency on the default instance security as the security policy becomes the provider of that part of the security model and they can be imported separately.


    ------------------------------
    David Alfredson
    ------------------------------



  • 3.  RE: Troubles with Filenet Deployment of role-based access classes and instances

    Posted Mon July 11, 2022 04:13 AM
    Hi, thank you for your response, regarding the security policies, we decided not to use them since they are not very dynamic and we cannot modify or manipulate the security they apply by code. We will probably choose to delete the roles instances in the default security instance and then use code like you've done it yourself, with scripts running after deployement which will apply the roles instances to the default instance security of the different classes.

    Thanks again.

    ------------------------------
    David CORMERAIS
    ------------------------------