Content Management and Capture

  • 1.  FileNet security - Folder is Read-only

    Posted Thu February 10, 2022 11:41 AM
    Hi,

    my issue is that an application uses the API to disable the "inherit parent permissions" flag for a container,
    on a folder where no security permission is defined (Security tab of the folder is empty, i.e. no direct/default permission).

    Is there a way to permit the administrator user to update the security?

    Thanks for help


    ------------------------------
    Yannick Martin
    ------------------------------


  • 2.  RE: FileNet security - Folder is Read-only

    IBM Champion
    Posted Fri February 11, 2022 08:04 AM
    Honestly, I have only a faint idea what you are asking.

    Is your problem with ACCE or the API? If API, can you achieve what you want with ACCE?

    If it is ACCE, a few screenshots would be in order...

    BR,

    /Gerold

    ------------------------------
    Gerold Krommer
    ------------------------------



  • 3.  RE: FileNet security - Folder is Read-only

    Posted Mon February 14, 2022 08:50 AM

    It sounds like someone has created a folder that no one has access to, including administrators.  And therefore even an admin cannot browse to the folder?

    Object store Admins are able to find any object via a search. So an admin could go into ACCE and find the folder with a query like the following, even if they do not have access to it:

        SELECT [This], [Id], [PathName] FROM [Folder] WHERE [FolderName] LIKE 'SubFolder%'

    Once the folder is found by a search, the admin won't have access to make any updates, but the admin is able to make themselves the owner.  So they would have to do that first.  After they have made themselves the owner, then they can update the permissions on the folder.

    Regards,

    Joe



    ------------------------------
    Joe Raby
    ------------------------------
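
The search, take-ownership and update-permissions sequence from post 3, written against the Content Engine Java API as an added example that is not part of the thread or IBM's own code. The connection URI, admin account, object store name `OS1` and the `P8_PASSWORD` environment variable are placeholders, and the full-control grant to the admin is an assumed target ACL.

```java
import java.util.Iterator;
import javax.security.auth.Subject;
import com.filenet.api.collection.AccessPermissionList;
import com.filenet.api.collection.IndependentObjectSet;
import com.filenet.api.constants.AccessLevel;
import com.filenet.api.constants.AccessType;
import com.filenet.api.constants.RefreshMode;
import com.filenet.api.core.*;
import com.filenet.api.query.SearchSQL;
import com.filenet.api.query.SearchScope;
import com.filenet.api.security.AccessPermission;
import com.filenet.api.util.UserContext;

public class RecoverFolderAcl {
    public static void main(String[] args) {
        String uri = "https://cpe.example.com/wsi/FNCEWS40MTOM/"; // placeholder endpoint
        String admin = "p8admin";                                 // placeholder object store admin
        Connection conn = Factory.Connection.getConnection(uri);
        Subject subject = UserContext.createSubject(
                conn, admin, System.getenv("P8_PASSWORD"), "FileNetP8WSI");
        UserContext.get().pushSubject(subject);
        try {
            Domain domain = Factory.Domain.fetchInstance(conn, null, null);
            ObjectStore os = Factory.ObjectStore.fetchInstance(domain, "OS1", null);
            // Step 1: locate the folder by query; browsing is not possible without access.
            SearchSQL sql = new SearchSQL("SELECT [This], [Id], [PathName] FROM [Folder] "
                    + "WHERE [FolderName] LIKE 'SubFolder%'");
            IndependentObjectSet hits = new SearchScope(os).fetchObjects(sql, null, null, Boolean.FALSE);
            for (Iterator<?> it = hits.iterator(); it.hasNext();) {
                Folder folder = (Folder) it.next();
                System.out.println("Recovering " + folder.get_PathName());
                // Step 2: take ownership first, saved as its own change.
                folder.set_Owner(admin);
                folder.save(RefreshMode.REFRESH);
                // Step 3: as owner, write an explicit ACL for this folder only.
                AccessPermission ace = Factory.AccessPermission.createInstance();
                ace.set_GranteeName(admin);
                ace.set_AccessType(AccessType.ALLOW);
                ace.set_AccessMask(AccessLevel.FULL_CONTROL_FOLDER_AS_INT);
                ace.set_InheritableDepth(Integer.valueOf(0)); // 0 = this object only
                AccessPermissionList acl = Factory.AccessPermission.createList();
                acl.add(ace);
                folder.set_Permissions(acl);
                folder.save(RefreshMode.REFRESH);
            }
        } finally {
            UserContext.get().popSubject();
        }
    }
}
```

Narrow the `LIKE` pattern before running it, since every folder the query returns has its owner and ACL replaced.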



  • 4.  RE: FileNet security - Folder is Read-only

    Posted Mon February 21, 2022 11:28 AM
    Hi,

    the folder is read-only for the administrator, modifying the "Owner" to admin gives the following error message:
    The requester has insufficient access rights to perform the requested operation. CmAcmLatestSeqNumForCustomProp is a read-only property and cannot be updated at this time.

    We cannot change the object security through DB2 because the security object of the folder is a computed value.

    Is there another way to make the folder's security updatable?

    Thanks for help





    ------------------------------
    Yannick Martin
    ------------------------------



  • 5.  RE: FileNet security - Folder is Read-only

    Posted Mon February 21, 2022 04:24 PM
    Hmm... That is a case manager error message. That seems to imply that a case manager event handler is automatically updating a sequence number on the folder, and that the folder can only be modified through a case manager process. So case manager logic is preventing the admin from taking ownership of the folder. I think that you will need to open a collaboration with the case manager team to pursue this further.

    Regards,

    Joe

    ------------------------------
    Joe Raby
    ------------------------------



  • 6.  RE: FileNet security - Folder is Read-only

    IBM Champion
    Posted Mon February 21, 2022 04:40 PM
    Not sure what is going on...
    It is true that the security_id in docversions is a computed value, but luckily there is only a limited set of those. security_id is a hashed value of the canonical representation of the list of ACLs. The canonical list is stored then in the SecurityDesc Table, so every unique combination of ACEs has exactly one entry there.

    Find a folder that has security set the way you want it, get the id of the folder and find the value of security_id in table Container. Modify the value of security_id for the problematic folder to the same value as the 'good' one.

    Then look if the ACL looks the way you anticipated... I could not try it so keep us posted on the results.

    And yes, people at IBM will probably raise a few eyebrows.

    /Gerold

    ------------------------------
    Gerold Krommer
    ------------------------------



  • 7.  RE: FileNet security - Folder is Read-only

    Posted Tue March 15, 2022 10:54 AM
    Hi Gerold,

    thanks for the tip.

    Best regards

    ------------------------------
    Yannick Martin
    ------------------------------