Friday 26 May 2017

Access Control List (ACL) and Access Control Entry (ACE) (FileNet Content Engine)



Access control from Workplace XT


The ACL is a list of ACEs. Each ACE defines the permissions for one security principal (grantee).

Diagram (Access control from Workplace XT) - The diagram shows a security page for an object in Workplace XT. Each row represents an Access Control Entry (ACE). Each ACE corresponds to a particular security principal, and shows which access levels are allowed or denied for that security principal on that object.

The Access Control List (ACL) is the collection of all of the ACEs for the object.



Access control from Enterprise Manager


Different terminology in Enterprise Manager and Workplace XT
The Properties pages for objects in Enterprise Manager use different terminology for access levels than Workplace XT does. For example, the Owner Control access level in Workplace XT is the equivalent of the Full Control access level in Enterprise Manager.

Sources of security - Enterprise Manager security pages include a column that displays the source of the ACE. If an object is added using Enterprise Manager, the security source is Direct for the #CREATOR-OWNER and Default for the other security principals. If the security is modified after creation, the source becomes Direct. Other sources include security policies and inherited security, which are discussed in later lessons in this unit. The security source on objects added through Workplace XT depends on a combination of factors including how it was added and the value of certain Site Preference settings when it was added. When using the Add Document wizard through Workplace XT, the default instance security on the class becomes Direct security on the new object.


Diagram (Access control from Enterprise Manager) - The diagram shows a security page for an object in Enterprise Manager. Each row represents an Access Control Entry (ACE). Each ACE corresponds to a particular security principal, and shows which access levels are allowed or denied for that security principal on that object, what the source of the security is for that ACE, and what child objects, if any, can inherit the ACE.




ACE features


A Deny access type is indicated by the red dot on the user or group icon. When a Deny ACE is selected, Deny is selected in the Type panel.

In the Properties pages within Enterprise Manager, default and direct Deny access types are displayed above default and direct Allow access types, which corresponds to the priority of Deny access types over Allow access types.

Inheritable depth is used with security inheritance features, which are discussed in more detail in a later lesson.


Diagram(ACE features) - The diagram shows the details of a specific ACE for an object in Enterprise Manager. The top row shows an ACE that denies access to a security principal. The selected ACE shows the Full Control access level is allowed on the object. The Rights pane shows the individual access rights associated with the selected access level. The Apply To field shows that the ACE is not inheritable by any other objects.



Access rights versus access levels



Important terminology - It is important to distinguish between access rights, which are a more detailed level of permissions on an object, and access levels, which are common groupings of access rights. This unit specifically uses these terms where appropriate.

Workplace XT - Access levels can be seen and edited by users with sufficient access. Access rights are not directly visible in Workplace XT.

Enterprise Manager - Access rights can be seen and edited using Enterprise Manager. When individual access rights are modified, the access level changes to Custom (unless the combined set of individual access rights exactly matches the set of rights in a predefined access level).


Diagram - The diagram shows the access level and corresponding access rights of an ACE on the Security page of an object in Enterprise Manager.

Example access levels and rights
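A simplified model of the rules described above, added here as an illustration and not FileNet's own code or API: Deny ACEs take priority over Allow ACEs, and a set of rights is reported as Custom unless it exactly matches a predefined access level. The right names, the level groupings other than the Full Control name, the principals and the sample ACL are constructed assumptions, and only Direct and Default ACEs are modelled (no inherited security or security policies).

```python
from dataclasses import dataclass
from enum import IntFlag

class Right(IntFlag):  # constructed rights, not FileNet's real bit masks
    VIEW_PROPERTIES = 1
    VIEW_CONTENT = 2
    MODIFY_PROPERTIES = 4
    DELETE = 8
    MODIFY_PERMISSIONS = 16
    CHANGE_OWNER = 32

ALL = Right(63)
# Access levels are named groupings of access rights (groupings constructed).
LEVELS = {
    "View Properties": Right.VIEW_PROPERTIES,
    "View Content": Right.VIEW_PROPERTIES | Right.VIEW_CONTENT,
    "Modify Properties": Right(7),  # view properties + view content + modify
    "Full Control": ALL,
}

@dataclass(frozen=True)
class ACE:
    grantee: str       # security principal: a user or a group
    access_type: str   # "ALLOW" or "DENY"
    rights: Right
    source: str = "Direct"

def access_level(rights):
    """Predefined level whose rights match exactly, otherwise Custom."""
    for name, mask in LEVELS.items():
        if int(mask) == int(rights):
            return name
    return "Custom"

def effective_rights(acl, principals):
    """Rights left for a user (own name plus groups) once Deny overrides Allow."""
    allowed, denied = 0, 0
    for ace in acl:
        if ace.grantee in principals:
            if ace.access_type == "DENY":
                denied |= int(ace.rights)
            else:
                allowed |= int(ace.rights)
    return Right(allowed & ~denied)

SAMPLE_ACL = [  # constructed ACL for one object
    ACE("Editors", "ALLOW", LEVELS["Modify Properties"], "Default"),
    ACE("alice", "DENY", Right.MODIFY_PROPERTIES),
    ACE("Admins", "ALLOW", LEVELS["Full Control"]),
]
```

In this sample, alice belongs to Editors but her Deny ACE removes the modify right, so her effective level drops to View Content; taking a single right away from Full Control yields Custom.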


