Security to Objects

Normally, an object's security is controlled or determined in four ways. (Markings, if they are used, would be a fifth way)

1. Security parent and inheritance: Permissions can also be inherited from a parent object. Inheritance can take place between a class and its subclass, and between a folder and its containable objects (documents, custom objects, and other folders).
    
2. Direct Security: Users who have sufficient permission can edit an object's security by directly adding or removing security principals, or by changing the existing permissions already granted.
    
3. Default Instance Security : As an integral part of the class and instance design, objects such as documents, folders, and events are instances of their class. The class includes, among other things, a property containing the default security permissions that will be applied to all instances of the class. This is the simplest method of applying security: the security design sets up the default security that all instances of a class should have, and then all objects based on that class will have the same default security.
    
4. Security Policy and security templates : Security policies contain security templates which let you automatically apply security to documents, folders, and custom objects. In the case of documents, security templates can be associated with one of the several versioning states that documents pass through (Released, Superseded, In Process, or Reservation). This powerful feature provides efficient application of fine-tuned security across many objects.
    
5. Marking Sets : FileNet Content Engine (CE) Markings or Marking Sets provides a way to define a level of security on objects (i.e. documents) in addition to the normal FileNet P8 object security model. By using markings, access to objects can be controlled based on specific property value. Marking set's are collection of CE objects known as marking objects. Marking sets allows setting up security on an object with means of property template. When a marking is applied to an object, the resulting access permissions for the object are a combination of the settings of its original access permissions (through ACL) and the settings of the markings 'Constraint Mask' for each marking that is applied to it. The result of this combination is the effective security mask.

Domain and GCD (FileNet CE)

Domain and GCD(Global Configuration Database)

The business content and processes associated with an IBM FileNet Content Manager implementation are organized into a logical grouping called a P8 domain. The definition of the P8 domain is stored in a database known as the global configuration database (GCD).

The GCD stores information about the following items:

1. Object stores and any workflow systems that have been defined for the P8 domain
2. A P8 domain can have one or more content stores, known as object stores, and one or more workflow systems. The role of an object store is to store business-related content. A workflow system is a repository for storing and managing process-related information.
3. Configuration information that is common to all object stores and workflow systems, such as the LDAP configuration used with the environment
4. Components that are available for reuse within the environment, such as fixed content storage devices and marking sets Fixed content storage devices are a specific class of storage device, for example, IBM Tivoli® Storage Manager that is defined once within a P8 domain, but that can be used by any or all of the object stores to store content.
5. A marking set is a special construct used to enhance the security model that can be applied to an object store.
6. Logical grouping of components to support distributed configurations

Versioning

Versioning

You can create different versions of content to maintain a history of changes and to control which users can change the content at a given time. The set of versions for a single document is called a version series. Content Engine supports a two-level versioning scheme, in which a document version is either a major or minor version. Minor versions typically denote an “in-progress” document, whereas a major version typically denotes a completed document. In addition to version numbers, the system maintains a state property indicating the current state of each version of the document, as follows:
 
In Process – A work in progress version. Only one version of a version series can be in this state.
 
Reservation – A document currently checked out for modification. Only the latest version of a version series can be in this state.
 
Released – A document released as a major version. Only one major version of a version series can be in this state.
 
Superseded – A version superseded by another version. Many versions in the version series can be superseded.

Additional capabilities in the versioning model include the following:

1. The system can be configured to apply security policies that in turn automatically apply different access rights for major and minor versions, making it easy to enforce a different viewing audience for inprogress documents.
2. A document can be promoted from a minor to a major version without requiring the content to be versioned.
3. A document can be demoted from a major version to a minor version, which is useful if the document has incorrectly been promoted to a major version.
4. A document can be saved to the object store prior to being checked in. By doing so, users can avoid keeping content on their local systems, and multiple users can work on a checked-out document.
5. Versioning can be enabled and disabled on a document class level for cases when multiple versions are not required.
6. A version can be frozen so that the custom properties associated with it cannot be changed.
7. Users or administrators can view all versions in their respective user interfaces.
8. Versions can be deleted.

Events and subscriptions

Events and subscriptions

Events provide a mechanism for initiating actions that are invoked when objects are created and modified in, and deleted from, an object store. For example, creating a document in an object store triggers a create event, which launches a workflow that approves the new document and posts the approved content to a Web site.

A subscription is the association of a particular event trigger with an event action. In the previous example, create is the event trigger and the event action is the workflow launch. Many different subscriptions might be associated with a particular event trigger. The following diagram illustrates how several events might be triggered when a new loan application document is created in an object store.

FileNet P8 comes with predefined event actions, including launching a workflow. In addition, events can be developed as a Java class. Subscriptions can be associated with a class so that they apply to the class itself or to all instances or all objects of the class type. Or, subscriptions can be associated with individual objects. Event subscriptions can be run synchronously or asynchronously. When set to run synchronously, the object operation (for example, create or update) and the operations of the event actions are completed as a single transaction; failure in either results in rollback of both operations. For example, a synchronous event might be applied to a Claim folder class that returns an error if a document that doesn’t belong to the Claim Document class is filed in the folder. When set to run asynchronously, the object operation and the event action operation run as separate transactions; in this case, the object operation can succeed independently of the event action operation

 

Annotation

Annotation

An annotation object, illustrated at right, represents incidental information that can be attached to an object for the purpose of annotating or footnoting that object. You can associate annotations with custom objects, documents, and folders. Annotations:

• Are independently securable. Default security is provided by the class and by the annotated object. An annotation can optionally have a security policy assigned to it.
• Can have subclasses.
• Can have zero or more associated content elements, and the content need not have the same format as its annotated object.
• Are uniquely associated with a single document version, and thus are not versioned when a document version is updated.
• Can be modified and deleted independently of the annotated object.
• Can be searched for and retrieved with an ad hoc query.
• Can subscribe to server-side events that fire when an action (such as creating an annotation) occurs.
• Can participate in a link relationship.
• Can be audited.

CustomObject Class

CustomObject Class:

A custom object is used to store and manage data that does not have content (and thus doesn’t support versioning) or a lifecycle. For example, a customer might be represented in the object store as a custom object because there is no requirement for content. Custom objects:

• Have system properties that the system manages automatically, such as Date Created.
• Can have custom properties for storing business-related metadata.
• Are secured.
• Can participate in business processes as workflow attachments.
• Can generate server events when they are created, modified, or deleted. These events are then used to customize behavior.

Folder Class

Folder Class

A folder is a container that is used to group other objects. Folders are the primary mechanism through which users access documents. Users typically think of folders as a place where documents are stored;, however, filing documents in multiple folders does not create extra copies of those documents, but rather creates a logical association between the folder and the document. Folders:

• Have system properties that the system manages automatically, such as Date Created.
• Can have custom properties for storing business-related metadata.
• Are secured.
• Are hierarchical, in the sense that a folder can have subfolders.
• Can contain documents and custom objects.
• Can generate server events when they are created, modified, or deleted. These events are then used to customize behavior.
• Can be annotated.

Document Class

Document Class

Most users think of a document as a file they create with an application such as Word. The user stores the document in the document management system so that a history of changes to the document is maintained and the document can be easily found and edited. Users who design enterprise content management applications and those who manage them will need to understand how documents can be leveraged to support a variety of application needs. A document might be used to maintain a traditional electronic file as well as other types of data, such as an XML document or content that is managed in an external repository. Documents:

• Have system properties that the system manages automatically, such as Date Created.
• Can have custom properties for storing business-related metadata about the document.
• Are secured.
• Can have content that can be indexed for searching.
• Can point to content that is outside of the object store (external content).
• Can have no content (metadata only).
• Can be versioned to maintain a history of the content over time.
• Can be filed in folders.
• Can have a lifecycle.
• Can participate in business processes as workflow attachments.
• Can generate server events when they are created, modified, or deleted. These events are then used to customize behavior.
• Can be rendered to different formats, such as PDF and HTML.
• Can be published to a Web site.
• Can be annotated.
• Can be audited.

Roster vs Queue in PE

Roster vs Queue:

Queue: by using queue we can search the work items which are presented in that specific Queue only
 
Roster: by using roster we can search the work item across all the queues. it means if we select the roster in our search criteria, the system will search for the work item in all the queues.

A roster is a database structure that holds all the active workflow elements (workflows and all work items, whatever their location), whereas a queue is a structure that only contains work items maintained there while they await processing.

The Roster is a file containing a reference to all work items in a workflow. A Queue is a file containing a reference to a subset of the work items in a workflow. Queues are typically used to assign security to control access. 

Milestones and Deadlines

Milestones : Milestones are defined as key notification points in a business process. These are points at which participants need to receive a message describing an important task or tasks that are pending or completed

Deadlines : Deadlines are time-based constraints that can be applied to steps in a business process. A step with a deadline implies that the participant must complete the step within a specified amount of time. The specified time (the deadline) is relative to the time that the step starts (when the participant receives the work packet).

Isolated regions,Queues, Roster and Event logs

Isolated region : An isolated region is a logical subdivision of the Process Engine database. An isolated region consists of queues, rosters, and event logs

Roster: A roster is a database structure that stores the current location and other information about a work item. Process rosters provide the Process Engine software with an efficient way to locate a specific work item

Event Logs : An event log is a database structure that contains information about system-level events related to work item processing.

Queues: A queue is a database structure that holds work items

4 different types of queues are available in PE

A user queue is a queue that holds work items waiting to be processed by a specific user.

A work queue is a queue holding work items that can be completed by one of a number of users, rather than by a specific participant, or work items that can be completed by an automated process.

System queues are queues holding work items that are undergoing or waiting for processing by the Process Engine server

Component queue holds work items to be processed by component step in workflow. The components steps are to process a work item using an external component.

Component Integrator

Component Integrator : The Component Integrator is used to integrate Java or Java Message Service (JMS) components for use in processes. Components are registered in the Process Configuration Console to make them available in Process Designer.

Maps, Routes and Steps in Work Flow

Maps, Routes and Steps in Work Flow

Maps:  A map represents the sequences of steps and routes required to complete a process.

Routes: Routes define the order of execution for a series of steps based on specific rules (using workflow data fields) and user responses (Approve and Deny as examples). You can specify to always take a route or to only take the route when a condition is met.

-- Single (linear) routing
-- Conditional routing
-- Parallel routing

Steps: Steps represent specific business or system activities. Activities can be performed by an individual user (the participant), by a group of users, or by an automated application

There are several types of steps:
       
Launch step: The first step in a process. Every process has this step.
       
General step: Represents a general activity to be processed by a participant (or a group of users), or an automated process. It can be categorized as follows:
       
Participant step: A step that has an associated participant or a group of users, all of whom must process the work item to complete the step. The identity of these users can be defined at runtime through the use of groups.
       
Work queue step: A step that is assigned to a work queue (see definition below) instead of a specific participant.
     
Unassigned step: A step that has no effect in the process and can be used for routing or documentation purposes.

System step: Represents one or more functions to be performed by the system. For example, a system step might include assigning data field values, creating a new process instance, or suspending a process for a specified period of time.

Submap step: Calls another map in the current process definition.
      
Component step: Performs operations in an external application or system.It is accomplished by IBM FileNet Business Process Manager’s Component Integrator.
      
Web services step: Invokes or implements Web services. IBM FileNet Business Process Manager uses Web services to integrate to external applications and services.

Process design and Process definition

Process design: Process design starts by identifying the activities and the order in which those activities must be performed to accomplish the business process.

Process definition: A process definition describes the activities and resources required to accomplish a business process. It consists of a directed graph, with a series of process activities or steps (nodes) connected together by a series of routes (arcs), which define the sequence in which the steps are executed. Steps and routes are organized into reusable maps

There can be multiple process definitions per business process to support multiple versions. Process definitions can also inherit from other process definitions. Inheritance allows organizations to specialize processes to create consistency across a set of related processes. The process definitions are stored in the IBM FileNet P8 Content Engine repository.

Workflow, Workflow Definitions and Work Item

Workflow: Workflow is a structured way of performing tasks by an individual or a team.
 
Examples of workflow include auto insurance claims that require the efforts of multiple people to process. The workflow process involves a policy holder filing a claim, a field agent processing the claim, an adjustor adjusting the claim amount, and finally the claimant either receiving the claim amount or the claim being rejected.

Workflow Definition : A workflow definition consists of workflow properties and workflow maps. A workflow map consists of two or more steps. To create a workflow map, you define the steps that are involved in a workflow process and the routes that specify the sequence of the steps.

Work Item : A work item is a single unit of work composed of a collection of fields. Work items transverse the process map, moving the data required by the process from step to step as indicted by the map.

Design Entry Template in FileNet (FileNet Content Engine)

Users can easily add documents, folders, and custom objects to an object store using entry templates. Entry templates also make it easy to define approval workflows for these objects. For example, a manufacturing company’s template designer can create a set of entry templates for the various types of engineering specifications that are managed in the object store. The entry templates in this example predefine the document class, all property values except the document title, the access rights, and an approval workflow. When using the entry template to add a document to the object store, a user interacts with a wizard, which decreases the chance of invalid data entry by limiting the number of steps required and providing a more controlled entry process. Entry templates are created in Workplace, typically by a relatively small set of users, and are used by a much larger number of users. Some of the key capabilities of entry templates and advantages to using them are as follows:
Documents, folders, form data, and custom objects can be created with entry templates.

• Users who are not administrators can create entry templates. For example, a project manager can create the entry templates used by her project team.
• Entry templates support FileNet P8 records management by providing a simplified and customizable method of declaring a document as a record.
• Entry templates can specify the folder in which the object will be filed, can either prevent or allow the user to change the folder, and can restrict the user to selecting a particular folder or its subfolders.
• Default property values can be specified in an entry template, and the template designer can elect to show or hide each property to users of the template.
• Entry templates can specify whether a document should be added as a major or minor version and can specify whether a user can change this setting.
• Entry templates can be set up to automatically classify the document based on its content.
• Entry templates can specify the access rights for the object, and the designer can elect to hide or show the access rights for the user to modify.
• Entry templates can serve as placeholders for documents that a user provides while processing a workflow step. When the user clicks on the entry template in the Workplace step processor, the entry template wizard prompts the user to add a document and the new document replaces the entry template attachment.
• Entry templates support specifying a workflow that will be launched when the user creates an object with the template, whether the workflow is a simple approval workflow that is defined in the entry template wizard or any other workflow created using Process Designer. For workflows created using the entry template wizard, the user can choose from a workflow with three steps—review, approve, and publish—or one with multiple, sequential approval steps. The template designer can specify the participants in advance, or let the user do so when using the template.  

Entry templates make it easy for users to add documents, folders and custom objects to an object store. Entry templates also make it easy to define approval workflows for these objects.

Below are the steps to create a Entry Template.

 

Steps :

1. Go to Workplace XT --> Advanced Tools --> Entry Templates --> Add

2. Select Document Entry Template or Folder Entry Template

3. Select Object Store and Folder (define the destination path where the new object is added )

4. (Optional)

Select the display option for the Select Folder step in the add wizard. 

• To permit users to change the location when adding an object, select Show Select Folder step. This option is selected by default.
• To prevent users from changing the location, select Hide Select Folder step.

5. Click on Next 

 

6. Select Class

 

 

 

7. Optional: Click Order Class properties to change the order in which the properties are displayed in the entry template.

8. Select the Required check box next to the property name if the user must enter a value for a property.

9. In the Default Value field, type any preset value.

 

10. Select the Access Level for each property. The access level determines what the end user can do with a property when adding an object

Editable  Allows the user to edit the property value

Read Only  Displays the property and value, but the value cannot be changed.

Hide  Does not display the property

Hide/Editable  Does not display the property, but the value can be changed pro-grammatically

11. Specify whether to add the object a compound document.

 

12. Specify whether to add the object as a major version.

 

13. Specify whether to allow users to add documents with the same file name. The Allow duplicate names setting is only supported on Workplace XT

 

14. Specify whether users see the properties when adding a new object.  

 

To permit users to view or change the preset property values, select Show Set Properties step. This option is selected by default 

 

To hide all the property names and values, select Hide Set Properties step. Do not choose this option if you marked any properties as required and didn't set a default value

15. Click on Next.

16. Add Users and Groups(Who can access Entry Template).

17. Click on Next and Select Work flow, properties. 

18. Click on Next.

19. Select Folder (Where you store the Entry Template) and Click on NEXT

 

 

12. Add Entry Template Name

13. Add (Set Security)  Users and Groups (Who can Modify the Entry Template)

14. Click on Finish 

******Entry Template Created*********

Configure Work Queue in FileNet (FileNet Process Engine)

---Configure Work Queue in FileNet (FileNet Process Engine)

A work queue holds work items that can be processed by one of a number of users or by an automated process.

In Process Configuration Console, you create and configure work queues as appropriate for your applications. For each queue, you can specify security for the queue, which determines who can see and process items in the queue, and you can expose data fields and create indexes to facilitate searching for items in the queue.

--Steps to Configure

Steps

//Process Configuration Console

1. Goto Workplace XT --> Tools --> Administration --> Process Configuration Console

2. Select on Connection Point and Click on Connect

 

3. Right Click on Work Queue and click on New..

 4. Enter Queue Name and click on Create

 5. Click on Commit (Save Queue) and Work Queue created Successfully

 

 6. If you want to add users and groups in work Queue, Right click on work queue and go to Properties..

 

 

 

 7. Go to Security tab and add users and groups (add users and groups to Right Side Layout)

 

 8. Commit Changes

 

 

Configure Component Queue in FileNet (FileNet Process Engine)

---Configure Component Queue in FileNet (FileNet Process Engine)

Component queues make it possible to process a workflow step by using an external entity, such as a Java object or Java Message Service (JMS).

By using Process Configuration Console, you configure a component queue with an adapter, either Java or JMS. The Java adapter allows you to expose public methods from a Java class as operations on a queue. The JMS adapter enables you to publish workflow data to a JMS queue, also by using operations. By using Process Designer, the workflow author adds a component step to a map and selects operations for that step from the list of component queues. The workflow author also specifies the appropriate expression for each operation parameter.

--Steps to Configure

Required Tools  

1. Process Configuration Console (PCC) Configuartion

2. Application Engine Process Task Manager (AE PTM) Configuration

Steps

//Process Configuration Console

1. Goto Workplace XT --> Tools --> Administration --> Process Configuration Console

2. Select on Connection Point and Click on Connect  

3.Right Click on Component Queue. and Click on New

4.Enter Queue Name

5. Click on Next

6.  Click on Configure..

7. Select JAR File 
8. Select Main Class File and Click on OK

9. Fill the JAAS Credentials as shown below and Click on OK

10. Right Click on Component, you created and go to Operation

11. Select Required Methods (Functions) and Click on OK

12. Commit Changes 

//Application Engine Process Task Manager (AE PTM)


13. Go to Installed-Path/FileNet/WebClient/Router

Open routercmd (PTM)

 14. Disconnect (Stop) Connection Point (Same as you installed Component Queue)

 15. Go to Required Libraries  tab and add Component JAR and Support JAR and Support file paths.
(Note : It allows JAR files and Folder Path only. If you have *.properties files, add it's parent folder only).

  

16. Click on Apply and Start Connection point


**********Component Queue configured Successfully*****************