
06 Groups Roles

Module 6 covers the concepts of groups and roles within Documentum, including definitions, creation processes, and the use of DQL queries. It explains the characteristics and properties of groups, such as dynamic and private groups, and outlines the role functionality, including role hierarchies and domain groups. The module also details the requirements for creating groups and roles, emphasizing the importance of client applications in managing dynamic group memberships.

Uploaded by

local bouzareah

Module 6

Groups and Roles

© 2008 EMC Corporation. All rights reserved.

Technical Fundamentals of Documentum


Module Objectives

• Define a group
• Create a group
• Explain the purpose of roles
• Create a role
• Perform basic DQL queries related to groups and roles

Groups

• A group is:
- A collection of users and/or other groups
- A convenient way to reference a common set of users
- An instance of the dm_group object type

[Figure: two example groups, Marketing and Review Team, each a dm_group object]

Requirements for Creating a Group

• To create a group you must have:
- Create Group privilege
- System Administrator client capability when using Webtop
• A group is an object (dm_group) in the Content Server repository
• Can be created in several ways:
- Documentum Administrator or Webtop
  • Manually, or
  • Using an LDIF import file
- Programmatically


LDAP Group Creation


The appropriate groups can be created automatically when importing users who belong to groups
defined on an LDAP server.

Creating a Group

• To create a group in Documentum Administrator or Webtop:

1. Navigate to the Administration > User Management > Groups node
2. Select File > New > Group from the menu

Creating a Group (continued)

• The group Info dialog appears
• Enter values for the group properties
- Click OK to create the group

Group Properties

• Group properties described:

Name: The group's name; must be unique among all user and group names in the repository

E-Mail Address: E-mail address associated with the group

Owner: The user with Create Group privilege who owns this group. A SUPERUSER can assign a different user as the group's owner.

Administrator: A user other than the owner or SUPERUSER who can modify this group


Roles and Domains


See the next section of this module for more information about roles and domains.

Group Properties (continued)

Alias Set: Default alias set for this group. Used to resolve alias references.

Description: Additional descriptive information about the group

Private: By default, groups created by users with SYSADMIN or SUPERUSER privileges are public and can be referenced by all users. Groups created by users with the Create Group privilege are private and can only be modified by the owner. This behavior is enforced by client applications, not the Content Server. Use this check box to change the status of the group.


Private Groups
The Content Server makes no use of the Private Group setting. It is the responsibility of the client
application to hide or display private groups. Documentum Webtop displays private groups only to
the group owner and group administrator.

Group Properties (continued)

Dynamic: Defines the group as a dynamic group. The Content Server does not consider a user in the group as a member of the group during a session, unless the client application adds the user to the group for that session.

Protected: Also called a "privileged" group. Group members are automatically granted a particular permission or privilege, even though they may not individually possess the appropriate privilege.


Dynamic Groups
Refer to the Content Server Administrator's Guide for more information on configuring and
implementing dynamic groups.

Roles

• A role:
- Is a special instance of the dm_group object type
- Behaves like a normal group
- Can be used by client applications to restrict or enable client functionality

[Figure: two example roles, Group Admins and Approvers, each a dm_group object]

Roles

• Roles are dm_group objects with the group_class attribute set to role
- Can be used like other groups
• Client applications can be configured to use roles to limit or enable functionality
- A user's membership in a role is used by the client to determine which features are available
- The Content Server does not enforce role behavior


Roles and Application Behavior


Newly created roles behave just like groups. The client functionality restrictions provided by roles
must be configured or programmed for the client application. Configuring Webtop to recognize
custom roles is accomplished by modifying XML files in the Webtop application directories.

Refer to the Documentum Web Development Kit and Client Applications Development Guide for
details.

Roles Example

• Webtop can be configured to restrict or enable certain application components based on a user's role membership
• For example:
- Members of the Group Admins role can access the Administration node
- Members of the Reviewers role do not see the Administration node

[Figure: the Reviewers role and the Group Admins role]

Roles Can Form a Hierarchy

• Create a role hierarchy by adding roles to roles
• The hierarchy below is created by adding the mycontributor role to the myconsumer role
- mycontributor inherits from myconsumer (myconsumer is the parent role)
- myconsumer is a super role to mycontributor
- myconsumer is the base role, mycontributor is a derived role
- Any user in the mycontributor role is also a myconsumer

[Figure: table with columns Role and Member Roles (role myconsumer has member role mycontributor); diagram showing mycontributor inherits from (is also a) myconsumer]

Roles and Domain Groups

• For each client application using roles in the repository, the Administrator can configure a role as a domain group
- Group Class property set to domain
• All roles used by the application must be added as members of the domain group
- When resolving client functionality for a user, the client application only considers roles that are members of the domain group
• Useful when:
- Roles outside the domain have been inserted into the role hierarchy
- A user belongs to roles both in and out of the domain
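
The role hierarchy and domain group rules described above, as an added example (not EMC or Documentum code): a Python model that resolves a user's effective roles through nested roles, keeps only the roles that are direct members of a domain group, and flags roles nested inside the domain's hierarchy that are not domain members. The sample rows, the "users"/"groups" field names, the hr_auditor role and the webapp_domain group are constructed for illustration.

```python
# Added example: a plain-Python model of dm_group rows, not Documentum code.
# The "users"/"groups" field names and all sample rows are constructed.
GROUPS = {
    "myconsumer":    {"group_class": "role",   "users": ["alice"], "groups": ["mycontributor"]},
    "mycontributor": {"group_class": "role",   "users": ["bob"],   "groups": ["hr_auditor"]},
    "hr_auditor":    {"group_class": "role",   "users": ["carol"], "groups": []},
    "webapp_domain": {"group_class": "domain", "users": [],
                      "groups": ["myconsumer", "mycontributor"]},
}


def all_users(groups, name, _seen=None):
    """Users of `name`, including users of every group or role nested inside it."""
    seen = set() if _seen is None else _seen
    if name in seen or name not in groups:      # cycle or dangling reference
        return set()
    seen.add(name)
    users = set(groups[name]["users"])
    for child in groups[name]["groups"]:
        users |= all_users(groups, child, seen)
    return users


def effective_roles(groups, user):
    """Every role the user holds, directly or through a role added to another role."""
    return {name for name, row in groups.items()
            if row["group_class"] == "role" and user in all_users(groups, name)}


def roles_in_domain(groups, user, domain):
    """Roles a client would consider: effective roles that are members of the domain group."""
    if groups[domain]["group_class"] != "domain":
        raise ValueError(f"{domain} is not a domain group")
    return effective_roles(groups, user) & set(groups[domain]["groups"])


def nested_outsiders(groups, domain):
    """Groups or roles nested inside the domain's roles that are not domain members."""
    members = set(groups[domain]["groups"])
    found, stack = set(), list(members)
    while stack:
        for child in groups.get(stack.pop(), {"groups": []})["groups"]:
            if child not in members and child not in found:
                found.add(child)
                stack.append(child)
    return found
```

In the sample data carol holds only hr_auditor directly, yet she resolves to mycontributor and myconsumer inside the domain because hr_auditor was added to mycontributor; nested_outsiders reports that role for review.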

Creating a Role

• The requirements for creating a role are identical to those for creating a group
- A role is an instance of the dm_group object
• The steps for creating a role are identical to the steps for creating a group, with the exception of the following property setting:
- Create Role as Domain: Select this check box if the role will be used as a domain group

Dynamic Groups

• A group can be configured as a dynamic group
- Provides a layer of security by allowing a client application to dynamically add or remove group members based on specific conditions
- If the conditions are not met at run time, then a user would not be added to the dynamic group and would therefore not be granted the rights associated with that group


Client Applications and Dynamic Groups


The adding and removing of users to and from dynamic groups is not standard out-of-the-box
functionality. Custom code must be written for a client application to leverage this functionality.

Dynamic Group Membership

• Like a regular group, a dynamic group contains a list of users who are members
- However, these users are only potential members in the group
- The client application determines actual membership at run time
• A dynamic group can be configured so that the Content Server:
- Considers all members to be group members by default, unless the client application removes them
- Considers all members to be non-members by default, unless the client application adds them

Dynamic Groups Example

• Business requirement: Members of the Top Secret group can access sensitive documents but only when they are connecting to the Content Server within the company firewall
• Solution: Make the Top Secret group a dynamic group, and enable internal clients to add members to the group in real time

When Dexter uses a client inside the firewall, the client adds him to the Top Secret dynamic group, giving him access to sensitive content.

When Dexter uses a client outside the firewall, the client is unable to add him to the Top Secret dynamic group, and he is unable to access sensitive content.

[Figure: Dexter, the firewall, the Top Secret dynamic group and a classified document, shown for the inside-the-firewall and outside-the-firewall cases]


Adding Users to a Dynamic Group


• Custom programming is required to enable a client application to add members to, or remove
members from, a dynamic group.
• When adding or removing members, the client application can only manipulate users who have
been configured as members of the dynamic group.
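
The dynamic group rules above, as an added example (not EMC or Documentum code): a Python model of per-session membership with the two default modes, the restriction to configured (potential) members, and the Top Secret client policy. The class and method names, the 10.0.0.0/8 "inside the firewall" range and the sample addresses are assumptions of this example, not Documentum API names.

```python
import ipaddress

# Assumed address range for clients inside the company firewall (constructed).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


class DynamicGroup:
    """A dynamic group: a list of potential members plus a default mode."""
    def __init__(self, name, potential_members, member_by_default=False):
        self.name = name
        self.potential = set(potential_members)
        self.member_by_default = member_by_default


class Session:
    """One user's session, holding the client's per-session add/remove calls."""
    def __init__(self, user):
        self.user = user
        self.added, self.removed = set(), set()

    def _require_potential(self, group):
        # A client can only manipulate users configured as members of the group.
        if self.user not in group.potential:
            raise PermissionError(f"{self.user} is not configured in {group.name}")

    def add_dynamic_group(self, group):
        self._require_potential(group)
        self.added.add(group.name)
        self.removed.discard(group.name)

    def remove_dynamic_group(self, group):
        self._require_potential(group)
        self.removed.add(group.name)
        self.added.discard(group.name)

    def is_member(self, group):
        """Actual membership for this session, as the server would treat it."""
        if self.user not in group.potential:
            return False
        if group.name in self.added:
            return True
        if group.name in self.removed:
            return False
        return group.member_by_default


TOP_SECRET = DynamicGroup("Top Secret", ["Dexter"])      # non-member by default


def open_session(user, client_ip, group=TOP_SECRET):
    """Client policy from the slide: only internal clients add the user."""
    session = Session(user)
    inside = ipaddress.ip_address(client_ip) in INTERNAL_NET
    if inside and user in group.potential:
        session.add_dynamic_group(group)
    return session
```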

Useful Queries: Groups and Roles

• List all roles in the system:

    select group_name from dm_group
    where group_class = 'role'

• List all users who are members of this group, including those who are members of groups contained in this group:

    select i_all_users_names from dm_group
    where group_name = 'SalesDept'

• List all groups a particular user can modify:

    select group_name from dm_group
    where group_admin = 'Norman' or
    owner_name = 'Norman'


Object Types and Properties


Refer to the Content Server Object Reference Manual for a complete list of Documentum object types
and their properties.

Test Your Knowledge

1. True/False: You must have SYSADMIN or SUPERUSER privilege to create a group.
2. True/False: If a group is marked private, the Content Server only displays the group to the group's creator.
3. Which attribute of the dm_group object indicates whether or not the group is a role?
4. Roles are similar to which user setting:
A) Privileges
B) Client Capability
C) Permissions
D) ACL


1. False. Any user with the Create Group privilege can create a group. They also need the System Administrator client capability to access the Administration node in Webtop.
2. False. It is up to the client application to enforce the private status of a group; the Content Server does not enforce this setting.
3. group_class.
4. B. In some clients, the user's role overrides the user's client capability setting.

Exercise Estimated time: 20 min

• During the exercise, you will:
- Create a new group
- Create a new role
- Add users to your group and role
- Issue DQL queries

[Figure: project_reviewers (reviewer, cchan, sdalton) and managers_role (projectmanager, sdalton)]
