What Does Folder Security Really Do?

There are two folder/security concepts in Documentum that often get confused, blended, or otherwise mangled: Folder Security and “inherit ACL from folder”.  Folder Security is an additional security mechanism implemented in the repository and requires users to have WRITE permissions on folders in which they are creating, moving, un/linking, or deleting objects.  Folder security enforces security on folders similar to what you find on a file system. It does not prevent users for checking in/out files already in a folder.  It has nothing to do with which ACL an object uses or will receive when it is created.  The folder security setting is controlled by dm_docbase_config.folder_security attribute.  The default for this feature is ON.

If a user who does not have WRITE permission on a folder (by default, folders are usually created with dm_world = READ access), they will not be able to save a new document to that folder; nor will they be able to move, copy, link, unlink or delete documents in that folder. However, giving a user WRITE permission to a folder will also allow them to overwrite the attributes of the folder.  This is probably not what you intended either.  My experience has been that objects are usually created or moved around a repository via a process (running as a privileged user) and not by users directly.  The exceptions are objects in users’ personal folders.

“Inherit ACL from folder” is a setting on the dm_server_config.default_acl attribute.  This attribute tells the server how to protect every object that is created in the repository.  There are four settings:  folder (1), type (2), user (3), and none (4).  The default value is 3, use the user’s default ACL. You can read more about these setting in the EMC Documentum System Object Reference Manual.

Setting this attribute to 1 (folder) will automatically apply a folder’s ACL to anything put in that folder; documents, folders or other. This is likely not what you want either. You probably don’t want the object to have the same ACL as the folder (What if the folder has WRITE privilege as discussed above, but the document should only be writable by a select few?).  Most likely, you want folders to inherit the parent folder’s ACL and documents to have their own ACL based upon some other criteria (e.g., owner, type, life cycle).  This kind of security will involve developing a TBO for your type that can dynamically apply ACLs based upon some criteria of your business process.

Of course, every situation is different, so your mileage may vary.

This is not a new topic.  See what others have said here:


About Scott
I have been implementing Documentum solutions since 1997. In 2005, I published a book about developing Documentum solutions for the Documentum Desktop Client (ISBN 0595339689). In 2010, I began this blog as a record of interesting and (hopefully) helpful bits of information related to Documentum, and as a creative outlet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: