Does Documentum Enforce Least Privilege?

I was asked this question recently and was pretty sure the answer was ‘Yes’, but I set out to prove it anyway.

So, what is ‘least privilege’ you ask?  Least privilege is the practice of giving users only the minimal permissions and capabilities they need to complete a task.

The situation presented to me was that a user was a member of a group which was assigned ‘Version’ capability on an object, as well as being directly listed in the ACL with ‘Read’ capability.  How does the Documentum security model reconcile such conflicts?  What capabilities would the user actually have on the object?  Could they check out/check in the object or not?  Could they change properties on the object?  How would these capabilities change if the user was the owner of the object?

I set up a quick test.  Here are my results:

  • With the user as a member of a group with ‘Version’ capability as well as being assigned ‘Read’ capability directly in the ACL, the user had ‘Read’ capability only (i.e., they could not check out the object or modify the properties).  This would confirm Least Privilege.
  • If I made the user the owner of the object (with ‘Delete’ capability), then the user had full access to the object (i.e., checkout, checkin, overwrite, delete, etc.) regardless of their group’s capability or their direct assignment in the ACL.  This is a unique feature of being the owner of an object and does not conform to Least Privilege.  This is briefly discussed in the EMC Documentum Content Server Version 7.2 Fundamentals Guide on p. 91.
  • However, when I changed dm_owner’s capability to ‘Read’ in the ACL, the user/owner then had ‘Read’ capability only.  This would seem to indicate that object owners only have ‘Delete’ capability on the objects they own because of the default construction of the ACL (i.e., dm_owner=delete by default).

Least Privilege holds true in the Documentum security model with the exception of the object owner’s privilege, which trumps the ACL privileges, even when it might enforce a downgrade in capability.  Now you know.

UPDATE:  For a really thorough response to this post, see here.


About Scott
I have been implementing Documentum solutions since 1997. In 2005, I published a book about developing Documentum solutions for the Documentum Desktop Client (ISBN 0595339689). In 2010, I began this blog as a record of interesting and (hopefully) helpful bits of information related to Documentum, and as a creative outlet.

One Response to Does Documentum Enforce Least Privilege?

  1. Pingback: ACL computations | Documentum in a (nuts)HELL
