When running the Object Store wizard, you specify the users and groups that should be object store administrators and those who should have non-administrative access rights. You can view and modify these security assignments any time while running Administration Console for Content Platform Engine.
With one exception, administrative users and groups get Full Control on the object store ACL and likewise on all security ACLs of all securable objects. Note that this does not include the permission to create object stores, file storage areas, content cache areas, and related actions like deleting and moving. These permissions belong only to the user and groups who were specified as GCD administrators (gcd_admin) when the IBM® FileNet® P8 domain was created. A user or group can, of course, belong to both the object store administrators group object_store_admin_group and the GCD administrators (gcd_admin) group.
The exception mentioned above is the permission Modify certain system properties which determines which users can set certain system properties (Creator, DateCreated, LastModifier, DateLastModified) that are normally system only. Users and groups who will be running system level tools (like import and migration tools) might need this permission.
Non-administrative users and groups get the following security levels:
See the Reference section for more information about these security levels.
Several permissions that appear on the Security tab of each object store's property sheet have a hierarchical relationship to other permissions on classes and objects contained in that object store:
To log in, a user must have at least View Properties access rights to the object store that contains the user and site preference files.
Users see all object stores configured through Administration Console for Content Platform Engine but must have View Properties access rights to the root folder in order to open an object store.