Understanding security inheritance
Security inheritance is one of the powerful features of the FileNet® P8 security design.
Security inheritance refers to the passing of permissions from a parent object to a child object. For example, a folder could be the parent of a subfolder or a document; a document could be the parent of an annotation. The child object can inherit the security permissions from its parent object. Because of inheritance, the security administrator can apply security updates to many objects in one operation by setting the permissions at the parent level. These settings can then be inherited by the children at various, configurable levels.
- Inherited permissions have a source type of Inherited. For more information about the different source types, see About access rights.
- You cannot modify inherited permissions on a child object. You must modify the permissions on the parent object. Inherited permissions are displayed as disabled in security interfaces such as the Administration Console for Content Platform Engine security editor. Modifications made on the parent object will be automatically applied to the inherited permissions on the child objects after the next metadata refresh.
- When you delete a parent, the permissions of the parent that were previously inherited by the child objects will also be deleted from the child objects.
- When you change the inheritable permissions on a parent object, the change applies to all versions of a security child that is inheriting those permissions.
- Inherited permissions are a lower precedence than other sources, such as default, direct, or template, and so can be overridden by them. This issue occurs only when using deny permissions, because using only allow permissions causes them all to be combined, no matter what their source.
- Security children can have multiple parents, and parents can themselves have parents. The effect of more than one parent is to combine all their permissions into a set of inherited denies and a set of inherited allows. In this situation, the inherited denies take precedence.
- Normally, inherited access rights also apply to the parent object itself, for example, when you use This object and all children. However, to apply inherited access rights only to children and not to the parent, use All children, but not this object or Immediate children, but not this object. This setting is particularly useful for access rights such as Delete, where you want to allow the children to be deleted, but not the parent.
- To enable inheritance on folders, set Inherit parent permissions to True on the folder's General tab.
- Inheritable depth (Apply to)
Each ACE has an inheritable depth setting that is invoked if the ACE is configured to be inherited by a child object. The following settings are available:
- This object only
- This ACE would not be inherited even if it were configured for inheritance.
- This object and immediate children
- This ACE applies to the object and would be inherited by the parent object's children, but not by the child object's children. After inheritance takes place, the child ACE will have an inheritable depth of This object only.
- This object and all children
- This ACE applies to the object and would be inherited by every generation of the parent object's child objects. After inheritance takes place, the child object's ACE will have an inheritable depth of This object and all children.
- All children, but not this object
- This ACE would be inherited by every generation of the parent object's child objects, but does not affect the parent object itself.
- Immediate children, but not this object
- This ACE would be inherited only by the parent object's immediate children, but not by further generations, and does not affect the parent object itself.
The Administration Console for Content Platform Engine security editor lets you set inheritable depth. For more information, see Configure inheritable depth.
Inheritance relationships
- An inheritance relationship between a child object and a parent object is created by giving a
value to a specific object-valued property of the child. This value references the parent. The
object-valued property of the child object must include a SecurityProxyType value of Inherited in
its property definition metadata. Several object-valued properties are built-in properties for the
predefined classes and others can be added as custom properties.
Tip: To view the object-valued properties, from the Administration Console for Content Platform Engine, select the object and then click the Properties tab and scroll down the list of properties.
- SecurityFolder
- The SecurityFolder property is a built-in property of the Document and CustomObject classes. The
security folder specifies a folder from which an object inherits security. There is no requirement
that its security children be filed in the folder.
- AnnotatedObject
- The AnnotatedObject property is a built-in property of the Annotation class. The annotated
object specifies an IndependentObject object of type Document, Folder, or CustomObject to which this
annotation has been applied.
- SuperclassDefinition
- The SuperclassDefinition property is a built-in property of the ClassDefinition class. The
superclass definition specifies the ClassDefinition object that defines the immediate superclass of
the class that is defined by this class definition.Restriction: This property controls inheritance of permissions only, not the default instance permissions.
- Coordinator
- The Coordinator property is a built-in property of the Task class. The coordinator is a
reference to the containable object that is acting as the coordinator for this and other related
tasks.
- Custom properties
- Content Platform Engine provides extensible security parent relationships
with the SecurityProxyType property placed on the metadata of custom object-valued properties. This
type of property is known as a proxy-defining property. This property is added to the class
definition of the intended security child, and then a value is set for that property on an instance
of the class to establish the security parent of that child. You can add proxy-defining properties
to any class of objects as required by your security design, including, but not limited to, folders.
An object can have many such proxy-defining properties, that is, many security parents from which
ACEs are inherited. The inherited ACEs from each are merged together and contribute with equal
priority to the access check that produces the final security mask. Tip: To view this property, from the Administration Console for Content Platform Engine, select the object, then click the Properties tab and scroll down the list of properties.Important: If a security proxy object is marked for deletion (which places it in the Recovery Bin), the server continues to allow for the security proxy's permissions to be inherited by the child object. For example, if DocA is a security proxy for DocB and DocA is marked for deletion, then DocB continues to inherit its security from DocA, even though DocA cannot be queried or retrieved by users with typical access rights. Only users with the VIEW_RECOVERABLE_OBJECTS permission on the object store can access DocA. Although objects marked for deletion are not viewable by most users, the objects exist in the object store database, and they are potentially recoverable. Therefore, the server maintains the inherited security from security proxy objects that are recoverable. This behavior can result in an inheriting object granting more permissions than would be expected from inspection by someone without VIEW_RECOVERABLE_OBJECTS permission, potentially causing confusion, or, in unusual circumstances, being counter to the intention of marking the proxy object for deletion. To avoid these potential issues, it is recommended that objects whose primary purpose is to act as a security proxy not be marked for deletion. If the intent is to terminate the proxy relationship, a delete should be used instead.
- Configuring inheritance
For configuring inheritance on documents and custom objects, see Configure a document's security parent and Configure a folder to be a security parent.
Folders have an Inherit parent permissions property on the General tab of their property sheets in Administration Console for Content Platform Engine. This check box governs inheritance between folders. When you select it, the folder will inherit permissions from its parent folder if the parent folder has inheritable permissions. Changing the property from True to False removes any ACEs that were formerly inherited from the parent folder.
- Subclassed permissions are copied, not inherited
- When you make a new subclass from a class definition, some permissions are passed from the
parent class definition to the new child class definition in a manner that is not inheritance. When
you make a new subclass, those permissions of the originating class definition that have a Source
type of Default or Direct and are of inheritable depth This object only are exactly
copied to the new subclass with a source of Default and no change in inheritable depth.
During subclassing, the child class receives the ACEs of its parent as described in the following table. Notice that Default permissions with inheritable depth of This object only are not inherited by the child. Instead, they are copied without change and are therefore modifiable on the child object.
| If the ACE on the parent class is marked... | ...then the same ACE on the subclass will be marked... | Inheritance or copy? |
|---|---|---|
Source = Default Inheritable depth = This object only |
Source = Default Inheritable depth = This object only |
Copy |
Source = Direct Inheritable depth = This object and immediate children |
Source = Inherited Inheritable depth = This object only |
Inheritance |
Source = Direct or Inherited Inheritable depth = This object and all children |
Source = Inherited Inheritable depth = This object and all children |
Inheritance |
Source = Inherited Inheritable depth = This object only |
Does not appear. Inheritance is stopped by the inheritable depth. | Not applicable |
Source = Direct or Inherited Inheritable depth = All children but not this object |
Source = Inherited Inheritable depth = This object and all children |
Inherited |
Source = Direct Inheritable depth = Immediate children only, but not this object |
Source = Inherited Inheritable depth = This object only |
Inherited |
- Summary of security sources
- The following table summarizes how objects receive initial security. Security inheritance takes place only if the source class or object has inheritable permissions:
| Object | Initial security comes from... | Inherits additional security from... | Its security can be inherited by... |
|---|---|---|---|
| Folder | The DefaultInstancePermissions of its class, or directly set
when creating. Security policy, if configured. |
Its parent folder (the folder immediately above), if the Inherit parent permissions check box is selected on the child folder. Custom object-valued properties with Security Proxy Type set. |
Child folders, if Inherit parent permissions is
enabled on those child folders, and if there are inheritable ACEs. Documents or custom objects that consider the folder its security folder, if the folder has inheritable ACEs. By other objects (document, custom object, folder) through a Security Proxy Type property and acting as security parent. |
| Document | The DefaultInstancePermissions of its class, or directly set
when creating. Security policy, if configured. |
Security folder, if configured using Security Parent or Security
Folder properties. Custom object-valued properties with Security Proxy Type set to Inheritance. See Configure security inheritance. |
Any annotations assigned to the document version, if the document has inheritable ACEs. By other objects (document, custom object, folder) through Security Proxy and acting as security parent. |
| Custom object | The DefaultInstancePermissions of its class, or directly set
when creating. Security policy, if configured. |
Same as Document. | By other objects (document, custom object, folder) through Security Proxy and acting as security parent. |
| Annotation | The DefaultInstancePermissions of its class, or directly set when creating. | Document, Folder, Custom Object. | None. |
| Other Classes | Its parent class. | Any additional parent classes up to the top of the class hierarchy. | Child classes, if there are inheritable ACEs. |