FileNet P8 Security: The Fundamentals

Implementing best practices requires a sound understanding of FileNet P8 security, since everything we touch has a security component. I am talking about security that meets today's needs but also satisfies requirements as the system grows or becomes more complex. We won't be able to solve every security problem with one design; however, we can implement a security model that is sufficient for most situations and, where it is not, can be modified to meet our needs without extensive reverse engineering.

Concept 1) The FileNet class default instance security tab lists the default access control entries (the ACL) applied when a document is created, if the code creating the document does not specify a new list. Easy enough, right? Remember that the document is stamped with this security at creation; it is not dynamic. A few considerations and tips: Use the default security roles when possible, and create one group for each possible default security role. The security roles map easily to API enumerations, so you don't have to inspect the access permissions mask value; use the roles when you can. By leveraging the out-of-the-box (OOTB) roles up front, you can easily move users in and out of those groups instead of performing a mass security update some day later on. Next, name each LDAP group with a standard prefix + class name + access level, and create the group in an OU corresponding to your object store name. Always create new groups when you create a new class; never use the same group across classes. Using the same groups across classes will prevent you from granting permissions to class A without simultaneously granting access to class B. It's much easier to add a user to two groups than to sort this out later, since you would have to update security on each document.

Concept 2) Class security: This refers to the class itself: who can select it, who can modify its properties, and who can create instances of it. In Image Services (IS-IM), if you did not have permissions to a class, you simply did not see it in the drop-down in IDM. With P8, however, the user can select a class to which they have no permissions. Do the user a favor: remove all groups listed except for your administrative group, then add your default security roles from instance security. For each group, apply the appropriate role or access mask. With your base object store group or domain Everyone removed, the user will not be able to select the class from the UI. If you are an IT organization that farms out some FileNet IT tasks, grant the secondary IT shop administrative access over the class, which allows them to modify that class only, not other classes.

Concept 3) Base object store security: A basic step that most administrators, including architects, mess up at least once. Never, never use domain authenticated users or everyone at the object store level. Never, did I say that already? Instead, create a base object store security group, then put EVERYONE or whatever groups/users you need inside that group. Now you have fine-grained control over who gets to see the object store in the first place. There should be only two groups listed on the object store: the administrative group and the "use object store" group, which I'll call the base. Make sure those two groups are listed when you create the object store; if you didn't do this, remember that you have to run the security script after manually entering the new group.

Concept 4) Always include an administrative group on the document class default instance and class security tabs. A common mistake: the business says FileNet administrators should not have access to PAYROLL documents, so we leave the FileNet admin user or group off the document instance security permissions. A year later, someone says we need to relocate the storage device or otherwise update the metadata on the documents. Well, the P8 admins won't be able to do it. Instead, define the full control group and move P8Admin / CEAdmn in and out of the class groups when needed to administer the content.
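
As an added illustration (not code from the original post and not a FileNet API), the rules in Concepts 1 through 4 can be written down as a small lint over a planned group layout before anything is created in LDAP or P8. The plan format, the `FN` prefix, the `FULL`/`VIEW` access-level suffixes, the catch-all principal names and every group and class name below are assumptions made up for the example.

```python
from collections import defaultdict

PREFIX = "FN"                                  # assumed standard prefix
BROAD = {"#AUTHENTICATED-USERS", "Everyone"}   # assumed names of catch-all principals

def group_name(cls, level):
    """Concept 1 convention: standard prefix + class name + access level."""
    return f"{PREFIX}_{cls}_{level}"

def lint(plan):
    """Check a planned layout (constructed dict format) against Concepts 1-4."""
    admin, base, out = plan["admin_group"], plan["base_group"], []
    # Concept 3: the object store lists only the admin group and the base group.
    for g in sorted(set(plan["object_store_acl"]) - {admin, base}):
        out.append(f"object store: remove {g}")
    seen = defaultdict(set)                    # group -> classes that reference it
    for cls, tabs in sorted(plan["classes"].items()):
        for tab in ("class_security", "default_instance_security"):
            grantees = set(tabs[tab])
            # Concept 4: an administrative (full control) group on both tabs.
            # "FULL" is a hypothetical suffix for the per-class full control group.
            if not grantees & {admin, group_name(cls, "FULL")}:
                out.append(f"{cls}/{tab}: no administrative group")
            # Concept 2: base group or catch-all on class security exposes the class.
            if tab == "class_security":
                for g in sorted(grantees & (BROAD | {base})):
                    out.append(f"{cls}/{tab}: remove {g}")
            for g in grantees - BROAD - {admin, base}:
                seen[g].add(cls)
    # Concept 1: a group must never be shared across classes.
    for g, classes in sorted(seen.items()):
        if len(classes) > 1:
            out.append(f"{g}: shared by {', '.join(sorted(classes))}")
    return out

# Constructed sample plan; every group and class name here is hypothetical.
PLAN = {
    "admin_group": "FN_OS1_ADMIN", "base_group": "FN_OS1_BASE",
    "object_store_acl": ["FN_OS1_ADMIN", "FN_OS1_BASE", "#AUTHENTICATED-USERS"],
    "classes": {
        "Invoice": {"class_security": ["FN_Invoice_FULL", "FN_Invoice_VIEW"],
                    "default_instance_security": ["FN_Invoice_FULL", "FN_Invoice_VIEW"]},
        "Payroll": {"class_security": ["FN_Payroll_FULL", "FN_OS1_BASE"],
                    "default_instance_security": ["FN_Invoice_VIEW"]},
    },
}

if __name__ == "__main__":
    print("\n".join(lint(PLAN)))
```

Each finding corresponds to a cleanup that would otherwise mean re-stamping security on existing documents, which is why it is worth running against the plan rather than the live object store.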

Concept 5) FileNet P8 is a powerful document management system with many layers of security. Here we only talked about instance security; however, there are other features, such as proxy security, marking sets, security policies and the use of DENY, to satisfy more complicated requirements. I addressed the most basic security as a starting point to understanding the FileNet security model. Above all else, keep it simple, and use the fewest tools and technologies needed to satisfy the requirements when possible.