Insufficient access rights to create a folder

Question

In my current project using Filenet P8 Content Platform Engine 5.2.1 with WebSphere 8.5.5.3, Eclipse Mars 4.5.2 and Apache Maven 3.3.1

I need to create folders on the fly, and I'm following this sequence:

I create a new instance of the folder, using the p8admin user:

Folder newFolder = Factory.Folder.createInstance(objectStore, subFolderClass);

I add some properties with the method:

newFolder.getProperties().putValue(EcmFilenetConsts.PROPERTY_ID_LOTTO, ((CNEPropertyBean) sgacPropsBean).getIdLotto());

I set the parent and folderName properties:

Folder parentFolder = Factory.Folder.getInstance(objectStore, null, parentFolderPath);
newFolder.set_Parent(parentFolder);
newFolder.set_FolderName(subFolderName);

Then I set some permissions on the folder before performing newFolder.save(RefreshMode.REFRESH):

AccessPermission permission = Factory.AccessPermission.createInstance();
permission.set_GranteeName(granteeName);
permission.set_AccessType(AccessType.ALLOW);
permission.set_InheritableDepth(-1);
permission.set_AccessMask(EcmFilenetConsts.ACCESS_READ_FOLDER);
AccessPermissionList permissions = Factory.AccessPermission.createList();
permissions.add(permission);
folder.set_Permissions(permissions);

where EcmFilenetConsts.ACCESS_READ_FOLDER = AccessRight.READ.getValue() | AccessRight.READ_ACL.getValue();

If I save the folder and after that I add permissions I have no problems, but I would like to add all the stuffs before saving like the way it happens when using Content Navigator.

Since I need to add only a direct permission on this folder and all the others are inherited by the parent (or by the document class default instance security), I tried to create an empty AccessPermissionList using the factory, but the result is that all the Reader permissions are correctly set but not the Owner permissions.

So when trying to add a subfolder inside this one I get the following:

FNRCE0001E - The requester has insufficient access rights to perform the requested operation.

If you look at the newly created folder security

p8admin user, p8admins and p8operators groups are missing and they are part of the default instance security of the folder class.

Here is the access masks for each permission of the newly created 'on the fly' folder:

DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - Folder GranteeName: cn=AMM_000008_00001,cn=groups,ou=spcdev,o=priv
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - AccessMask: 131073
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - AccessType: ALLOW
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - PermissionSource: SOURCE_DIRECT
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - InheritableDepth: -1
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - Folder GranteeName: cn=AMM_000001_00001,cn=groups,ou=spcdev,o=priv
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - AccessMask: 131073
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - AccessType: ALLOW
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - PermissionSource: SOURCE_PARENT
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - InheritableDepth: -1
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - Folder GranteeName: cn=AMM_000002_00001,cn=groups,ou=spcdev,o=priv
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - AccessMask: 131073
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - AccessType: ALLOW
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - PermissionSource: SOURCE_PARENT
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - InheritableDepth: -1
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - Folder GranteeName: cn=FOR_RTI_L01,cn=groups,ou=spcdev,o=priv
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - AccessMask: 131073
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - AccessType: ALLOW
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - PermissionSource: SOURCE_PARENT
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - InheritableDepth: -1

and here is the security information expected result (obtained by saving the folder and adding security afterwards)

DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - Folder GranteeName: cn=AMM_000008_00001,cn=groups,ou=spcdev,o=priv
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - AccessMask: 131073
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - AccessType: ALLOW
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - PermissionSource: SOURCE_DIRECT
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - InheritableDepth: -1
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - Folder GranteeName: cn=p8admin,cn=users,ou=spcdev,o=priv
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - AccessMask: 999415
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - AccessType: ALLOW
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - PermissionSource: SOURCE_DIRECT
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - InheritableDepth: 0
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - Folder GranteeName: cn=AMM_000001_00001,cn=groups,ou=spcdev,o=priv
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - AccessMask: 131073
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - AccessType: ALLOW
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - PermissionSource: SOURCE_DEFAULT
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - InheritableDepth: -1
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - Folder GranteeName: cn=AMM_000002_00001,cn=groups,ou=spcdev,o=priv
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - AccessMask: 131073
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - AccessType: ALLOW
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - PermissionSource: SOURCE_DEFAULT
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - InheritableDepth: -1
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - Folder GranteeName: cn=p8admins,cn=groups,ou=spcdev,o=priv
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - AccessMask: 999415
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - AccessType: ALLOW
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - PermissionSource: SOURCE_DEFAULT
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - InheritableDepth: 0
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - Folder GranteeName: cn=p8operators,cn=groups,ou=spcdev,o=priv
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - AccessMask: 999415
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - AccessType: ALLOW
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - PermissionSource: SOURCE_DEFAULT
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - InheritableDepth: 0
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - Folder GranteeName: cn=AMM_000001_00001,cn=groups,ou=spcdev,o=priv
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - AccessMask: 131073
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - AccessType: ALLOW
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - PermissionSource: SOURCE_PARENT
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - InheritableDepth: -1
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - Folder GranteeName: cn=AMM_000002_00001,cn=groups,ou=spcdev,o=priv
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - AccessMask: 131073
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - AccessType: ALLOW
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - PermissionSource: SOURCE_PARENT
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - InheritableDepth: -1
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - Folder GranteeName: cn=FOR_RTI_L01,cn=groups,ou=spcdev,o=priv
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - AccessMask: 131073
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - AccessType: ALLOW
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - PermissionSource: SOURCE_PARENT
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImpl  - InheritableDepth: -1
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImplTest  - Folder ACCESS FULL CONTROL:999415
DEBUG com.leonardo.spcic.ecm.filenet.security.SecurityManagerImplTest  - Folder ACCESS READ:131073

My doubts are about the fact I'm not sure I'm following the correct sequence or some steps are missing. Which is the correct procedure to create a folder on the fly adding properties and security? Do I have to set security manually?

Okay, I think I need 2 things. 1) Can you tell me the value of `EcmFilenetConsts.ACCESS_READ_FOLDER` 2) Can you create a folder, save it and then loop through each `folder.get_Permissions()` and provide the values of `permission.get_AccessMask` — Michael, May 05 '17 at 10:45
Would you please cut down your question to a reasonable size with significant details only? You were already told you need to create a new permission list instead of getting a non-existent one — and this part is still in the question. I can look into your issue but I won't be spending time on digesting tons of irrelevant info. — ﾤﾡ, May 05 '17 at 18:54
@fnt First of all thanks for your time. I added more details as requested but I'll try to reduce the question size. The main question is: which is the correct sequence of operations to be performed in order to create a folder on the fly with properties and permission set as desired? — abarisone, May 05 '17 at 19:09
@abarisone The sequence does not matter once you start with folder creation and end with `save()`. Assuming the parent folder already exists. — ﾤﾡ, May 05 '17 at 20:04
@abarisone you say the folder doesn't save, then you list permissions for the newly created folder. this is confusing. Can you please edit the question to be more clear? — Christopher Powell, May 10 '17 at 18:20
The fact is that I can create the parent folder, but Default instance security coming from the Document Class is not applied. Consequently I can't add subfolders because p8admin has not Owner rights. However I'll try to edit the question to make it more clear — abarisone, May 10 '17 at 18:51

score 0 · Answer 1 · answered May 05 '17 at 10:02

Disclaimer: I'm not familiar with this technology. I've just Googled it.

It seems that Folder.createInstance does not create an instance on the API-side until you explicitly tell it to.

The created object does not yet exist in an object store. To persist the created object to the object store, you must explicitly call the save method, or commit the object via a batch operation.

Emphasis mine.

get_Permissions(), and indeed any of the get_X() methods seem to query the API-side for the value, but your folder doesn't exist over there yet, so it fails.

There were lots of people having a similar problem where they'd used getInstance rather than fetchInstance which ultimately results in the same problem and same error code.

The main point is: you need to have "fetched" an instance of your object from the server to be able to query its properties.

This is why the following is true:

If I save the folder and after that I add permissions I have no problems

One solution would be to not query the permissions property, but instead to create your permissions from scratch:

AccessPermissionList permissions = Factory.AccessPermission.createList();
permissions.add(permission);
folder.set_Permissions(permissions);
// Perhaps you will also need additional permissions now?

As I wrote in my post I also tried to create an empty list and then add the permissions I need but when saving the folder it says I don't have permission to do that. But I'm using p8admin to perform such operations. — abarisone, May 05 '17 at 10:08
Sorry, I missed that part. Please edit the code and error you're receiving when you try to do it that way into your question and I'll take a look — Michael, May 05 '17 at 10:12

Insufficient access rights to create a folder

1 Answers1