I'm trying to remove/add the groups from security of a document in FileNet using CPE API. I am able to remove without any issues. However, when I try to add the groups that are missing, by inheriting from document class, groups get added without full permissions. For example, I remove "author" group and when I try to add the same group back, it does not have all the permissions.

Remove groups:

```java
AccessPermissionList apl = doc.get_Permissions();
Iterator iter = apl.iterator();
while (iter.hasNext()) {
    AccessPermission ap = (AccessPermission) iter.next();
    if (ap.get_GranteeName().contains("group name")) {
        iter.remove();
    }
}
doc.set_Permissions(apl);
doc.save(RefreshMode.NO_REFRESH);
```

Add groups:

```java
DocumentClassDefinition docClassDef = Factory.DocumentClassDefinition.fetchInstance(os, classID, null);
AccessPermissionList docClassApl = docClassDef.get_Permissions();
// Add every class-level entry that the document's list does not already contain
for (Object obj : docClassApl) {
    AccessPermission ap = (AccessPermission) obj;
    if (!apl.contains(ap)) {
        apl.add(ap);
    }
}
doc.set_Permissions(apl);
doc.save(RefreshMode.NO_REFRESH);
```

RESOLVED: Had to use DefaultInstanceSecurity rather than regular security as the permissions in both instances were different. So just updated the following line of code:

```java
AccessPermissionList docClassApl = docClassDef.get_DefaultInstancePermissions();
```

Le_Master
  • is the group visible when added second time for the document? – bajji Apr 09 '20 at 19:00
  • group is visible. not all permissions are available. – Le_Master Apr 09 '20 at 20:05
  • I had done this couple of years back but remember vaguely. I think when you remove security, it gives you a new object (can't remember the name) and you have to apply new group on that new object. I will try to find the code. – bajji Apr 09 '20 at 22:34
  • I think the new object is called reserved object (again, I'm not 100% sure, need to check) – bajji Apr 09 '20 at 22:35
  • Is it correct to try and inherit the missing groups from doc class as I am trying to do? – Le_Master Apr 09 '20 at 23:54
  • It's one of the ways... the other way is using a security policy – bajji Apr 10 '20 at 17:19

1 Answer

You need to set AccessMask too. Like below:

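```java
// Create the entry before setting its mask; the setter is set_AccessMask
AccessPermission ap = Factory.AccessPermission.createInstance();
ap.set_AccessMask(Integer.valueOf(AccessLevel.FULL_CONTROL_DOCUMENT_AS_INT));
// Other levels:
// AccessLevel.WRITE_DOCUMENT_AS_INT
// AccessLevel.MAJOR_VERSION_DOCUMENT_AS_INT
```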

Version 5.2.0 onwards, AccessLevel is deprecated but you can give it a try. AccessRight is the replacement now. Refer this.

Update

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;

import com.filenet.api.collection.AccessPermissionList;
import com.filenet.api.constants.AccessLevel;
import com.filenet.api.constants.AccessType;
import com.filenet.api.constants.RefreshMode;
import com.filenet.api.core.Document;
import com.filenet.api.core.Factory;
import com.filenet.api.security.AccessPermission;

public static void setPermissions(Document doc) throws IOException {

    // In cpetarget.properties file
    // cpetarget.security=Administrator:FULL_CONTROL,p8admin:MODIFY_PROPERTIES
    Properties prop = new Properties();
    try (InputStream input = new FileInputStream("cpetarget.properties")) {
        prop.load(input);
    }
    String[] entries = prop.getProperty("cpetarget.security").split(",");

    AccessPermissionList apl = doc.get_Permissions();
    // Remove all your old permissions here
    apl.clear();
    // Add all your new permissions here
    try {
        for (String str : entries) {
            String[] strArray = str.split(":");
            AccessPermission permission = Factory.AccessPermission.createInstance();
            permission.set_GranteeName(strArray[0]);
            permission.set_AccessType(AccessType.ALLOW);
            permission.set_InheritableDepth(Integer.valueOf(0));
            // Integer.valueOf(0):  this object only
            // Integer.valueOf(-1): this object and all children
            // Integer.valueOf(1):  this object and immediate children

            if (strArray[1].equalsIgnoreCase("FULL_CONTROL")) {
                permission.set_AccessMask(Integer.valueOf(AccessLevel.FULL_CONTROL_DOCUMENT_AS_INT));
                //permission.set_AccessMask(AccessRight.MAJOR_VERSION_AS_INT);
            }
            if (strArray[1].equalsIgnoreCase("READ_ONLY")) {
                permission.set_AccessMask(Integer.valueOf(AccessLevel.VIEW_AS_INT));
            }
            if (strArray[1].equalsIgnoreCase("MODIFY_PROPERTIES")) {
                permission.set_AccessMask(Integer.valueOf(AccessLevel.WRITE_DOCUMENT_AS_INT));
            }
            if (strArray[1].equalsIgnoreCase("MAJOR_VERSIONING")) {
                permission.set_AccessMask(Integer.valueOf(AccessLevel.MAJOR_VERSION_DOCUMENT_AS_INT));
            }
            apl.add(permission);
        }
        // Apply the rebuilt list and save once, after every entry has been added
        doc.set_Permissions(apl);
        doc.save(RefreshMode.REFRESH);
        System.out.println("Done");
    } catch (Exception e) {
        e.printStackTrace();
    }
}
```
Ajay Kumar
  • I am trying to just inherit the groups. Why would the inherited group have different permissions? I also tried to set the AccessMask as `ap.get_AccessMask() | AccessRight.MAJOR_VERSION_AS_INT`. When I check the properties of the document, the group still doesn't have "edit major version" and "edit minor version" – Le_Master Apr 09 '20 at 21:11
  • Added a screenshot of how the group permissions look like after adding the group – Le_Master Apr 09 '20 at 22:01
  • Inherited permissions will be inherited from parent. – Ajay Kumar Apr 10 '20 at 01:16
  • Understood. the actual permissions on the parent object are correct. But it changes when I try to add the missing group to the document. – Le_Master Apr 10 '20 at 01:34
  • If I understood correctly, first you are removing the security and then setting it back. I did the same for my project. Refer to the Update section - Please match it with your implementation and see what piece you are missing. Good Luck! – Ajay Kumar Apr 10 '20 at 17:08
  • 1
    After looking at ACCE, realized that the group has different permissions in "security" vs "Default Instance security". What ICN was taking by default was the "Default Instance security". So all I had to change was this: `AccessPermissionList docClassApl = docClassDef.get_Permissions();` to `AccessPermissionList docClassApl = docClassDef.get_DefaultInstancePermissions();` – Le_Master Apr 17 '20 at 12:47
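Added example, not code from the original posts: one way to restore missing entries from the class's Default Instance Security while reporting every grantee whose mask differs between the class's own security and its default instance security, which is the mismatch the thread ended on. `AclRestore` and `restoreMissing` are hypothetical names, and the sketch assumes `doc` was fetched with its `Permissions` property and that matching entries by grantee, access type and inheritable depth is sufficient.

```java
import java.util.HashMap;
import java.util.Map;
import com.filenet.api.admin.DocumentClassDefinition;
import com.filenet.api.collection.AccessPermissionList;
import com.filenet.api.constants.RefreshMode;
import com.filenet.api.core.Document;
import com.filenet.api.core.Factory;
import com.filenet.api.core.ObjectStore;
import com.filenet.api.security.AccessPermission;

public final class AclRestore { // hypothetical helper, not part of the CPE API
    // Key each ACE by grantee, access type and depth so ALLOW/DENY entries stay distinct.
    static Map<String, AccessPermission> index(AccessPermissionList acl) {
        Map<String, AccessPermission> byKey = new HashMap<>();
        for (Object o : acl) {
            AccessPermission ap = (AccessPermission) o;
            byKey.put(ap.get_GranteeName() + "|" + ap.get_AccessType() + "|" + ap.get_InheritableDepth(), ap);
        }
        return byKey;
    }

    // Returns the number of ACEs added to the document.
    static int restoreMissing(ObjectStore os, Document doc, String classId) {
        DocumentClassDefinition def = Factory.DocumentClassDefinition.fetchInstance(os, classId, null);
        Map<String, AccessPermission> classAcl = index(def.get_Permissions());
        AccessPermissionList apl = doc.get_Permissions();
        Map<String, AccessPermission> onDoc = index(apl);
        int added = 0;
        for (Map.Entry<String, AccessPermission> e : index(def.get_DefaultInstancePermissions()).entrySet()) {
            AccessPermission src = e.getValue();
            AccessPermission classAce = classAcl.get(e.getKey());
            // Report grantees that the class's own ACL would have given a different mask.
            if (classAce != null && !classAce.get_AccessMask().equals(src.get_AccessMask())) {
                System.out.printf("%s: class security 0x%x, default instance security 0x%x%n",
                        src.get_GranteeName(), classAce.get_AccessMask(), src.get_AccessMask());
            }
            if (onDoc.containsKey(e.getKey())) continue; // already on the document
            // Build a fresh ACE instead of re-attaching the class definition's object.
            AccessPermission copy = Factory.AccessPermission.createInstance();
            copy.set_GranteeName(src.get_GranteeName());
            copy.set_AccessType(src.get_AccessType());
            copy.set_AccessMask(src.get_AccessMask());
            copy.set_InheritableDepth(src.get_InheritableDepth());
            apl.add(copy);
            added++;
        }
        if (added > 0) {
            doc.set_Permissions(apl);
            doc.save(RefreshMode.REFRESH);
        }
        return added;
    }
}
```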