Big Error in Documentum Content Server 6.5 Fundamentals

EMC Documentum Content Server Version 6.5 Fundamentals has a big error about ACLs on page 134.

Incorrect statement about ACLs
Erroneous statement about ACLs on page 134 of CS 6.5 Fundamentals

As highlighted in the figure above, it claims that ACLs assigned to folders are not used to define access to the folder. This is an incorrect statement. All you need to do to test this statement is to create a folder, alter permissions on it so that you have an effective permission of less than DELETE and then try to delete the folder. You will see that the deletion fails. Similarly, BROWSE permission is needed to look at a folder’s attributes and to retrieve it in query results.

Apparently, the intent is to explain the special usage of ACLs assigned to folders as mentioned in the last statement in the screenshot. However, that is in addition to and not instead of the regular effects of ACLs. In addition to controlling access to the folder object, the ACL assigned to it is used for enforcing folder security (if enabled), which restricts operations on objects linked to the folder. Further, when the default ACL mode for a Content Server instance is Folder, new objects created by that instance in the folder are assigned the same ACL as the one on the folder, by default. This is also loosely referred to as inheriting ACL from folder.

Advertisements

5 thoughts on “Big Error in Documentum Content Server 6.5 Fundamentals

  1. Thanks for pointing this out. It looks like the same error is in the 6.0 version of the document. I’ve updated the document source to say:

    Each SysObject has an ACL. The ACL assigned to a SysObject is used to control access to that object. If folder security is enabled, the ACL assigned to the folder sets the folder security permissions. If the default ACL for the Content Server is configured as Folder, then newly created objects in the folder are assigned the folder’s ACL.

    You should see the new text in the 6.6 version of the doc.

    Regards,
    HB

  2. Thanks for such a prompt action, I am quite impressed! If I were to write it, I would do it slightly differently:

    Each SysObject has an ACL. The ACL assigned to a SysObject is used to control access to that object. For folders, the assigned ACL serves additional functions. If folder security is enabled, the ACL assigned to the folder also affects operations on objects linked to the folder. If the default ACL for the Content Server is configured as Folder, then newly created objects in the folder are assigned the folder’s ACL by default.

    In any case, thanks for taking action in this regard.

  3. EMC’s documentation for most of their Documentum software products is absolutely horrible and has been for years. It’s almost like they outsourced writing it to people who speak English as a second language (and not well) and with some kind of mental block disallowing them from explaining anything in coherent detail. The worst of the lot is the Records Management stuff but Content Server and other documentation make me ill reading it. For years, it’s been hard to comprehend how a company like EMC could not at least attempt better documentation and depend so completely on the development community to wade thru tons of posts on the powerlink forum, which itself is a disaster, to find answers.

    1. I get your point even though I have a different opinion on some of the assertions in your comment.

      At the same time, this state of affairs creates opportunities for people like me, who interpret from English to English. For full disclosure, English is my second language 🙂

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s