Checked out document will cause ACL updates to fail

If the default_acl attribute in the dm_server_config object is set to “1 – folder”, new objects (e.g., subfolders, documents, etc) will inherit the parent’s permission set. For copied objects, they will also inherit the same permission set, since effectively new objects are created in the folder. However, for moved objects, their original permission set are carried over to their new destination folder.

This effectively posed a security loophole. To avoid this, a job could be scheduled to apply the permission set to a folder and its contents routinely.

There’s however another challenge imposed here. Checked out documents. Documents that are checked out cannot be applied with the “new” permission set. They had to be checked in or cancelled checked out inorder for the application to be successful.

One possible approach would be to write the DQL such that, it will only update an object’s ACL if it its not the same as the new ACL and only if its r_lock_owner is null or empty.

Folders are not affected, since folders cannot be checked out.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: