If the default_acl attribute in the dm_server_config object is set to “1 – folder”, new objects (e.g., subfolders, documents, etc.) inherit the parent’s permission set. Copied objects also inherit that permission set, since copying effectively creates new objects in the folder. Moved objects, however, carry their original permission set over to the destination folder.
This effectively creates a security loophole. To avoid it, a job can be scheduled to routinely apply the permission set to a folder and its contents.
There is, however, another challenge here: checked-out documents. The “new” permission set cannot be applied to documents that are checked out. They have to be checked in, or the checkout has to be cancelled, for the application to succeed.
One possible approach is to write the DQL so that it updates an object’s ACL only if it is not the same as the new ACL and only if its r_lock_owner is null or empty.
Folders are not affected, since folders cannot be checked out.
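A sketch of the DQL such a job could run, added here as an illustration and not taken from a production job. The folder path, ACL name and ACL domain are constructed placeholders, and the empty-string test on r_lock_owner is an assumption that should be adjusted to how your repository stores an unset lock owner.

```sql
-- Placeholders (constructed for this example):
--   folder path : /Projects/Restricted
--   target ACL  : acl_name = 'acl_restricted', acl_domain = 'dm_dbo'
-- Run each statement separately; strip the comments if your DQL client
-- does not accept them.

-- 1. Re-apply the folder's ACL to documents below it whose ACL differs
--    (for example, documents that were moved in) and that are not
--    checked out. Without (ALL), only CURRENT versions are matched.
UPDATE dm_document OBJECTS
SET acl_name = 'acl_restricted',
SET acl_domain = 'dm_dbo'
WHERE FOLDER('/Projects/Restricted', DESCEND)
  AND (acl_name != 'acl_restricted' OR acl_domain != 'dm_dbo')
  AND (r_lock_owner IS NULLSTRING OR r_lock_owner = ' ')

-- 2. Report the documents statement 1 had to skip: wrong ACL, but
--    checked out. These stay exposed under their old ACL until they are
--    checked in or the checkout is cancelled, so the job should log them
--    for follow-up.
SELECT r_object_id, object_name, r_lock_owner, acl_domain, acl_name
FROM dm_document
WHERE FOLDER('/Projects/Restricted', DESCEND)
  AND (acl_name != 'acl_restricted' OR acl_domain != 'dm_dbo')
  AND r_lock_owner IS NOT NULLSTRING
  AND r_lock_owner != ' '

-- 3. Subfolders cannot be checked out, so no lock test is needed.
UPDATE dm_folder OBJECTS
SET acl_name = 'acl_restricted',
SET acl_domain = 'dm_dbo'
WHERE FOLDER('/Projects/Restricted', DESCEND)
  AND (acl_name != 'acl_restricted' OR acl_domain != 'dm_dbo')
```

Running the report in statement 2 on every job cycle shows how long a moved document has kept its original permission set because of an outstanding checkout.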