1

I have a question on how to revoke access to all objects (documents, emails, etc.) from all users, leaving READ access only, in Documentum. Having searched around the internet, I found no answers. Thanks for your help.

As part of the test, I was trying to do this on one user ONLY. My attempts involved changing Security Permissions in DA (Documentum Administration) and changing owner_name in DQL. But none of these attempts seems to work.

Any suggestions? Much appreciated.

dale

3 Answers

1

The short of it is that you need to remove or change access on the objects themselves (folders, documents, etc.).

You can create a new permission set (ACL) that contains the permissions you want (in this case, READ permission) under the Security section in Documentum Administrator. You can either create a group and assign them the READ permission, or just use the dm_world group and assign it READ. Remove the other access permissions you don't want.

If you use a group other than dm_world you will need to assign all the users to this group under User Management.

Then, use DQL to apply your new permission set to all of your folders and documents.

Brendan Hannemann
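
One way to carry out the last step above and check the result, as an added example that is not part of the original answer. The ACL name `read_only_acl`, its `dm_dbo` domain and the cabinet path `/Sample Cabinet` are assumed placeholders; run each statement separately.

```sql
-- Assumed placeholders (not from the page): ACL 'read_only_acl' in domain
-- dm_dbo, objects under '/Sample Cabinet'.

-- 1. Review what the ACL grants before applying it. One row per accessor
--    entry; r_accessor_permit 3 is Read. Look for any accessor, including
--    dm_owner and dm_world, with a level above 3 or unwanted extended permits.
SELECT r_accessor_name, r_accessor_permit, r_accessor_xpermit
FROM dm_acl
WHERE object_name = 'read_only_acl'

-- 2. Record which ACLs the objects carry now, so the change can be
--    reviewed and reverted per ACL if needed.
SELECT acl_domain, acl_name, count(*)
FROM dm_sysobject (ALL)
WHERE FOLDER('/Sample Cabinet', DESCEND)
GROUP BY acl_domain, acl_name

-- 3. Apply the ACL. dm_sysobject covers folders and documents; (ALL)
--    includes non-current versions. acl_name and acl_domain are set
--    together because the pair identifies the ACL.
UPDATE dm_sysobject (ALL) OBJECTS
SET acl_name = 'read_only_acl',
SET acl_domain = 'dm_dbo'
WHERE FOLDER('/Sample Cabinet', DESCEND)

-- 4. Verify: this should return no rows once every object in scope
--    points at the read-only ACL.
SELECT r_object_id, object_name, acl_domain, acl_name
FROM dm_sysobject (ALL)
WHERE FOLDER('/Sample Cabinet', DESCEND)
AND acl_name <> 'read_only_acl'
```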
0

You can create an ACL with READ permission using API as below:

    create,c,dm_acl
    set,c,l,object_name
    sample_acl_name
    set,c,l,owner_name
    dm_dbo
    set,c,l,description
    Sample ACL
    grant,c,l,your_group_name_1,3,execute_proc
    revoke,c,l,your_group_name_1,ExtendedPermit,,change_location
    grant,c,l,your_group_name_2,3,execute_proc
    revoke,c,l,your_group_name_2,ExtendedPermit,,change_location
    . . .
    grant,c,l,your_last_group_name,3,execute_proc
    revoke,c,l,your_last_group_name,ExtendedPermit,,change_location
    save,c,l


or

you can modify the existing ACL using API as below:

    retrieve,c,dm_acl where object_name = 'existing_acl_name'
    grant,c,l,your_group_name_1,3,execute_proc
    revoke,c,l,your_group_name_1,ExtendedPermit,,change_location
    grant,c,l,your_group_name_2,3,execute_proc
    revoke,c,l,your_group_name_2,ExtendedPermit,,change_location
    . . .
    grant,c,l,your_last_group_name,3,execute_proc
    revoke,c,l,your_last_group_name,ExtendedPermit,,change_location
    save,c,l

0

I have faced a similar situation and I found two ways to approach it. One way, which is an easy way, would be to create a new ACL with all the permissions and groups you wish to have access, which can be done as follows:

     import com.documentum.fc.client.DfPermit;
     import com.documentum.fc.client.IDfACL;
     import com.documentum.fc.client.IDfPermit;

     String aclName = "your_acl_name";
     String aclDescription = "your_acl_description";
     // Create your ACL object:
     IDfACL acl = (IDfACL) _session.newObject("dm_acl");
     acl.setObjectName(aclName);
     acl.setDescription(aclDescription);
     acl.save();

     IDfPermit permit = new DfPermit();
     // your_groups: a String holding the accessor (group) name
     permit.setAccessorName(your_groups);
     permit.setPermitType(IDfPermit.DF_ACCESS_PERMIT);
     // You may need to change the value of the next line based on your objective.
     // The value must be a basic access level to match DF_ACCESS_PERMIT; READ is used here.
     permit.setPermitValue(IDfACL.DF_PERMIT_READ_STR);
     // Finally, grant the permit you've created above:
     acl.grantPermit(permit);
     acl.save();

Then update the ACL name of your previous object to the one you've just created, as follows (DQL):

     UPDATE dm_folder OBJECTS SET acl_name = 'your_acl_name' WHERE object_name = 'your_object_name'

Or use the more straightforward way, which is by using DFC as below:

        // First you must fetch the ACL you're going to edit.
        // This runs a DQL qualification that fetches your ACL by its name from the dm_acl type.
        // getObjectByQualification returns IDfPersistentObject, so cast it to IDfACL.
        IDfACL acl = (IDfACL) session.getObjectByQualification("dm_acl where object_name='" + "your_acl_name" + "'");
        acl.revoke("The_group_you_want_to_limitate_to_only_view", "execute_proc");
        acl.save();

I hope that this would help you as it worked for me :)

Danial Kosarifa