
We have a build system on which we need to fetch documents for other users' builds. We don't have their password but only their login, and we will use a service account. Is there a way to get the access rights for another principal with the FileNet API, so we won't allow them to fetch something they don't have access to?

For performance's sake, I would rather ask the CE to do the check instead of getting all permissions and checking them all one by one. Plus, nested groups and security priority (direct/template/proxy) might slow things down a lot and make the code complex. Something like getAccessAllowed but given a principal or a User? If there is not, what would be the best way to do that?

I saw that get_MemberOfGroups deals with nested groups, but we still have to check against all the permissions, taking care of the source priority and deny/allow priority, which means re-implementing the CE security strategy.

Limon Monte
  • Hi, did you get your requirement completed? I have a similar requirement: to assert the Id of another user in the action of the service user through a stand-alone application. – Friendy Oct 21 '15 at 07:54
  • @Guillaume The short answer is no, you have to loop through the ACL to check if a certain user has access or not. And do not try to resort to the database, as the ACL is stored as a BLOB object that gets unmarshalled by FileNet into an ACL object and then injected into the document. – WiredCoder Jul 14 '16 at 16:59

2 Answers

You can create a custom LoginModule to authenticate the user without a password; then you can work with the CE as the original user, without a service account.

But you need to add these users to the FN objects' ACLs with the correct permissions.

swepss
  • Thank you very much swepss. Some people also oriented me in that direction. I've never worked with LoginModule; is it a LoginModule I have to add locally (in the client using the Java API), on the server (within the WebSphere console), or both? Do you have an example or some documentation you could point me to? Thank you – Guillaume Delory Sep 02 '15 at 09:54
  • Lol, that's a bit mean :) and of course I did that; I was more talking about the architecture and what stands where, but fair enough. I'll investigate more and come back if I've got questions. To be honest I haven't got much time to look into that lately, and someone else also told me about the TAI interceptor, which could be another approach. – Guillaume Delory Sep 03 '15 at 12:13
  • @guillaume-delory TAI is not really the same as JAAS. Just check this [link](http://www.theserverside.com/news/1364395/The-Power-of-JAAS-Security-System-Alternatives) to understand the difference between TAI and JAAS. For your case, from my point of view, JAAS will be better than TAI. TAI is oriented to protecting connections and does not really authenticate users; it only authorizes connections. You should use TAI when you need to protect the system from some "bad agent" between the system and the authentication service. – swepss Sep 03 '15 at 12:43

If I got what you are saying right, I think the best way to do this is the other way around. You don't look at what access rights are owned by the user and match them with the document; you need to see what that user is asking for and whether he has the right access levels. The best way is to use an Active Directory with user groups and set permissions for them via the document type. But let's say somehow you have set access permissions on the document's side. When the user calls the document, get an instance of it

IDocument doc = Factory.Document.FetchInstance(os, id, null);

And get the permission list

IAccessPermissionList permissions = doc.Permissions;

And with loop get what permission is set for that document

foreach (IAccessPermission permission in permissions)
{
    // Matching the grantee name alone finds only a direct entry for this user;
    // group grants and DENY entries (AccessType) are not covered by this check.
    if (permission.GranteeName == "your login user")
    {
        // you can continue your work
    }
}

and keep a local set of permissions where you validate your user (db/txt); if they match, use your service account user and show the image and information.

Archangle
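The loop above only matches a grantee name, while the question points out that a real check has to honour nested groups, source priority and deny-over-allow. As an added example (not from the original post and not FileNet code), this models that evaluation over a constructed ACL so a service account can decide up front whether another principal may read a document; the right bits, the group names and the source order are assumptions, and the precedence order is taken from the question's wording, so confirm it against the CE security documentation before relying on it.

```python
from dataclasses import dataclass

# Constructed right bits; NOT the real FileNet AccessRight values.
READ_CONTENT, VIEW_PROPS, MODIFY_PROPS = 0x1, 0x2, 0x4
# Source precedence, highest first, as the question lists it (assumption).
SOURCE_ORDER = ("direct", "template", "proxy")

@dataclass(frozen=True)
class Ace:
    grantee: str   # user or group short name
    allow: bool    # True = ALLOW, False = DENY
    mask: int      # rights granted or denied
    source: str    # one of SOURCE_ORDER

def expand_groups(direct_groups, parents):
    """Nested membership: parents maps a group to the groups it belongs to."""
    seen, todo = set(), list(direct_groups)
    while todo:
        g = todo.pop()
        if g not in seen:
            seen.add(g)
            todo.extend(parents.get(g, ()))
    return seen

def effective_mask(acl, principal, groups):
    """Deny beats allow within a source level; higher sources are never reopened."""
    grantees = {principal, *groups}
    effective = decided = 0
    for source in SOURCE_ORDER:
        allowed = denied = 0
        for ace in acl:
            if ace.source == source and ace.grantee in grantees:
                if ace.allow:
                    allowed |= ace.mask
                else:
                    denied |= ace.mask
        effective |= allowed & ~denied & ~decided   # only still-open bits
        decided |= allowed | denied
    return effective

def access_allowed(acl, principal, groups, wanted):
    """True only if every requested bit is effectively granted (default deny)."""
    return (effective_mask(acl, principal, groups) & wanted) == wanted

# Constructed ACL: contractors are denied read at template level, alice
# gets it back through a direct allow, everyone may only view properties.
SAMPLE_ACL = [
    Ace("everyone", True, VIEW_PROPS, "proxy"),
    Ace("builders", True, READ_CONTENT | VIEW_PROPS, "template"),
    Ace("contractors", False, READ_CONTENT, "template"),
    Ace("alice", True, READ_CONTENT, "direct"),
]
PARENT_GROUPS = {"ci-agents": {"builders"}, "vendors": {"contractors"}}
```

Call `access_allowed(SAMPLE_ACL, user, expand_groups(direct_groups, PARENT_GROUPS), READ_CONTENT)` before fetching content on the user's behalf; a user in both vendors and ci-agents is refused unless a direct allow overrides the template deny.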