Access Control Lists (ACLs) are Documentum’s method of restricting access to important documents. ACLs control Documentum’s security layer, one of the most flexible and powerful security schemes around.

In Documentum, an ACL can be shared by many documents. Instead of changing the permissions on a file, you change the ACL; all of the files that are using that ACL will be instantly updated. This is a very flexible approach.

Regular ACL and Internal ACL
A Regular ACL is an ACL that was created by an administrator or a user in the docbase. The attribute owner_name of this ACL will show a user name. For example, owner_name: dctmadmin
Internal ACLs are automatically generated by the docbase, and they have a computer generated name, such as dm_. For example dm_4507a12180000197

How are Internal ACLs created?
Every dm_sysobject object in the docbase has an ACL assigned to it. Depending on the ACL inheritance of the serverconfig object, you can set how new objects get their ACL.

There are four different ways to set an ACL to a particular object:
1. user
If your serverconfig is set to use “user”, then every time the user creates a new object, this object will get the same ACL values as the user’s default ACL.

2. folder
In a “folder” mode, the object gets its ACL from the folder where it is created.

3. type
Using “type” mode, default ACL of the type is being used to set the values of the newly created object’s ACL.

4. permission set templates
You can use permission set template to set the ACL of an object. The requirement for permission set template is that the Server needs to be able to resolve any alias sets that might be related to the Permission Set Template.
See Documentum eContent Server Object Reference Manual (Alias Scope)

How do I find out the number of ACLs in my docbase?
1. Total ACLs:
DQL> select count(*) as ACLs_Count from dm_acl

2. For Named ACLs created by users or the system administrator, you can run:
DQL> select count(*) as Count_Named_ACLs from dm_acl where r_is_internal=0 and acl_class = 0

3. For Template ACLs, you can run:
DQL> select count(*) as Count_of_Template_ACLs from dm_acl where r_is_internal=0 and acl_class 0

4. For Internal ACLs, you can run:
DQL> select count(*) as Count_of_Internal_ACLs from dm_acl where r_is_internal=1 and acl_class = 0

5. For Internal ACLs created from Template ACLs, you can run:
DQL> select count(*) as Count_of_Internal_ACLs_From_Template from dm_acl where r_is_internal=1 and acl_class 0

You should have:
#1 = #2 + #3 + #4 + #5

Implication of Many ACLs in Docbase
There is a good chance that the number of Internal ACLs (query #4 above) is high and represents more than 95% of the total number of ACLs in the docbase (query #1). Those are the ACLs that we can get rid of. Also, once your docbase is properly set up, no new Internal ACLs should be created any more.

Find out which Default ACL Mode the Docbase is currently using, then identify the folders / type / users which are using an Internal ACl and change it to a Named ACL so that the docbase stops generating Internal ACLs.

Step A
A.1. First, run the following query to find out what Default ACL the docbase is using:
DQL> select default_acl as Default_ACL_Mode from dm_server_config where object_name=”

A.2. The result should be 1, 2 or 3 but regardless of the result, we suggest that you go through all the steps A.2.1, A.2.2 and A.2.3. The reason is that you want to remove all references to Internal ACls that folders or types or users may have.

A.2.1 If Default ACL mode is 1 (Folder):
Retrieve all the folder names which have an Internal ACL:
DQL> select r_object_id, acl_name, acl_domain, object_name from dm_folder where acl_name like ‘dm_45%’

Update the ACLs of all folders that have Internal ACLs to your Named ACL.
DQL> update dm_folder objects set acl_name = ”, set acl_domain = ” where acl_name like ‘dm_45%’

Note: ‘your docbase name’ is the name of the docbase and ‘your system ACL’ is the name of a system ACL that you want to use as the default ACL. A system ACL is a Named ACL owned by the system administrator which can be shared across users.

Note: You need to update the acl_domain also if you want to update the acl of an object.

Note: We strongly recommend that you use a Named ACL that is owned by System. The reason is because you want to easily share this Named ACL with other users.

A.2.2 If Default ACL mode is 2 (Type):
Retrieve the default ACL and the owner name of the ACL for object types if the types have an Internal ACL associated with them:
DQL> select r_type_name, acl_name, acl_domain from dmi_type_info where acl_name like ‘dm_45%’ or acl_name = ‘ ‘

Update the ACLs of all types that using an Internal ACL or are don’t have an ACL assigned and are subtypes of dm_sysobject by using Documentum Administrator interface. No DQL query is available for this task since dmi_type_info is an internal type.

A.2.3 – If Default ACL mode is 3 (User):
Retrieve all users (and groups) that are using an Internal ACL:
DQL> select r_object_id, user_name, acl_name from dm_user where acl_name like ‘dm_45%’

Assign a named ACL to those users (and groups):
DQL> update dm_user objects set acl_name = ”, set acl_domain = ” where acl_name like ‘dm_45%’

Note: ‘your docbase name’ is the name of the docbase and ‘your system ACL’ is the name of a system ACL that you want to use as the default ACL. A system ACL is a Named ACL owned by the system administrator which can be shared across users.

Note: Make sure you update the acl_domain together with the acl_name. If the acl that you are assigning is not part of the current acl_domain, the server will return an error.

Note: Use a Named ACL that is owned by System (acl_domain=your docbase name rather than acl_domain= user). The reason is because you want to easily share this Named ACL with other users and this is only possible if the ACL is owned by System.

Step B
At this point, you docbase should not generate new Internal ACLs. However, existing objects may be using an Internal ACL. This step helps you indentify those objects and change the Internal ACL to a Named ACL. This step is required before attempting to remove Internal ACLs.

B.1 – Retrieve all objects (content and folders) across the docbase that are using an Internal ACL:
DQL> select count(*) from dm_sysobject (all) where acl_name like ‘dm_45%’ and acl_name not like ‘dm_45%\_8%’ ESCAPE ‘\’

If you need to review those objects one by one:
DQL> select r_object_id, object_name, acl_name, acl_domain from dm_sysobject (all) where acl_name like ‘dm_45%’ and acl_name not like ‘dm_45%\_8%’ ESCAPE ‘\’

B.2 – Assign your Named ACL to all objects (content and folders) across the docbase that have Internal ACL:
DQL> update dm_sysobject (all) objects set acl_name=”, set acl_domain=” where acl_name like ‘dm_45%’ and acl_name not like ‘dm_45%\_8%’ ESCAPE ‘\’ and r_lock_owner is NULLSTRING

Note: ‘your docbase name’ is the name of the docbase and ‘your system ACL’ is the name of a system ACL that you want to use as the default ACL. A system ACL is a Named ACL owned by the system administrator which can be shared across users.

Note: Only the contents that are not checked out will be updated. You may want to run this query periodically until no contents get returned from the queries in B.1

Note: You can refine the query so that only a subset of those objects get a Named ACL – per folder or creation date for instance.

Note: Update the acl_domain together with the acl_name. If the acl that you are assigning is not part of the current acl_domain, the server will return an error.

Note: Use a Named ACL that is owned by System (acl_domain=your docbase name rather than acl_domain=user). The reason is because you want to easily share this Named ACL with other users and this is only possible if the ACL is owned by System.

Note: This query may take quite some time to run. In fact, the update statement may update so many objects at the same time that your database may run out of TEMP tablespace causing the query to fail. You may want to modify the query to modify a limited number of objects at the same time – by restricting per folder or creation date.

Note: You may not be able to update non-CURRENT objects if they are immutable. If this is your case, the query will return error DM_SYSOBJECT_E_CANT_SAVE_IMMUTABLE. In order to resolve this issue, you can take the ‘(all)’ keyword out of the update statement so that only CURRENT objects will be updated. This may leave quite a significant number of Internal ACLs left in the docbase that are used by non-CURRENT objects.

Step C
Now that no new Internal ACL is created and most of the objects in the docbase are assigned a Named ACL – the remaining Internal Acls are those created from Template ACLs. Your docbase is now hosting many orphan ACLs. It is time to clean them up!

Job dm_clean can delete orphan ACLs from the docbase. While running job dm_clean (from Documentum Administrator or you can schedule the job to run periodically), make sure that argument ‘-clean_acl’ is set to TRUE.

Before running the job, you can find out how many ACL the job will clean after going through step A and B:
DQL> select count(*) as Number_of_Internal_ACLs from dm_acl where r_is_internal=1 and acl_class = 0

To get more details about those ACLs:
DQL> select * from dm_acl where r_is_internal=1 and acl_class = 0

If you agree with the result, run dm_clean and go to Step D.

For more information, Refer to Documentum eContent Server Administrator’s Guide Chapter 10 “Removing Unreferenced Internal ACLs”.

Step D
Restart the docbase. Active sessions may still be running with no default ACLs and will keep generating internal ACLs.

After running dm_clean and restarting the docbase, you can verify if all Internal ACLs are gone by re-running the same queries as in Step C:
DQL> select count(*) as Number_of_Internal_ACLs from dm_acl where r_is_internal=1 and acl_class = 0

To get more details about those ACLs:
DQL> select * from dm_acl where r_is_internal=1 and acl_class = 0

You can identify the remaining documents that are still using a Internal ACL:
DQL> select r_object_id, object_name, title, acl_name, owner_name, r_version_label from dm_sysobject (all) where acl_name in (select object_name from dm_acl where object_name like ‘dm_45%’ and object_name not like ‘dm_45%\_8%’ ESCAPE ‘\’) order by 1

To know more about ACLS Click on below Link

  • EMC Powerlink Support Notes.
    What are Access Control Lists?
  • Advertisements