Permissions and access management
Files and folders can be shared within a Library. The library itself cannot be shared, but we can set access on the Library in the edit mode of the Library widget. The Library owner can decide the permissions to be given to members of a community. Initially, files and folders inherit access settings from their parent.
Global content administrator access for Libraries is configured in FileNet. We can add individual users as administrators; however, IBM recommends using a group for administrators. By using a group, administrators can be added and removed through directory configuration without changing FileNet, Library, or Connections configurations.
The following user types can use files and folders:
Readers
- View and download files
- View folders and metadata
- Perform social actions (like, follow, comment)
Contributors
- Upload new files
- Create subfolders
- Copy files to folders to which the Contributor has access
Editors
- Edit file content by uploading a new version
- Change item properties (Name, Description, or Document Type)
- Add or remove Tags
Owners
- Share files
- Delete and move files to Trash
- Restore files from Trash
- Move files
Restrictions
- Contributors
The permissions granted to Contributors apply only to folders, so we cannot set Contributors on a file. A user who is a contributor on a folder can read files in that folder by default.
- Owners
Owners have the highest role permissions, and cannot normally be set or modified.
- Created items
The following are added to an item when it is created:
- The item creator
- In a community library, the special group "Community Owners"
- Share files and folders
We can share with the following users and groups:
- Individual users
- Normal groups that exist in the directory for Connections
- Special groups. Special groups are handled by Connections, and have more dynamic membership than normal groups.
- Owner and member status
Community owners are all users in a Community with Owner status. Community members are all users in a Community with Member status.
- Public
Everyone (public) is all users that have accounts for Connections, and all anonymous users if they are enabled.
- Special groups
Special groups are inclusive of each other and the users in the groups. If a special group is on a higher role than a member contained in that group, the special group's role takes precedence.
- Breaking inheritance
When you break inheritance on an item, the Library adds all entries, besides the already present Owners, to the item's access list in FileNet. Connections Libraries do not set access directly in the Access Control list on a document in FileNet. Instead, Connections Libraries use a Role object that is added to the document. By using Roles instead of FileNet access lists, access is applied to all versions of a document at the same time. The user does not see the Role objects used in FileNet. Instead, the user interacts with the document access through the sharing tab. Resetting an item's inheritance erases the Role objects used for access within FileNet and resets all versions to reinherit from their parent.
- Inheritance in Libraries and Linked Libraries
Libraries created in Connections by adding a Library widget to a Community inherit access from that Community. Libraries created by manually creating Teamspaces in FileNet or other FileNet applications do not inherit access from a community. We can reference these Libraries created outside of Connections using the Linked Library widget.
Libraries and Linked Libraries have different sharing behaviors.
- Library widget
Controls membership for community libraries. Has the special groups with “Community” in the name, including:
- Community Members
- Community Owners
In addition, we can share only with individual users and groups that are explicitly added as Members to the current community.
- Linked Library widget
- Connecting to another community's library disables sharing in the Linked Library, but we can view an item's settings. A link is provided to return to the original Library to set access.
- Connecting to the same community's library enables, and acts like, a Library widget.
- Connecting to a library created outside of Connections enables sharing.
- Sharing
- Users must have access not only on specific items, but on the Library (Teamspace object in FileNet) to view content.
- We can share with anybody in Connections, and they can access content provided they are on the access list for the Teamspace. Because this scenario enables integrating with other applications, consult with the Library creator to ensure you have correct access on the Library.
- We can remove public access, or the special group Everyone (public), as they are not required.
- Share is only supported on FileNet.
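The rules above (group roles taking precedence, Contributors applying only to folders, broken inheritance, and the Teamspace requirement) can be exercised in a small model when reviewing who can reach an item. The Python below is an added example, not IBM Connections or FileNet code; the `Item` class, the function names, the strict role ranking and the sample users are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Role order follows the page's list; treating it as a strict ranking is an assumption.
RANK = {"reader": 1, "contributor": 2, "editor": 3, "owner": 4}

@dataclass
class Item:
    name: str
    is_folder: bool
    parent: Optional["Item"] = None
    acl: dict = field(default_factory=dict)  # principal (user or group) -> role
    inherits: bool = True                    # False once inheritance is broken

def access_list(item):
    """Entries that apply to an item: its own, plus the parent's while it inherits."""
    entries = list(item.acl.items())
    if item.inherits and item.parent is not None:
        for principal, role in access_list(item.parent):
            # Contributor applies only to folders; on a file it gives read access.
            if role == "contributor" and not item.is_folder:
                role = "reader"
            entries.append((principal, role))
    return entries

def break_inheritance(item):
    """Copy the inherited entries onto the item, then stop following the parent."""
    for principal, role in access_list(item)[len(item.acl):]:
        item.acl.setdefault(principal, role)
    item.inherits = False

def effective_role(user, item, groups, teamspace):
    """Highest role the user holds directly or through a group, or None."""
    who = {user} | {g for g, members in groups.items() if user in members}
    if not who & teamspace:  # no access on the Library (Teamspace) itself
        return None
    roles = [r for p, r in access_list(item) if p in who]
    return max(roles, key=RANK.get, default=None)

# Constructed sample community (hypothetical users, not real data).
GROUPS = {"Community Members": {"alice", "bob"}, "Community Owners": {"carol"}}
TEAMSPACE = {"Community Members", "Community Owners"}
FOLDER = Item("Specs", True, acl={"Community Owners": "owner",
                                  "Community Members": "contributor",
                                  "alice": "reader"})
DOC = Item("design.doc", False, parent=FOLDER, acl={"dave": "editor"})
```

In the sample, `dave` is shared on the file but is not on the Teamspace, so he gets no access. After `break_inheritance(DOC)`, removing an entry from the folder no longer changes who can read the file, which is worth checking when access is tightened on a parent.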