Access Control Lists


Access Control Lists (ACLs) are Documentum's method of restricting access to important documents. ACLs control Documentum's security layer.

  • You can assign seven different levels of access to your documents.
  • You can assign access to individual users or to groups of users.
  • Users can create their own private ACLs that only they can use.
  • System Admins can create System-Wide ACLs that can be used by everyone.
  • Extended permissions allow you to tweak what a user can do to an object.
  • Every sysobject in a docbase has an ACL assigned to it.

An ACL contains information about which users and groups have access to the document, and what level of access each has. When a user attempts to access an object, the Documentum Server looks in the ACL to determine which groups have access. It then looks in these groups to determine whether the user is a member of any of them. The user's effective access level is the highest level granted across all the groups the user belongs to.

Note: Even if you explicitly assign NONE (no access) to a user, if they are also in a group that has READ access, the user will have READ access to the object.

Levels of Access

(1) NONE: A user with NONE (no access) will never know that the document exists. They won't see it in a folder, and if they query for it, it will not be returned in the result list.

(2) BROWSE: A user with BROWSE access will be able to see the attributes of a document, but cannot view the content. The user will see the document within the folder in which it lives, and the user can query for it.

(3) READ: A user with READ access can view the attributes and content of a document, but cannot annotate it, version it or edit it.

(4) RELATE: A user with RELATE access can view the attributes and content and can annotate the content.

(5) VERSION: A user with VERSION access can read, annotate, and create new versions of a document, but cannot overwrite the current version of the document. If a user with VERSION access wants to modify the attributes of a document, he must check it out, modify the attributes, then check it in.

(6) WRITE: A user with WRITE access can read, annotate, version, and overwrite the current document, but cannot delete it. A user with WRITE access can modify the attributes of a document without checking it out.

(7) DELETE: A user with DELETE permission can do all these things, plus delete the document. DELETE permission is the highest level of permission that a user can have on a document.

These permissions are cumulative. For example, if you have READ permission, you can also browse. If you have WRITE permission, then you can also version, relate, read and browse.

ACL Rules

| If the user is | Status |
|---|---|
| dm_owner | access to the document no matter what |
| not in all the required_groups | no access |
| not in at least one of the required_group_set | no access |
| on the deny list | no access |
| on the dm_world | access |
| on the allow list | access |


Group Expansion for Our Connector

Unlike other connectors, ACL IDs are used as group names for Documentum's group expansion. The reason is that Documentum ACLs provide numerous additional security features, such as the following:

| If the user is | Permissions |
|---|---|
| dm_owner | Permissions that apply to the file owner. |
| dm_world | Permissions that apply to all users other than the owner. |
| Required Groups | Accessor must be a member of all the specified groups to access an object, for example: Only people with “Top Secret” clearance AND “US Citizens” can access documents marked as “Top Secret”. |
| Required Group Sets | Accessor must be a member of at least one of the listed groups to access an item, for example: Only people “in US” OR “in Japan” can access documents marked as “US-Japan Confidential”. |
| Access Restrictions | Accessor is explicitly denied access despite being a member of a group that has been given access, for example: A person can only have “Read” access for a given document even if he belongs to a group that is granted higher access to the same document. |


We are not able to validate these permissions during the crawl without doing group expansion, which is why we've indexed each file's ACL ID as a group name. During group expansion, all ACLs are downloaded and all groups to which the user belongs are fetched. Each ACL is checked to make sure the user has permission to see the file.

The component performs group expansion in the following way: BROWSE is the minimum permission the user must possess to have access to a file.
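
The Python sketch below is an added example, not the connector's own code: it applies the ACL Rules table top to bottom for one user and returns the ACL IDs that would be used as that user's group names. The field names, ACL IDs, users and groups are constructed, and applying the BROWSE minimum to the dm_world permit is an assumption.

```python
# Added example: field names and sample data are constructed, not Documentum's schema.
LEVELS = {"NONE": 1, "BROWSE": 2, "READ": 3, "RELATE": 4,
          "VERSION": 5, "WRITE": 6, "DELETE": 7}
MIN_LEVEL = LEVELS["BROWSE"]  # minimum permission the connector requires


def highest_level(acl, principals):
    """Highest level the allow list grants to the user or any of their groups."""
    granted = [LEVELS[lvl] for name, lvl in acl.get("allow", {}).items()
               if name in principals]
    return max(granted, default=LEVELS["NONE"])


def is_visible(acl, user, groups):
    """Apply the rule table top to bottom for one user and one ACL."""
    groups = set(groups)
    if user == acl.get("owner"):
        return True                   # dm_owner: access no matter what
    if not set(acl.get("required_groups", [])) <= groups:
        return False                  # must be in ALL required groups
    group_set = set(acl.get("required_group_set", []))
    if group_set and not group_set & groups:
        return False                  # must be in AT LEAST ONE group of the set
    if user in acl.get("deny", []):
        return False                  # denied despite any group grant
    if LEVELS[acl.get("dm_world", "NONE")] >= MIN_LEVEL:
        return True                   # dm_world permit (assumed to need BROWSE)
    return highest_level(acl, groups | {user}) >= MIN_LEVEL


def expand_groups(acls, user, groups):
    """ACL IDs the user may see; these are the indexed group names."""
    return sorted(acl_id for acl_id, acl in acls.items()
                  if is_visible(acl, user, groups))


# Constructed sample data (ACL IDs, users and groups are hypothetical).
SAMPLE_ACLS = {
    "acl_top_secret": {"owner": "alice", "allow": {"analysts": "READ"},
                       "required_groups": ["top_secret", "us_citizens"]},
    "acl_us_japan": {"owner": "alice", "allow": {"analysts": "WRITE"},
                     "required_group_set": ["in_us", "in_japan"], "deny": ["bob"]},
    "acl_public": {"owner": "alice", "dm_world": "BROWSE"},
    "acl_private": {"owner": "alice", "allow": {"carol": "NONE", "analysts": "READ"}},
}
```

In the sample data, carol holds an explicit NONE on `acl_private` but still sees it through the `analysts` group, which is the behaviour described in the Note above.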

