Dynamic groups. Basics

It seems that “dynamic groups” are yet another blind spot in the documentation: the Fundamentals guide states that dynamic groups can’t belong to non-dynamic ones, while the Administration and Configuration guide, on the contrary, gives examples of exactly that: dm_browse_all/dm_browse_all_dynamic, dm_superusers/dm_superusers_dynamic (I have no idea why the dm_read_all/dm_read_all_dynamic pair is missing from the Administration guide). The only true thing about dynamic groups you can read in the documentation is: dynamic groups are intended to be enabled/disabled at runtime, which allows a user to gain/lose some extra privileges.

How can a user or application enable dynamic group membership? I know two options:

  • Per session: by calling the SET_DYNAMIC_GROUPS RPC command:
    API> ?,c,select count(*) from dm_sysobject
    count(*)
    ----------------------
                    533274
    (1 row affected)
    
    API> apply,c,,SET_DYNAMIC_GROUPS,DYNAMIC_GROUP_ADD,S,dm_superusers_dynamic
    ...
    q0
    API> next,c,q0
    ...
    OK
    API> get,c,q0,result
    ...
    T
    API> close,c,q0
    ...
    OK
    API> apply,c,,GET_DYNAMIC_GROUPS
    ...
    q0
    API> next,c,q0
    ...
    OK
    API> dump,c,q0
    ...
    USER ATTRIBUTES
    
      group_name                   [0]: dm_superusers
                                   [1]: dm_superusers_dynamic
    
    SYSTEM ATTRIBUTES
    
    
    APPLICATION ATTRIBUTES
    
    
    INTERNAL ATTRIBUTES
    
    
    API> close,c,q0
    ...
    OK
    API> ?,c,select count(*) from dm_sysobject
    count(*)
    ----------------------
                    612027
    (1 row affected)
    
  • Per RPC: by adding extra arguments to the RPC command:
    API> ?,c,select count(*) from dm_sysobject
    count(*)
    ----------------------
                    533289
    (1 row affected)
    
    API> apply,c,,EXEC,QUERY,S,select count(*) from dm_sysobject,
         __REQUESTED_PROTECTED_ROLES,S,dm_superusers_dynamic
    ...
    q0
    API> next,c,q0
    ...
    OK
    API> dump,c,q0
    ...
    USER ATTRIBUTES
    
      count(*)                        : 612040
    
    SYSTEM ATTRIBUTES
    
    
    APPLICATION ATTRIBUTES
    
    
    INTERNAL ATTRIBUTES
    
    
    API> close,c,q0
    ...
    OK
    

How are dynamic groups protected in Documentum?

As you can see, it is simple enough to elevate privileges if you are a potential member of a dynamic group and are able to execute API commands. If my memory serves me right, dynamic groups were introduced in Documentum 5.3; in that release there was no option to prevent a user who was a potential member of a dynamic group and able to execute API commands from enabling its privileges. In Documentum 6 EMC introduced a special flag, “is_protected”, in the dm_group type. I already wrote about privileged clients previously: the DA option “Approve Privilege” enables usage of all dynamic groups in the repository for a specific DFC client:

If you want to set dynamic groups individually for each DFC client, you should take advantage of the allowed_roles attribute of the dm_client_rights object:

How can we add all users to dynamic group?

There is a widespread but wrong belief that the content server determines the groups a user belongs to using a query like:

select group_name from dm_group where any i_all_users_names='user_name'

Actually, the content server uses a couple of queries:

  • non-dynamic groups the user belongs to:
    SELECT *
      FROM (SELECT gr1.i_nondyn_supergroups_names
              FROM dm_group_r gr1, dm_group_r gr2
             WHERE     gr1.r_object_id = gr2.r_object_id
                   AND gr2.users_names = '<user_name>'
                   AND gr1.i_nondyn_supergroups_names IS NOT NULL
            UNION ALL
            SELECT gr1.i_nondyn_supergroups_names
              FROM dm_group_r gr1, dm_group_r gr2
             WHERE     gr1.r_object_id = gr2.r_object_id
                   AND gr2.groups_names = 'dm_world'
                   AND gr1.i_nondyn_supergroups_names IS NOT NULL)
     WHERE ROWNUM <= 375;
    
  • dynamic groups enabled by default:
    SELECT gs.group_name,
           gs.is_dynamic,
           gs.is_dynamic_default,
           gs.is_protected,
           gs.is_module_only
      FROM dm_group_s gs, dm_group_r gr
     WHERE     gs.r_object_id = gr.r_object_id
           AND gs.is_dynamic = 1
           AND gs.is_dynamic_default = 1
           AND (   gr.users_names = '<user_name>'
                OR gr.groups_names = 'dm_world'
                OR gr.groups_names IN
                      (SELECT gr1.i_nondyn_supergroups_names
                         FROM dm_group_r gr1, dm_group_r gr2
                        WHERE     gr1.r_object_id = gr2.r_object_id
                              AND (   gr2.users_names = '<user_name>'
                                   OR gr2.groups_names = 'dm_world')
                              AND gr1.i_nondyn_supergroups_names IS NOT NULL));

  • non-dynamic groups a dynamic group belongs to:
    SELECT DISTINCT gr1.i_nondyn_supergroups_names
      FROM dm_group_r gr1
     WHERE gr1.r_object_id IN
              (SELECT gs.r_object_id
                 FROM dm_group_s gs, dm_group_r gr
                WHERE     gr.groups_names = '<group_name>'
                      AND gs.r_object_id = gr.r_object_id
                      AND gr.groups_names IS NOT NULL);

Does anything look strange? Yes: the groups_names = ‘dm_world’ condition. So, instead of adding every user to a specific group individually, we can just add ‘dm_world’ to the group, after which all repository users will be treated as members of that group:

API> apply,c,,SET_DYNAMIC_GROUPS,DYNAMIC_GROUP_ADD,S,dm_read_all_dynamic
...
q0
API> next,c,q0
...
OK
API> get,c,q0,result
...
F
API> close,c,q0
...
OK
API> retrieve,c,dm_group where group_name='dm_read_all_dynamic'
...
1201fd0880000106
API> append,c,l,groups_names
SET> dm_world
...
OK
API> save,c,l
...
OK
API> apply,c,,SET_DYNAMIC_GROUPS,DYNAMIC_GROUP_ADD,S,dm_read_all_dynamic
...
q0
API> next,c,q0
...
OK
API> get,c,q0,result
...
T
API> close,c,q0
...
OK
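The membership queries above, run against a small SQLite model of dm_group_s/dm_group_r, as an added example that is not part of the original post: it lists the dynamic groups a user could enable (through users_names, dm_world or a non-dynamic supergroup), tags each with the is_protected/is_module_only flags read from dm_group_s, and flags unprotected dynamic groups that dm_world makes reachable for every repository user. The table layout, the ids, the user names and the groups other than dm_world, dm_superusers_dynamic and dm_read_all_dynamic are constructed, the Oracle-style queries are adapted to SQLite, and the assumption that i_nondyn_supergroups_names lists the group itself is mine.

```python
import sqlite3
# Constructed sample repository: simplified dm_group_s / dm_group_r, placeholder ids.
SCHEMA = """CREATE TABLE dm_group_s (r_object_id TEXT, group_name TEXT, is_dynamic INT,
    is_dynamic_default INT, is_protected INT, is_module_only INT);
CREATE TABLE dm_group_r (r_object_id TEXT, users_names TEXT, groups_names TEXT,
    i_nondyn_supergroups_names TEXT);"""
# GROUPS: (id, name, is_dynamic, is_dynamic_default, is_protected, is_module_only)
GROUPS = [("g1", "dm_world", 0, 0, 0, 0), ("g2", "admins", 0, 0, 0, 0),
          ("g3", "dm_superusers_dynamic", 1, 0, 0, 1),
          ("g4", "dm_read_all_dynamic", 1, 0, 0, 0), ("g5", "auditors_dynamic", 1, 1, 1, 0)]
# ROWS: one row per repeating value (id, users_names, groups_names, i_nondyn_supergroups_names);
# assumed here that i_nondyn_supergroups_names lists the non-dynamic group itself.
ROWS = [("g1", "alice", None, None), ("g1", "bob", None, None), ("g1", None, None, "dm_world"),
        ("g2", "alice", None, None), ("g2", None, None, "admins"),
        ("g3", None, "admins", None),    # only members of admins are potential members
        ("g4", None, "dm_world", None),  # dm_world appended: every user is a potential member
        ("g5", "bob", None, None)]
# The post's membership query without its is_dynamic_default = 1 filter (all enable-able groups).
POTENTIAL = """SELECT DISTINCT gs.group_name, gs.is_dynamic_default, gs.is_protected,
       gs.is_module_only FROM dm_group_s gs, dm_group_r gr
 WHERE gs.r_object_id = gr.r_object_id AND gs.is_dynamic = 1
   AND (gr.users_names = :u OR gr.groups_names = 'dm_world' OR gr.groups_names IN
          (SELECT gr1.i_nondyn_supergroups_names FROM dm_group_r gr1, dm_group_r gr2
            WHERE gr1.r_object_id = gr2.r_object_id
              AND (gr2.users_names = :u OR gr2.groups_names = 'dm_world')
              AND gr1.i_nondyn_supergroups_names IS NOT NULL))"""
WORLD_OPEN = """SELECT gs.group_name FROM dm_group_s gs, dm_group_r gr
 WHERE gs.r_object_id = gr.r_object_id AND gs.is_dynamic = 1
   AND gs.is_protected = 0 AND gr.groups_names = 'dm_world'"""

def build_repo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO dm_group_s VALUES (?,?,?,?,?,?)", GROUPS)
    conn.executemany("INSERT INTO dm_group_r VALUES (?,?,?,?)", ROWS)
    return conn

def potential_dynamic_groups(conn, user):
    """Dynamic groups the user could enable, each with the flags restricting how."""
    out = {}
    for name, default, protected, module_only in conn.execute(POTENTIAL, {"u": user}):
        flags = [label for on, label in ((default, "enabled by default"),
                 (protected, "is_protected: privileged client only"),
                 (module_only, "is_module_only: per-RPC only, no SET_DYNAMIC_GROUPS")) if on]
        out[name] = flags or ["SET_DYNAMIC_GROUPS or per-RPC from any client"]
    return out

def world_open_dynamic_groups(conn):
    """Unprotected dynamic groups every repository user can enable via dm_world."""
    return [row[0] for row in conn.execute(WORLD_OPEN)]
```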

Module roles

Documentation:

Does it look clear? No. The only difference between “module roles” and “regular” dynamic groups is that a module role cannot be enabled through the SET_DYNAMIC_GROUPS RPC:

API> retrieve,c,dm_group where group_name='dm_superusers_dynamic'
...
1201fd0880000102
API> set,c,l,is_module_only
SET> T
...
OK
API> save,c,l
...
OK
API> connect,ssc_dev,test01,test01
...
s1
API> apply,c,,SET_DYNAMIC_GROUPS,DYNAMIC_GROUP_ADD,S,dm_superusers_dynamic
...
q0
API> next,c,q0
...
OK
API> get,c,q0,result
...
F
API> getmessage,c,
...
[DM_GROUP_E_MODULE_ROLE_STATEFUL_REQUEST]error:  
   "Module Role cannot be added through AddDynamicGroup interface.  
    A call was made to add a role (dm_superusers_dynamic) to the session in a stateful
    mode. This is not allowed when the is_module_only attribute is set."

API> close,c,q0
...
OK
API> ?,c,select count(*) from dm_sysobject
count(*)
----------------------
                533421
(1 row affected)

API> apply,c,,EXEC,QUERY,S,select count(*) from dm_sysobject,
     __REQUESTED_PROTECTED_ROLES,S,dm_superusers_dynamic
...
q0
API> next,c,q0
...
OK
API> dump,c,q0
...
USER ATTRIBUTES

  count(*)                        : 612172

SYSTEM ATTRIBUTES


APPLICATION ATTRIBUTES


INTERNAL ATTRIBUTES


API> close,c,q0
...
OK
