XCP2 vs ACLs

Yesterday another skypemate of mine asked me whether I knew anything about the following XCP error:

An error occurred while performing the requested operation. Please try again.

  Details 
    Error in operation Object create failure type=jorm1_nomupis

Error code: E_ECM_OPERATION_ERROR
[DM_SYSOBJECT_E_INVALID_ACL_DOMAIN]error: 
    "The <object_type> '<object_name>' is given an invalid ACL domain 'dmadmin'."

EMC published a ridiculous solution for this error; fortunately, I knew the root cause. Three cases:

user’s ACL:

API> retrieve,c,dm_acl where owner_name=USER
...
4501fd088003ad00
API> get,c,l,object_name
...
dm_4501fd088003ad00
API> create,c,dm_document
...
0901fd0880792c3e
API> set,c,l,acl_name
SET> dm_4501fd088003ad00
...
OK
API> set,c,l,acl_domain
SET> test01
...
OK
API> save,c,l
...
OK

repository owner’s ACL:

API> retrieve,c,dm_acl where owner_name='ssc_dev'
...
4501fd088002ec25
API> get,c,l,object_name
...
sample_acl
API> create,c,dm_document
...
0901fd0880792c3d
API> set,c,l,acl_name
SET> sample_acl
...
OK
API> set,c,l,acl_domain
SET> dm_dbo
...
OK
API> save,c,l
...
OK

foreign ACL:

API> retrieve,c,dm_acl where owner_name='dmadmin'
...
4501fd088000020a
API> get,c,l,object_name
...
dm_4501fd088000020a
API> create,c,dm_document
...
0901fd0880792c3c
API> set,c,l,acl_name
SET> dm_4501fd088000020a
...
OK
API> set,c,l,acl_domain
SET> dmadmin
...
OK
API> save,c,l
...
[DM_SYSOBJECT_E_INVALID_ACL_DOMAIN]error:  
   "The dm_document '' is given an invalid ACL domain 'dmadmin'."

Documentation (Fundamentals Guide; a bit confusing, but the previous listing makes it clear):

  • Public ACLs are available for use by any user in the repository. Public ACLs created by the repository owner are called system ACLs. System ACLs can only be managed by the repository owner. Other public ACLs can be managed by their owners or a user with Sysadmin or Superuser privileges.
  • Private ACLs are created and owned by a user other than the repository owner. However, unlike public ACLs, private ACLs are available for use only by their owners, and only their owners or a superuser can manage them.

The problem was that, by default, XCP objects inherit ACLs from the target folder, and somebody decided to grant additional permissions on the folder. It is strange that XCP has no foolproofing against this.
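
A small model of the three cases above, added here as an illustration (it is not code from the original post or from Documentum): it encodes the rules from the listing and the Fundamentals Guide quote, then flags folders whose ACL is private to one user, which is the setup that breaks ACL inheritance for everyone else. The folder paths, the `public` flag and the assumption that the session user in the listing is `test01` are constructed for the example.

```python
# Added example: models the ACL-domain rules quoted above; not Documentum code.
from dataclasses import dataclass

REPO_OWNER = "ssc_dev"  # repository owner from the listing (alias dm_dbo)


@dataclass(frozen=True)
class Acl:
    name: str
    domain: str           # owner_name of the dm_acl
    public: bool = False  # public ACL created by a user other than the owner


def is_shared(acl: Acl, repo_owner: str = REPO_OWNER) -> bool:
    """System ACLs and other public ACLs are usable by any user."""
    return acl.public or acl.domain in (repo_owner, "dm_dbo")


def can_use(acl: Acl, user: str, repo_owner: str = REPO_OWNER) -> bool:
    """True if `user` may assign `acl` to an object they create.
    A private ACL is usable only by its owner; anything else ends in
    DM_SYSOBJECT_E_INVALID_ACL_DOMAIN on save."""
    return is_shared(acl, repo_owner) or acl.domain == user


def risky_folders(folders, repo_owner: str = REPO_OWNER):
    """Folders carrying a private ACL: every user except the ACL owner
    fails to create objects that inherit the folder's ACL."""
    return [path for path, acl in folders if not is_shared(acl, repo_owner)]


# Constructed sample inventory: (folder path, ACL set on that folder).
FOLDERS = [
    ("/Apps/policies", Acl("sample_acl", "ssc_dev")),
    ("/Apps/claims", Acl("dm_4501fd088000020a", "dmadmin")),
    ("/Temp/test01", Acl("dm_4501fd088003ad00", "test01")),
]

if __name__ == "__main__":
    for path in risky_folders(FOLDERS):
        print("private ACL on folder, inheritance fails for other users:", path)
```
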

3 thoughts on “XCP2 vs ACLs”

  1. Hi,

    How do I resolve this issue? I have created the Concordant Insurance application in XCP2.2 and it gives me the same error if I create the policy object using any user other than the installation owner.


  2. I have very….hm, how to call this stupidity of ACL security model logic….I have a repository with permissions inherited from the folder. The folder is created by a regular user and the ACL assigned to the folder is owned by this user, with class set to REGULAR. When another regular user needs to add a document to this folder, it is not possible, with a DM_SYSOBJECT_E_INVALID_ACL_DOMAIN exception, since the folder ACL is regular and thereby not allowed to be used/set by another regular user, only by a superuser or the folder ACL owner. So, the ACL from the folder may not be inherited by the document and the document cannot be created.

    Why, when an ACL with its entries should specify exactly who can do something and with which permissions?
    And, why are default ACLs created by regular users not PUBLIC?
    And, why can't I set by some docbase configuration that all ACLs created by regular users are PUBLIC?

    Real Documentum in a Nuts[hell]!


  3. Pingback: Q & A. XV | Documentum in a (nuts)HELL
