Why do I have lots of ACLs in my docbase and how do I remove them?
If you believe that you have too many ACLs and they are causing the problem, please read this Support Note.
Background:
Internal ACL vs Named ACL:
- A named ACL is an ACL that was created by an administrator or a user in the docbase. The attribute owner_name of this ACL will show a user name. For example, owner_name: dmadmin
- Internal ACLs are automatically generated by the docbase, and they have a computer generated name, such as dm_
What are the implications of having too many ACLs?
A large number of ACLs in your docbase is difficult maintain. Also, having too many internal ACLs may reveal an incorrect set up: If your business process is correctly implemented and set up, there should be very few occasions when internal ACLs are being generated.
How are Internal ACLs created?
Every dm_sysobject object in the docbase has an ACL assigned to it. Depending on the ACL inheritance of the serverconfig object, you can set how new objects get their ACL.
There are 4 ways where you can set an ACL to a particular object:
1. user
If your serverconfig is set to use "user", then every time the user creates a new object, this object will get the same ACL values as the user's default ACL.
2. folder
In a "folder" mode, the object gets its ACL from the folder where it is created.
3. type
Using "type" mode, default ACL of the type is being used to set the values of the newly created object's ACL.
4. permission set templates
You can use permission set template to set the ACL of an object. The requirement for permission set template is that the Server needs to be able to resolve any alias sets that might be related to the Permission Set Template. See Documentum eContent Server Object Reference Manual version 4.2 under (Alias Scope) page 1-26.
How do I find out the number of ACLs in my docbase?
1. Total ACLs:
DQL> select count(*) as Total_Number_of_ACLs from dm_acl
2. For Named ACLs created by users or the system administrator, you can run:
DQL> select count(*) as Number_of_Named_ACLs from dm_acl where r_is_internal=0 and acl_class = 0
3. For Template ACLs, you can run:
DQL> select count(*) as Number_of_Template_ACLs from dm_acl where r_is_internal=0 and acl_class <> 0
4. For Internal ACLs, you can run:
DQL> select count(*) as Number_of_Internal_ACLs from dm_acl where r_is_internal=1 and acl_class = 0
5. For Internal ACLs created from Template ACLs, you can run:
DQL> select count(*) as Number_of_Internal_ACLs_From_Template from dm_acl where r_is_internal=1 and acl_class <> 0
You should have:
#1 = #2 + #3 + #4 + #5
There is a good chance that the number of Internal ACLs (query #4 above) is high and represents more than 95% of the total number of ACLs in the docbase (query #1). Those are the ACLs that we can get rid of. Also, once your docbase is properly set up, no new Internal ACLs should be created any more.
For more information on those topics, please refer to the eContent Server documentation.
***********### IMPORTANT ###***********
Before going further in the resolution, we assume that you understand:
- DQL queries
- ACL model in Docbase
***************************************
==[ Step A ]=============================
Find out which Default ACL Mode the Docbase is currently using, then identify the folders / type / users which are using an Internal ACl and change it to a Named ACL so that the docbase stops generating Internal ACLs.
A.1. First, run the following query to find out what Default ACL the docbase is using:
DQL> select default_acl as Default_ACL_Mode from dm_server_config where object_name='
A.2. The result should be 1, 2 or 3 but regardless of the result, we suggest that you go through all the steps A.2.1, A.2.2 and A.2.3. The reason is that you want to remove all references to Internal ACls that folders or types or users may have.
A.2.1 If Default ACL mode is 1 (Folder):
Retrieve all the folder names which have an Internal ACL:
DQL> select r_object_id, acl_name, acl_domain, object_name from dm_folder where acl_name like 'dm_45%'
Update the ACLs of all folders that have Internal ACLs to your Named ACL.
DQL> update dm_folder objects set acl_name = '
Note: 'your docbase name' is the name of the docbase and 'your system ACL' is the name of a system ACL that you want to use as the default ACL. A system ACL is a Named ACL owned by the system administrator which can be shared across users.
Note: You need to update the acl_domain also if you want to update the acl of an object.
Note: We strongly recommend that you use a Named ACL that is owned by System. The reason is because you want to easily share this Named ACL with other users.
A.2.2 If Default ACL mode is 2 (Type):
Retrieve the default ACL and the owner name of the ACL for object types if the types have an Internal ACL associated with them:
DQL> select r_type_name, acl_name, acl_domain from dmi_type_info where acl_name like 'dm_45%' or acl_name = ' '
Update the ACLs of all types that using an Internal ACL or are don't have an ACL assigned and are subtypes of dm_sysobject by using Documentum Administrator interface. No DQL query is available for this task since dmi_type_info is an internal type.
A.2.3 - If Default ACL mode is 3 (User):
Retrieve all users (and groups) that are using an Internal ACL:
DQL> select r_object_id, user_name, acl_name from dm_user where acl_name like 'dm_45%'
Assign a named ACL to those users (and groups):
DQL> update dm_user objects set acl_name = '
Note: 'your docbase name' is the name of the docbase and 'your system ACL' is the name of a system ACL that you want to use as the default ACL. A system ACL is a Named ACL owned by the system administrator which can be shared across users.
Note: Make sure you update the acl_domain together with the acl_name. If the acl that you are assigning is not part of the current acl_domain, the server will return an error.
Note: We strongly recommend that you use a Named ACL that is owned by System (acl_domain=
===[ Step B ]=======================
At this point, you docbase should not generate new Internal ACLs. However, existing objects may be using an Internal ACL. This step helps you indentify those objects and change the Internal ACL to a Named ACL. This step is required before attempting to remove Internal ACLs.
B.1 - Retrieve all objects (content and folders) across the docbase that are using an Internal ACL:
DQL> select count(*) from dm_sysobject (all) where acl_name like 'dm_45%' and acl_name not like 'dm_45%\_8%' ESCAPE '\'
If you need to review those objects one by one:
DQL> select r_object_id, object_name, acl_name, acl_domain from dm_sysobject (all) where acl_name like 'dm_45%' and acl_name not like 'dm_45%\_8%' ESCAPE '\'
B.2 - Assign your Named ACL to all objects (content and folders) across the docbase that have Internal ACL:
DQL> update dm_sysobject (all) objects set acl_name='
Note: 'your docbase name' is the name of the docbase and 'your system ACL' is the name of a system ACL that you want to use as the default ACL. A system ACL is a Named ACL owned by the system administrator which can be shared across users.
Note: Only the contents that are not checked out will be updated. You may want to run this query periodically until no contents get returned from the queries in B.1
Note: You can refine the query so that only a subset of those objects get a Named ACL - per folder or creation date for instance.
Note: Make sure you update the acl_domain together with the acl_name. If the acl that you are assigning is not part of the current acl_domain, the server will return an error.
Note: We strongly recommend that you use a Named ACL that is owned by System (acl_domain=
Note: This query may take quite some time to run. In fact, the update statement may update so many objects at the same time that your database may run out of TEMP tablespace causing the query to fail. You may want to modify the query to modify a limited number of objects at the same time - by restricting per folder or creation date.
Note: You may not be able to update non-CURRENT objects if they are immutable. If this is your case, the query will return error DM_SYSOBJECT_E_CANT_SAVE_IMMUTABLE. In order to resolve this issue, you can take the '(all)' keyword out of the update statement so that only CURRENT objects will be updated. This may leave quite a significant number of Internal ACLs left in the docbase that are used by non-CURRENT objects.
===[ Step C ]===============================
Now that no new Internal ACL is created and most of the objects in the docbase are assigned a Named ACL - the remaining Internal Acls are those created from Template ACLs. Your docbase is now hosting many orphan ACLs. It is time to clean them up!
Job dm_clean can delete orphan ACLs from the docbase. While running job dm_clean (from Documentum Administrator or you can schedule the job to run periodically), make sure that argument '-clean_acl' is set to TRUE.
Before running the job, you can find out how many ACL the job will clean after going through step A and B:
DQL> select count(*) as Number_of_Internal_ACLs from dm_acl where r_is_internal=1 and acl_class = 0
To get more details about those ACLs:
DQL> select * from dm_acl where r_is_internal=1 and acl_class = 0
If you agree with the result, run dm_clean and go to Step D.
For more information, Refer to Documentum eContent Server Administrator's Guide Chapter 10 "Removing Unreferenced Internal ACLs".
===[ Step D ]===========================
Restart the docbase. Active sessions may still be running with no default ACLs and will keep generating internal ACLs.
After running dm_clean and restarting the docbase, you can verify if all Internal ACLs are gone by re-running the same queries as in Step C:
DQL> select count(*) as Number_of_Internal_ACLs from dm_acl where r_is_internal=1 and acl_class = 0
To get more details about those ACLs:
DQL> select * from dm_acl where r_is_internal=1 and acl_class = 0
You can identify the remaining documents that are still using a Internal ACL:
DQL> select r_object_id, object_name, title, acl_name, owner_name, r_version_label from dm_sysobject (all) where acl_name in (select object_name from dm_acl where object_name like 'dm_45%' and object_name not like 'dm_45%\_8%' ESCAPE '\') order by 1
For more information on how ACL are assigned in WebPublisher, please refer to Support Note 15997
Post
5 commenti:
[b][url=http://www.louisvuittonpursesmarket.com/]louis vuitton bags[/url][/b] Whether or not optimized for natural and organic lookup or as component of the paid marketing campaign, excellent on webpage content material is integral for just about any successful webpage. Presenting special, fascinating articles with your Search engine optimization and Pay per click pages will constantly interact buyers and construct a robust, reliable track record for your personal page. Allow say you sell a fundamental commodity like pencils.
[b][url=http://www.uggsbootsoutletmall.co.uk/]uggs boots[/url][/b] Simply exactly what does she don? Basically a person designed fiber outfit, Lv Men's Equipment some Strass stockings and Cherie shoes, a Minaudire Trsor, coupled with a dark Tambour Bijou enjoyThe reality is they keep content material brand extremely modest so it's not crystal clear who made the provider. This differs from a number of builders who firmly insist with putting significant brand names throughout the bag. Structural challenges with time period appendages assists make your life utterly excruciating.
[b][url=http://www.uggsbootsoutletmarket.com/]uggs boots[/url][/b] Really don't jump at cash or do what many others feel you'll want to - outline achievements on the very own conditions. Should you feel you are shifting from the route of where you belong, imagine in what you might be performing. Emotional distress can be an opportunity to mature.. With the intention to have excess strategies, you might produce a head over to to some hardly any Louis Vuitton Wallets For guys wholesale suppliers and auction. You shouldn't overlook to accumulate your time and energy when producing your selection. Enough time needs to be used in heading in the given methods to make certain that you're going to give you the option to decide the most helpful help you save.
[b][url=http://www.uggsclearancemall.co.uk/]ugg boots[/url][/b] In January Wal-Mart also introduced that it's reducing 11,2 hundred work opportunities. So there, now Wal-Mart has the method for effectivity. There's a lot more. Nicole Richie has last but not least introduced her private scent, appropriately referred to as Nicole. She claims she desires to be actually involved in every element of the method rather than just place her title on it. She acquired fifteen pairs of Christian Louboutins and $14,000 worth of lingerie.
[b][url=http://www.uggsonsalewebsite.co.uk/]ugg boots uk[/url][/b] This problem can also be attributable to a tube within the device that is certainly frozen. You may use a hairdryer to defrost the tube. This may solve your difficulty. Dancing is one particular schedule that cheerleaders do except for stunts. An excellent cheerleader gyrates and entertains the crowd as she cheers for her staff. In lots of school sports activities, the 50 % time clearly show highlights the dance moves of your cheerleaders.
wRzf michael kors handbags outlet
uBhu Lisseur GHD
vGhj north face on sale
0lNsf ugg boots sale uk
3dLsq michael kors sale
|
|
Each oF the key towns are reaFy [url=http://www.germanylovelv.com/]Louis Vuitton Outlet[/url]
oFFer several signiFies oF connection For instance AFSL, bluetooth, wireless anF people are becoming relateF on their pcs, laptop computers anF cellphonehttp://www.germanylovelv.com/
The rural regions are battling [url=http://www.germanylovelv.com/]Louis Vuitton Outlet[/url]
get linkeF plus the only solution available [url=http://www.germanylovelv.com/]Louis Vuitton Outlet[/url]
them at this time coulF be the olF antiquateF Fial up system making use oF a phone line, or by way oF satellite. Claims are built by govt, that insiFe oF a couple oF years, every person is going to be in a position [url=http://www.germanylovelv.com/]louis vuitton knolckoffs[/url]
get a phone anF as a consequence, can have worlF-wiFe-web access available [url=http://www.germanylovelv.com/]louis vuitton knolckoffs[/url]
them.
What nice answer
Certainly is not present.
What eventually it is necessary to it?
I know a site with answers to a theme interesting you.
Remarkable question
[url=http://shenenmaoyiww.snappages.com/blog.htm][b]michael kors outlet online[/b][/url]
[url=http://www.homebasedbusinessprogram.com/profiles/blogs/business-businesses-coping-with-key-rings-handbag-charms-becoming][b]michael kors outlet online[/b][/url]
[url=http://michaelkorscheap2.webstarts.com/index.html?r=20130115220111][b]michael kors outlet online[/b][/url]
[url=http://cheapbagmk2.soup.io/][b]michael kors outlet online[/b][/url]
[url=http://shenenmaoyizzz.yolasite.com/][b]michael kors outlet online[/b][/url]
Hello to the whole exceptional on this fine-looking forum. Quit to me improve myself. I am mistress and i am competition this website :
fue ile sac ekimi
Waiting for all these friends.
Best regards
Posta un commento