
FILENET :

Filenet : FileNet is an Enterprise Content Management (ECM) product suite from IBM. Enterprises use FileNet to manage their content and business processes. Example: an insurance company receives address change requests from its policy holders through a signed form mailed to one central location. The requirement is to digitize the request that arrived on paper, process it quickly, send the response to the customer and keep the digital images (say, for 7 years) for regulatory reasons. FileNet provides a platform and out-of-the-box products which help automate this kind of process quickly. After manual prepping of the mail received in the mailroom, 'FileNet Capture' allows scanning the paper documents. Once scanned, the digital images (documents) can be stored in 'FileNet Content Engine (CE)' and a workflow is launched in 'FileNet Process Engine (PE)'. The address change work is now assigned to an employee located in a different part of the world. The employee gets the work request in the in-basket of the 'FileNet Business Process Framework (BPF)' web application. The employee checks the request assigned to him and performs the address change on the customer's policy. After the address change is done, a communication is sent back to the customer and the digital documents are moved to 'FileNet Record Manager' for archival.

Which protocol is used by FileNet P8 Process Engine (PE) to connect to Content Engine (CE) or Application Engine (AE) : IIOP is used by PE to communicate with CE and AE. IIOP means 'Internet Inter-ORB Protocol'; ORB means 'Object Request Broker'. As CE is installed on AE, it uses direct API calls to communicate with AE.

Process Engine :
Connection Point : A Connection Point is used to connect to a specific Isolated Region in the PE database. In FEM, while creating a Connection Point we have to specify the PE Region id, to associate it with that particular region. In the Workplace general Site Preferences, you specify the name of the connection point, which sets the isolated region for all Workplace applications, such as Process Designer and Process Administrator. Connection points are stored in the Global Configuration Data (GCD) on the Content Engine. A connection point identifies the PE Server DNS name, the Communication Port and the Isolated Region Number.
Note :
1. One Connection Point can refer to one Isolated Region.
2. Multiple Connection Points can also refer to one Isolated Region.
3. Multiple Isolated Regions cannot refer to a single Connection Point.

Isolated Region : An isolated region is a logical subdivision of the workflow database that contains the queues for the work items, event logs, rosters, and other configuration information.
1. In FEM, while creating an isolated region we have to specify a Site, the PE Server DNS Name, the Communication Port, the Region Number and the Region id Password.
2. We have to initialize the Isolated Region in PCC.
3. We have to give the same information in PTM also, i.e. the CEURI, Communication Port and Region id Password (as given in FEM).
4. A workflow database can contain up to 1000 isolated regions, although a FileNet P8 system can access only one at a time. Within a workflow database, each isolated region is identified by a unique number ranging from 0 to 999. Isolated region 0 contains system data and is reserved for system software use. Users can define regions 1 to 999. You can create only 5 isolated regions. Enterprise Manager is configured with a URL, such as.

Different units in an organization that do not want to share workflow data can create different isolated regions. Example : the research department and the finance department in an organization have two altogether logically different processes. It is recommended to have two different isolated regions for these two departments. Multiple isolated regions also make it easy to maintain the systems: changes made in one region do not affect the users of another region.

In how many databases does FileNet Process Engine (PE) store data : FileNet Process Engine (PE) stores data in one database named VWDB.

Event log : A database table that contains information about certain system-level events related to work item processing.

Roster : A Roster is a database table that contains information on all the work items currently being processed in the Isolated Region. We can create a Roster using PCC. When you initialize an Isolated Region in PCC, a DefaultRoster and a DefaultEventLog are automatically created for that Isolated Region.

Queue : A Queue is a database table that stores and routes WIs in the workflow. There are four types of queues: User Queues, Work Queues, Component Queues, and System Queues.
1. User Queues :
   1. Inbox - the Inbox is the queue that holds WIs waiting to be processed by an individual user. We cannot create additional inboxes.
   2. Tracker - the Tracker is the queue for tracking items assigned to a specific user.
   The Inbox and Tracker queues are created automatically during initialization of the Isolated Region.
2. Work Queues : A Work Queue holds WIs that can be completed by one of a number of users rather than by a specific participant, or WIs that can be completed by an automated process. In the workflow, we can assign a step to a specific Work Queue.
3. System Queues :
   1. Delay Queue - WIs which are at a Delay step can be found here. As soon as the delay period elapses, WIs move from this queue to the next step as defined in the workflow map.
   2. Instruction Sheet Interpreter - used by the system; you don't touch it. When work moves from system to system, or when the Process Engine detects a race condition, the work item is put into the Instruction Sheet Interpreter queue so the PE can set it aside for a while (race condition) and come back to it.
   3. Conductor Queue - holds WIs when an exception occurs.
4. Component Queues : To process a workflow step using an external entity. Refer below.

Component Queue : A queue holding work items that can be completed by an external entity that interacts with the workflow. Using a Component Queue (external Java code) we can process a workflow step. Using PCC, we can configure the Component Queue using the Java Adaptor:
1. Write the Java code and package it as a JAR file.
2. In PCC, create the new Component Queue.
3. In PCC, configure the Component Queue by giving it the JAR file. It will show the classes and methods available inside the JAR file. Select the appropriate class from the drop down.
4. Place the JAR file in the Filenet/AE/Router/lib folder.
5. In PTM, add the JAR files in the Required Libraries tab and restart PTM.
6. In the workflow's Operation tab, the list of components is displayed. Select the component queue.
7. Once the Component Queue is selected, the Operation Parameters tab is displayed, where we have to give the parameters as Name, Type and expressions.

How to delete a queue in Process Engine : FileNet doesn't provide any mechanism to delete a queue, whether it is a work queue or a component queue.

The only workaround is to initialize the isolated region in the following way:
1. Export the isolated region configuration data to XML - use Process Configuration Console (PCC) to export all components of the selected isolated region.
2. Initialize the isolated region.
3. Take a backup of the XML file from the export in step 1 and carefully edit the XML file to remove the nodes of the unwanted queue.
4. Import the XML file into the recently initialized isolated region with the option 'overwrite'.
5. Validate the configuration.

Note: When an isolated region is initialized, it makes changes to the workflow database structure and the data in the workflow database is deleted. A FileNet developer should design and configure the queues very carefully to avoid a situation where they will have to delete a queue.

What happens to the work items when a work queue is deleted from PE : 1. A Process Engine work queue holds the work items. FileNet P8 doesn't provide any easy way to delete a queue. 2. Queues can be deleted by initializing the isolated region. When a queue is deleted, all the work items in it are also deleted.

Where to find information about the workflows or work items which are terminated : The FileNet Process Administrator allows an administrator to search for events in the event logs. The information about terminated work items can be found through Process Administrator by searching for events. Please note that PE queues only hold information about active work items / workflows.

Palettes :
BPM Palette : Component, General, System, Submap.
CheckPoint Palette : Begin Check Point, End Check Point, Rollback Check Point.
General System Palette : Assign, Create, Delay, Return, Wait for Condition, Terminate Branch, Terminate Process, Log.
Timer Palette : Begin Timer, End Timer, Suspend Timer, Resume Timer, End All Timers.
WebServices Palette : Invoke, Receive, Reply.

Deadline : An optional, time-based scheduling constraint that requires a step or workflow to be completed within a certain amount of time. For a step, the deadline is relative to the time the step was routed to the participant. For a workflow, the deadline is relative to the time the workflow was launched. A value of 0 indicates the absence of a deadline.

Milestone : A designated point in a workflow, used to track the progress of the workflow. Each milestone is defined to occur before or after a specified step. When the running workflow reaches a milestone, the message defined for that milestone is written to a log file. Milestone history can be viewed in the step processor or Process Tracker application.

Launch Step : The first step in a workflow. In Process Designer, the launch step is automatically placed on the main workflow map and cannot be deleted or copied.

Inbox : A folder that contains WIs assigned to a specific user.

Participant : A user or group assigned to process work at one or more steps in a workflow.

Stored Search : A file created in Search Designer that is run from the Workplace Browse page. Using the stored search displays a list of the documents that meet the search criteria.

SubMap : A workflow map that is called from another map in the same workflow definition.

VWLog : A Process Engine-based administration utility used to perform maintenance tasks related to the logging and statistics subsystem. We can use VWLog to delete log records within a specified interval, transfer log records from the database to a comma-separated (.CSV) file, or coalesce statistics records within a specified interval.

Step Processor : When a participant opens a work item at run time, the step processor displays the necessary instructions, attachments, current field values, response options, or other resources.

Site Preferences : Configuration settings that affect Workplace appearance, behavior, and connectivity. Administrators set site preferences using the Site Preferences application. Non-administrative users can set personal preferences, which override some site preferences.

Process Configuration Console : This is where we will create the Queues, Roster, Eventlog etc.

Content Engine :
Global Configuration Database (GCD): The Content Engine component that stores global data that defines the FileNet P8 domain. Data stored in a GCD includes information about: object stores, file storage areas, content cache areas, index areas, and other domain resources. The GCD also stores and manages the security descriptors for all accounts provided by the authentication provider.

Global Unique Identifier (GUID): Content Engine assigns a unique GUID to every object in the system. Typically, no other object in the world can have the same GUID.

Content Storage Areas : A physical storage area for content. There are four kinds:
1. File Storage Area
2. Fixed Storage Area
3. Database Storage Area
4. Content Cache Area
File Storage Area : A file storage area is an area that contains document content in a directory tree on a local or shared network drive. A file storage area retains document content in a Distributed File System (DFS) or a Windows NTFS file system. We can manage a file storage area through Enterprise Manager.
Fixed Storage Area : A fixed storage area stores the content in a fixed content device, which runs independently of the network file system to which the device is connected. Examples of fixed content devices: IBM Content Manager, EMC Centera, IBM Tivoli Storage Manager, IBM FileNet Image Services.
Database Storage Area : A database storage area is the database used for the object store. That is, Content Engine stores both the objects and the content for those objects in the same database. A database storage area converts document content into Binary Large Objects (BLOBs) for storage in the database specified as the Object Store database. Each Object Store has only one Database Storage Area.
Content Cache Area : A storage area that holds temporary copies of files retrieved from remote file storage areas, as well as content retrieved from local or remote database storage areas.

Index Area :

A storage area that contains one or more indexes, which are used to perform full-text searches against documents in an object store.

In how many databases does FileNet Content Engine (CE) store data : FileNet Content Engine (CE) has two or more databases:
1. Global Configuration Database (GCD) database (FNGCDDB)
2. Object Store databases (one or more)
A FileNet P8 domain can contain one or many object stores. Each object store has its own database, which can be an existing database or can be created by the object store creation wizard in FEM.

Site : Represents a geographical location where resources are well-connected by a fast, reliable LAN. Object stores, storage areas, content cache areas, index areas, and virtual servers are all associated with an individual site.

Realm : The collection of all user accounts and group memberships available to the FileNet P8 domain. Realms are created, maintained, and authenticated by the authentication provider and are thereafter read and used by a FileNet P8 domain.

Domain : A logical grouping of physical resources (object store databases, full text index areas, file storage areas, and content cache areas) and Content Engine servers that provide access to those resources. Each resource, and each Content Engine server, belongs to only one domain. A Content Engine server can access any resource in its domain, but cannot access any resource that lies outside of its domain. Note: The CE Global Configuration Data (GCD) database stores information about the resources and services for the FileNet P8 Domain.

Object Store : An object store is a database repository for storing objects such as documents, folders, custom objects and metadata.

Custom Object :
1. The custom object is a general purpose object that can be customized by subclassing and adding properties to perform a wide variety of tasks.
2. Custom Objects cannot be versioned.
3. Custom objects do not have any content.

Document Class : Before we add any documents to Content Engine, we must define custom document classes in the object store. There is a predefined document class in FEM that we can use to create custom subclasses for our application. We can assign custom properties to these subclasses. Every document belongs to a document class. The document class determines the document versioning, properties, storage location, security, and lifecycle.

Folders : Folders are used to group other objects including documents and custom objects. Folders help in organizing the documents and other items. A document can be filed in multiple folders. FileNet does not create copies of the document in this case; it creates a logical association between the folder and the document. A few important facts about folders:
1. Folders are not versionable; only documents are.
2. Folders are based on the CE folder class.
3. The content of a folder can be copied to another folder existing in the same object store.
4. It is not mandatory that each document or object be filed under a folder. Documents which are not part of any folder remain unfiled.
5. A Root Folder is created along with a new Object Store. This folder is the parent folder for all other folders in the Object Store.
6. Each Folder has its own custom security.
7. Folders can generate server events when they are created, modified, or deleted.

Choice list : 1. A choice list is a collection of predefined property values which can be used to present users with a list of values from which to choose. 2. A choice list is an object that contains a list of choices.

Event : In FileNet P8, an event is a change in the metadata that, when specified in an event subscription, initiates an event action. For example, an event could be the addition of a document to a folder. The event action might be to declare that document as a record.

Event Action / Event Subscription : An Event Action is an action implemented in external Java code or as a workflow, and a Subscription specifies the one or more events on which that action is triggered. For example, we can code an event action that sends an email notification to the administrator when a document of a certain class is deleted:
1. Assign the event action to a subscription created for the document class.
2. Select the Check In / Checkout / Update / Delete events as the trigger events in the subscription.

Workflow Subscription : A Workflow Subscription launches a workflow, just as an Event Action does, in response to an event triggered on an instance of a Document, Custom Object or Folder on Content Engine. We can create a Workflow Subscription through FEM or Workplace. When we create the workflow subscription, we must select a workflow definition that exists in the workflow database on PE.

Custom Property : A user-defined property. We can assign custom properties to a class.

Property Template : A template for creating one or more custom properties that can be assigned to one or more classes.

Root Class : 1. A root class is a class without a parent. A FileNet object store has multiple root classes including Document Class, Annotation, Choice List, Event etc. The Parent Class property of these root classes is None (as shown in the screenshot below). 2. The root classes are created automatically during object store creation. Once the root class is created, subclasses and properties can be added to the object store. For example, a document subclass can be added under the root class (Document Class) by running the Create a Class wizard from Enterprise Manager. Except for the Document Class, all other root classes are placed under Other Classes in FEM.

Root Folder : The top-most node in a navigation tree. In FEM, an object store Root Folder holds content, which consists of folders, documents, and custom objects.

Search Template : A file created in Search Designer that is run from either the Workplace Search or Browse page. Using the search template typically prompts the Workplace user to enter or change values and then displays a list of the documents that meet the search criteria.

Security : The rules that allow and limit access to Documents, Custom Objects and Folders.

Security Template : A set of security settings that can be applied to a Document, Folder, or Custom Object. Security templates are components of Security Policy.

Marking Sets : FileNet Content Engine (CE) Markings or Marking Sets provide a way to define a level of security on objects (e.g. documents) in addition to the normal FileNet P8 object security model. By using markings, access to objects can be controlled based on a specific property value. Marking sets are collections of CE objects known as marking objects. Marking sets allow setting up security on an object by means of a property template. When a marking is applied to an object, the resulting access permissions for the object are a combination of the settings of its original access permissions (through the ACL) and the settings of the 'Constraint Mask' of each marking that is applied to it. The result of this combination is the effective security mask. Below are a few key features of marking sets in FileNet P8:
1. A marking holds a set of access permissions that can be applied to any FileNet P8 object through a property template.
2. Marking sets can be assigned to a property template only at creation time and not later.
3. A property template can point either to a choice list or to a marking set, never to both.
4. Marking sets do not override the ACL (Access Control List). Content Engine resolves the object's ACL first and then looks into the marking set.
5. FileNet recommends a maximum of 100 markings per marking set.
6. Since marking sets are at domain level, they cannot be exported.
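The combination rule above (ACL first, then each applied marking's Constraint Mask) is easier to see with numbers. The following is an added example, not Content Engine code: it models access rights as bits, a marking set as a dictionary of marking objects, and computes the effective mask the way the page describes, assuming (as P8 does) that a marking's Constraint Mask only removes rights from principals who do not hold the marking's Use right. The right values, marking names, principals and ACL are all constructed for the example.

```python
"""Model of how a marking's Constraint Mask narrows an object's effective
access mask. Added example in plain Python, not Content Engine code; the
right bits, marking values and principals below are constructed."""

# A few access-right bits, constructed for the example (P8's AccessRight set
# is larger; the arithmetic is the same).
READ = 1 << 0
WRITE = 1 << 1
DELETE = 1 << 2
MAJOR_VERSION = 1 << 3
ALL_RIGHTS = READ | WRITE | DELETE | MAJOR_VERSION
RIGHT_NAMES = {READ: "READ", WRITE: "WRITE", DELETE: "DELETE", MAJOR_VERSION: "MAJOR_VERSION"}


class Marking:
    """One marking object: the property value it stands for, its Constraint
    Mask (rights withheld from users who lack Use on the marking) and the
    principals granted Use."""

    def __init__(self, value, constraint_mask, use_granted_to=()):
        self.value = value
        self.constraint_mask = constraint_mask
        self.use_granted_to = frozenset(use_granted_to)


class MarkingSet:
    """A named collection of markings keyed by property value."""

    MAX_RECOMMENDED = 100  # the recommended upper bound per set quoted above

    def __init__(self, name, markings):
        self.name = name
        self.markings = {m.value: m for m in markings}

    def warnings(self):
        """Checks a reviewer would run before binding the set to a property template."""
        found = []
        if len(self.markings) > self.MAX_RECOMMENDED:
            found.append(f"{self.name}: {len(self.markings)} markings exceeds the recommended {self.MAX_RECOMMENDED}")
        for m in self.markings.values():
            if m.constraint_mask and not m.use_granted_to:
                found.append(f"{self.name}/{m.value}: constraint mask set but nobody holds Use; "
                             "objects carrying this value lose those rights for everyone")
        return found


def acl_mask(acl, principal):
    """Resolve the object's ACL first: union of the rights granted to the
    principal (simplified ACE evaluation with allow entries only)."""
    mask = 0
    for who, rights in acl:
        if who == principal:
            mask |= rights
    return mask


def effective_mask(acl, marking_set, marking_values, principal):
    """ACL result combined with every applied marking.

    Rule modelled (following the description above): markings never add
    rights; each applied marking whose Use right the principal does not hold
    removes the bits of its Constraint Mask from the ACL result.
    """
    mask = acl_mask(acl, principal)
    for value in marking_values:
        marking = marking_set.markings[value]  # KeyError: value not in the set
        if principal not in marking.use_granted_to:
            mask &= ~marking.constraint_mask
    return mask


def describe(mask):
    """Human-readable, sorted names of the rights present in mask."""
    return sorted(name for bit, name in RIGHT_NAMES.items() if mask & bit)


# Constructed sample: a "Classification" marking set and an ACL that grants
# both users full rights; only the applied marking makes a difference.
CLASSIFICATION = MarkingSet("Classification", [
    Marking("Public", 0, use_granted_to=("alice", "bob")),
    Marking("Confidential", WRITE | DELETE | MAJOR_VERSION, use_granted_to=("alice",)),
    Marking("Secret", ALL_RIGHTS, use_granted_to=("alice",)),
])
SAMPLE_ACL = [("alice", ALL_RIGHTS), ("bob", ALL_RIGHTS)]

if __name__ == "__main__":
    for user in ("alice", "bob"):
        for marking in ("Public", "Confidential", "Secret"):
            rights = describe(effective_mask(SAMPLE_ACL, CLASSIFICATION, [marking], user))
            print(f"{user:6} {marking:13} -> {rights}")
    print(CLASSIFICATION.warnings())
```

Running it shows bob, who holds every right through the ACL, reduced to READ on a Confidential document and to nothing on a Secret one, while alice (who holds Use on both markings) keeps the ACL result; the `warnings` method catches the configuration mistake that makes an object unreachable for everyone.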

Security Policy : A set of security templates, which provide a way to apply default security settings as we add objects.

Storage Policy : Provides mapping to specific physical storage areas and is used to specify where content is stored for a given class or object with content (for example, a document).

Access Control List (ACL) : A list of access control entries (ACEs) applied to an object (class, document, folder, event, or any other securable object). ACLs are displayed on the Security tab of an object's property sheet.

Authentication : The process of verifying a user name and password at login time.

Authorization : The process of determining and enforcing the access rights for an authenticated user.

Classification: A process for automatically acquiring document properties from the document content (or another source).

Compound Document : A collection of files that are used together to create a group of linked documents.

Content Based Retrieval (CBR) : The process of searching for documents based on their content in addition to or instead of searching on properties.

Content-less Document : A document with properties but no content that is typically used to track a physical item such as a video tape.

Default Security : The security assigned to an object by predefined settings.

Directly Applied ACEs : The access rights acquired from a document class and subsequent edits made by a user or application. Directly applied access rights have precedence over indirectly applied access rights.

Document Classification Action: A root class that allows developers to create classifiers to examine and automatically map the contents of documents of a specific MIME type to a target document class.

Document Policy: A specification that indicates which form template and form data entry template are used for the policy, how mapping is configured between form template fields and document class properties, and any special property settings or security features. Document policies are available if FileNet P8 eForms integration has been configured.

Generic class: A class with no special behavior built in. The administrator can customize, save, and query a generic class.

Super Class: A class whose properties are inherited by its subclasses. For example, custom document classes inherit properties from their superclass (the supplied document class).

Unfiled Document: A document that is not contained in any folder. Users can search for unfiled documents and file them in folders.

Version: The properties and content associated with an instance of a document in an object. A version is created each time a document is checked out, edited, and checked in. A document version can be designated as a major version or a minor version.

Version Status: The state of a version. Minor versions have the status In Process, Reservation, or Superseded. Major versions have the status Released, Reservation, or Superseded.

Superseded version status : The version is no longer the most recent version in its version series.

Promote Version: An action that changes a minor version into a major version and sets its status to Released. Promotion sets the status of the previous major version to Superseded.

How to determine if FileNet Content Engine (CE) is running fine : Following are a few things one can check to find out if FileNet CE is running fine:
1. Check the WebSphere console for the 'FileNetEngine' web application status. It should be in the running state.
2. Try connecting to CE using FEM. If the connection is fine, CE is running. If CE is not running, the user will get the message 'Unable to logon to P8 domain'.
3. Try logging on to FileNet Workplace. If the user is able to sign in, CE and directory services are running fine. If not, the user will get a 'credential exception'.
4. Try the following URL: http://machine_name:port_number/FileNet/Engine, e.g. http://hqdemo1:9080/FileNet/Engine. If the 'Startup Context' page is displayed, CE is running fine. If CE is not running, the user will get the message 'The page cannot be found'.

Why use custom objects when we have content-less documents : 1. Unlike a Document object, a CustomObject object does not carry content, is not versionable, and does not support lifecycle functionality. 2. Custom objects are for creating composite objects. A custom object can contain content-less documents (i.e. metadata only) as well as other document classes and/or custom objects as its properties.

Application Engine: One of the FileNet P8 components. Application Engine hosts the Web sites that interact with object stores and Process Engine.

bootstrap properties: Initialization values for the Application Engine software.

LDAP :

See Lightweight Directory Access Protocol.

Multipurpose Internet Mail Extension (MIME) : An industry standard format for content, especially Internet mail. Content Engine provides a document property called "MIME type." The value for MIME type identifies a document type (such as text, XML, or application).

Process Analyzer: It supports monitoring and analyzing the business processes.

Process Simulator: It simulates workflows by performing "what-if" scenarios, providing business analysts with important information that helps streamline business processes.

Fetch vs GetInstance :

When many people think about interacting with an object from the server, they first think about doing a round-trip to fetch the object. That is a necessity for many things, but there are several cases where you do not need that initial fetch. For example, if you are only going to use an object so you can set the value of an object-valued property on another object, you really only need a reference. If you somehow know that the object already exists, you can skip the round-trip to fetch it. (If it turns out that you were wrong and it did not already exist, the referential integrity mechanisms in Content Engine will throw an exception when you try to save the referencing object.) The APIs have a mechanism called fetchless instantiation. There are three flavors of Factory methods for creating programming language objects that reference Content Engine objects, and you can tell them apart by the word used at the beginning of the method name:
1. create indicates that a new Content Engine object is to be created. No round-trip is done as the result of this Factory method call, although a save call must eventually be done.
2. fetch indicates that a round-trip will be immediately made to the Content Engine to verify that the object exists and to return an initial set of properties. Fine-tuning of the properties returned can be controlled via an optional PropertyFilter.
3. get indicates that no round-trip will be made. This is a fetchless instantiation. The API is taking your word for it that the object actually exists. There is no initial set of property values available, so you will need to request any property values that you need. If you know that you will always need some property values immediately, there is no advantage to fetchless instantiation.

VERSIONING :
Objectives : Review the concept of Versioning, including: Versioning levels; Frozen versions; Reservation object; Check In and Check Out; Promoting and Demoting a Document; VersionSeries object.

Versioning concepts :

3 levels of versioning :
1. No versioning enabled - the document cannot be checked into and out of an object store.
2. Single-level versioning - all documents are released (major) documents.
3. Two-level versioning - supports both minor and major document versions.
If versioning is enabled for a class, then both one- and two-level versioning are also enabled.

Versioning concepts (cont.) :
Major version - Released: generally made available to all users. Only one version of a document in a given version series can be in the Released state at a time.
Minor version - Draft: generally made available to a restricted set of authors and reviewers.

Versioning states :
Released : a major version.
In Process : a checked-in minor version.
Reservation : a document whose content is currently being edited.
Superseded : a major or minor version that is no longer the most recent version.

Frozen Versions :
The Versionable.freeze method prevents changes to the custom properties of a versionable object. You can freeze any checked-in document version, but you cannot freeze a reservation object. System-maintained properties of a frozen document version are still updated by the system as needed. The IsFrozenVersion property is set to true for the Versionable object. Once a document version has been frozen, it cannot be unfrozen; a new version has to be created. The frozen state does not prevent: checkout; further versioning of any new unfrozen versions; promoting and demoting a frozen version.

Reservation Object :
Created when a new document is created or an existing document is checked out. Deleted when a document is checked in or the checkout is cancelled. It is not a separate class; it "is" the unchecked-in version of the document. There is not more than one Reservation in a version series. Reservations are always minor versions. If a document is a reservation object, the value of its VersionStatus property is VersionStatus.RESERVATION.

Checkin a Document :
Major version - Document.checkin(autoClassify, checkinType) with checkinType = CheckinType.MAJOR_VERSION. Must have access rights AccessLevel.MAJOR_VERSION_DOCUMENT.
Minor version - Document.checkin(autoClassify, checkinType) with checkinType = CheckinType.MINOR_VERSION. Must have access rights AccessLevel.MINOR_VERSION_DOCUMENT.

Checkout a Document :
To check out successfully, the Document Class of the object must be version enabled (IsVersioningEnabled is true) and the user must have the appropriate access rights. Check that the document is the current version and is not already reserved, then create the reservation object:

    // objDoc.get_VersionSeries().get_IsReserved() can be used instead of objDoc.get_IsReserved()
    if (objDoc.get_IsCurrentVersion() && !objDoc.get_IsReserved()) {
        objDoc.checkout(ReservationType.EXCLUSIVE, null, null, null); // creates the reservation object
        objDoc.save(RefreshMode.REFRESH);
    }

Promoting a Document :
To successfully promote a document, the user must have the appropriate access rights. objDoc is the document to be promoted. Check that the document is the current version and the latest minor version (In Process):

    if (objDoc.get_IsCurrentVersion()
            && objDoc.get_VersionStatus().getValue() == VersionStatus.IN_PROCESS_AS_INT) {
        objDoc.promoteVersion();
        objDoc.save(RefreshMode.REFRESH);
    }

Demoting a Document :
objDoc is the document to be demoted. Check that the document is the current version, is the latest major version (Released) and does not currently have a reservation on it:

    if (objDoc.get_IsCurrentVersion()
            && objDoc.get_VersionStatus().getValue() == VersionStatus.RELEASED_AS_INT
            && !objDoc.get_IsReserved()) {
        objDoc.demoteVersion();
        objDoc.save(RefreshMode.REFRESH);
    }

Retrieving a Reservation Object :
Use get_Reservation on any Versionable object: document.get_Reservation(). You can get the reservation type by using document.get_ReservationType(). Possible values of the ReservationType property: COLLABORATIVE, EXCLUSIVE, OBJECT_STORE_DEFAULT.

Retrieving a VersionSeries Object :
From the Document object:

    Document aDoc = Factory.Document.fetchInstance(os, docId, null);
    VersionSeries objVersionSeries = aDoc.get_VersionSeries();

From the Factory.VersionSeries.fetchInstance method:

    VersionSeries aVS = Factory.VersionSeries.fetchInstance(os, vsid, null);

Retrieving All Objects in a Version Series :

    VersionableSet allDocs = objVersionSeries.get_Versions();

Then iterate through the VersionableSet object to get all the documents in the version series.

Retrieving an Object's Current or Released Version :
Retrieve the current version, then check it out of the object store:

    Document curDoc = (Document) objVersionSeries.get_CurrentVersion();
    curDoc.checkout(ReservationType.EXCLUSIVE, null, null, null);
    curDoc.save(RefreshMode.REFRESH);

Retrieve the current released version, then demote it to a minor version:

    Document objDoc = (Document) objVersionSeries.get_ReleasedVersion();
    objDoc.demoteVersion();
    objDoc.save(RefreshMode.REFRESH);
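The pre-conditions quoted in this section for checkout, promote and demote, and the rules for reservations and frozen versions, can be exercised without an object store. The block below is an added example, not IBM's code: a plain Python model whose method names mirror the Java API. The initial reservation number 0.1 and the numbering applied on demote are assumptions of the model, labelled in the comments.

```python
"""Simulation of the version-series rules summarised in this section: an added
example in plain Python, not IBM code. Method names mirror the Java API (checkout,
checkin, promoteVersion, demoteVersion, freeze) but nothing here talks to an
object store, and the version numbering applied on demote is an assumption."""

RELEASED, IN_PROCESS, RESERVATION, SUPERSEDED = "Released", "In Process", "Reservation", "Superseded"
MAJOR_VERSION, MINOR_VERSION = "MAJOR_VERSION", "MINOR_VERSION"  # stand-ins for CheckinType


class VersioningError(Exception):
    """Raised where Content Engine would reject the operation."""


class VersionSeries:
    """Versions of one document, oldest first; the last one is current (reservation included)."""
    def __init__(self):
        self.versions, self.reservation = [], None


class Document:
    def __init__(self, series, major, minor, status):
        self.series, self.major, self.minor, self.status = series, major, minor, status
        self.is_frozen = False
        series.versions.append(self)

    @property
    def is_current(self):  # IsCurrentVersion
        return self.series.versions[-1] is self

    @property
    def is_reserved(self):  # IsReserved, series-wide like VersionSeries.IsReserved
        return self.series.reservation is not None

    def checkout(self):
        if not (self.is_current and not self.is_reserved):
            raise VersioningError("checkout needs the current, unreserved version")
        # Freeze does not block checkout; the reservation is always a minor version.
        self.series.reservation = Document(self.series, self.major, self.minor + 1, RESERVATION)
        return self.series.reservation

    def checkin(self, checkin_type):
        if self.status != RESERVATION:
            raise VersioningError("only the reservation object can be checked in")
        prev = self.series.versions[-2] if len(self.series.versions) > 1 else None
        if checkin_type == MAJOR_VERSION:
            self.major, self.minor, self.status = self.major + 1, 0, RELEASED
            if prev is not None:
                prev.status = SUPERSEDED  # only one Released version per series
        else:
            self.status = IN_PROCESS
            if prev is not None and prev.status == IN_PROCESS:
                prev.status = SUPERSEDED  # a Released major version stays Released
        self.series.reservation = None

    def promoteVersion(self):
        if not (self.is_current and self.status == IN_PROCESS):
            raise VersioningError("promote needs the current In Process version")
        for v in self.series.versions:
            if v.status == RELEASED:
                v.status = SUPERSEDED  # the previous major version is superseded
        self.major, self.minor, self.status = self.major + 1, 0, RELEASED

    def demoteVersion(self):
        if not (self.is_current and self.status == RELEASED and not self.is_reserved):
            raise VersioningError("demote needs the current, unreserved Released version")
        others = [v for v in self.series.versions if v is not self]
        # Assumption: the demoted version becomes the next minor of the previous
        # major (2.0 -> 1.1); the earlier Superseded major is left as it is.
        prev_major = max((v.major for v in others), default=0)
        next_minor = 1 + max((v.minor for v in others if v.major == prev_major), default=0)
        self.major, self.minor, self.status = prev_major, next_minor, IN_PROCESS

    def freeze(self):
        if self.status == RESERVATION:
            raise VersioningError("a reservation object cannot be frozen")
        self.is_frozen = True  # custom properties now read-only; there is no unfreeze


def rejected(fn):  # True if the model (like Content Engine) rejects fn()
    try:
        fn()
        return False
    except VersioningError:
        return True


def scenario():  # check in, check out, promote and freeze one document
    s = VersionSeries()
    v1 = Document(s, 0, 1, RESERVATION)  # assumption: a new document starts as reservation 0.1
    s.reservation = v1
    v1.checkin(MAJOR_VERSION)            # 1.0 Released
    v2 = v1.checkout()
    v2.checkin(MINOR_VERSION)            # 1.1 In Process, 1.0 still Released
    v2.promoteVersion()                  # 2.0 Released, 1.0 Superseded
    v2.freeze()
    v3 = v2.checkout()                   # freeze does not prevent checkout
    v3.checkin(MINOR_VERSION)            # 2.1 In Process
    assert rejected(v1.checkout)         # 1.0 is no longer current
    return [(f"{v.major}.{v.minor}", v.status) for v in s.versions]
```

`scenario()` returns the series as (version number, status) pairs, ending with 1.0 Superseded, 2.0 Released and 2.1 In Process; the guards in each method are the same three checks (IsCurrentVersion, VersionStatus, IsReserved) that the Java fragments above perform before calling checkout, promoteVersion and demoteVersion.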

------END OF VERSIONING------

SECURITY:
Objectives
Review security concepts, including:
    - JAAS authentication
    - Security policy
    - Security template
    - Permissions / access rights
    - Create a security policy using Enterprise Manager
    - Apply a security policy to a folder
    - Set security inheritance from a folder to a document

Security Implementation
    - The security model leverages third-party directory service products; currently Microsoft Active Directory, Sun ONE Directory Server, Novell eDirectory, IBM Directory Server and MS ADAM.
    - The directory service configured on the Content Engine authenticates the user name and password; FileNet P8 does not keep a proprietary user/password database of its own.
    - A single P8 LDAP configuration in the Content Engine.

Authentication
The Content Engine server accepts incoming requests over two transport protocols: EJB and the Content Engine web service (CEWS) transport. CE uses JAAS as the basis for authentication.

Authentication occurs between a J2EE client application, a J2EE application server, and one or more JAAS LoginModules.

EJB transport: FileNet code is not involved in authentication; it is handled by the JAAS framework. Callers are authenticated by the J2EE application server before they can reach the EJB layer.

CEWS transport: FileNet code is involved. When a web service request arrives at the FileNet P8 Content Engine server, the Content Engine web service listener extracts the WS-Security header and, based on its contents, performs a JAAS login.

Login Modules
Login modules are specified in a JAAS configuration file. The file contains one JAAS configuration (stanza) for each of the various needs of the CE itself or of clients using the CE. Each stanza is a list of LoginModules; each entry in the list specifies the fully qualified name of a Java LoginModule class, a control flag ("required", "optional", "sufficient" or "requisite"), and options for that LoginModule. The FileNet-supplied stanzas are:
    1. FileNetP8 - used by Java thick clients to authenticate before using the EJB transport.
    2. FileNetP8Engine - used by the Content Engine server (the WSI listener) when authenticating WSI transport calls. Users can modify this stanza, but only if using WS-EAF.
    3. FileNetP8Server - used by server-side applications (such as servlets, applets, EJBs and FileNet P8 Workplace) to authenticate over the EJB transport. Clients running inside an application server container should use this stanza for username/password logins.
    4. FileNetP8WSI - used by a Java thick client to force the use of the WSI transport.
    5. FileNetP8KerberosService - used internally; should not be modified by users.
    6. CELogin - identifies and locates the login module or modules used by the CE_Operations component.
LoginContext
Performing and using a JAAS login consists of three steps:
    1. Obtain a LoginContext object
    2. Call LoginContext.login()
    3. Impersonate the logged-in user to perform the actual work

    // "mysystem" must be the name of a stanza in the JAAS configuration (for a thick client, FileNetP8).
    // UserPasswordHandler is an application-supplied CallbackHandler that answers the Name/Password
    // callbacks; a hard-coded password as shown is for illustration only, never for production code.
    LoginContext lc = new LoginContext("mysystem",
            new UserPasswordHandler("username@testdom.local", "password"));
    // Alternatively, prompt the user interactively:
    // LoginContext lc = new LoginContext("mysystem", new DialogCallbackHandler());
    lc.login();
    // Associate the JAAS Subject with the UserContext
    UserContext uc = UserContext.get();
    uc.pushSubject(lc.getSubject());
    try {
        // ... perform the work as the logged-in user ...
    } finally {
        uc.popSubject();   // always pop, or the thread keeps running under this identity
    }
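Nothing in the stanza mechanism described above is FileNet-specific, so it can be exercised offline with the JDK alone. The following is an added example, not code from the page or from IBM: a programmatic stanza carrying the same (LoginModule class, control flag, options) triple a config-file stanza holds, a toy LoginModule that checks a constructed in-memory user table in place of a directory service, and a callback handler playing the role the page's UserPasswordHandler plays. The stanza name DemoStanza, the class names and the credentials are assumptions made up for the illustration; it needs only a plain JDK (11 or later).

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Stand-alone JAAS login: a programmatic stanza, a toy LoginModule and a callback handler. */
public class JaasStanzaDemo {
    /** Hypothetical stanza name; a FileNet client would use one of the FileNetP8* names. */
    static final String STANZA = "DemoStanza";

    /** Programmatic form of a config-file stanza: (LoginModule class, control flag, options). */
    static final class StanzaConfiguration extends Configuration {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!STANZA.equals(name)) return null;   // unknown stanza: LoginContext refuses to start
            return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    InMemoryLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED, Map.of()) };
        }
    }

    /** Toy LoginModule checking a constructed in-memory table; a real one asks the directory service. */
    public static final class InMemoryLoginModule implements LoginModule {
        private static final Map<String, char[]> USERS = Map.of("alice@testdom.local", "s3cret".toCharArray());
        private Subject subject;
        private CallbackHandler handler;
        private String user;
        private boolean ok;

        @Override
        public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> opts) {
            this.subject = subject;
            this.handler = handler;
        }

        @Override
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });   // the handler fills in name and password
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback handling failed: " + e.getMessage());
            }
            char[] expected = USERS.get(nc.getName());
            char[] given = pc.getPassword();
            ok = expected != null && given != null && Arrays.equals(expected, given);
            pc.clearPassword();                               // do not keep the secret around
            if (given != null) Arrays.fill(given, '\0');
            if (!ok) throw new FailedLoginException("bad user name or password");
            user = nc.getName();
            return true;
        }

        @Override
        public boolean commit() {   // only now does the identity land in the Subject
            if (ok) subject.getPrincipals().add((Principal) () -> user);
            return ok;
        }

        @Override public boolean abort() { ok = false; user = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    /** Answers Name/Password callbacks from caller-supplied values (the role UserPasswordHandler plays above). */
    static CallbackHandler credentials(String name, char[] password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(name);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb, "unsupported callback");
            }
        };
    }

    /** Steps 1 and 2 of the recipe above; in FileNet step 3 would be UserContext.pushSubject(subject). */
    public static Subject login(String name, char[] password) throws LoginException {
        LoginContext lc = new LoginContext(STANZA, null, credentials(name, password), new StanzaConfiguration());
        lc.login();
        return lc.getSubject();
    }

    public static void main(String[] args) throws Exception {
        Subject s = login("alice@testdom.local", "s3cret".toCharArray());   // constructed credentials
        for (Principal p : s.getPrincipals()) System.out.println("logged in as " + p.getName());
        try {
            login("alice@testdom.local", "wrong".toCharArray());
        } catch (LoginException e) {
            System.out.println("rejected: " + e.getMessage());   // the REQUIRED module failed
        }
    }
}
```

Because the module is flagged REQUIRED, a failed login() makes the whole LoginContext.login() fail and abort() is called instead of commit(), so no Principal is ever added to the Subject. Passing the Configuration object directly keeps the example self-contained; a FileNet deployment would instead point java.security.auth.login.config at the file containing the FileNetP8* stanzas.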

Authorization
Object-level security: users and groups, read/write permissions, and the object's access control list (ACL).
Security grantee: a user or a group.

Permission classes/interfaces
    Permissions (the Permissions property, an AccessPermissionList) - the full set of access control entries (ACEs) associated with an object
    AccessRight - a set of constants that identify individual permissions (access rights) that can be applied to an object
    AccessLevel - a set of commonly used combinations of access rights for use when setting permissions
    AccessPermission / AccessPermissionList - defines access permissions through a bitmask of access rights
    AccessType - the kind of access (allow or deny) that a user has for a given AccessPermission object
    PermissionSource - specifies the source of a given access permission (direct, inherited from the security parent, from a security template, or default)

Create Object Permissions
    // Create a new access permission object
    AccessPermission ap = Factory.AccessPermission.createInstance();
    // Create a new permissions list
    AccessPermissionList apl = Factory.AccessPermission.createList();
    // Set the access permission
    ap.set_GranteeName("test1");
    ap.set_AccessType(AccessType.ALLOW);
    ap.set_AccessMask(new Integer(AccessLevel.FULL_CONTROL_DOCUMENT_AS_INT));
    // Add the permission to the list
    apl.add(ap);
    // Set the list on the object. Caution: this REPLACES the object's ACL; any existing ACE not in apl is dropped.
    myDocument.set_Permissions(apl);
    myDocument.save(RefreshMode.REFRESH);

Update/Modify Object Permissions
    // Get the object's existing permissions and add to them, so current ACEs are preserved
    AccessPermissionList apl = objCustom.get_Permissions();
    // Create a new access permission object
    AccessPermission ap = Factory.AccessPermission.createInstance();
    // Set the access permission
    ap.set_GranteeName("test1");
    ap.set_AccessType(AccessType.ALLOW);
    ap.set_AccessMask(new Integer(AccessLevel.FULL_CONTROL_DOCUMENT_AS_INT));
    // Apply the permissions to the object
    apl.add(ap);
    objCustom.set_Permissions(apl);
    objCustom.save(RefreshMode.REFRESH);

Access Rights
Each value is a single bit (a power of two), so rights are combined with bitwise OR into an access mask.

    Right              Value       Description
    READ               1           User can read the properties of this object.
    WRITE              2           User can modify the properties of this object.
    MAJOR_VERSION      4           User can promote or demote this document.
    LINK               16          User can link to this object.
    UNLINK             32          User can unlink from this object.
    MINOR_VERSION      64          User can create a new version of this document.
    VIEW_CONTENT       128         User can view the content of this document.
    CREATE_INSTANCE    256         User can create a new instance of this object.
    CREATE_CHILD       512         User can create a child object of this object.
    CHANGE_STATE       1024        User can change the document state.
    PUBLISH            2048        User can publish this document object.
    DELETE             65536       User can delete this object.
    READ_ACL           131072      User can read the security of this object.
    WRITE_ACL          262144      User can modify the security of this object.
    WRITE_OWNER        524288      User can assume ownership of this object.
    CONNECT            1048576     User can connect to this object store.
    STORE_OBJECTS      2097152     User can create and store new objects in this object store.
    MODIFY_OBJECTS     4194304     User can modify objects in this object store.
    REMOVE_OBJECTS     8388608     User can remove objects in this object store.
    WRITE_ANY_OWNER    16777216    User can change the ownership of this object.

Retrieve Access Rights
    Access rights: read, write, publish, version or delete
    AccessType: allow or deny the access right
    Current user rights: the access rights granted to the user requesting this object, returned by getAccessAllowed() on any IndependentlyPersistableObject
    Checking for a specific right:
    Document doc = ...;
    int docMask = doc.getAccessAllowed();
    if ((docMask & AccessRight.READ_AS_INT) == 0) {
        // User does not have the right to read!
    }
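The table and the getAccessAllowed() check above are plain bit arithmetic, which can be exercised offline. The block below is an added example, not code from the page or from IBM: it uses the bit values from the table, folds a constructed ACL of allow and deny entries into one effective mask, decodes a mask back into right names, and shows the one check that goes wrong when a mask has more than one bit. The Ace class, the grantee names and the deny-overrides-allow fold are assumptions made for the illustration; the Content Engine computes the real answer server-side with its own precedence rules, which is what getAccessAllowed() returns.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Access-mask arithmetic over the AccessRight bit values tabulated above (plain Java, no Jace.jar). */
public class AccessMaskDemo {

    // Same numbers as the AccessRight.*_AS_INT constants listed in the table above.
    public static final int READ = 1, WRITE = 2, MAJOR_VERSION = 4, LINK = 16, UNLINK = 32,
            MINOR_VERSION = 64, VIEW_CONTENT = 128, CREATE_INSTANCE = 256, CREATE_CHILD = 512,
            CHANGE_STATE = 1024, PUBLISH = 2048, DELETE = 65536, READ_ACL = 131072,
            WRITE_ACL = 262144, WRITE_OWNER = 524288, CONNECT = 1048576, STORE_OBJECTS = 2097152,
            MODIFY_OBJECTS = 4194304, REMOVE_OBJECTS = 8388608, WRITE_ANY_OWNER = 16777216;

    private static final Map<String, Integer> NAMES = new LinkedHashMap<>();
    static {
        String[] n = { "READ", "WRITE", "MAJOR_VERSION", "LINK", "UNLINK", "MINOR_VERSION",
                "VIEW_CONTENT", "CREATE_INSTANCE", "CREATE_CHILD", "CHANGE_STATE", "PUBLISH", "DELETE",
                "READ_ACL", "WRITE_ACL", "WRITE_OWNER", "CONNECT", "STORE_OBJECTS", "MODIFY_OBJECTS",
                "REMOVE_OBJECTS", "WRITE_ANY_OWNER" };
        int[] v = { READ, WRITE, MAJOR_VERSION, LINK, UNLINK, MINOR_VERSION, VIEW_CONTENT,
                CREATE_INSTANCE, CREATE_CHILD, CHANGE_STATE, PUBLISH, DELETE, READ_ACL, WRITE_ACL,
                WRITE_OWNER, CONNECT, STORE_OBJECTS, MODIFY_OBJECTS, REMOVE_OBJECTS, WRITE_ANY_OWNER };
        for (int i = 0; i < v.length; i++) NAMES.put(n[i], v[i]);
    }

    /** Hypothetical ACE: the three fields of an AccessPermission that matter for evaluation. */
    public static final class Ace {
        final String grantee; final boolean allow; final int mask;
        public Ace(String grantee, boolean allow, int mask) {
            this.grantee = grantee; this.allow = allow; this.mask = mask;
        }
    }

    /** True only when EVERY bit of required is present; (mask & required) != 0 passes on ANY bit. */
    public static boolean hasAll(int mask, int required) {
        return (mask & required) == required;
    }

    /** Folds the ACEs naming the user or one of the groups into one mask: allows are OR'ed together,
     *  then every denied bit is cleared. Deny-beats-allow is the order assumed here for illustration. */
    public static int effectiveMask(List<Ace> acl, String user, Set<String> groups) {
        int allowed = 0, denied = 0;
        for (Ace ace : acl) {
            if (!ace.grantee.equals(user) && !groups.contains(ace.grantee)) continue;
            if (ace.allow) allowed |= ace.mask; else denied |= ace.mask;
        }
        return allowed & ~denied;
    }

    /** Names of the rights set in a mask, e.g. for an audit log line. */
    public static List<String> decode(int mask) {
        List<String> out = new ArrayList<>();
        for (Map.Entry<String, Integer> e : NAMES.entrySet())
            if ((mask & e.getValue()) != 0) out.add(e.getKey());
        return out;
    }

    public static void main(String[] args) {
        // Constructed ACL: read-only for all staff, editing rights for editors, a deny on contractors.
        List<Ace> acl = List.of(
                new Ace("all-staff", true, READ | VIEW_CONTENT),
                new Ace("editors", true, WRITE | MINOR_VERSION | MAJOR_VERSION),
                new Ace("contractors", false, VIEW_CONTENT | MAJOR_VERSION));
        int mask = effectiveMask(acl, "bob", Set.of("all-staff", "editors", "contractors"));
        System.out.println("effective rights:      " + decode(mask));
        System.out.println("may read:              " + hasAll(mask, READ));
        System.out.println("may check in major:    " + hasAll(mask, WRITE | MAJOR_VERSION));
        System.out.println("any-bit test (wrong):  " + ((mask & (WRITE | MAJOR_VERSION)) != 0));
    }
}
```

The page's `(docMask & AccessRight.READ_AS_INT) == 0` test is correct because READ is a single bit; once a check involves a combination such as WRITE | MAJOR_VERSION, the any-bit form reports success although MAJOR_VERSION was denied, so always compare the masked value against the full required mask.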

Retrieve User Information
    Get realm:  Factory.Realm.fetchCurrent()  or  EntireNetwork.get_MyRealm()
    Get group:  Realm.findGroups()
    Get user:   Group.get_Users(), Realm.findUsers()
    User information from a User object: get_Name(), get_DisplayName(), get_Email(), get_MemberOfGroups(), get_DistinguishedName(), get_ShortName()

User/Group Name
    Distinguished name: consists of a group's or user's short name and the name of its domain. For example, for a group with the short name "Domain Computers", the distinguished name might be "CN=Domain Computers,CN=Users,DC=westcoast,DC=local".
    Short name: the simple, non-unique portion of the distinguished name that does not indicate its location relative to a domain or directory. For example, the short name portion of the distinguished name "CN=Seattle,CN=Users,DC=westcoast,DC=local" is "Seattle".

Security Inheritance
An object can inherit permissions from the following sources:
    * An object designated as the security parent (SecurityParent property). For example, a Document object can inherit the permissions of the Folder in which it is filed.
    * A security policy.
    * A combination of security parent and security policy.

    int type = ap.get_PermissionSource().getValue();
    if (type == PermissionSource.SOURCE_TEMPLATE_AS_INT) {
        // inherited from a security policy
    }
An inherited permission cannot be modified in place; change it on the object it came from (the security parent or the security template).

Security Parent
    Example: a Folder is the security parent of a Document.
    Inheritance must be enabled on the parent's ACEs for permissions to propagate: AccessPermission.set_InheritableDepth()
    InheritableDepth property:
         0 - no inheritance (this object only)
         1 - immediate children only
        -1 - all children (infinite levels deep)
    To set the security parent of an object, use set_SecurityParent().

Security Policy
Enables state-based object security: controls access to an object as its state changes. Example: all users can view a document when its version state is 'Released'.
    Server-managed versioning state changes
        Apply to versionable objects
        States: InProcess, Released, Reservation and Superseded
    Application-managed object state changes
        Apply to versionable and non-versionable objects
        Access rights are based on application-defined states
    A security policy contains a collection of permissions called security templates and is assigned through the object's SecurityPolicy property.
    A policy can manage objects of different classes.
    An object has at most one security policy at a time (SecurityPolicy is single-valued), while one policy can be shared by many objects.
    The SecurityPolicy contains one or more SecurityTemplate objects that define the permissions to assign to a given object.

Security Template
    A predefined set of object permissions that is applied to an object as the object's state changes; one template for each object state.
    Types:
    * Application SecurityTemplate - application-managed object security; never applied automatically
    * Versioning SecurityTemplate - applied automatically on versioning state changes
    API:
        Containable.get_SecurityPolicy()
        SecurityPolicy.get_SecurityTemplates()
        SecurityTemplate.get_ApplyStateId()
        SecurityPolicy.set_SecurityTemplates()
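The InheritableDepth values and the rule that an inherited ACE cannot be edited in place are easiest to see on a small folder tree. The block below is an added example, not code from the page or from IBM: it models a SecurityParent chain in plain Java, walks it to produce the effective ACL of a document, tags inherited copies with a PARENT source the way PermissionSource distinguishes them, and refuses in-place edits of such copies. The tree, the grantee names and the Ace/Node classes are constructed for the illustration; on a real system the Content Engine performs this evaluation itself.

```java
import java.util.ArrayList;
import java.util.List;

/** SecurityParent inheritance with InheritableDepth and PermissionSource, modelled in plain Java. */
public class InheritanceDemo {

    // Bit values from the access-rights table above; only the ones this example uses.
    static final int READ = 1, WRITE = 2, VIEW_CONTENT = 128, DELETE = 65536;

    /** Mirrors the PermissionSource values that matter for parent inheritance. */
    public enum Source { DIRECT, PARENT }

    /** Hypothetical ACE carrying only the fields inheritance needs. */
    public static final class Ace {
        public final String grantee; public final int mask; public final int depth; public final Source source;
        public Ace(String grantee, int mask, int depth, Source source) {
            this.grantee = grantee; this.mask = mask; this.depth = depth; this.source = source;
        }
        /** Only a DIRECT ACE may be edited; an inherited copy has to be changed on the object it came from. */
        public Ace withMask(int newMask) {
            if (source != Source.DIRECT) throw new IllegalStateException("inherited permission cannot be modified in place");
            return new Ace(grantee, newMask, depth, source);
        }
    }

    /** A folder or document; securityParent is the object it inherits from (null for a top-level folder). */
    public static final class Node {
        public final String name; public final Node securityParent; public final List<Ace> directAces = new ArrayList<>();
        public Node(String name, Node securityParent) { this.name = name; this.securityParent = securityParent; }
        /** depth: 0 = this object only, 1 = immediate children only, -1 = all descendants. */
        public Node grant(String grantee, int mask, int depth) {
            directAces.add(new Ace(grantee, mask, depth, Source.DIRECT));
            return this;
        }
    }

    /** Own ACEs plus every ancestor ACE whose InheritableDepth reaches this object: an ACE d levels up
     *  arrives when depth == -1 or depth >= d. Inherited copies are tagged PARENT. */
    public static List<Ace> effectiveAcl(Node node) {
        List<Ace> out = new ArrayList<>(node.directAces);
        int distance = 0;
        for (Node p = node.securityParent; p != null; p = p.securityParent) {
            distance++;
            for (Ace a : p.directAces)
                if (a.depth == -1 || a.depth >= distance)
                    out.add(new Ace(a.grantee, a.mask, a.depth, Source.PARENT));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed tree: /Claims -> /Claims/2024 -> claim-0001.pdf
        Node root  = new Node("/Claims", null)
                .grant("claims-admins", READ | WRITE | VIEW_CONTENT | DELETE, -1)   // all descendants
                .grant("auditors", READ, 1);                                        // immediate children only
        Node year  = new Node("/Claims/2024", root).grant("adjusters", READ | VIEW_CONTENT, 1);
        Node claim = new Node("claim-0001.pdf", year).grant("bob", READ | WRITE, 0);

        for (Ace a : effectiveAcl(claim))
            System.out.printf("%-14s mask=%-7d depth=%-2d source=%s%n", a.grantee, a.mask, a.depth, a.source);
        // "auditors" is absent: its depth-1 ACE reaches /Claims/2024 but not the document below it.
        try {
            effectiveAcl(claim).get(1).withMask(READ);   // index 1 is the adjusters ACE inherited from the folder
        } catch (IllegalStateException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

Two things worth noticing in the output: a depth of 1 on the top-level folder stops at the year folder, so anyone relying on it to cover documents filed two levels down will be surprised, and only the document's own bob entry is editable; the other two would have to be changed on /Claims/2024 or /Claims respectively, which is exactly where a security parent change has its blast radius.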

---------------END OF SECURITY---------------------
