How to change user permissions at runtime in Documentum

November 7th, 2009

We used dynamic group to change user permissions at runtime. Purpose of using dynamic groups for the implementation was to attach the document lifecycle at runtime. We wanted to attach the lifecycle to a documentum object when activity performer or workflow supervisor doesn’t have these permissions. We wrote a Java  method and this method was used in process activity. We followed following steps to accomplish this task:

  • Acquire the workitem.
  • Get documentum session.
  • Add the user to the SuperUser dynamic group so that user has SuperUser level permission.
  • Check if any lifecycle is already associated with document.
  • If no lifecycle is associated then find the lifecycle for the document using the docType attribute.
  • If lifecycle names are stored in an object named œlc_doctype, Run DQL query œselect * from dm_dbo.lc_doctype  where doctype=? to get the lifecycleName.
  • Retrieve the lifecycle object based on the lifecycleName.
  • Attach the above lifecycle object with the document.
  • Save the document.
  • Remove the user from the dynamic group.
  • Complete the workitem.
  • Release the session.

Dynamic group gives us a flexibility to add Documentum users into supervisory role and remove at runtime. Dynamic groups allow you to determine whether users in the group’s membership list are considered members of the group or not by default when the users connect to the repository. This behavior is controlled by the setting in the is_dynamic_default attribute of the group object.

When a dynamic group is created, the attribute is set to F by default. That setting means that users are not considered members of the group automatically. When the user connects to the repository, the application he or she is using must issue an IDfSession.addDynamicGroup call. If you reset the attribute to T, the server considers the users to be group members by default. To remove the user from the group, the application must issue an IDfSession.removeDynamicGroup method at session startup.

Check whether user belongs to a particular group

Use following query to check whether a user belongs to a particular group:

“select count(*) from dm_group where group_name = ‘<GROUP_NAME>’ and any i_all_users_names = ‘<USER_NAME>’”;

If user will be available into the group, above query returns a positive value.

Posted in Documentum | 1 Comment »

Posted by: Nitin Goyal