Filenet Glossary

FileNet is an enterprise content management solution from IBM that allows organizations to manage their content and automate business processes. It uses components like Capture, Content Engine, and Process Engine to digitize paper documents, store digital content, and automate workflows. An example is provided of an insurance company using FileNet to automate address change requests from policyholders by scanning paper forms, routing the digital documents through a workflow, and storing them for regulatory compliance.

Uploaded by

Vanja Haleš

FILENET :

FileNet is an Enterprise Content Management (ECM) product suite from IBM.
Enterprises use FileNet to manage their content and business processes.
Example:
An insurance company receives address change requests from its policyholders through a signed form mailed to one central location. The requirement is to digitize the requests that arrive on paper, process them quickly, send the response to the customer and keep the digital images (for, say, 7 years) for regulatory reasons.
FileNet technology provides a platform and out-of-the-box products that help automate this kind of process quickly. After manual prepping of the mail received in the mailroom, 'FileNet Capture' allows scanning of the paper documents. Once scanned, the digital images (documents) can be stored in 'FileNet Content Engine (CE)' and a workflow is launched in 'FileNet Process Engine (PE)'. The address change work is now assigned to an employee located in a different part of the world. The employee gets the work request in the user in-basket of the 'FileNet Business Process Framework (BPF)' web application. The employee checks the request assigned to him and performs the address change on the customer policy. After the address change is done, a communication is sent back to the customer and the digital documents are moved to 'FileNet Record Manager' for archival.
Which protocol is used by FileNet P8 Process Engine (PE) to connect to Content Engine (CE) or
Application Engine (AE) :
IIOP is used by PE to communicate with CE and AE.
IIOP means 'Internet Inter-ORB Protocol'
ORB means 'Object Request Broker'
As CE is installed on AE, it uses direct API calls to communicate with AE.

Process Engine :
Connection Point :
Connection Point is used to connect to the specific Isolated Region in PE Database.
In FEM, while creating Connection Point we have to specify PE Region id, to associate with the particular
region.
In Workplace general Site preferences, you specify the name of the connection point which sets the isolated
region for all Workplace applications, such as Process Designer and Process Administrator.
Connection points are stored in Global Configuration Data (GCD) on the Content Engine.
Note : 1. One Connection Point can refer to one Isolated region.
2. Multiple Connection Point also can refer to one isolated Region.
3. Multiple isolated region cannot refer to single Connection Point.
PE Server DNS, Communication Port, Isolated Region Number.

Isolated Region :
An isolated region is a logical subdivision of the workflow database that contains the queues for the work items,
event logs, rosters, and other configuration information.
1. In FEM, while creating an isolated region we have to specify:
   1. Site
   2. PE Server DNS Name
   3. Communication Port
   4. Region Number and
   5. Region id Password
2. We have to initialize the Isolated Region in PCC.
3. We also have to give the same information in PTM, such as the CE URI, Communication Port and Region id Password (as given in FEM).
4. A workflow database can contain up to 1000 isolated regions, although a FileNet P8 system can access only one at a time. Within a workflow database, each isolated region is identified by a unique number ranging from 0 to 999. Isolated region 0 contains system data and is reserved for system software use. Users can define regions 1–999. You can create only 5 isolated regions. Enterprise Manager is configured with a URL, such as.
Different units in an organization that do not want to share workflow data can create different isolated regions.
Example : The research department and the finance department in an organization have two logically altogether different processes. It is recommended to have two different isolated regions for these two departments.
Multiple isolated regions also make it easy to maintain the systems. Changes made in one region don't affect the users of another region.
In how many databases does FileNet Process Engine (PE) store data :
FileNet Process Engine (PE) stores data in one database named VWDB.
Event log :
A database table that contains information about certain system-level events related to work item processing.
Roster :
Roster is a database table that contains information on all the work items currently being processed in the
Isolated Region.
We can create the Roster using PCC.
When you initialize an Isolated Region in PCC, a DefaultRoster and a Default Eventlog are automatically created for that Isolated Region.

Queue :
A Queue is a database table that stores and routes WIs in the workflow.
There are four types of queues: User Queues, Work Queues, Component Queues, and System Queues.
1. User Queues :
   1. Inbox - Inbox is the queue that holds WIs waiting to be processed by an individual user. We cannot create additional inboxes.
   2. Tracker - Tracker is the queue for tracking items assigned to a specific user.
   The Inbox and Tracker Queues are created automatically during initialization of the Isolated Region.
2. Work Queues :
   A Work Queue holds WIs that can be completed by one of a number of users rather than by a specific participant, or WIs that can be completed by an automated process.
   In the Workflow, we can assign a step to a specific Work Queue.
3. System Queues :
   1. Delay Queue - WIs which are at a delay step can be found here. As soon as the Delay period elapses, WIs will move from this queue to the next step as defined in the workflow map.
   2. Instruction Sheet Interpreter - It's used by the system and you don't touch it. When work moves from system to system or when the process engine detects a race condition the work item is put into the instruction sheet interpreter queue so the PE can forget about it for a while (race condition) and come back to it.
   3. Conductor Queue - Holds WIs when an exception occurs.
4. Component Queues :
   To process a workflow step using an external entity. Refer below.

Component Queue :
A queue holding work items that can be completed by an external entity that interacts with the workflow.
Using the Component Queue (external Java code) we can process the workflow step.
Using PCC, we can configure the Component Queue using the Java Adaptor.
1. Write the Java code and package it as a JAR file.
2. In PCC, create the new Component Queue.
3. In PCC, configure the Component Queue by giving the JAR file. It will show the classes and methods available inside the JAR file. Select the appropriate class from the drop down.
4. Place the JAR file in the Filenet/AE/Router/lib folder.
5. In PTM, add the JAR files in the Required libraries tab, and restart the PTM.
6. In the Workflow, on the Operation tab, the list of components will be displayed. Select the component queue.
7. Once the Component Queue is selected, the Operations parameter tab will be displayed, where we have to give the parameters as Name, Type and expressions.

How to delete a queue in Process Engine :

FileNet doesn't provide any mechanism to delete a queue, whether it is a work queue or a component queue.
The only workaround is to initialize the isolated region in the following way:
1. Export isolated region configuration data to XML - Use Process Configuration Console (PCC) to export all components of the selected isolated region.
2. Initialize the isolated region.
3. Take a backup of the XML file from the export in step 1 and carefully edit the XML file to remove the nodes of the unwanted queue.
4. Import the XML file into the recently initialized isolated region with the option 'overwrite'.
5. Validate the configuration.

Note: When an isolated region is initialized, it makes changes to the workflow database structure and the data in the workflow database is deleted.
A FileNet developer should design and configure the queues very carefully to avoid a situation where they will have to delete a queue.
What happens to the work items when a work queue is deleted from PE :
1. A Process Engine work queue holds the work items. FileNet P8 doesn't provide any easier way to delete a queue.
2. Queues can be deleted by initializing the isolated region. When a queue is deleted, all the work items in it are also deleted.

Where to find information about the workflows or work items which are terminated :
The FileNet Process Administrator allows an administrator to search for events in event logs.
The information about the terminated work items can be found through Process Administrator by searching for events.
Please note that PE queues only hold the information about active work items / workflows.
Palettes :
BPM Palette : Component, General, System, Submap
CheckPoint Palette : Begin Check point, End Check Point, Rollback Check point
General System Palette : Assign, Create, Delay, Return, Wait for Condition, Terminate Branch,
Terminate Process, Log.
Timer Palette : Begin Timer, End Timer, Suspend Timer, Resume Timer, End All Timer.
WebServices Palette : Invoke, Receive, Reply.
Deadline :
An optional, time-based scheduling constraint that requires a step or workflow to be completed within a certain
amount of time. For a step, the deadline is relative to the time the step was routed to the participant. For a
workflow, the deadline is relative to the time the workflow was launched. A value of 0 indicates the absence of a
deadline.
Milestone :
A designated point in a workflow, used to track the progress of the workflow. Each milestone is defined to occur
before or after a specified step. When the running workflow reaches a milestone, the message defined for that
milestone is written to a log file. Milestone history can be viewed in the step processor or Process Tracker
application.

Launch Step :
The first step in a workflow. In Process Designer, the launch step is automatically placed on the main workflow
map and cannot be deleted or copied.
Inbox :
A folder that contains WIs assigned to a specific user.
Participant :
A user or group assigned to process work at one or more steps in a workflow.
Stored Search :
A file created in Search Designer that is run from the Workplace Browse page. Using the stored search
displays a list of the documents that meet the search criteria.
SubMap :
A workflow map that is called from another map in the same workflow definition.
VWLog :
A Process Engine-based administration utility used to perform maintenance tasks related to the logging and
statistics subsystem. We can use VWLog to delete log records within a specified interval, transfer log records
from the database to a comma-separated (.CSV) file, or coalesce statistics records within a specified interval.
Step Processor :
When a participant opens a work item at run time, the step processor displays the necessary instructions,
attachments, current field values, response options, or other resources.
Site Preferences :
Configuration settings that affect Workplace appearance, behavior, and connectivity. Administrators set site
preferences using the Site Preferences application. Non-administrative users can set personal preferences,
which override some site preferences.
Process Configuration Console :
This is where we will create the Queues, Roster, Eventlog etc.

Content Engine :
Global Configuration Database (GCD):
The Content Engine component that stores global data that defines the FileNet P8 domain. Data stored in a GCD includes information about: object stores, file storage areas, content cache areas, index areas, and other domain resources. The GCD also stores and manages the security descriptors for all accounts provided by the authentication provider.
Global Unique Identifier (GUID):
Content Engine assigns a unique GUID to every object in the system. Typically, no other object in the world can
have the same GUID.
Content Storage Areas :
A physical storage area for content.
1. File Storage Area
2. Fixed Storage Area
3. Database Storage Area
4. Content Cache Area
File Storage Area:
A file storage area is an area that contains document content in a directory tree on a local or shared network drive. A file storage area retains document content in a Distributed File System (DFS) or a Windows NTFS file system. We can manage a file storage area through Enterprise Manager.
Fixed Storage Area :
A fixed storage area stores the content on a fixed content device. A fixed content device runs independently of the network file system to which the device is connected.
Ex. of Fixed Content Device : IBM Content Manager, EMC Centera, IBM Tivoli Storage Manager, IBM FileNet Image Services.
Database Storage Area:
A database storage area is the database used for the object store. That is, Content Engine stores both the objects and the content for those objects in the same database.
A database storage area converts document content into Binary Large Objects (BLOBs) for storage in the database specified as the Object Store database.
Each Object Store has only one Database Storage Area.
Content Cache Area:
It's a storage area that holds temporary copies of files retrieved from remote file storage areas, as well as content retrieved from local or remote database storage areas.

Index Area :
A storage area that contains one or more indexes, which are used to perform full-text searches against
documents in an object store.
In how many databases does FileNet Content Engine (CE) store data :
FileNet Content Engine (CE) has two or more databases:
1. Global Configuration Database (GCD) database (FNGCDDB)
2. Object Store databases (one or more)

A FileNet P8 domain can contain one or many object stores. Each object store has its own database, which can be an existing database or can be created by the object store creation wizard in FEM.
Site :
Represents a geographical location where resources are well-connected by a fast, reliable LAN. Object stores,
storage areas, content cache areas, index areas, and virtual servers are all associated with an individual site.
Realm :
The collection of all user accounts and group memberships available to the FileNet P8 domain. Realms are
created, maintained, and authenticated by the authentication provider and are thereafter read and used by a
FileNet P8 domain.
Domain :
A logical grouping of physical resources (object store databases, full text index areas, file storage areas, and
content cache areas) and Content Engine servers that provide access to those resources. Each resource, and
each Content Engine server, belongs to only one domain. A Content Engine server can access any resource in
its domain, but cannot access any resource that lies outside of its domain.
Note: The CE Global Configuration Data (GCD) database stores information about the resources and services
for the FileNet P8 Domain.
Object Store :
An object store is a database repository for storing objects such as documents, folders, custom objects and metadata.
Custom Object :
1. The custom object is a general purpose object that can be customized by subclassing and adding properties to perform a wide variety of tasks.
2. Custom Objects cannot be versioned.
3. Custom objects don't have any content.
Document Class :
Before we are adding any documents to Content Engine, we must define custom document classes in the
object store. There is a predefined document class in the FEM that we can use to create custom subclasses for
our application. We can assign the custom properties to these subclasses.
Every document belongs to a document class. The document class determines the document versioning,
properties, storage location, security, and lifecycle.
Folders :
Folders are used to group other objects including documents and custom objects. Folders help in organizing the documents and other items.

A document can be filed to multiple folders. FileNet does not create copies of the document in this case. It actually creates a logical association between the folder and the document.
A few important facts about folders:
1. Folders are not versionable; only documents are.
2. Folders are based on the CE folder class.
3. The content of a folder can be copied to another folder that exists in the same object store.
4. It is not mandatory that each document or object be filed under a folder. Documents which are not part of any folder remain unfiled.
5. A Root Folder is created along with a new Object Store. This folder is the parent folder for all other folders in the Object Store.
6. Each Folder has its own custom security.
7. Folders can generate server events when they are created, modified, or deleted.

Choice list :
1. A choice list is a collection of predefined property values which can be used to present users with a list of
values from which to choose.
2. A choice list is an object that contains a list of choices.
Event :
In FileNet P8, an event is a change in the metadata that, when specified in an event subscription, initiates an
event action. For example, an event could be the addition of a document to a folder. The event action might be
to declare that document as a record.
Event action / Event Subscription:
An action implemented using external Java code or a workflow is an Event Action.
A Subscription ties the Event Action to the one or more events that trigger it.
For example, we can code an event action that sends an email notification to the administrator when a document of a certain class is deleted.
1. Assign the event action to a subscription created for a document class.
2. Select Check in / Checkout / Update / Delete Events as one of the trigger events in the subscription.

Workflow Subscription:
A Workflow Subscription launches a workflow, as well as Event Action, in response to an event triggered on an
instance of Document / Custom Object / Folder on Content Engine.
We can create a Workflow Subscription through FEM or Workplace. When we create the workflow subscription,
we must select a workflow definition that exists in the workflow database on PE.
Custom Property :
A user-defined property. We can assign custom properties to a class.
Property Template :
A template for creating one or more custom properties that can be assigned to one or more classes.

Root Class :
1. A root class is a class without a parent. A FileNet object store has multiple root classes including Document Class, Annotation, Choice List, Event etc. The Parent Class property of these root classes is None (as shown in below screen shot).
2. The root classes are created automatically during object store creation. Once the root class is created, subclasses and properties can be added to the object store.

For example, a document subclass can be added under the root class (Document Class) by running the Create a Class wizard from Enterprise Manager.
Except for the Document Class, all other root classes are placed under Other Classes in FEM.
Root Folder :
The top-most node in a navigation tree. In FEM, an object store Root Folder holds content, which consists of
folders, documents, and custom objects.
Search Template :
A file created in Search Designer that is run from either the Workplace Search or Browse page. Using the
search template typically prompts the Workplace user to enter or change values and then displays a list of the
documents that meet the search criteria.
Security :
The rules that allow and limit access to Documents, Custom Object, Folder.
Security Template :
A set of security settings that can be applied to a Document, Folder, or Custom Object. Security templates are
components of Security Policy.

Marking Sets:
FileNet Content Engine (CE) markings, grouped into marking sets, provide a way to define a level of security on objects (i.e. documents) in addition to the normal FileNet P8 object security model. By using markings, access to objects can be controlled based on a specific property value.
Marking sets are collections of CE objects known as marking objects. Marking sets allow security to be set up on an object by means of a property template.
When a marking is applied to an object, the resulting access permissions for the object are a combination of the settings of its original access permissions (through the ACL) and the settings of the marking's 'Constraint Mask' for each marking that is applied to it. The result of this combination is the effective security mask.
Below are a few key features of marking sets in FileNet P8:
1. Markings hold a set of access permissions that can be applied to any FileNet P8 object through a property template.
2. Marking sets can be assigned to a property template only at creation time and not later.
3. A property template can either be pointed to a choice list or to a marking set and never to both.
4. Marking sets do not override the ACL (Access Control List). Content Engine resolves the object's ACL first and then it looks into the marking set.
5. FileNet recommends a maximum of 100 markings per marking set.
6. Since marking sets are at domain level, they cannot be exported.
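
A minimal model of how the ACL result and the markings' Constraint Masks combine into the effective security mask, as an added example (not from the original document and not IBM code). It assumes the Content Engine rule that a marking's Constraint Mask lists the rights withheld from any user who lacks the Use right on that marking; the class name, permission bits, users and marking values are constructed for illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added illustration. The permission bits below are constructed for this
// example and are NOT the Content Engine AccessRight constants.
public class MarkingMaskDemo {
    static final int VIEW_PROPERTIES = 0x01;
    static final int VIEW_CONTENT    = 0x02;
    static final int MODIFY          = 0x04;
    static final int DELETE          = 0x08;

    /** One marking in a marking set (hypothetical model, not an API class). */
    static final class Marking {
        final String value;           // property value that applies this marking
        final int constraintMask;     // rights withheld from users without Use
        final Set<String> useHolders; // principals granted Use on this marking

        Marking(String value, int constraintMask, String... useHolders) {
            this.value = value;
            this.constraintMask = constraintMask;
            this.useHolders = new HashSet<>(Arrays.asList(useHolders));
        }
    }

    /**
     * The ACL is resolved first (aclMask). Each applied marking on which the
     * user lacks Use then removes its constraint-mask bits. A marking can only
     * take rights away; it never adds a right the ACL did not grant.
     */
    static int effectiveMask(String user, int aclMask, List<Marking> applied) {
        int withheld = 0;
        for (Marking m : applied) {
            if (!m.useHolders.contains(user)) {
                withheld |= m.constraintMask;
            }
        }
        return aclMask & ~withheld;
    }

    static String describe(int mask) {
        if (mask == 0) {
            return "(no access)";
        }
        StringBuilder sb = new StringBuilder();
        if ((mask & VIEW_PROPERTIES) != 0) sb.append("VIEW_PROPERTIES ");
        if ((mask & VIEW_CONTENT) != 0)    sb.append("VIEW_CONTENT ");
        if ((mask & MODIFY) != 0)          sb.append("MODIFY ");
        if ((mask & DELETE) != 0)          sb.append("DELETE ");
        return sb.toString().trim();
    }

    public static void main(String[] args) {
        // Constructed marking set with two markings.
        Marking confidential = new Marking("Confidential",
                VIEW_CONTENT | MODIFY | DELETE, "alice", "dave");
        Marking hr = new Marking("HR", MODIFY | DELETE, "alice", "bob");

        // Constructed ACL outcome per user for one document.
        int full = VIEW_PROPERTIES | VIEW_CONTENT | MODIFY | DELETE;
        Map<String, Integer> acl = new LinkedHashMap<>();
        acl.put("alice", full);                            // Use on both markings
        acl.put("bob", full);                              // Use on HR only
        acl.put("carol", VIEW_PROPERTIES | VIEW_CONTENT);  // Use on neither
        acl.put("dave", VIEW_PROPERTIES);                  // Use on Confidential only

        // The document's marking-controlled property carries both values.
        List<Marking> applied = Arrays.asList(confidential, hr);
        for (Marking m : applied) {
            System.out.println("marking " + m.value + " withholds: "
                    + describe(m.constraintMask));
        }
        for (Map.Entry<String, Integer> e : acl.entrySet()) {
            int eff = effectiveMask(e.getKey(), e.getValue(), applied);
            System.out.println(e.getKey() + ": acl=[" + describe(e.getValue())
                    + "] effective=[" + describe(eff) + "]");
        }
    }
}
```

Because a marking only removes rights, an access review has to read the ACL and the marking's Use grants together: holding Use on a marking gives a user nothing that the ACL did not already allow.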

Security Policy :
A set of security templates, which provide a way to apply default security settings as we add objects.
Storage Policy :
Provides mapping to specific physical storage areas and is used to specify where content is stored for a given
class or object with content (for example, a document).
Access Control List (ACL) :
A list of access control entries (ACEs) applied to an object (class, document, folder, event, or any other
securable object). ACLs are displayed on the Security tab of an object's property sheet.
Authentication :
The process of verifying a user name and password at login time.
Authorization :
The process of determining and enforcing the access rights for an authenticated user.
Classification:
A process for automatically acquiring document properties from the document content (or another source).
Compound Document :
A collection of files that are used together to create a group of linked documents.
Content Based Retrieval (CBR) :
The process of searching for documents based on their content in addition to or instead of searching on
properties.
Content Less Document :
A document with properties but no content that is typically used to track a physical item such as a video tape.
Default Security :
The security assigned to an object by predefined settings.
Directly Applied ACEs :

The access rights acquired from a document class and subsequent edits made by a user or application.
Directly applied access rights have precedence over indirectly applied access rights.
Document Classification Action:
A root class that allows developers to create classifiers to examine and automatically map the contents of
documents of a specific MIME type to a target document class.
Document Policy:
A specification that indicates which form template and form data entry template are used for the policy, how
mapping is configured between form template fields and document class properties, and any special property
settings or security features. Document policies are available if FileNet P8 eForms integration has been
configured.
Generic class:
A class with no special behavior built in. The administrator can customize, save, and query a generic class.
Super Class:
A class whose properties are inherited by its subclasses. For example, custom document classes inherit
properties from their superclass (the supplied document class).
Unfiled Document:
A document that is not contained in any folder. Users can search for unfiled documents and file them in folders.
Version:
The properties and content associated with an instance of a document in an object. A version is created each
time a document is checked out, edited, and checked in. A document version can be designated as a major
version or a minor version.
Version Status:
The state of a version. Minor versions have the status In Process, Reservation, or Superseded. Major versions
have the status Released, Reservation, or Superseded.
Superseded version status:
It is not the most recent.
Promote Version:
An action that changes a minor version into a major version and sets its status to Released. Promotion sets the
status of the previous major version to Superseded.

How to determine if FileNet Content Engine (CE) is running fine :

Following are a few things one can check to find out if FileNet CE is running fine:
1. Check the WebSphere console for the 'FileNetEngine' web application status. It should be in running state.
2. Try connecting to CE using FEM. If the connection is fine, CE is running. If CE is not running, the user will get the message 'Unable to logon to P8 domain'.
3. Try to log on to FileNet Workplace. If the user is able to sign in, CE and directory services are running fine. If not, the user will get a 'credential exception'.
4. Try the following URL:
http://machine_name:port_number/FileNet/Engine
i.e. http://hqdemo1:9080/FileNet/Engine

If the 'Startup Context' page is displayed, CE is running fine. If CE is not running, the user will get the message 'The page cannot be found'.
Why use custom objects when we have content-less document :
1. Unlike a Document object, a CustomObject object does not carry content, is not versionable, and does not support lifecycle functionality.
2. Custom objects are for creating composite objects. A custom object can contain a content-less document, i.e. only metadata, as well as other document classes and/or custom objects as its properties.

Application Engine:
One of the FileNet P8 components. Application Engine hosts the Web sites that interact with object stores and
Process Engine.
bootstrap properties:
Initialization values for the Application Engine software.
LDAP :
See Lightweight Directory Access Protocol.
Multipurpose Internet Mail Extension (MIME) :
An industry standard format for content, especially Internet mail. Content Engine provides a document property
called "MIME type." The value for MIME type identifies a document type (such as text, XML, or application).
Process Analyzer:
It supports monitoring and analyzing the business processes.
Process Simulator:
It simulates workflows by performing "what-if" scenarios, providing business analysts with important information
that helps streamline business processes.
Fetch vs GetInstance :

When many people think about interacting with an object from the server, they first think about doing a
round-trip to fetch the object. That is a necessity for many things, but there are several cases where you
do not need that initial fetch. For example, if you are only going to use an object so you can set the value
of an object-valued property on another object, you really only need a reference. If you somehow know
that the object already exists, you can skip the round-trip to fetch it. (If it turns out that you were wrong
and it did not already exist, the referential integrity mechanisms in Content Engine will throw an exception
when you try to save the referencing object.) The APIs have a mechanism called fetchless
instantiation. There are three flavors of Factory methods for creating programming language objects
that reference Content Engine objects, and you can tell them apart by the word used as the beginning of the method name:
create indicates that a new Content Engine object is to be created. No round-trip is done as the
result of this Factory method call; although, a save call must eventually be done.
fetch indicates that a round-trip will be immediately made to the Content Engine to verify that the
object exists and to return an initial set of properties. Fine-tuning of the properties returned can be
controlled via an optional PropertyFilter.
get indicates that no round-trip will be made. This is a fetchless instantiation. The API is taking
your word for it that the object actually exists. There is no initial set of property values available,
so you will need to request any property values that you need. If you know that you will always
need some property values immediately, there is no advantage to fetchless instantiation.

VERSIONING :
Objectives :
Review the concept of versioning, including:
Versioning levels
Frozen versions
Reservation object
Check In and Check Out
Promoting and Demoting a Document
VersionSeries object
Versioning concepts :
3 levels of versioning :
1. No versioning enabled
Documents cannot be checked into or out of an object store
2. Single-level versioning
All documents are released (major) documents
3. Two-level versioning
Supports both minor and major document versions
If versioning is enabled for a class, then both one-and two-level
versioning are also enabled
Major version
Released: generally made available to all users
Only one version of a document in a given version series can be in the
Released state at a time

Minor version
Draft: generally made available to a restricted set of authors and
reviewers
Versioning states
Released: A major version
In Process: A checked in minor version
Reservation: A document whose content is currently being edited
Superseded: A major or minor version that is no longer the most recent version
Frozen Versions
Versionable.freeze method prevents changes to the custom properties of a
versionable object
You can freeze any checked-in document version, but you cannot freeze a
reservation object.
System-maintained properties of a frozen document version are updated
by the system as needed
IsFrozenVersion property is set to true for the Versionable object
Once a document version has been frozen, it cannot be unfrozen. A new
version has to be created
Freeze state does not prevent
Checkout
Further versioning of any new unfrozen versions
Promote and demote a frozen version
Reservation Object
Created when a new document is created or an existing document is checked out
Deleted when a document is checked in or the check out is cancelled
Is not a separate class, "is" the unchecked-in version of the document
Not more than one Reservation in a version series
Reservations are always Minor versions
If a document is a reservation object, the value of its VersionStatus property is VersionStatus.RESERVATION
Checkin a Document
Major Version
Document.checkin(autoClassify, checkinType)
Notes:
checkinType = CheckinType.MAJOR_VERSION
Must have access rights: (AccessLevel.MAJOR_VERSION_DOCUMENT)
Minor Version
Document.checkin(autoClassify, checkinType)
Notes:
checkinType = CheckinType.MINOR_VERSION
Must have access rights: (AccessLevel.MINOR_VERSION_DOCUMENT)
Checkout a Document

To check out successfully
Document Class of the object must be version enabled (IsVersioningEnabled is true)
User must have the appropriate access rights
Check that the document is the current version and that it is not already reserved
// objDoc must be the current version and must not already be reserved
if (objDoc.get_IsCurrentVersion() && !objDoc.get_IsReserved())
// Also can be done as
// objDoc.get_VersionSeries().get_IsReserved()
{
    // Creates a reservation object
    objDoc.checkout();
}
Promoting a Document
To successfully promote a document
User must have the appropriate access rights
objDoc is the document to be promoted. Check to be sure that the document is the latest minor version and current version
if (objDoc.get_IsCurrentVersion() &&
    objDoc.get_VersionStatus().getValue() == VersionStatus.IN_PROCESS_AS_INT)
{
    objDoc.promoteVersion();
}
Demoting a Document
objDoc is the document to be demoted. Check to be sure that the document is the current version, latest major version and does not currently have a reservation on it
if (objDoc.get_IsCurrentVersion() &&
    objDoc.get_VersionStatus().getValue() == VersionStatus.RELEASED_AS_INT &&
    !objDoc.get_IsReserved())
{
    objDoc.demoteVersion();
}
Retrieving a Reservation Object
Using get_Reservation on any Versionable object
document.get_Reservation()
You can get the reservation type by using
document.get_ReservationType()
Possible values of ReservationType property
COLLABORATIVE
EXCLUSIVE
OBJECT_STORE_DEFAULT
Retrieving a VersionSeries Object
From the Document object
Document aDoc = Factory.Document.fetchInstance(os, docId, null);
VersionSeries objVersionSeries = aDoc.get_VersionSeries();
From the Factory.VersionSeries.fetchInstance method
VersionSeries aVS = Factory.VersionSeries.fetchInstance(os, vsid, null);
Retrieving All Objects in a Version Series
VersionableSet allDocs = objVersionSeries.get_Versions();
Then, iterate through the VersionableSet object to get all the documents in a version series.
Retrieving an Object's Current or Released Version
Retrieves the current version, then checks it out of the object store
Document curDoc = (Document) objVersionSeries.get_CurrentVersion();
curDoc.checkout();
Retrieves the current released version, then demotes it to a minor version
Document objDoc = (Document) objVersionSeries.get_ReleasedVersion();
objDoc.demoteVersion();

------END OF VERSIONING------

SECURITY:
Objectives
Review Security concepts, including:
JAAS Authentication
Security Policy
Security Template
Permissions/Access Rights
Create security policy using enterprise manager
Apply security policy to a folder
Set security inheritance from a folder to a document
Security Implementation
Security model leverages third-party directory service products
Currently Microsoft Active Directory, Sun ONE Directory Server, Novell
eDirectory, IBM Directory Server, MS ADAM
Configured directory service on Content Engine authenticates the user
name and password against a proprietary database
Single P8 LDAP configuration in Content Engine
Authentication
The Content Engine server accepts incoming requests over two transport
protocols: EJB and Content Engine web service (CEWS) transports.
CE uses JAAS as the basis for authentication
Authentication occurs between a J2EE client application, a J2EE application
server, and one or more JAAS LoginModules.

FileNet code is not involved in the authentication process for EJB transport, as it is handled through the JAAS framework. Callers are authenticated by the J2EE application server before they can access the EJB layer.
FileNet code is involved in the authentication process of a web service based client (for CEWS transport). When a web service request arrives in the FileNet P8 Content Engine server, the Content Engine web service listener extracts the WS-Security header and, based on its contents, performs a JAAS login.
Login Modules
Specified in a JAAS configuration file.
The configuration file contains one JAAS configuration for various needs of
the CE itself or clients using the CE
Each JAAS configuration (stanza) in the configuration file is a list of
LoginModules
Each entry in the list specifies the fully qualified name of a Java
LoginModule class, a flag ("required", "optional", "sufficient", or "requisite"),
and options for that LoginModule.
The FileNet-supplied stanzas are the following:
1. FileNetP8 - used by Java thick clients to perform authorizations before using the EJB transport.
2. FileNetP8Engine - used by the Content Engine server (the WSI Listener) when authenticating WSI transport calls. Users can modify this stanza but only if using WS-EAF.
3. FileNetP8Server - used by server-side applications (such as servlets, applets, EJBs, and FileNet P8 Workplace) to perform authentication over the EJB transport. Clients that are running within an application server container should use this stanza for username/password logins.
4. FileNetP8WSI - used by a Java thick client to force the use of the WSI transport.
5. FileNetP8KerberosService - used internally and should not be modified by users.
6. CELOgin - Identifies and locates the program module or modules that are used for logins by the CE_Operations component.
LoginContext
Performing and using a JAAS login consists of three steps:
Obtaining a LoginContext object
Calling the LoginContext.login() method
Impersonating the logged-in user to perform the actual work
LoginContext lc = new LoginContext("mysystem", new UserPasswordHandler("[email protected]", "password"));
// LoginContext lc = new LoginContext("mysystem", new DialogCallbackHandler());
lc.login();
// Associate the JAAS Subject with the UserContext
UserContext uc = UserContext.get();
uc.pushSubject(lc.getSubject());
Authorization
Object Level Security
User, Group
Read/Write
Permissions
Object's Access Control List
Security Grantee
User/Group
Permissions
Class/Interfaces
Permission - Represents the full set of access control entries (ACEs)
associated with an object
AccessRight - Provides a set of constants that identify individual
permissions (access rights) that can be applied to an object.
AccessLevel - Provides a set of commonly-used combinations of access
rights for use when setting permissions
AccessPermission / AccessPermissionList - Defines access permissions through a bitmask of access rights.
AccessType - Security access (allow or deny) that a user has for a given
AccessPermission object
PermissionSource - Specifies the source of a given access permission.
Create Object Permissions :
Create a new access permission object
AccessPermission ap = Factory.AccessPermission.createInstance();
Create a new permissions list
AccessPermissionList apl = Factory.AccessPermission.createList();
Set access permissions
ap.set_GranteeName("test1");
ap.set_AccessType(AccessType.ALLOW);
ap.set_AccessMask(new Integer(AccessLevel.FULL_CONTROL_DOCUMENT_AS_INT));
Add the permissions to the permissions list
apl.add(ap);
Set the Permissions list to the object
myDocument.set_Permissions(apl);
Update/Modify Object Permissions
Get the object permissions
AccessPermissionList apl = objCustom.get_Permissions();
Create a new access permission object
AccessPermission ap = Factory.AccessPermission.createInstance();
Set access permissions
ap.set_GranteeName("test1");
ap.set_AccessType(AccessType.ALLOW);
ap.set_AccessMask(new Integer(AccessLevel.FULL_CONTROL_DOCUMENT_AS_INT));
Apply Permissions to the object
apl.add(ap);
objCustom.set_Permissions(apl);
Access Rights:

Right             Value      Description
READ              1          User can read the properties of this object.
WRITE             2          User can modify the properties of this object.
MAJOR_VERSION     4          User can promote or demote this document
LINK              16         User can link to this object
UNLINK            32         User can unlink from this object
MINOR_VERSION     64         User can create a new version of this document
VIEW_CONTENT      128        User can view the content of this document
CREATE_INSTANCE   256        User can create a new instance of this object
CREATE_CHILD      512        User can create a child object of this object.
CHANGE_STATE      1024       User can change the document state
PUBLISH           2048       User can publish this document object.
DELETE            65536      User can delete this object.
READ_ACL          131072     User can read the security of this object.
WRITE_ACL         262144     User can modify the security of this object.
WRITE_OWNER       524288     User can assume ownership of this object.
CONNECT           1048576    User can connect to this object store.
STORE_OBJECTS     2097152    User can create and store new objects in this Object Store
MODIFY_OBJECTS    4194304    User can modify objects in this object store
REMOVE_OBJECTS    8388608    User can remove objects in this object store
WRITE_ANY_OWNER   1677721    User can change the ownership of this object

Retrieve Access Rights:
Access Rights
Read, Write, Publish, Version or Delete
AccessType
Allow or Deny the access right
Current User Rights
Access rights granted to the user requesting this object.
getAccessAllowed() on any IndependentlyPersistableObject object
Specific User Rights
Document doc = ...;
int docMask = doc.getAccessAllowed();
if ((docMask & AccessRight.READ_AS_INT) == 0)
{
    // User does not have the right to read!
}
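The mask check above, generalized into a small ACL review as an added example (not code from the original page and not FileNet API code): it decodes an access mask using the values in the Access Rights table and reports ALLOW entries that carry WRITE_ACL, WRITE_OWNER or DELETE. The Ace class, the grantee names, the sample masks and the choice of which rights to flag are assumptions of this example.

```java
import java.util.*;

public class AclAudit {
    // Names and values copied from the page's Access Rights table (WRITE_ANY_OWNER left out).
    static final String[] NAMES = {"READ", "WRITE", "MAJOR_VERSION", "LINK", "UNLINK",
        "MINOR_VERSION", "VIEW_CONTENT", "CREATE_INSTANCE", "CREATE_CHILD", "CHANGE_STATE",
        "PUBLISH", "DELETE", "READ_ACL", "WRITE_ACL", "WRITE_OWNER", "CONNECT",
        "STORE_OBJECTS", "MODIFY_OBJECTS", "REMOVE_OBJECTS"};
    static final int[] VALUES = {1, 2, 4, 16, 32, 64, 128, 256, 512, 1024, 2048, 65536,
        131072, 262144, 524288, 1048576, 2097152, 4194304, 8388608};
    // Assumption of this example: rights worth flagging are WRITE_ACL, WRITE_OWNER, DELETE.
    static final int RISKY = 262144 | 524288 | 65536;

    /** Expands an access mask into right names; bits not in the table are reported raw. */
    static List<String> decode(int mask) {
        List<String> out = new ArrayList<>();
        for (int i = 0; i < VALUES.length; i++) {
            if ((mask & VALUES[i]) != 0) { out.add(NAMES[i]); mask &= ~VALUES[i]; }
        }
        if (mask != 0) out.add("UNKNOWN(0x" + Integer.toHexString(mask) + ")");
        return out;
    }
    /** Hypothetical stand-in for one access control entry (grantee, allow/deny, mask). */
    static final class Ace {
        final String grantee; final boolean allow; final int mask;
        Ace(String grantee, boolean allow, int mask) {
            this.grantee = grantee; this.allow = allow; this.mask = mask;
        }
    }
    /** One finding per ALLOW entry carrying a RISKY right; DENY entries grant nothing. */
    static List<String> audit(List<Ace> acl) {
        List<String> findings = new ArrayList<>();
        for (Ace ace : acl) {
            if (ace.allow && (ace.mask & RISKY) != 0) {
                findings.add(ace.grantee + " is allowed " + decode(ace.mask & RISKY));
            }
        }
        return findings;
    }
    public static void main(String[] args) {
        List<Ace> acl = new ArrayList<>();                      // constructed sample ACL
        acl.add(new Ace("reviewers", true, 1 | 128 | 131072));  // READ, VIEW_CONTENT, READ_ACL
        acl.add(new Ace("all-staff", true, 1 | 2 | 262144));    // READ, WRITE, WRITE_ACL
        acl.add(new Ace("contractors", false, 65536));          // DENY DELETE
        for (Ace ace : acl) {
            System.out.println((ace.allow ? "ALLOW " : "DENY  ") + ace.grantee + " " + decode(ace.mask));
        }
        audit(acl).forEach(System.out::println);
    }
}
```

Against a live object store, the same loop would run over the AccessPermission entries returned by get_Permissions().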
Retrieve User Information
Get Realm
Factory.Realm.fetchCurrent()
EntireNetwork.get_MyRealm()
Get Group
Realm.findGroups()
Get User
Group.get_Users()
Realm.findUsers()
Get User Information from User object
get_Name(), get_DisplayName(), get_Email(), get_MemberOfGroups(),
get_DistinguishedName(), get_ShortName()
User/Group Name
Distinguished Name
Consists of a group or user's short name and the name of its domain.
For example, for a group with the short name "Domain Computers",
the distinguished name might be "CN=Domain Computers,
CN=Users,DC=westcoast,DC=local"
Short Name
Is the simple, non-unique portion of the distinguished name that does
not indicate its location relative to a domain or directory.
For example, the short name portion of the distinguished name
"CN=Seattle, CN=Users,DC=westcoast,DC=local" is "Seattle"
Security Inheritance
An object can inherit permissions from the following sources:
* An object designated as the security parent (SecurityParent property)
For example, a Document object can inherit the permissions of the
Folder in which it is filed.
* A security policy .
* A combination of security parent and security policy
int type = ap.get_PermissionSource().getValue();
if(type == PermissionSource.SOURCE_TEMPLATE_AS_INT)
{
// inherited from security policy
}
Cannot modify an in-place inherited permission

Security Parent
Example: Folder is a security parent for a Document
Security parent must be enabled to allow permissions inheritance
Permission.set_InheritableDepth()
InheritableDepth Property
0 -No inheritance
1 -Immediate children only.
-1 -All children (infinite levels deep).
To set the security parent of an object, use
set_SecurityParent()
Security Policy
Enables state-based object security
Controls access to an object as its state changes
Example: All users can view a document when its version state is 'released'
Server-managed versioning state changes
Applies to versionable objects
InProcess, Released, Reservation, and Superseded
Application-managed object state changes
Applies to versionable and non-versionable objects
Access rights based on application defined states
Contains collection of permissions called security templates
Object's SecurityPolicy property
A policy can manage objects of different classes
An object can have multiple policies
The SecurityPolicy contains one or more SecurityTemplate objects that
define the permissions to assign to a given object.
Security Template
Predefined set of object permissions that are applied to an object as the
object's state changes
One template for each object state
Types
* Application SecurityTemplate
Application managed object security
Never applied automatically
* Versioning SecurityTemplate
Applied automatically
Security Template
Containable.get_SecurityPolicy()
SecurityPolicy.get_SecurityTemplates()
SecurityTemplate.get_ApplyStateId()
SecurityPolicy.set_SecurityTemplates()

---------------END OF Securities---------------------
