Policies

Policies control many aspects of the objects they govern, including who can access the governed objects and what tasks they can perform for each state defined in the policy.

For each of these categories, you can assign full, limited, or no access.

Category Description
Public Everyone. When the public has access to perform a task in a particular state, any user can perform the task except if denied in person definition. When defining public access, it is important to define access limits. Should the public be able to check in files to the object, override restrictions for promotions, and delete objects? These are some of the access questions that you should answer when defining the public access.
Owner The person, group, role, or association that currently owns the object. When a user initially creates an object, the user (person) who creates it is the owner. This user remains the owner unless ownership is transferred to someone else. In an object’s lifecycle, the owner usually (though not always) maintains control or involvement. In some cases, the original owner might not be involved after the initial state. Typically, the owner has full access to objects.
User A person, key, group, role, or association that has specific access requirements for a particular state. When a key, group, role, or association is assigned access, all the persons who belong to the key, group, role, or association will have access. Additionally, all persons assigned to groups and roles that are children of the assigned group or role will have access.

For example, you might not want the public to make flight reservations. Therefore, the public is not given access to create reservation objects. Instead, you establish that a Travel Agency group can originate flight reservations. Any member of that group can create a reservation object. When an agent creates a reservation object, that agent is the owner and has all access privileges associated with object ownership.

Assigning user access to groups, roles, and associations is an effective means of providing access privileges to a user. Under most circumstances, a person will have both a group and a role assignment and may also have multiple group and role assignments. In many cases, it is easier to specify the roles, groups, or associations that should have access in a policy rather than list individual users. This way, if personnel changes during a stage of the project, you do not need to edit every policy to change user names.

If a user is assigned access (public, owner, or user) in the current state of an object, the system allows the user to perform the task. For example, suppose a user belongs to a group and a role. If the policy allows the role to perform the task but does not allow the group to perform the task, then the user can perform the task.

For more information about policies, see policy Command.