mng.ExportSecuritySystem

This job exports the security system clauses defined at the group level for a selection of user groups or for all groups. For each group × cabinet × object type, one entry is returned with the configured main rights, annotation rights and the optionally configured clauses.

The security system has two mechanisms: clauses at the group level (this job) and ACL rules at the object level (see dms.ReadSD).

1. Input Parameters

| Name | Type | Required | Description |
|---|---|---|---|
| Flags | INT | Yes | Reserved. Always pass 0. |
| GroupIDs | STRING | Yes | Comma-separated list of numeric group IDs (see the id field returned by mng.GetGroupList). An empty string exports all groups. |

2. Output Parameters

| Name | Type | Dependency | Description |
|---|---|---|---|
| FileCount | INT | | Always 1 |

3. Output Files

| Name | Description |
|---|---|
| File list | Path and name of the UTF-8 encoded XML export file. The filename follows the pattern ecmind_<uuid>.xml. |

4. XML Structure

<AdmInfo timestamp="YYYY-MM-DDTHH:MM:SS">
  <GroupClauses>
    <GroupClause … />     <!-- 1 entry per (group × cabinet × object type) -->
    …
  </GroupClauses>
  <ExportedGroups>
    <ExportedGroup groupid="…" groupname="…"/>
    …
  </ExportedGroups>
</AdmInfo>

<AdmInfo> contains exactly two child elements: the list of clause entries <GroupClauses> and the list of groups included in the export <ExportedGroups>.

4.1. <GroupClause> Attributes

| Attribute | Type | Description |
|---|---|---|
| groupid | INT | Numeric ID of the group. |
| groupname | STRING | Name of the group. |
| cabinetid | INT | Numeric ID of the cabinet. |
| cabinetname | STRING | Display name of the cabinet. |
| objecttypeid | INT | Numeric ID of the object type (cabinet folder, folder, register, subregister or document). Structure and computation: Object Type ID. |
| objecttypename | STRING | Display name of the object type. |
| rights | INT | Bitfield of the configured main rights (see section 5.1). |
| annotations | INT | Bitfield of the configured annotation rights (see section 5.2). |
| delete_clause | STRING | Clause for the D right (delete object). |
| write_clause | STRING | Clause for the W right (write index data). |
| obread_clause | STRING | Clause for the X right (output object). |
| obwrite_clause | STRING | Clause for the U right (write object). |
| hlp_clause | STRING | Clause for the R right (display index data). The historical name "auxiliary right" stems from older enaio® versions, where displaying index data was modelled as the prerequisite right for all further actions. |
| str_clause | STRING | Legacy attribute without an actively used right; always empty in the export and can be ignored. |

All clause attributes are optional. If no clause is configured, the server returns an empty string. Clauses exist only for the five main rights; the annotation rights (G, P) are pure bitmask markers without an associated clause.

4.2. <ExportedGroup> Attributes

| Attribute | Type | Description |
|---|---|---|
| groupid | INT | Numeric ID of the group. |
| groupname | STRING | Name of the group. |

5. Rights Bitfields

5.1. rights — the five main rights

Every group × object type combination can carry five rights, encoded as a bitfield in rights:

| Bit | Value | Right | Description |
|---|---|---|---|
| 0 | 0x01 (1) | X | Output object (open, print, export). |
| 1 | 0x02 (2) | D | Delete object. |
| 2 | 0x04 (4) | W | Write index data. |
| 3 | 0x08 (8) | R | Display index data. |
| 4 | 0x10 (16) | U | Write object (create / modify). |

0x1F (31) = R+W+D+X+U (all five rights set).

5.1.1. Dependency Rules

When setting multiple rights, the following prerequisites apply on the server side:

  • R is a prerequisite for every other right. Without R, W, D, X, U have no functional effect.

  • U additionally requires X.

5.2. annotations — the two annotation rights

| Bit | Value | Right | Description |
|---|---|---|---|
| 0 | 0x01 (1) | G | View / edit annotations. |
| 1 | 0x02 (2) | P | PDF / print annotations. |

0x03 (3) = G+P. Annotation rights are pure bitmask markers and carry no clauses.

5.3. Mapping Clause Attribute → Right

| Attribute | Right | Meaning |
|---|---|---|
| delete_clause | D | Delete object |
| write_clause | W | Write index data |
| obread_clause | X | Output object |
| obwrite_clause | U | Write object |
| hlp_clause | R | Display index data (historical "auxiliary right") |
| str_clause | | Legacy, always empty, ignore |
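The bitfields, the dependency rules from 5.1.1 and the clause-to-right mapping can be checked mechanically when reviewing an export. The following Python sketch is an added example, not code from the product or its vendor; the function names, the finding texts and the sample XML are constructed for illustration, with the first sample entry modelled on example 7.3.

```python
import xml.etree.ElementTree as ET

MAIN_RIGHTS = {"X": 0x01, "D": 0x02, "W": 0x04, "R": 0x08, "U": 0x10}
ANNOTATION_RIGHTS = {"G": 0x01, "P": 0x02}
CLAUSE_TO_RIGHT = {"delete_clause": "D", "write_clause": "W", "obread_clause": "X",
                   "obwrite_clause": "U", "hlp_clause": "R"}

def decode(value, table):
    """Return the letters of all rights whose bit is set in the bitfield."""
    return {letter for letter, bit in table.items() if value & bit}

def audit_entry(attrs):
    """Decode one <GroupClause> and collect findings for a rights review."""
    rights = decode(int(attrs["rights"]), MAIN_RIGHTS)
    findings = []
    if rights and "R" not in rights:   # 5.1.1: R is the prerequisite for all others
        findings.append("R missing: the set rights have no functional effect")
    if "U" in rights and "X" not in rights:   # 5.1.1: U additionally requires X
        findings.append("U set without X")
    for attr, letter in CLAUSE_TO_RIGHT.items():
        if attrs.get(attr) and letter not in rights:
            findings.append(f"{attr} configured but {letter} is not set")
    # Rights that are set while their clause attribute is empty or absent.
    no_clause = {r for a, r in CLAUSE_TO_RIGHT.items() if r in rights and not attrs.get(a)}
    return {"rights": rights, "no_clause": no_clause, "findings": findings,
            "annotations": decode(int(attrs["annotations"]), ANNOTATION_RIGHTS)}

def audit_export(xml_text):
    """Map (groupid, objecttypeid) to the audit result of each <GroupClause>."""
    root = ET.fromstring(xml_text)
    return {(int(e.get("groupid")), int(e.get("objecttypeid"))): audit_entry(e.attrib)
            for e in root.iter("GroupClause")}

# Constructed sample: entry 100 mirrors example 7.3, entry 200 is deliberately inconsistent.
SAMPLE = """<AdmInfo timestamp="2024-01-01T00:00:00"><GroupClauses>
  <GroupClause groupid="100" groupname="Caseworker" cabinetid="42" cabinetname="Files"
    objecttypeid="262144" objecttypename="Files Document" rights="11" annotations="2"
    delete_clause="#BCCF#folder ( [[zahl1]] = 12341)" hlp_clause="#BCCF#[[zahl4]] = 1"
    write_clause="" obread_clause="" obwrite_clause="" str_clause=""/>
  <GroupClause groupid="200" groupname="Trainee" cabinetid="42" cabinetname="Files"
    objecttypeid="262144" objecttypename="Files Document" rights="18" annotations="0"
    delete_clause="" hlp_clause="" write_clause="#BCCF#[[feld1]] = 'W'"
    obread_clause="" obwrite_clause="" str_clause=""/>
</GroupClauses><ExportedGroups><ExportedGroup groupid="100" groupname="Caseworker"/>
  <ExportedGroup groupid="200" groupname="Trainee"/></ExportedGroups></AdmInfo>"""

if __name__ == "__main__":
    for key, result in audit_export(SAMPLE).items():
        print(key, result)
```

For the constructed group 200 (rights="18", that is D+U), the audit reports the missing R, U without X, and a write_clause whose right W is not set.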

6. Clause Language

The strings in the *_clause attributes are the raw clauses, that is, exactly what the enaio® server evaluator reads. They differ from the editor UI form.

6.1. Syntax Version Prefix BCCF

Every clause begins with the BCCF prefix, which appears in the exported string as #BCCF# (see the examples in section 7). It indicates the clause language version in which the following expression is to be read. No other prefixes are defined in the current API version.

6.2. Field References

| Notation | Meaning |
|---|---|
| [[dbcolumn]] | Direct access to a database column of the current object (typical enaio® columns: feldN, zahlN, realN, datumN). |
| dbcolumn (without brackets) | Also accepted; the parser recognises the bare column form. |
| sys'<name>' | Base parameter fields (e.g., sys'modifyuser', sys'created'). Referenced without [[…]] notation. |

DB column naming scheme:

| Column | Data Type | Example Field Type |
|---|---|---|
| feldN | STRING | Text field, selection list, catalog entry |
| zahlN | INT / BOOLEAN / TIME | Number, checkbox, radio button, time, date / time stamp |
| realN | DOUBLE | Decimal number |
| datumN | DATE | Date field |

In the editor the user sees the form [Display Name] or {InternalName}; the export delivers the underlying DB column names. Resolution of cabinetid, objecttypeid and DB columns to the internal field name or display name is performed via the object definition from dms.GetObjDef. Base parameters such as sys'modifyuser' or sys'created' are not part of the per-object-type field list and must be recognised separately as a fixed list of documented base parameters.

6.3. Function folder( <expression> )

folder(…) shifts the evaluation context: the bracketed sub-expression is evaluated against the enclosing folder of the current object. This allows a clause on a document or register to check conditions on the parent folder.

Consequence: folder object types (cabinet folder, folder) cannot themselves contain folder(…), because they have no enclosing folder. Such clauses make sense only on register, subregister and document object types.

6.4. Operators

=, !=, >, <, >=, <=, in, not in, between, not between, and, or.

6.5. Runtime Variables

| Variable | Meaning |
|---|---|
| DATE | Today's date |
| DATETIME | Current point in time |
| TIME | Current time |
| USER | Logged-in user |
| GROUPS | Groups of the logged-in user |
| RIGHTGROUP | Active rights group |
| COMPUTERNAME | Name of the client computer |
| COMPUTERGUID | GUID of the client computer |
| COMPUTERIP | IP address of the client computer |
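To review which columns a raw clause depends on, and whether each one is evaluated on the object itself or on its parent folder, the clause can be scanned token by token. This Python sketch is an added example, not the server's evaluator or any vendor code: scan_clause and its result layout are hypothetical, the sample clause is constructed, and runtime variables are assumed to be written as #NAME#, as in example 7.3.

```python
import re

PREFIX = "#BCCF#"   # the only syntax version prefix defined (section 6.1)
COLUMN_TYPES = {"feld": "STRING", "zahl": "INT / BOOLEAN / TIME",
                "real": "DOUBLE", "datum": "DATE"}
TOKEN = re.compile(r"""
    sys'(?P<sys>[^']+)'                         # base parameter, e.g. sys'created'
  | (?P<string>'[^']*')                         # string literal: consumed, not reported
  | \[\[(?P<col>\w+)\]\]                        # [[dbcolumn]]
  | \#(?P<var>[A-Z]+)\#                         # runtime variable, written as in 7.3
  | (?P<folder>\bfolder\s*\()                   # folder( shifts to the parent folder
  | (?P<bare>\b(?:feld|zahl|real|datum)\d+\b)   # bare column form
  | (?P<open>\() | (?P<close>\))
""", re.VERBOSE)

def scan_clause(raw):
    """Return field references, runtime variables and folder() use of a raw clause."""
    if not raw:
        return None                              # no clause configured
    if not raw.startswith(PREFIX):
        raise ValueError("unknown clause syntax version prefix")
    fields, variables, depth, folder_at, uses_folder = [], [], 0, [], False
    for m in TOKEN.finditer(raw[len(PREFIX):]):
        kind, text = m.lastgroup, m.group(m.lastgroup)
        context = "folder" if folder_at else "object"
        if kind in ("folder", "open"):
            depth += 1
            if kind == "folder":
                folder_at.append(depth)          # remember which ')' ends the shift
                uses_folder = True
        elif kind == "close":
            if folder_at and folder_at[-1] == depth:
                folder_at.pop()
            depth -= 1
        elif kind in ("col", "bare"):
            col_type = COLUMN_TYPES.get(re.match(r"[a-z]*", text).group())
            fields.append((text, col_type, context))
        elif kind == "sys":
            fields.append((f"sys'{text}'", "base parameter", context))
        elif kind == "var":
            variables.append(text)
    return {"fields": fields, "variables": variables, "uses_folder": uses_folder}

# Constructed clause combining the reference forms from 6.2 with folder() from 6.3.
SAMPLE = "#BCCF#folder ( [[zahl1]] = 12341 ) and datum1 = #DATE# and sys'modifyuser' = 'feld9'"

if __name__ == "__main__":
    print(scan_clause(SAMPLE))
```

The string literal 'feld9' in the sample is not reported as a column reference, and uses_folder lets a reviewer check an entry against the rule in 6.3 once the kind of object type is known.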

7. Examples

7.1. Complete Marker Configuration on a Register Type

A clause of the form = '<letter>' for each main right illustrates the mapping "clause attribute → right":

<GroupClause groupid="100" groupname="Caseworker"
             cabinetid="42" cabinetname="Files"
             objecttypeid="6488065" objecttypename="Files Register"
             rights="31" annotations="0"
             delete_clause="#BCCF#[[feld1]] = 'D'"
             write_clause="#BCCF#[[feld1]] = 'W'"
             obread_clause="#BCCF#[[feld1]] = 'X'"
             obwrite_clause="#BCCF#[[feld1]] = 'U'"
             hlp_clause="#BCCF#[[feld1]] = 'R'"
             str_clause=""/>

7.2. Cabinet-Wide Visibility Rule via System Field

<GroupClause groupid="100" groupname="Caseworker"
             cabinetid="42" cabinetname="Files"
             objecttypeid="42" objecttypename="Files"
             rights="31" annotations="0"
             delete_clause="" write_clause=""
             obread_clause="" obwrite_clause=""
             hlp_clause="#BCCF#sys'modifyuser' = 'SAMPLEUSER'"
             str_clause=""/>

The entry defines the R clause on the cabinet folder: only objects whose modifier is SAMPLEUSER are readable for the Caseworker group.

7.3. Parent Folder Condition on a Document

<GroupClause groupid="100" groupname="Caseworker"
             cabinetid="42" cabinetname="Files"
             objecttypeid="262144" objecttypename="Files Document"
             rights="11" annotations="2"
             delete_clause="#BCCF#folder ( [[zahl1]] = 12341)"
             hlp_clause="#BCCF#[[zahl4]] = 1 and datum1 = #DATE# and [[real1]] =3.14"
             write_clause="" obread_clause="" obwrite_clause="" str_clause=""/>

rights="11" = R+D+X set; annotations="2" = only P. The D clause checks a column on the parent folder, the R clause combines three conditions on the document itself.

8. Return Value

(INT): 0 = Job successful, otherwise error code.
