Andy Pemberton Rotating Header Image

IBM WCM 6 Security Model

Well, I’ve been working with IBM’s content management product for a while now and I figured it was time to write up something useful for others. IBM Workplace Web Content Management (IBM WCM) comes bundled with IBM WebSphere Portal V6 and can be used to manage web content in and out of a Portal. One of the primary features that persuade organizations to use IBM WCM is its security model, so I decided to write up a quick, high-level explanation of how the security model works.

IBM WCM 6 Security Model Diagram

WCM security is controlled at the following levels, from the least to most granular:

  1. Library
  2. Library Item Type
  3. Item-level
    1. workflow or user (depending on whether workflow is enabled for content items)
    2. system
    3. effective (combined view of a-c)

Library Security

The Library-level security controls user access to all items within a Web Content Library. A Portal Administrator changes this security by going to: (Portal Administration > Portal Content > Web Content Libraries > Set Permissions).

IBM recommends an additive security method (see reference 1), where the Library-level security settings are used to grant only read access to the library (with the exception of Administrative acces). So, this basically means that the ‘All Authenticated Portal Users’ group is added to the ‘Users’ role for the library, and then more granular security settings are set per item type in the Library Item Type security settings.

Library Item Type Security

The Library Item Type-level security controls access to individual item types within a Web Content Library; this includes content, templates, components, etc. These settings are also changed by a Portal Administrator by going to: (Portal Administration > Portal Content > Web Content Libraries > Library Resources).

Following the additive security model recommended by IBM, an Administrator grants specific user groups access to specific item types in the Library Resources view. For example, an Administrator could add an ‘authors’ group to the ‘Editor’ role for content in a given library, but not grant them any additional permissions. So, in this case, ‘authors’ can add and edit content, but only Administrators could add additional sites, site areas, or components.

Item Level Security

Item Level security controls access to individual WCM objects, like pieces of content or sites and site areas. In most cases, workflow security should be used to control access to individual items. There are four types of Item Level Security: Workflow Security, User Security, System Security and Effective Security.

Using Workflow Security is the recommended approach to securing individual items. Workflow is enabled out-of-the-box, only for content items, so using Workflow Security for other item types requires enabling it for that type (see Infocenter - Web content authoring options for steps to enable workflow). IBM recommends that you enable workflow for all items (except workflow-related objects themselves). When workflow is enabled for a given item, the security settings set on the workflow stages control the access to a given item – this is called workflow item-level security.

So, for example, imagine that a News entry is in a ‘Review’ workflow stage. The ‘Review’ workflow stage has a set of ‘Workflow Security’ options that allow an Administrator to determine which users/groups have access (read, edit, delete, or approve) to content items in that workflow stage. The Administrator may add the ‘news-approvers’ group to the Approve role in the ‘Workflow Security’ settings for the ‘Review’ workflow stage. Thus, the original author of the article can’t delete or edit the document while it’s in the ‘Review’ stage.

WCM also has a User Security feature that is used only when workflow is not enabled for the given item type. This function allows authors to selectively modify access to a given item when creating it. So, for example, if workflow were not enabled for content items, an author could create a News entry and grant read access only to the ‘managers’ group.

System security can be considered an Administrator override function. This option is always available to Administrators (whether workflow or user security is being used) and can be used to add additional security to a given WCM object.

Effective security is simply a view of the combined security of the workflow OR user security settings, in combination with the system security settings. The effective security view cannot be modified directly; it changes when the workflow, user, or system settings change.


8 Comments on “IBM WCM 6 Security Model”

  1. #1 Chris
    on Mar 17th, 2008 at 6:23 pm

    Nice writeup. I’m sure that took a while to decode from the docs. How would you say that compares (at first glance) to Nuxeo?

  2. #2 admin
    on Mar 19th, 2008 at 9:21 am

    It looks like Nuxeu has some ‘user maintained’ security features for sub-areas of a site - sounds like a pretty good idea. SharePoint has some features like this.

    It also has the typical ‘content buckets’ so, comparing to IBM it looks like

    Nuxeo’s Workspace = IBM’s Library
    Nuxeo’s Section = IBM’s Site

    I’d be interested in looking at Nuxeo; I wonder if there are any Portal integration features… wait, no I don’t. =]

  3. #3 petrus
    on Jun 13th, 2008 at 9:05 am

    Concerning the security in a Web Content Library. 2 users are member of WCMAdmin. A user creates a Component (like a Menu or a Authoring Tool), but the other member (in the same group) don’t have access to this component. We must change permission for each component ?

    Thanks for this writeup ;-)

  4. #4 admin
    on Jun 19th, 2008 at 1:04 pm

    Unfortunately, this will be a complicated answer. It depends on where the user is being denied access (I assume you mean read access) to the object. Try looking through the different access levels I described: Library, Item Type, and Workflow.

    Also, looking at the ‘effective’ security should help in seeing the unified access to the object.


  5. #5 mat
    on Dec 4th, 2009 at 11:33 am


    Where can you see the “Effective” view ??



  6. #6 PortalUser
    on Sep 17th, 2010 at 9:19 am


    Its a Good artical.

    One question, So if i have controlled the security using workflow and the content is in Published stage now.

    Suppose i wants to add one more user as an Editor Role of the content, I have an option that i modify the workflow security and owner of the content shoule restart the workflow on the content item to apply the new security.

    Instead if i want the new user itself to do it himself, is that possible? I think not because he is not the owner of the content and dont have admin rights either.

    The other option i tried was i added him in the Admin role in library resources for content items, But it is also not changing the security on the content.

    So i am not able to understand what is the effective security, It is Liberary Resource security + Workflow security or workflow security overrides the security setup by admin.

  7. #7 Andy Pemberton
    on Sep 19th, 2010 at 9:19 pm

    @PortalUser - if I recall correctly, there’s a task you can run to “update security” for items in a workflow whose underlying stages have changed security.

    Effective is a combined view of Library + Library item Type + ((Workflow OR user) AND System).

    Make sense?

  8. #8 PortalUser
    on Sep 20th, 2010 at 9:18 am

    Hi Andy

    Thanks for your quick reply, I have looked at the task update security, It has something to do with the inheritance of the library permissions but not the workflow security. I tried it once but will try it again if you think it can work.

    There is one more task to enable the workflow on the content items. I tried it considering that it will restart the workflow but it will not do anything on the contents which alredy have workflow attached to them. It will simply enable the the workflow on the content items which dont have workflow attached.

    Somehow when i change the security at resource level it is not reflected in the content’s access details section. If i change at library level it is displayed in the content.

    I appriciate your response.

Leave a Comment