The way that LiveCycle ES employs user accounts to execute processes causes limitations to the way that LiveCycle Content Services ES and LiveCycle ES Connectors for ECM (IBM FileNet, EMC Documentum, and IBM Content Manager) can be used in processes.

Execution Context

LiveCycle ES processes (as well as all other services) can be configured using Adobe Administration Console so that the operations in the process are executed by a specific user account. The Run As property can have one of the following values:

• (Default) The System user account.
• The user who invoked the process.
• A named user.

However, LiveCycle ES does not provide a way to specify a user while the process is executing. The same user account is used to execute the operations for all process instances.

Note: If the Run As property is not configured for render and submit services that are specified for xfaForm, Document Form, and Form variables, the services are always executed using the System user account. Render and submit services are executed when the xfaForm, Document Form, and Form variable types are used with Assign Task operations (User Service) in long-lived processes.

Content Ownership

For the services that Content Services ES and Connectors for ECM provide, the user account that adds content to a store is made the owner of the content.

• When a process uses the Document Management service (Content Services ES) to store content, the user account that executes the process owns the content.
• When a process uses the Content Repository Connector service (Connectors for ECM) to store content, you can specify the account to use for interacting with the ECM and which therefore owns the content that is stored. You can specify either the user account that is executing the process (the default setting), or a specific user account.

The situation where the user account that executes the process also stores content is satisfactory only when the actual owner of the content and the user account that executes the process are the same person.

For example, the submit service of an xfaForm variable uses the storeContent operation (Document Management service) to store submitted form data in a Content Services ES store. The submit service is always executed by the System account. Therefore, all content that the submit service stores is owned by the System account, regardless of who submitted the data. The stored content can only be accessed by processes that are executed using the System account, or by the Content Services ES administrator.

Strategies for Content Services ES

When a process adds content to a store, you can enable content to be more accessible by using one of the following strategies:

• Create a custom Content Services ES action that sets the appropriate rights to the space when content is stored.
  
• Create a custom Content Services ES action that sets the ownership to a lower level.
• Create several instances of the process that is used to store content. For each process, you need to set the value of the Run As property of the service to the user account that you want to own content. You invoke a process according to the user who should own the content that is being stored.

Custom actions require the identification of the user that the rights or ownership is applied to. You can include this information in the content that is being stored so that the custom action can retrieve it. For example, if the content is a form for a task that is assigned to a user, the render service can be used to insert the user identification:

• An input variable for the render service stores the user's identification. The value of the input variable is set in the properties of the variable that represents the form. (See Configuring render and submit services for form variables.)
• The Set Value service can be used to set the value of the form field. (See Set Value.)

Information about creating custom actions for LiveCycle Contentspace ES is not currently available. However, it will be available soon in Programming for LiveCycle ES.

Strategies for LiveCycle ES Connectors for ECM

The operations that a Content Repository Connector service (LiveCycle ES Connectors for ECM) provides enable you to specify credentials to use for interacting with the content management system. Each operation includes the Login Mode property. You can set the value of the Login Mode property to Use User Credentials and enter the appropriate user name and password.

The Content Repository Connector service operations for EMC Documentum also enable you to use Documentum login tickets for the Login Mode property.

The Content Repository Connector service operations for IBM FileNet enable you to use a FileNet credentials token for the Login Mode property.

Access Control Lists (ACLs) and long-lived processes

When long-lived processes use the Document Management service or Content Repository Connector service to interact with a content repository, the ACLs that are configured for the repository are not enforced. Long-lived processes can access all data in the repository regardless of the user account that is used to execute the process. To ensure that ACLs are enforced, use one of the following strategies:

• Use short-lived processes with the Document Management service, and with the Content Repository Connector service use short-lived processes as well as the process context to log in to the ECM.
• If you need to use a long-lived process, set the value of the Run As property for the long-lived service to the user who owns the content.

Additional Information

• The user account used to execute services can be specified using the Applications and Services pages of Adobe Administration Console. (See " Modifying security settings" in Applications and Services Administration Help.
• User accounts that execute processes must be assigned the Services User role. (See " Default roles in the User Management database" in User Management Help.

Products affected