D6.5 privileges and permissions

Documentum 6.5 compatible

Grafical Overview: Client Capability


Several people in the Documentum world think Client Capability (Consumer / Contributor / Coordinator / Administrator) is enforced by Documentum.
The fact is, content server does not enforce client capability (a.k.a roles). It’s something that client applications such as webtop can enforce it.
E.g: A consumer can not delete documents from Webtop, even though he has delete permission on the document. Of course nothing prevents him from deleting it via API / DQL.


Grafical overview: user privileges


A user with Sysadmin privilege has following abilities:

  • It has lower privileges as well (Create Type, Create Cabinet, Create Group)
  • It can activate/deactivate a user
  • It can manipulate users and groups
  • It can grant and revoke the lower privileges to other users
  • It can create or modify system-level permission sets
  • It can administer full-text indexing and repository
  • It can manage lifecycles
  • It can manipulate workflows

On the other hand, a user with Superuser privilege has the following features:

  • It has Sysadmin privileges as well
  • It can grant and revoke Sysadmin and Superuser privileges and extended privileges
  • It can delete system-level permission sets
  • It can become owner of all objects in the repository
  • It can unlock checked out objects
  • It can manipulate others’ custom types
  • It can create null types (types with no supertypes)
  • It can manipulate others’ permission sets
  • It can query any underlying RDBMS tables, even if they are not registered

grafical overview: user permission


A set of members or other groups.

group_class is a single and string property of dm_group. Indicates what kind of group this group is.

  • group
  • role
  • module role
  • privilege group
  • domain

Dynamic Groups

A set of predefinied members ca be added and is active only for one session.

Privileged groups

The property group_class is privilege group. A privileged group is a group whose members are allowed to perform privileged operations even though the
members do not have those privileges as individuals.


Roles and Domains are special kinds of groups.
Roles are enforced by client applications.
The Module role is a group and usesd internally for BOF mdules.


A domain identify all the roles that apply to an application

The members of a domain are roles.

For creating a group (dm_group object) you must have Create Group privilege and System Administrator client capability when using Webtop.


Exam question: Property in dm_user object to specify the role/group/domain?

Answer: group_class


Exam question: Who see private groups?

Answer: visible for group owner and sysadmins


Exam question: Minimun of properties to create a user in DA (default / out of the box)?


  1. Name
  2. User Login Name
  3. eMail Address

Client capability is preselect: Consumer

Privileges preselect: none

Ext Privileges: none

screenshot is taken from a default webtop