Changing Documentum’s Installation Owner

Category:

When initially installing Documentum, the installation owner is set to the logged-in user that performs the Documentum installation. It is preferable to install Documentum and never change the installation owner. However, sometimes company policy dictates that the original installation must be changed. Reasons for the change may be that the user name does not conform to a new naming policy or that originally the user was not a domain user but now should be.Changing the installation owner involves changes to both the operating system and the docbase configuration. This is not a minor change within Documentum, so upfront planning and coordination between the Documentum System Administrator and Infrastructure Team is required.
To get the most from this article, you should already have:
A detailed knowledge of Documentum Content Server
A detailed knowledge of your company’s implementation of Documentum
A detailed knowledge of Windows 2000 Operating System
For purpose of this document, we are going to refer to the following users:
Original Installation Owner:
username = “dmadmin”
password = “dmadmin”
domain = “it”
New Installation Owner:
username = “new_dmadmin”
password = “new_dmadmin”
domain = “dctm”
How Documentum uses the installation owner ?
The Documentum installation owner is the operating system user that owns the server executable and other related files along with the OS process when the server is running. The installation owner is originally determined when the server is installed; it is the logged-in user that performed the Documentum installation. This user is given the following privileges:
Operating System:
‘Log On As’ rights to start Documentum Services such as Docbase, Docbroker, Java Method Server and other installed Documentum products (i.e. Site Caching Services).
Permission to change the Content Server configuration (i.e. upgrade, create, and delete docbases)
Folder level permission to view data, configuration, and many log files located under the %DOCUMENTUM_HOME% directory.
Docbase & Content Server:
Superuser and System Administrator rights
Assignment to administrator (Web Publisher), docu, and admingroup groups
Set as the r_install_owner value in the dm_server_config object.
Set as the operating system user to run several Administrative jobs such as dm_DataDictionaryPublisher and dm_FulltextMgr
Preparing to Make the Change
Preparation is an important step when making any major change within your Documentum environment. The following are steps recommended to make your life easier when updating the installation owner.
Determine best approach for changing the installation owner. The three documented approaches are:
Minimal Impact - Update only the operating system user and the user_os_name of the docbase user
Medium Impact - Create a new user in the docbase to be the installation owner while letting the old installation owner continue to own any existing objects
Largest Impact - Create a new user in the docbase to be the installation owner and reassign the previous installation owner’s objects to the new user.
Communicate and Make a Plan – Have your team ready and ensure everyone is aware of the plan. Communication is an important factor for success. Ensuring everyone is aware of their role will help make the change go smoothly.
TEST – Set up a test docbase to test updating the installation owner prior to making any change in a Production environment
Purge all old log files – Changing the installation owner requires updating permissions on Documentum data and log files. Reducing the amount of unneeded data will greatly speed up the process. This is especially important if you will be following Approach 3
Run the Consistency Checker – This report gives you a list of bad data within your system. Cleaning up inconsistent data before making the change will speed up the process and in the end make your life easier.
Back up all environments – Before performing any major change within Documentum you should ALWAYS back up your environment. This is a System Administration best practice. Work with your database administrators and infrastructure team to back up both the content server files and the database.
Set up the new installation user
Add the new installation user to the Administrator group on the Windows 2000 machine
Set the user to act as part of the operating system on the Windows 2000 machine. This setting can be found under Control Panel\Administrative Tools\Local Security Settings\Local Policies\User Rights Assignment\Act as part of the operating system
Update permission on all folders, subfolders and files under %DOCUMENTUM_HOME%> to remove the old installation owner and add new installation owner with full control
Approach 1: Updating only the installation user OS name
The simplest way to change the installation owner is to change the existing docbase user’s user_os_name/user_domain. This is the recommended solution in most cases.
Pros
Simple way to change the installation owner. This solution does not require updating Documentum objects therefore it reduces the risk of error and amount of work required with large Docbases.
Cons
The user_name within Documentum remains the same therefore the previous installation owner name will appear as the display name within Documentum.
Steps
Log into Documentum as an administrator
Update the current Documentum installation user’s user_os_name to the new installation owner: update dm_user object set user_os_name = ‘new_dmadmin’, set user_domain = ‘dctm’ where user_name = ‘dmadmin’;
Log onto the Windows 2000 server as current installation owner
Stop Services for all Documentum services (i.e. Docbases, DocBroker, Java Method Server, Site Caching Services)
Edit the install_owner and user_auth_target parameters in the server.ini file to reference the new installation owner and domain for each Docbase in the installation. The server.ini file is located in %DOCUMENTUM_HOME%\dba\config\docbase_name\server.ini or it can be accessed through the Documentum Server Manager.
Within Windows Explorer, change permission to give the new installation user full control on the all directories, subdirectories and files under the Content Server installation root directory (%DOCUMENTUM_HOME%). To update permission within Explorer:
Select the directory and right click to display a menu; choose Properties from the menu
Select the Security tab on the Properties dialog box
Select ‘Add’ to add a new user; select the new installation owner
Check Allow for Full Control
Remove the previous installation owner from the list of users with permission on the directory; Click Ok
Many subfolders and files under %DOCUMENTUM_HOME% are not set out of box with the allow inheritable permissions from parent to propagate to this object checked. Therefore you cannot assume that a subfolder or file is inheriting permission from its parent and you must ensure that you update the permission on ALL files and subfolders located under %DOCUMENTUM_HOME%. %DOCUMENTUM_HOME% subfolders and files that need to be update because they are not inheriting permission from its parent include but may not be limited to: \data; \data\[docbase_name]\’all subfolders’; \dba; \dba\auth; \dba\config\[docbase name]\dbpasswd.txt; \dba\config\[docbase name]\webcache.ini; \dba\config\[docbase name]\webcache.ini.old; \dba\log\’subfolders’; \dba\secure; \dba\secure\aek.key; \fulltext; \product; \share; \share\data\common\’subfolders’; \share\data\events\’subfolders’; \share\temp\replicate\’subfolders’; \share\temp\dm_ca_store\’subfolders’
Note: If your content storage directories are not located under the %DOCUMENTUM_HOME%\data directory, change the permissions on each content storage directory as well.
Edit the Windows Registry with new installation owner:
Update HKEY_LOCAL_MACHINE\SOFTWARE\Documentum\Server\version_no
Change the value of DM_DMADMIN_USER to the new installation owner user name
Change the value of DM_DMADMIN_DOMAIN to the new installation owner user domain
Set up the appropriate start-up information for Documentum Services
Choose Control Panel -> Administrative Tools -> Services
Select Documentum Services (i.e Documentum Docbase docbase_name, Documentum Docbroker, Documentum Java Method Server, Documentum SCS_Source)
Right click on Service and select Properties
On the Log on Tab, enter the new installation name and password under Log On As: This Account
Move any Documentum-related Programs in start menu (C:\Documents and Settings\old_user_name\Start Menu) to the new installation owner
Restart Windows 2000 Server; Log in as the new installation owner
Start the Docbases; View logs to check for errors
Approach 2: Creating a new Documentum installation user without Object Reassignment
This procedure is recommended if your policies require that the docbase user’s user_name be changed but do not requite that existing objects be assigned to the new user.
Pros
The user_name within Documentum is updated to the new installation owner therefore it will appear as the display name within Documentum (similar to how it would appear if the docbase had been installed originally as this user).
Cons
The old installation user remains within the docbase. However, if the old operating system user has been removed no one will be able to log in as this user
Tasks that were previously assigned to the old installation owner will not be accesible
Steps
Log onto the Windows 2000 server as current installation owner
Stop Services for all Docbases and the DocBroker.
Edit the install_owner and user_auth_target parameters in the server.ini file to reference the new installation owner and domain for each Docbase in the installation. The server.ini file is located in %DOCUMENTUM_HOME%\dba\config\docbase_name\server.ini or it can be accessed through the Documentum Server Manager.
Within Windows Explorer, change permission to give the new installation user full control on the all directories, subdirectories and files under the Content Server installation root directory (%DOCUMENTUM_HOME%). To update permission within Explorer:
Select the directory and right click to display a menu; choose Properties from the menu
Select the Security tab on the Properties dialog box
Select ‘Add’ to add a new user; select the new installation owner
Check Allow for Full Control
Remove the previous installation owner from the list of users with permission on the directory; Click Ok
Many subfolders and files under %DOCUMENTUM_HOME% are not set out of box with the allow inheritable permissions from parent to propagate to this object checked. Therefore you cannot assume that a subfolder or file is inheriting permission from its parent and you must ensure that you update the permission on ALL files and subfolders located under %DOCUMENTUM_HOME%. %DOCUMENTUM_HOME% subfolders and files that need to be update because they are not inheriting permission from its parent include but may not be limited to: \data; \data\[docbase_name]\’all subfolders’; \dba; \dba\auth; \dba\config\[docbase name]\dbpasswd.txt; \dba\config\[docbase name]\webcache.ini; \dba\config\[docbase name]\webcache.ini.old; \dba\log\’subfolders’; \dba\secure; \dba\secure\aek.key; \fulltext; \product; \share; \share\data\common\’subfolders’; \share\data\events\’subfolders’; \share\temp\replicate\’subfolders’; \share\temp\dm_ca_store\’subfolders’
Note: If your content storage directories are not located under the %DOCUMENTUM_HOME%\data directory, change the permissions on each content storage directory as well.
Edit the Windows Registry with new installation owner:
Update HKEY_LOCAL_MACHINE\SOFTWARE\Documentum\Server\version_no
Change the value of DM_DMADMIN_USER to the new installation owner user name
Change the value of DM_DMADMIN_DOMAIN to the new installation owner user domain
Update – HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DmServerdocbase_name
Change the -install_owner parameter in the value for ImagePath to the new installation owner user name
Set up the appropriate start-up information for Documentum Services
Choose Control Panel -> Administrative Tools -> Services
Select Documentum Services (i.e Documentum Docbase docbase_name, Documentum Docbroker, Documentum Java Method Server, Documentum SCS_Source)
Right click on Service and select Properties
On the Log on Tab, enter the new installation name and password under Log On As: This Account
Move any Documentum-related Programs in start menu (C:\Documents and Settings\old_user_name\Start Menu) to the new installation owner
Restart Windows 2000 Server; Log in as the new installation owner
Start the Docbases; View logs to check for errors

Approach 3: Creating a new Documentum installation user with Object Reassignment
If the requirements around changing the installation owner include changing the Documentum Installation user_name and removing the old installation user from Documentum, then you must create a new installation Documentum user and reassign the previous user’s objects and tasks to the new user. This is the most complex, time consuming, and risky procedure and is not recommended unless completely necessary.
Pros
The user_name within Documentum is updated to the new installation owner therefore it will appear as the display name within Documentum
The previous Documentum installation owner will be removed from the Docbase
Cons
Reassigning the previous installation owner to the new installation is error prone and time consuming for large docbases. However, risk can be reduced by purging old log files prior to changing the installation owner
Steps
The steps are the same as in Approach 2 with the following steps required at the end:
Log into Documentum Administrator as the new installation owner
Navigate to Administration -> User Management -> Users
Select the previous installation owner (’dmadmin’)
Select Tools -> Reassign User
Repeatedly run the following query: select count(*), acl_name from dm_sysobject where acl_domain = ‘dmadmin’ group by acl_name Note: The job may take a while to run depending on the amount of data. Once the query returns no rows the job is complete.
Smoke Testing the Change
After any major change to your Documentum infrastructure you should Test, Test, Test. Detailed test steps vary based on your Documentum application environment. It is important to have a test plan defined during your preparation. However, below are some brief smoke test steps which should prove helpful:
If you are using Web Publisher:
Log into Web Publisher as the new installation owner
Create content based on a template
Start a workflow; Log in as the workflow approver to ensure the task went to the correct user
Access Web View
If you are using Documentum Administrator:
Log into Administrator as the new installation owner
Spot check jobs (i.e. dm_DataDictionaryPublisher, dm_FulltextMgr , etc.) to ensure they are successfully running
If you are using Site Caching Services:
Log into Administrator as the new installation owner
Navigate to Site Publishing Configuration
Check a configuration; run an ‘End to End’ test
If you are using any other Documentum products:
Log into each application
Perform everyday user tasks
Run Consistency Checker (dm_ConsistencyChecker) Job. This report appears under System/SysAdmin/Reports
Common Issues/Helpful Hints
Setting user permission on %DOCUMENTUM_HOME% can be cumbersome, is there an easier way to perform this task?Yes. It would be recommended to have a system administrator run a windows scripts to update all folders and files under %DOCUMENTUM_HOME%. Another shortcut would be to set the local Administrator group on the Windows 2000 with Full Control permission on all subfolders and files under %DOCUMENTUM_HOME%. Later, when updating an installation owner you would just need to add/remove users from the local Administrator group. Setting the Administrator group permissions in this fashion also eases backing up Content Server files.
Can you update only the user domain?Yes. To update only the user domain you will need to:
Add the new domain user to the Administrator group on the Windows 2000 server; Set up the user as act as part of the operating system
Update the user_domain attribute of the installation owner: update dm_user object set user_domain = ‘[new domain]‘ where user_name = ‘[installation owner]‘
Edit the user_auth_target parameters in the server.ini file to reference the new domain for each Docbase in the installation.
Update permission on all subfolders and files under %DOCUMENTUM_HOME% to use the new domain user.
Update Windows Registry – HKEY_LOCAL_MACHINE\SOFTWARE\Documentum\Server\version_no
Change the value of DM_DMADMIN_DOMAIN to the new domain
Set up the appropriate start-up information (Log on As: This Account) for Documentum Services to use the new domain user
Can you update only the user password?Yes. Stop all Documentum services (Docbases, DocBroker, Java Method Server, Site Caching Services). Within the service properties under the Log on Tab, enter the new password under Log On As: This Account.
What if after running the Reassign User job there are still objects referencing the old user?This sometimes happens if there are many objects (such as log files) owned by the old installation owner. A solution to this is to wait for the job to complete and then recreate the previous installation owner within Documentum then run ‘Reassign User’ again. Continue this until the following queries return 0 rows:
select count(*), acl_name from dm_sysobject where acl_domain = '[old installation owner]‘ group by acl_name;
select r_object_id from dm_sysobject where owner_name= ‘[old installation owner]‘;

Comments (0)

Post a Comment