
Group - A group is a set of users, groups, or a mixture of both. It is normally used to assign permissions on an object.

Role - A role is a special kind of group; it too can contain a set of users, other groups, or both. The difference is that a role is used by a client application to filter out certain operations. The WDK framework supports scoping of WDK components by role. For example, the Administration node in Webtop is only visible if the user is an administrator. Roles are NOT used to assign permissions on an object.

So what is client capability?

Client capability - A legacy setting that is defined for each user object. The four values for the client_capability attribute are consumer, contributor, coordinator, and (system) administrator. The client capability setting is used as a default role for a user. This setting was created long before the concept of roles was created. WDK/Webtop uses the client capability role if the user is not assigned to any custom roles. Once you start creating custom roles, you need to configure/remap the client_capability role to your custom roles if you still want to use the client_capability setting.

FYI: The list of actions available to a specific client capability role is listed in the WDK Development Guide.

To summarize:

1. groups: permissions
2. roles: filtering actions
3. client capability: default roles

Role is a subtype of group; this is why you see them in the results of your query. Groups are used in ACLs and workflows. Roles are used to filter out application features. For example, if you set client_capability=consumer for a user (consumer is a default role), the edit feature is disabled.

Graphical overview: Client Capability

Several people in the Documentum world think Client Capability (Consumer / Contributor / Coordinator / Administrator) is enforced by Documentum. The fact is, Content Server does not enforce client capability (a.k.a. roles). It is something that client applications such as Webtop can enforce. E.g.: a consumer cannot delete documents from Webtop, even though he has delete permission on the document. Of course, nothing prevents him from deleting it via API / DQL.
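An added example (not from the original notes): a small audit that lists consumers whose ACL-derived permit still allows delete, that is, the cases where only Webtop's client-capability filter hides the operation. The user, group and ACL data are constructed, the function names are hypothetical, and taking the highest permit across matching ACL entries is a simplifying assumption.

```python
# Added example; all data below is constructed, all helper names are hypothetical.
PERMITS = ["None", "Browse", "Read", "Relate", "Version", "Write", "Delete"]  # ascending
DELETE = PERMITS.index("Delete")

# user -> client_capability (as it would be exported from the user objects)
USERS = {"alice": "consumer", "bob": "contributor", "carol": "consumer"}
# group -> members; a member is a user or another group
GROUPS = {"legal": ["alice", "reviewers"], "reviewers": ["carol"], "readers": ["bob"]}
# ACL name -> list of (accessor, permit); an accessor is a user or a group
ACLS = {
    "acl_contracts": [("legal", "Delete"), ("bob", "Read")],
    "acl_public": [("readers", "Read"), ("carol", "Write")],
}

def expand(accessor, seen=None):
    """Resolve a user or (nested) group to the set of users it contains."""
    seen = set() if seen is None else seen
    if accessor in seen:          # guards against cyclic nesting in exported data
        return set()
    seen.add(accessor)
    if accessor not in GROUPS:
        return {accessor} if accessor in USERS else set()
    users = set()
    for member in GROUPS[accessor]:
        users |= expand(member, seen)
    return users

def effective_permits(acl):
    """Highest permit level each user gets from one ACL, directly or via groups."""
    best = {}
    for accessor, permit in ACLS[acl]:
        level = PERMITS.index(permit)
        for user in expand(accessor):
            best[user] = max(best.get(user, 0), level)
    return best

def ui_only_delete_restrictions():
    """(acl, user) pairs where a consumer holds Delete: hidden in the UI, allowed by the ACL."""
    findings = []
    for acl in sorted(ACLS):
        for user, level in sorted(effective_permits(acl).items()):
            if USERS[user] == "consumer" and level >= DELETE:
                findings.append((acl, user))
    return findings

if __name__ == "__main__":
    for acl, user in ui_only_delete_restrictions():
        print(f"{user}: consumer in the client, but {acl} grants Delete")
```

Each finding is a place where the ACL, not the client capability, has to be tightened if the user really must not delete.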

Graphical overview: user privileges

A user with Sysadmin privilege has the following abilities:

- It has the lower privileges as well (Create Type, Create Cabinet, Create Group)
- It can activate/deactivate a user
- It can manipulate users and groups
- It can grant and revoke the lower privileges to other users
- It can create or modify system-level permission sets
- It can administer full-text indexing and the repository
- It can manage lifecycles
- It can manipulate workflows

On the other hand, a user with Superuser privilege has the following features:

- It has Sysadmin privileges as well
- It can grant and revoke Sysadmin and Superuser privileges and extended privileges
- It can delete system-level permission sets
- It can become owner of all objects in the repository
- It can unlock checked-out objects
- It can manipulate others' custom types
- It can create null types (types with no supertypes)
- It can manipulate others' permission sets
- It can query any underlying RDBMS tables, even if they are not registered

Graphical overview: user permission

Groups
A set of members or other groups. group_class is a single-valued string property of dm_group. It indicates what kind of group this group is:

- group
- role
- module role
- privilege group
- domain

Dynamic Groups
A set of predefined members can be added and is active only for one session.

Privileged groups
The property group_class is privilege group. A privileged group is a group whose members are allowed to perform privileged operations even though the members do not have those privileges as individuals.

Roles
Roles and Domains are special kinds of groups. Roles are enforced by client applications. The Module role is a group and is used internally for BOF modules.

Domain
A domain identifies all the roles that apply to an application. The members of a domain are roles. For creating a group (dm_group object) you must have Create Group privilege and System Administrator client capability when using Webtop.

Exam question: Property in dm_user object to specify the role/group/domain?

Answer: group_class

Exam question: Who sees private groups?

Answer: visible for group owner and sysadmins


Exam question: Minimum properties to create a user in DA (default / out of the box)?

Answer:

1. Name
2. User Login Name
3. eMail Address

Client capability is preselected: Consumer
Privileges preselected: none
Ext Privileges: none

The screenshot is taken from a default Webtop.
