Changing Documentum’s Installation Owner

About This Article

When initially installing Documentum, the installation owner is set to the logged-in user that performs the Documentum installation. It is preferable to install Documentum and never change the installation owner. However, sometimes company policy dictates that the original installation must be changed. Reasons for the change may be that the user name does not conform to a new naming policy or that originally the user was not a domain user but now should be.

Changing the installation owner involves changes to both the operating system and the docbase configuration. This is not a minor change within Documentum, so upfront planning and coordination between the Documentum System Administrator and Infrastructure Team is required.

To get the most from this article, you should already have:

• A detailed knowledge of Documentum Content Server
• A detailed knowledge of your company’s implementation of Documentum
• A detailed knowledge of Windows 2000 Operating System

For purpose of this document, we are going to refer to the following users:

                    
		Original Installation Owner:
		username = "dmadmin"
		password = "dmadmin"
		domain = "it"
		
                

                    
		New Installation Owner:
		username = "new_dmadmin"
		password = "new_dmadmin"
		domain = "dctm"
		
                

How Documentum uses the installation owner

The Documentum installation owner is the operating system user that owns the server executable and other related files along with the OS process when the server is running. The installation owner is originally determined when the server is installed; it is the logged-in user that performed the Documentum installation. This user is given the following privileges:

• Operating System:
  • ‘Log On As’ rights to start Documentum Services such as Docbase, Docbroker, Java Method Server and other installed Documentum products (i.e. Site Caching Services).
  • Permission to change the Content Server configuration (i.e. upgrade, create, and delete docbases)
  • Folder level permission to view data, configuration, and many log files located under the %DOCUMENTUM_HOME% directory.
• Docbase & Content Server:
  • Superuser and System Administrator rights
  • Assignment to administrator (Web Publisher), docu, and admingroup groups
  • Set as the r_install_owner value in the dm_server_config object.
  • Set as the operating system user to run several Administrative jobs such as dm_DataDictionaryPublisher and dm_FulltextMgr

Preparing to Make the Change

Preparation is an important step when making any major change within your Documentum environment. The following are steps recommended to make your life easier when updating the installation owner.

• Determine best approach for changing the installation owner. The three documented approaches are:
  1. Minimal Impact - Update only the operating system user and the user_os_name of the docbase user
  2. Medium Impact - Create a new user in the docbase to be the installation owner while letting the old installation owner continue to own any existing objects
  3. Largest Impact - Create a new user in the docbase to be the installation owner and reassign the previous installation owner’s objects to the new user.
• Communicate and Make a Plan - Have your team ready and ensure everyone is aware of the plan. Communication is an important factor for success. Ensuring everyone is aware of their role will help make the change go smoothly.
• TEST - Set up a test docbase to test updating the installation owner prior to making any change in a Production environment
• Purge all old log files - Changing the installation owner requires updating permissions on Documentum data and log files. Reducing the amount of unneeded data will greatly speed up the process. This is especially important if you will be following Approach 3
• Run the Consistency Checker - This report gives you a list of bad data within your system. Cleaning up inconsistent data before making the change will speed up the process and in the end make your life easier.
• Back up all environments - Before performing any major change within Documentum you should ALWAYS back up your environment. This is a System Administration best practice. Work with your database administrators and infrastructure team to back up both the content server files and the database.
• Set up the new installation user
  • Add the new installation user to the Administrator group on the Windows 2000 machine
  • Set the user to act as part of the operating system on the Windows 2000 machine. This setting can be found under Control Panel\Administrative Tools\Local Security Settings\Local Policies\User Rights Assignment\Act as part of the operating system
  • Update permission on all folders, subfolders and files under %DOCUMENTUM_HOME%> to remove the old installation owner and add new installation owner with full control

Approach 1: Updating only the installation user OS name

The simplest way to change the installation owner is to change the existing docbase user’s user_os_name/user_domain. This is the recommended solution in most cases.

Pros

• Simple way to change the installation owner. This solution does not require updating Documentum objects therefore it reduces the risk of error and amount of work required with large Docbases.

Cons

• The user_name within Documentum remains the same therefore the previous installation owner name will appear as the display name within Documentum.

Steps

1. Log into Documentum as an administrator
2. Update the current Documentum installation user’s user_os_name to the new installation owner:
   update dm_user object set user_os_name = 'new_dmadmin', set user_domain = 'dctm' where user_name = 'dmadmin';
3. Log onto the Windows 2000 server as current installation owner
4. Stop Services for all Documentum services (i.e. Docbases, DocBroker, Java Method Server, Site Caching Services)
5. Edit the install_owner and user_auth_target parameters in the server.ini file to reference the new installation owner and domain for each Docbase in the installation. The server.ini file is located in %DOCUMENTUM_HOME%\dba\config\docbase_name\server.ini or it can be accessed through the Documentum Server Manager.
6. Within Windows Explorer, change permission to give the new installation user full control on the all directories, subdirectories and files under the Content Server installation root directory (%DOCUMENTUM_HOME%). To update permission within Explorer:
   • Select the directory and right click to display a menu; choose Properties from the menu
   • Select the Security tab on the Properties dialog box
   • Select ‘Add’ to add a new user; select the new installation owner
   • Check Allow for Full Control
   • Remove the previous installation owner from the list of users with permission on the directory; Click Ok
   Many subfolders and files under %DOCUMENTUM_HOME% are not set out of box with the allow inheritable permissions from parent to propagate to this object checked. Therefore you cannot assume that a subfolder or file is inheriting permission from its parent and you must ensure that you update the permission on ALL files and subfolders located under %DOCUMENTUM_HOME%. %DOCUMENTUM_HOME% subfolders and files that need to be update because they are not inheriting permission from its parent include but may not be limited to: \data; \data\[docbase_name]\’all subfolders’; \dba; \dba\auth; \dba\config\[docbase name]\dbpasswd.txt; \dba\config\[docbase name]\webcache.ini; \dba\config\[docbase name]\webcache.ini.old; \dba\log\’subfolders’; \dba\secure; \dba\secure\aek.key; \fulltext; \product; \share; \share\data\common\’subfolders’; \share\data\events\’subfolders’; \share\temp\replicate\’subfolders’; \share\temp\dm_ca_store\’subfolders’

   Note: If your content storage directories are not located under the %DOCUMENTUM_HOME%\data directory, change the permissions on each content storage directory as well.

7. Edit the Windows Registry with new installation owner:
   • Update HKEY_LOCAL_MACHINE\SOFTWARE\Documentum\Server\version_no
     • Change the value of DM_DMADMIN_USER to the new installation owner user name
     • Change the value of DM_DMADMIN_DOMAIN to the new installation owner user domain
8. Set up the appropriate start-up information for Documentum Services
   • Choose Control Panel -> Administrative Tools -> Services
   • Select Documentum Services (i.e Documentum Docbase docbase_name, Documentum Docbroker, Documentum Java Method Server, Documentum SCS_Source)
     • Right click on Service and select Properties
     • On the Log on Tab, enter the new installation name and password under Log On As: This Account
9. Move any Documentum-related Programs in start menu (C:\Documents and Settings\old_user_name\Start Menu) to the new installation owner
10. Restart Windows 2000 Server; Log in as the new installation owner
11. Start the Docbases; View logs to check for errors

Approach 2: Creating a new Documentum installation user without Object Reassignment

This procedure is recommended if your policies require that the docbase user’s user_name be changed but do not requite that existing objects be assigned to the new user.

Pros

• The user_name within Documentum is updated to the new installation owner therefore it will appear as the display name within Documentum (similar to how it would appear if the docbase had been installed originally as this user).

Cons

• The old installation user remains within the docbase. However, if the old operating system user has been removed no one will be able to log in as this user
• Tasks that were previously assigned to the old installation owner will not be accesible

Steps

1. Log onto the Windows 2000 server as current installation owner
2. Stop Services for all Docbases and the DocBroker.
3. Edit the install_owner and user_auth_target parameters in the server.ini file to reference the new installation owner and domain for each Docbase in the installation. The server.ini file is located in %DOCUMENTUM_HOME%\dba\config\docbase_name\server.ini or it can be accessed through the Documentum Server Manager.
4. Within Windows Explorer, change permission to give the new installation user full control on the all directories, subdirectories and files under the Content Server installation root directory (%DOCUMENTUM_HOME%). To update permission within Explorer:
   • Select the directory and right click to display a menu; choose Properties from the menu
   • Select the Security tab on the Properties dialog box
   • Select ‘Add’ to add a new user; select the new installation owner
   • Check Allow for Full Control
   • Remove the previous installation owner from the list of users with permission on the directory; Click Ok
   Many subfolders and files under %DOCUMENTUM_HOME% are not set out of box with the allow inheritable permissions from parent to propagate to this object checked. Therefore you cannot assume that a subfolder or file is inheriting permission from its parent and you must ensure that you update the permission on ALL files and subfolders located under %DOCUMENTUM_HOME%. %DOCUMENTUM_HOME% subfolders and files that need to be update because they are not inheriting permission from its parent include but may not be limited to: \data; \data\[docbase_name]\’all subfolders’; \dba; \dba\auth; \dba\config\[docbase name]\dbpasswd.txt; \dba\config\[docbase name]\webcache.ini; \dba\config\[docbase name]\webcache.ini.old; \dba\log\’subfolders’; \dba\secure; \dba\secure\aek.key; \fulltext; \product; \share; \share\data\common\’subfolders’; \share\data\events\’subfolders’; \share\temp\replicate\’subfolders’; \share\temp\dm_ca_store\’subfolders’

   Note: If your content storage directories are not located under the %DOCUMENTUM_HOME%\data directory, change the permissions on each content storage directory as well.

5. Edit the Windows Registry with new installation owner:
   • Update HKEY_LOCAL_MACHINE\SOFTWARE\Documentum\Server\version_no
     • Change the value of DM_DMADMIN_USER to the new installation owner user name
     • Change the value of DM_DMADMIN_DOMAIN to the new installation owner user domain
   • Update - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DmServerdocbase_name
     • Change the -install_owner parameter in the value for ImagePath to the new installation owner user name
6. Set up the appropriate start-up information for Documentum Services
   • Choose Control Panel -> Administrative Tools -> Services
   • Select Documentum Services (i.e Documentum Docbase docbase_name, Documentum Docbroker, Documentum Java Method Server, Documentum SCS_Source)
     • Right click on Service and select Properties
     • On the Log on Tab, enter the new installation name and password under Log On As: This Account
7. Move any Documentum-related Programs in start menu (C:\Documents and Settings\old_user_name\Start Menu) to the new installation owner
8. Restart Windows 2000 Server; Log in as the new installation owner
9. Start the Docbases; View logs to check for errors

Approach 3: Creating a new Documentum installation user with Object Reassignment

If the requirements around changing the installation owner include changing the Documentum Installation user_name and removing the old installation user from Documentum, then you must create a new installation Documentum user and reassign the previous user’s objects and tasks to the new user. This is the most complex, time consuming, and risky procedure and is not recommended unless completely necessary.

Pros

• The user_name within Documentum is updated to the new installation owner therefore it will appear as the display name within Documentum
• The previous Documentum installation owner will be removed from the Docbase

Cons

• Reassigning the previous installation owner to the new installation is error prone and time consuming for large docbases. However, risk can be reduced by purging old log files prior to changing the installation owner

Steps

The steps are the same as in Approach 2 with the following steps required at the end:

1. Log into Documentum Administrator as the new installation owner
   • Navigate to Administration -> User Management -> Users
   • Select the previous installation owner (’dmadmin’)
   • Select Tools -> Reassign User
   • Repeatedly run the following query: select count(*), acl_name from dm_sysobject where acl_domain = 'dmadmin' group by acl_name Note: The job may take a while to run depending on the amount of data. Once the query returns no rows the job is complete.

Smoke Testing the Change

After any major change to your Documentum infrastructure you should Test, Test, Test. Detailed test steps vary based on your Documentum application environment. It is important to have a test plan defined during your preparation. However, below are some brief smoke test steps which should prove helpful:

• If you are using Web Publisher:
  • Log into Web Publisher as the new installation owner
  • Create content based on a template
  • Start a workflow; Log in as the workflow approver to ensure the task went to the correct user
  • Access Web View
• If you are using Documentum Administrator:
  • Log into Administrator as the new installation owner
  • Spot check jobs (i.e. dm_DataDictionaryPublisher, dm_FulltextMgr , etc.) to ensure they are successfully running
• If you are using Site Caching Services:
  • Log into Administrator as the new installation owner
  • Navigate to Site Publishing Configuration
  • Check a configuration; run an ‘End to End’ test
• If you are using any other Documentum products:
  • Log into each application
  • Perform everyday user tasks
• Run Consistency Checker (dm_ConsistencyChecker) Job. This report appears under System/SysAdmin/Reports

Common Issues/Helpful Hints

1. Setting user permission on %DOCUMENTUM_HOME% can be cumbersome, is there an easier way to perform this task?
   Yes. It would be recommended to have a system administrator run a windows scripts to update all folders and files under %DOCUMENTUM_HOME%. Another shortcut would be to set the local Administrator group on the Windows 2000 with Full Control permission on all subfolders and files under %DOCUMENTUM_HOME%. Later, when updating an installation owner you would just need to add/remove users from the local Administrator group. Setting the Administrator group permissions in this fashion also eases backing up Content Server files.
2. Can you update only the user domain?
   Yes. To update only the user domain you will need to:
   • Add the new domain user to the Administrator group on the Windows 2000 server; Set up the user as act as part of the operating system
   • Update the user_domain attribute of the installation owner:
     update dm_user object set user_domain = '[new domain]‘ where user_name = ‘[installation owner]‘
   • Edit the user_auth_target parameters in the server.ini file to reference the new domain for each Docbase in the installation.
   • Update permission on all subfolders and files under %DOCUMENTUM_HOME% to use the new domain user.
   • Update Windows Registry - HKEY_LOCAL_MACHINE\SOFTWARE\Documentum\Server\version_no
     • Change the value of DM_DMADMIN_DOMAIN to the new domain
   • Set up the appropriate start-up information (Log on As: This Account) for Documentum Services to use the new domain user
3. Can you update only the user password?
   Yes. Stop all Documentum services (Docbases, DocBroker, Java Method Server, Site Caching Services). Within the service properties under the Log on Tab, enter the new password under Log On As: This Account.
4. What if after running the Reassign User job there are still objects referencing the old user?
   This sometimes happens if there are many objects (such as log files) owned by the old installation owner. A solution to this is to wait for the job to complete and then recreate the previous installation owner within Documentum then run ‘Reassign User’ again. Continue this until the following queries return 0 rows:

                           
   select count(*), acl_name from dm_sysobject where acl_domain = '[old installation owner]‘ group by acl_name;
   select r_object_id from dm_sysobject where owner_name= ‘[old installation owner]‘;
   
                       

   Note: Many of the return rows may be log files depending on the last time a log purge was performed. To remove log files from the query results add and title not like 'Result of%' to the end of the query.