Document Security | Handling user data document-security-handling-user-data
AEM Forms document security allows you to create, store, and apply predefined security settings to your documents. It ensures that only authorized users can use the documents. You can protect documents by using policies. A policy is a collection of information that includes security settings and a list of authorized users. You can apply a policy to one or more documents and authorizes users who are added in AEM Forms JEE user management.
User data and data stores user-data-and-data-stores
Document security stores policies and data related to protected documents including user data in a database, such as My Sql, Oracle, MS SQL Server, and IBM DB2. In addition, the data for authorized users in a policy in store in user management. For information about data stored in user management, see Forms User Management: Handling user data.
The following table maps how document security organizes data in database tables.
Access and delete user data access-and-delete-user-data
You can access and export document security data for users in the databases, and if required, delete it permanently.
To export or delete user data from a database, you need to connect to the database using a database client and find out the principal ID based on some personally identifiable information of the user. For example, to retrieve the principal ID of a user using a login ID, run the following select
command on the database.
In the select
command, replace the <user_login_id>
with the login ID of the user whose principal ID you want to retrieve from the EdcPrincipalUserEntity
database table.
select refprincipalid from EdcPrincipalUserEntity where uidstring = <user_login_id>
Once you know the principal ID, you can export or delete the user data.
Export user data export-user-data
Run the following database commands to export user data for a principal ID from database tables. In the select
command, replace <principal_id>
with the principal ID of the user whose data you want to export.
EdcPolicySetPrincipalEntity
with EdcPolicySetPrincipalEnt
in the commands.Select * from EdcPrincipalKeyEntity where principalid = '<principal_id>';
Select * from EdcLicenseEntity where publisherId = '<principal_id>';
Select * from EdcDocumentEntity where id in (Select documentid from EdcLicenseEntity where publisherId = '<principal_id>');
Select * from EdcRevokationEntity where licenseid in (Select id from EdcLicenseEntity where publisherId = '<principal_id>');
Select * from EdcMyPolicyListEntity where principalId = '<principal_id>';
Select * from edcpolicyentity where policyownerId = '<principal_id>';
Select * from edcpolicyxmlentity where policyidref in (Select id from edcpolicyentity where policyownerId = '<principal_id>');
Select * from edcpolicyarchiveentity where policyownerId = '<principal_id>';
Select * from edcpolicysetprincipalentity where principalId = '<principal_id>';
Select * from edcinviteduserentity where principalId = '<principal_id>';
EdcAuditEntity
table, use the EventManager.exportEvents API that takes EventSearchFilter as a parameter to export audit data based on principalId
, policyId
, or licenseId
.To get complete data about a user in the system, you must access and export data from user management database. For more information, see Forms user management: Handling user data.
Delete user data delete-user-data
Do the following to delete document security data for a principal ID from database tables.
-
Shut down the AEM Forms server.
-
Run the following database commands to delete data for the principal ID from database tables for document security. In the
Delete
command, replace<principal_id>
with the principal ID of the user whose data you want to delete.code language-sql Delete from EdcPrincipalKeyEntity where principalid = '<principal_id>'; Delete from EdcMyPolicyListEntity where principalId = '<principal_id>'; Delete from edcpolicyarchiveentity where policyownerId = '<principal_id>'; Delete from edcpolicysetprincipalentity where principalId = '<principal_id>'; Delete from edcinviteduserentity where principalId = '<principal_id>';
note note NOTE To delete data from the EdcAuditEntity
table, use the EventManager.deleteEvents API that takes EventSearchFilter as a parameter to delete audit data based onprincipalId
,policyId
, orlicenseId
. -
Active and archived policy XML files are stored in the
EdcPolicyXmlEntity
andEdcPolicyArchiveEntity
database tables, respectively. To delete data for a user from these tables, do the following:- Open the XML blob of each row in the
EdcPolicyXMLEntity
orEdcPolicyArchiveEntity
table and extract the XML file. The XML file is similar to the one shown below. - Edit the XML file to remove the blob for the principal ID.
- Repeat steps 1 and 2 for the other file.
note note NOTE You must remove the complete blob within the Principal
tag for a principal ID or the policy XML may get corrupt or unusable.code language-xml <ns2:Principal PrincipalNameType="USER"> <ns2:PrincipalDomain>OID</ns2:PrincipalDomain> <ns2:PrincipalName>56F33FEB-098A-1036-A651-00000A2A2656</ns2:PrincipalName> </ns2:Principal> </ns2:PolicyEntry> <ns2:Property PropertyName="isCertified"> <ns2:PropertyValue xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance" xmlns:xs="https://www.w3.org/2001/XMLSchema" xsi:type="xs:string">false</ns2:PropertyValue> </ns2:Property> <ns2:Property PropertyName="encryptionAlgorithm"> <ns2:PropertyValue xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance" xmlns:xs="https://www.w3.org/2001/XMLSchema" xsi:type="xs:string">AES128</ns2:PropertyValue> </ns2:Property> <ns2:Property PropertyName="AccessDeniedErrorMessage"> <ns2:PropertyValue xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance" xmlns:xs="https://www.w3.org/2001/XMLSchema" xsi:type="xs:string"></ns2:PropertyValue> </ns2:Property> <ns2:PolicyEntry> <ns2:Permission PermissionName="ns3:com.adobe.aps.onlineOpen" Access="ALLOW"/> <ns2:Permission PermissionName="ns3:com.adobe.aps.pdf.copy" Access="ALLOW"/> <ns2:Permission PermissionName="ns3:com.adobe.aps.offlineOpen" Access="ALLOW"/> <ns2:Permission PermissionName="ns3:com.adobe.aps.pdf.accessible" Access="ALLOW"/> <ns2:Permission PermissionName="ns3:com.adobe.aps.pdf.editNotes" Access="ALLOW"/> <ns2:Permission PermissionName="ns3:com.adobe.aps.pdf.edit" Access="ALLOW"/> <ns2:Permission PermissionName="ns3:com.adobe.aps.pdf.fillAndSign" Access="ALLOW"/> <ns2:Permission PermissionName="ns3:com.adobe.aps.pdf.printHigh" Access="ALLOW"/> <ns2:Permission PermissionName="ns3:com.adobe.aps.pdf.printLow" Access="ALLOW"/>
In addition to deleting data directly from the
EdcPolicyXmlEntity
table, there are two more ways you can achieve this:Using administration console
- As an administrator, log into the Forms JEE administration console at https://[server]:[port]/adminui.
- Navigate to Services > Document Security > Policy Sets.
- Open a policy set and delete the user from the policy.
Using document security web page
Document security users who have permissions to create personal policies can delete user data from their policies. To do so:
- Users who have personal policies log into their document security web page at https://[server]:[port]/edc.
- Navigate to Services > Document Security > My Policies.
- Open a policy and delete the user from the policy.
note note NOTE Administrators can search, access, and delete user data from personal policies of other users in Services > Document Security > My Policies using administration console. - Open the XML blob of each row in the
-
Delete the data for the principal ID from user management database. For detailed steps, see Forms User Management | Handling user data.
-
Start the AEM Forms server.