Access and delete user data

You can access and export document security data for users in the databases, and if necessary, delete it permanently.

To export or delete user data from a database, you must connect to the database using a database client and find out the principal ID based on some personally identifiable information of the user. For example, to retrieve the principal ID of a user using a login ID, run the following select command on the database.

In the select command, replace the <user_login_id> with the login ID of the user whose principal ID you want to retrieve from the EdcPrincipalUserEntity database table.

select refprincipalid from EdcPrincipalUserEntity where uidstring = '<user_login_id>';

Once you know the principal ID, you can export or delete the user data.

Export user data

Run the following database commands to export user data for a principal ID from the database tables. In each select command, replace <principal_id> with the principal ID of the user whose data you want to export.

NOTE
The following commands use database table names in MySQL and IBM® DB2® databases. When running these commands on Oracle and MS® SQL databases, replace EdcPolicySetPrincipalEntity with EdcPolicySetPrincipalEnt in the commands.

Select * from EdcPrincipalKeyEntity where principalid = '<principal_id>';

Select * from EdcLicenseEntity where publisherId = '<principal_id>';

Select * from EdcDocumentEntity where id in (Select documentid from EdcLicenseEntity where publisherId = '<principal_id>');

Select * from EdcRevokationEntity where licenseid in (Select id from EdcLicenseEntity where publisherId = '<principal_id>');

Select * from EdcMyPolicyListEntity where principalId = '<principal_id>';

Select * from edcpolicyentity where policyownerId = '<principal_id>';

Select * from edcpolicyxmlentity where policyidref in (Select id from edcpolicyentity where policyownerId = '<principal_id>');

Select * from edcpolicyarchiveentity where policyownerId = '<principal_id>';

Select * from edcpolicysetprincipalentity where principalId = '<principal_id>';

Select * from edcinviteduserentity where principalId = '<principal_id>';
NOTE
To export data from the EdcAuditEntity table, use the EventManager.exportEvents API that takes EventSearchFilter as a parameter to export audit data based on principalId, policyId, or licenseId.

To get complete data about a user in the system, you must access and export data from the user management database. For more information, see Forms user management: Handling user data.
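The lookup and export steps above, as an added example (not Adobe's code) that binds the login ID and principal ID as query parameters and refuses to export when the login ID does not resolve to exactly one principal. It assumes Python's sqlite3 as an offline stand-in for the real database; the schema holds only the columns named on this page, and the rows and the helper names are constructed for illustration. The placeholder syntax (`?`) differs between database drivers.

```python
import sqlite3

# Three of the page's export queries, with the principal ID bound as a
# parameter (?) instead of being pasted into the SQL text.
EXPORT_QUERIES = {
    "EdcPrincipalKeyEntity":
        "SELECT * FROM EdcPrincipalKeyEntity WHERE principalid = ?",
    "EdcLicenseEntity":
        "SELECT * FROM EdcLicenseEntity WHERE publisherId = ?",
    "EdcDocumentEntity":
        "SELECT * FROM EdcDocumentEntity WHERE id IN "
        "(SELECT documentid FROM EdcLicenseEntity WHERE publisherId = ?)",
}

def find_principal_id(conn, login_id):
    """Resolve a login ID to exactly one principal ID, or raise LookupError."""
    rows = conn.execute(
        "SELECT refprincipalid FROM EdcPrincipalUserEntity WHERE uidstring = ?",
        (login_id,)).fetchall()
    if len(rows) != 1:
        raise LookupError(f"expected 1 principal, found {len(rows)}")
    return rows[0][0]

def export_user_data(conn, login_id):
    """Return {table name: [row as dict, ...]} for the user behind login_id."""
    principal_id = find_principal_id(conn, login_id)
    bundle = {}
    for table, sql in EXPORT_QUERIES.items():
        cur = conn.execute(sql, (principal_id,))
        cols = [c[0] for c in cur.description]
        bundle[table] = [dict(zip(cols, row)) for row in cur.fetchall()]
    return bundle

def demo_db():
    """Constructed in-memory stand-in; only columns named on the page exist."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE EdcPrincipalUserEntity (refprincipalid TEXT, uidstring TEXT);
        CREATE TABLE EdcPrincipalKeyEntity (principalid TEXT);
        CREATE TABLE EdcLicenseEntity (id TEXT, documentid TEXT, publisherId TEXT);
        CREATE TABLE EdcDocumentEntity (id TEXT);
        INSERT INTO EdcPrincipalUserEntity VALUES ('P-1', 'alice'), ('P-2', 'bob');
        INSERT INTO EdcPrincipalKeyEntity VALUES ('P-1'), ('P-2');
        INSERT INTO EdcLicenseEntity VALUES ('L-1', 'D-1', 'P-1'), ('L-2', 'D-2', 'P-2');
        INSERT INTO EdcDocumentEntity VALUES ('D-1'), ('D-2');
    """)
    return conn

if __name__ == "__main__":
    print(export_user_data(demo_db(), "alice"))
```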

Delete user data

Do the following to delete document security data for a principal ID from database tables.

  1. Shut down the AEM Forms Server.

  2. Run the following database commands to delete data for the principal ID from the document security database tables. In each Delete command, replace <principal_id> with the principal ID of the user whose data you want to delete.

    Delete from EdcPrincipalKeyEntity where principalid = '<principal_id>';
    
    Delete from EdcMyPolicyListEntity where principalId = '<principal_id>';
    
    Delete from edcpolicyarchiveentity where policyownerId = '<principal_id>';
    
    Delete from edcpolicysetprincipalentity where principalId = '<principal_id>';
    
    Delete from edcinviteduserentity where principalId = '<principal_id>';
    
    NOTE
    To delete data from the EdcAuditEntity table, use the EventManager.deleteEvents API that takes EventSearchFilter as a parameter to delete audit data based on principalId, policyId, or licenseId.
  3. Active and archived policy XML files are stored in the EdcPolicyXmlEntity and EdcPolicyArchiveEntity database tables, respectively. To delete data for a user from these tables, do the following:

    1. Open the XML blob of each row in the EdcPolicyXMLEntity or EdcPolicyArchiveEntity table and extract the XML file. The XML file is similar to the one shown below.
    2. Edit the XML file to remove the blob for the principal ID.
    3. Repeat steps 1 and 2 for the other file.
    NOTE
    Remove the complete blob within the Principal tag for a principal ID; otherwise the policy XML may become corrupt or unusable.
    <ns2:Principal PrincipalNameType="USER">
        <ns2:PrincipalDomain>OID</ns2:PrincipalDomain>
        <ns2:PrincipalName>56F33FEB-098A-1036-A651-00000A2A2656</ns2:PrincipalName>
    </ns2:Principal>
    </ns2:PolicyEntry>
        <ns2:Property PropertyName="isCertified">
            <ns2:PropertyValue xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance" xmlns:xs="https://www.w3.org/2001/XMLSchema" xsi:type="xs:string">false</ns2:PropertyValue>
        </ns2:Property>
        <ns2:Property PropertyName="encryptionAlgorithm">
            <ns2:PropertyValue xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance" xmlns:xs="https://www.w3.org/2001/XMLSchema" xsi:type="xs:string">AES128</ns2:PropertyValue>
        </ns2:Property>
        <ns2:Property PropertyName="AccessDeniedErrorMessage">
            <ns2:PropertyValue xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance" xmlns:xs="https://www.w3.org/2001/XMLSchema" xsi:type="xs:string"></ns2:PropertyValue>
        </ns2:Property>
    <ns2:PolicyEntry>
    <ns2:Permission PermissionName="ns3:com.adobe.aps.onlineOpen" Access="ALLOW"/>
    <ns2:Permission PermissionName="ns3:com.adobe.aps.pdf.copy" Access="ALLOW"/>
    <ns2:Permission PermissionName="ns3:com.adobe.aps.offlineOpen" Access="ALLOW"/>
    <ns2:Permission PermissionName="ns3:com.adobe.aps.pdf.accessible" Access="ALLOW"/>
    <ns2:Permission PermissionName="ns3:com.adobe.aps.pdf.editNotes" Access="ALLOW"/>
    <ns2:Permission PermissionName="ns3:com.adobe.aps.pdf.edit" Access="ALLOW"/>
    <ns2:Permission PermissionName="ns3:com.adobe.aps.pdf.fillAndSign" Access="ALLOW"/>
    <ns2:Permission PermissionName="ns3:com.adobe.aps.pdf.printHigh" Access="ALLOW"/>
    <ns2:Permission PermissionName="ns3:com.adobe.aps.pdf.printLow" Access="ALLOW"/>
    

    In addition to deleting data directly from the EdcPolicyXmlEntity table, there are two more ways you can achieve this:

    Using administration console

    1. As an administrator, log in to the Forms JEE administration console at https://[server]:[port]/adminui.
    2. Navigate to Services > Document Security > Policy Sets.
    3. Open a policy set and delete the user from the policy.

    Using document security web page

    Document security users who have permissions to create personal policies can delete user data from their policies. To do so:

    1. Users who have personal policies log in to their document security web page at https://[server]:[port]/edc.
    2. Navigate to Services > Document Security > My Policies.
    3. Open a policy and delete the user from the policy.
    NOTE
    Administrators can search, access, and delete user data from personal policies of other users in Services > Document Security > My Policies using administration console.
  4. Delete the data for the principal ID from the user management database. For detailed steps, see Forms User Management | Handling user data.

  5. Start the AEM Forms Server.
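The XML edit in step 3, as an added example (not Adobe's code): it removes each complete Principal element for a given principal ID, confirms the result is still well-formed, and reports whether the ID still appears anywhere else in the XML. The root element name, the namespace URIs and the second user ID in the sample are constructed placeholders; `xml.dom.minidom` is used because it writes prefixes and xmlns attributes back as parsed, which matters here since the PermissionName values carry an `ns3:` prefix inside attribute text.

```python
from xml.dom import minidom

def node_text(node):
    """Concatenate the direct text children of an element."""
    return "".join(c.data for c in node.childNodes
                   if c.nodeType == c.TEXT_NODE).strip()

def remove_principal(policy_xml, principal_id):
    """Remove every complete <Principal> element whose <PrincipalName> equals
    principal_id. Returns (new_xml, removed, residual), where residual counts
    occurrences of the ID still present anywhere in the edited XML."""
    doc = minidom.parseString(policy_xml)
    removed = 0
    # "*" matches any namespace URI, so the ns2 binding need not be known.
    for principal in list(doc.getElementsByTagNameNS("*", "Principal")):
        names = principal.getElementsByTagNameNS("*", "PrincipalName")
        if any(node_text(n) == principal_id for n in names):
            principal.parentNode.removeChild(principal)  # whole element
            removed += 1
    new_xml = doc.toxml()
    minidom.parseString(new_xml)  # raises if the result is not well-formed
    return new_xml, removed, new_xml.count(principal_id)

# Constructed sample: root name and namespace URIs are placeholders.
SAMPLE = """<ns2:Policy xmlns:ns2="urn:example:policy" xmlns:ns3="urn:example:perm">
  <ns2:PolicyEntry>
    <ns2:Permission PermissionName="ns3:com.adobe.aps.onlineOpen" Access="ALLOW"/>
    <ns2:Principal PrincipalNameType="USER">
      <ns2:PrincipalDomain>OID</ns2:PrincipalDomain>
      <ns2:PrincipalName>56F33FEB-098A-1036-A651-00000A2A2656</ns2:PrincipalName>
    </ns2:Principal>
    <ns2:Principal PrincipalNameType="USER">
      <ns2:PrincipalDomain>OID</ns2:PrincipalDomain>
      <ns2:PrincipalName>CONSTRUCTED-OTHER-USER-ID</ns2:PrincipalName>
    </ns2:Principal>
  </ns2:PolicyEntry>
</ns2:Policy>"""

if __name__ == "__main__":
    xml_out, removed, residual = remove_principal(
        SAMPLE, "56F33FEB-098A-1036-A651-00000A2A2656")
    print(removed, residual)
    print(xml_out)
```

A non-zero residual count means the principal ID is still referenced somewhere other than a PrincipalName element and the row needs manual review before it is written back.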
