export_security_system()

Exports the permission clauses and rights bit fields configured at the group level of the security system. Returns one entry per (group × cabinet × object type) with the granted main rights, annotation rights and any configured permission clauses.

The security system has two parallel mechanisms: clauses at the group level (this job) and ACL rules at the object level (dms.ReadSD).

1. Signature

Sync
Async

ecm.security.export_security_system(group_ids: list[int] | None = None) -> ECMSecuritySystemExport

await ecm.security.export_security_system(group_ids: list[int] | None = None) -> ECMSecuritySystemExport

2. Parameters

Parameter Default Description

Parameter	Default	Description
`group_ids`	`None`	List of numeric group IDs (see `mng.GetGroupList` → `id`). `None` or an empty list export every group on the server.

group_ids

None

List of numeric group IDs (see mng.GetGroupList → id). None or an empty list export every group on the server.

3. Return value

ECMSecuritySystemExport with three fields:

Field Type Description

Field	Type	Description
`timestamp`	`datetime`	Server-side creation timestamp from the `<AdmInfo timestamp>` attribute.
`group_clauses`	`list[ECMGroupClause]`	One `<GroupClause>` entry per (group × cabinet × object type).
`exported_groups`	`list[ECMExportedGroup]`	The groups covered by the export.

timestamp

datetime

Server-side creation timestamp from the <AdmInfo timestamp> attribute.

group_clauses

list[ECMGroupClause]

One <GroupClause> entry per (group × cabinet × object type).

exported_groups

list[ECMExportedGroup]

The groups covered by the export.

3.1. ECMGroupClause fields

Field Type Description

Field	Type	Description
`group_id`	`int`	Numeric ID of the group.
`group_name`	`str`	Display name of the group.
`cabinet_id`	`int`	Numeric ID of the cabinet.
`cabinet_name`	`str`	Display name of the cabinet.
`object_type_id`	`int`	Numeric ID of the object type. Resolve via `dms.GetObjDef` / `ecm.system.definition()`.
`object_type_name`	`str`	Display name of the object type.
`rights`	`ECMObjectRight`	Bit field of granted main rights.
`annotations`	`ECMAnnotationRight`	Bit field of granted annotation rights.
`delete_clause`	`str`	Clause for D (delete object). Empty string when no clause is configured.
`write_clause`	`str`	Clause for W (write index data).
`obread_clause`	`str`	Clause for X (output object).
`obwrite_clause`	`str`	Clause for U (write object).
`hlp_clause`	`str`	Clause for R (display index data) — historically called „Hilfsrecht".
`str_clause`	`str`	Legacy attribute, always empty; can be ignored.

group_id

int

Numeric ID of the group.

group_name

str

Display name of the group.

cabinet_id

int

Numeric ID of the cabinet.

cabinet_name

str

Display name of the cabinet.

object_type_id

int

Numeric ID of the object type. Resolve via dms.GetObjDef / ecm.system.definition().

object_type_name

str

Display name of the object type.

rights

ECMObjectRight

Bit field of granted main rights.

annotations

ECMAnnotationRight

Bit field of granted annotation rights.

delete_clause

str

Clause for D (delete object). Empty string when no clause is configured.

write_clause

str

Clause for W (write index data).

obread_clause

str

Clause for X (output object).

obwrite_clause

str

Clause for U (write object).

hlp_clause

str

Clause for R (display index data) — historically called „Hilfsrecht".

str_clause

str

Legacy attribute, always empty; can be ignored.

3.2. ECMObjectRight (flag enum)

Flag Value Meaning

Flag	Value	Meaning
`X`	`0x01`	Output object
`D`	`0x02`	Delete object
`W`	`0x04`	Write index data
`R`	`0x08`	Display index data — prerequisite for every other right
`U`	`0x10`	Write object — additionally requires `X`

X

0x01

Output object

D

0x02

Delete object

W

0x04

Write index data

R

0x08

Display index data — prerequisite for every other right

U

0x10

Write object — additionally requires X

3.3. ECMAnnotationRight (flag enum)

Flag Value Meaning

Flag	Value	Meaning
`G`	`0x01`	See / edit annotations
`P`	`0x02`	PDF / print annotations

G

0x01

See / edit annotations

P

0x02

PDF / print annotations

Annotation rights are pure bitmask markers and do not carry clauses.

4. Examples

4.1. Export all groups

Sync
Async

export = ecm.security.export_security_system()
print(export.timestamp)
for grp in export.exported_groups:
    print(grp.id, grp.name)

export = await ecm.security.export_security_system()

4.2. Find configured delete clauses per group

export = ecm.security.export_security_system()
for clause in export.group_clauses:
    if clause.delete_clause:
        print(f"{clause.group_name} / {clause.object_type_name}: {clause.delete_clause}")

4.3. Filter by selected groups

export = ecm.security.export_security_system(group_ids=[100, 200])

4.4. Inspect rights as flag set

from ecmind_blue_client.ecm import ECMObjectRight

export = ecm.security.export_security_system()
for clause in export.group_clauses:
    if ECMObjectRight.D in clause.rights and clause.delete_clause:
        # Group may delete, but only when the clause matches.
        print(clause.group_name, clause.object_type_name, clause.delete_clause)

5. Clause language

The *_clause strings are the raw server-side clauses. Key rules:

Clauses start with the syntax-version prefix BCCF.
Field references access DB columns of the object (feldN, zahlN, realN, datumN). Resolve to internal field names via ecm.system.definition().
sys'<name>' references base parameters (e.g. sys’modifyuser').
folder( <expr> ) evaluates the inner expression in the parent folder’s context. Not allowed on folder object types themselves.
Operators: =, !=, >, <, >=, ⇐, in, not in, between, not between, and, or.
Variables: DATE, DATETIME, TIME, USER, GROUPS, RIGHTGROUP, COMPUTERNAME, COMPUTERGUID, COMPUTERIP.

6. See also

groups() — returns the groups with their id fields for group_ids
group() — detail attributes of a single group
ecm.system.definition() — resolve cabinet_id, object_type_id and DB columns to display / internal names