Implementing a Security Policy in Laserfiche 8
LAB 201
Steve Hackney

Agenda
- Architecture
- Authentication
- Authorization
- Template/Field Security
- Volume Security
- Entry Access Rights
- Tags
- Recycle Bin
- Order of Precedence
Architecture
Users and Groups
- Laserfiche security is based on User or Group Rights
- In order to know which rights someone should have, they should provide credentials to Laserfiche
- Tip #1: Use Groups when possible

Authentication
- Verifies a user's identity
- Access to the Repository from any Laserfiche portal/module requires authentication
- Authentication provides credentials; Authorization defines rights

Methods of Authentication
- Administrator-defined Username and Password
- Windows Authentication
  - User Mapping
  - Windows Accounts
- Tip #2: Use Windows Authentication when possible
Windows Authentication
- User Mapping (LF 7): Map a Windows user/group account to an existing Laserfiche user/group. It is possible to deny Laserfiche access to individual members of a Windows group.
- Windows Authentication (LF 8): Add a Windows user/group directly into the Laserfiche Admin Console and apply rights to the Windows account.
Exercise #1: Create Users and Groups
- Refer to steps provided in the exercise packet
Remember to keep the following best practices in mind:
- Use Windows Authentication
- Use groups when possible

Authorization Overview
Layers of Security:
- Privileges
- Feature Rights
- Entry Access Rights
- Setting up Default Security
- Template/Field Security
- Volume Security
- Security Tags
- Order of Precedence
New to Laserfiche 8:
- Default Security
- Recycle Bin
- Annotation Security
Privileges
Privileges are administrative abilities for managing the repository.
- Version 7 – Admin Privileges
  - Manage Trustees
  - Manage Volumes
  - Manage Entry Access Rights
- Version 8 – Manager Privileges (separate privileges for metadata)
  - Manage Templates and Fields
  - Create Templates and Fields
  - Manage Links
  - Manage Stamps
  - Manage Tags
  - Purge Entries
- Tip #3: Take advantage of the manager-type Privileges. Giving the managers more administrative responsibilities will make administering the repository more feasible.

Feature Rights
Feature Rights include general abilities in the client.
- Feature rights are not specific to a document or folder
- Also described as Global (repository-wide) rights
- Examples: Scan, Import, Search, Print, Export, Edit text
- Tip #4: Assign common rights to groups when possible

Exercise #2: Assign Groups and Users Privileges and Feature Rights
- Feature Rights and Privileges are global and are therefore set up in the Admin Console
- Refer to steps provided in the exercise packet
Remember to keep the following best practices in mind:
- Assign common rights to groups: this will save you time not only initially, but also when new members are added to the group
- Use the Manager-type privileges to make your life easier!
Field Security Rights
- Applicable to filling out fields: Read, Create, Edit
- Field management: Modify Field, Delete Field
- Access management: Read Access Control List (ACL), Modify Access Control List (ACL)

Template Security Rights
- Modify Template
- Delete Template
- Read Template Security
- Change Template Security

Exercise #3: Assign Field and Template Rights to Users and Groups
- Template and Field security is set up in the Admin Console
- Refer to steps provided in the exercise packet
Remember to keep the following best practices in mind:
- Assign common rights to groups: this will save you time not only initially, but also when new members are added to the group
- Use the Manager-type privileges to make your life easier!

Volume Security Rights
- Laserfiche 7: Read, Append Data, Modify/Delete Documents, Create Documents
- Laserfiche 8: Delete Volume, Read Volume Security, Change Volume Security
Security Tags
Security Tags are a dynamic layer of security giving a user the ability to restrict other users' access to documents.
- Tags are first created by the admin and then assigned to groups or users
- Users that have been assigned a tag can then "tag" documents or folders
- Only users who have been assigned the tag can view the documents with that tag
- Tip #5: Assign the Administrator all tags
Security Tags: worked scenario
1) If a document is tagged with Tag B, who can see the document?
The CEO requests the Executive Level Security Tag.
2) Who can see the document now?
3) The CEO tags the document with Tag A. Who can see the document now?
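The scenario above, worked through in code as an added example (not from the lab packet and not Laserfiche's own code). The tag assignments are constructed; the Administrator holds every tag, as Tip #5 recommends. Two assumptions: a document carrying several tags is visible only to users who hold all of them, which is how the Tag A / Tag B build-up reads, and the "Executive Level" tag the CEO requests is taken to be Tag B, which the slides do not state.

```python
"""Security-tag visibility check (constructed model of the rule on the Security Tags slides)."""

# Constructed tag assignments. The Administrator holds every tag (Tip #5).
ASSIGNMENTS = {
    "Administrator": {"Tag A", "Tag B"},
    "CEO": {"Tag A"},          # does not yet hold the tag on the document
    "Archie": {"Tag B"},
    "Veronica": set(),         # no tags: sees only untagged documents
}


def can_view(user_tags, doc_tags):
    """A user sees a tagged document only if they hold every tag on it.
    (Assumed rule for documents with more than one tag.) An untagged
    document is visible to everyone, since the empty set is a subset of any set."""
    return set(doc_tags) <= set(user_tags)


def who_can_see(doc_tags, assignments=ASSIGNMENTS):
    """Sorted names of the users able to view a document with the given tags."""
    return sorted(user for user, tags in assignments.items() if can_view(tags, doc_tags))


def walk_scenario():
    """Answers the three questions on the slide under the constructed assignments.
    Works on copies so the module-level ASSIGNMENTS stay unchanged."""
    assignments = {user: set(tags) for user, tags in ASSIGNMENTS.items()}
    doc_tags = {"Tag B"}
    # 1) Document tagged with Tag B: only holders of Tag B
    step1 = who_can_see(doc_tags, assignments)
    # 2) The CEO is granted the requested tag (assumed to be Tag B)
    assignments["CEO"].add("Tag B")
    step2 = who_can_see(doc_tags, assignments)
    # 3) The CEO adds Tag A: viewers now need both tags, so Archie loses access
    doc_tags.add("Tag A")
    step3 = who_can_see(doc_tags, assignments)
    return step1, step2, step3


if __name__ == "__main__":
    for number, viewers in enumerate(walk_scenario(), start=1):
        print(f"Step {number}: {', '.join(viewers)}")
```

Step 3 is the point of the slide: by adding a tag they hold, the CEO restricts the document to the intersection of the two tag populations without touching any entry access rights, which is why the Administrator should hold every tag, or documents can silently disappear from administrative view.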
Entry Access Rights
Entry Access Rights are abilities allowed or denied for specific documents or folders in a repository.
- Browse
- Read
- Write
- See Annotations
- See Through Redactions
- Access Control
- Write Metadata
- Create Documents
- Etc.

Scope
Scope determines how an access right is inherited:
- This folder, subfolders and documents
- This folder and subfolders
- Subfolders and documents only
- Documents only
- This entry only
Security: Order of Precedence
- Inherited rights vs. Explicit rights
- Explicit rights are applied to a specific folder
- Inherited rights are propagated through scope
- Explicit rights will always take precedence over inherited rights
Inherited Allow with Explicit Deny
- Archie allowed at Sales Department, inherited down
- Archie denied at Region - Central
Conclusion: Archie does not have access to Region - Central.
Inherited Deny with Explicit Allow
- Veronica denied access at Sales Department, inherited down
- Veronica allowed access explicitly at Region - Central
Conclusion: Veronica can access Region - Central, but cannot browse to it due to security on the Sales Department folder. Veronica can still SEARCH for Region - Central.
Security: Order of Precedence
Because rights may overlap, the Order of Precedence dictates which right takes priority.
- Explicit Access Rights: Deny, Allow, or None
- If the User is allowed and the Group is denied, then the user does not have access
- If the User is allowed and the Group is allowed, then the user has access
- If the User is allowed and it is not defined at the Group level, then the user is allowed
- If it is not defined at the User/Group level, then the user is not allowed

Security: Order of Precedence
Two methods to apply security:
- Allow all and then deny
- Allow nothing, then allow
- Tip #5: Use the allow nothing, then allow method when possible. This requires the use of the scope "This Entry Only".

Security: Order of Precedence – 7 Rights Established
- Sales Team allowed at Sales Department explicitly, inherited down
- Veronica and Betty denied explicitly at Region - Central
- Archie and Betty denied explicitly at Region - East
- Archie and Veronica denied explicitly at Region - West

Security: Order of Precedence – 4 Rights Established
- Sales Team allowed at Sales Department explicitly, THIS ENTRY ONLY
- Archie allowed explicit rights to Region - Central
- Veronica allowed explicit rights to Region - East
- Betty allowed explicit rights to Region - West
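The scope and order-of-precedence rules above, modelled in code as an added example (not from the lab packet and not Laserfiche's own implementation). It follows exactly the simplified rule the slides state: an explicit right on the entry itself wins outright, otherwise rights inherited through scope apply, a deny on the user or any of their groups beats an allow, and nothing defined means no access. It builds both the 7-right and 4-right Sales Department trees and the Veronica example, and assumes Archie, Veronica and Betty are all members of the Sales Team group, which the slides imply but do not say.

```python
"""Constructed model of entry access rights, scope and order of precedence as the slides describe them."""
from dataclasses import dataclass, field

# Scope values, named as on the Scope slide
THIS_ENTRY_ONLY = "This entry only"
FOLDER_SUBFOLDERS_DOCS = "This folder, subfolders and documents"
FOLDER_AND_SUBFOLDERS = "This folder and subfolders"
SUBFOLDERS_AND_DOCS_ONLY = "Subfolders and documents only"
DOCUMENTS_ONLY = "Documents only"


@dataclass
class Entry:
    """A folder or document; aces holds (trustee, right, allow, scope) tuples set on this entry."""
    name: str
    is_folder: bool = True
    parent: "Entry" = None
    aces: list = field(default_factory=list)

    def grant(self, trustee, right, allow, scope=FOLDER_SUBFOLDERS_DOCS):
        self.aces.append((trustee, right, allow, scope))
        return self


def scope_covers(scope, origin, target):
    """Does an ACE placed on origin with this scope reach target (origin itself or a descendant)?"""
    if target is origin:
        return scope in (THIS_ENTRY_ONLY, FOLDER_SUBFOLDERS_DOCS, FOLDER_AND_SUBFOLDERS)
    if scope in (FOLDER_SUBFOLDERS_DOCS, SUBFOLDERS_AND_DOCS_ONLY):
        return True
    if scope == FOLDER_AND_SUBFOLDERS:
        return target.is_folder
    if scope == DOCUMENTS_ONLY:
        return not target.is_folder
    return False  # THIS_ENTRY_ONLY never propagates downward


def decide(aces, trustees, right):
    """Among ACEs naming the user or one of their groups: any deny wins, else allow, else None."""
    verdict = None
    for trustee, r, allow, _scope in aces:
        if r == right and trustee in trustees:
            if not allow:
                return False
            verdict = True
    return verdict


def has_right(user, groups, entry, right):
    """Effective right of user (member of groups) on entry, per the slides' order of precedence."""
    trustees = {user, *groups}
    # 1. Explicit rights set on the entry itself always take precedence
    explicit = [a for a in entry.aces if scope_covers(a[3], entry, entry)]
    verdict = decide(explicit, trustees, right)
    if verdict is not None:
        return verdict
    # 2. Otherwise rights inherited from ancestors whose scope reaches this entry
    inherited, node = [], entry.parent
    while node is not None:
        inherited.extend(a for a in node.aces if scope_covers(a[3], node, entry))
        node = node.parent
    verdict = decide(inherited, trustees, right)
    # 3. Not defined at user or group level: not allowed
    return verdict is True


def build_seven_rights():
    """Slide '7 Rights Established': allow the team at the top, deny individuals region by region."""
    sales = Entry("Sales Department").grant("Sales Team", "Browse", True)
    central = Entry("Region - Central", parent=sales)
    central.grant("Veronica", "Browse", False).grant("Betty", "Browse", False)
    east = Entry("Region - East", parent=sales)
    east.grant("Archie", "Browse", False).grant("Betty", "Browse", False)
    west = Entry("Region - West", parent=sales)
    west.grant("Archie", "Browse", False).grant("Veronica", "Browse", False)
    return [sales, central, east, west]


def build_four_rights():
    """Slide '4 Rights Established': allow the team on the top folder only, then allow per region."""
    sales = Entry("Sales Department").grant("Sales Team", "Browse", True, THIS_ENTRY_ONLY)
    central = Entry("Region - Central", parent=sales).grant("Archie", "Browse", True)
    east = Entry("Region - East", parent=sales).grant("Veronica", "Browse", True)
    west = Entry("Region - West", parent=sales).grant("Betty", "Browse", True)
    return [sales, central, east, west]


def ace_count(tree):
    return sum(len(e.aces) for e in tree)


def regions_visible(user, tree, groups=("Sales Team",)):
    """Region folders the user can Browse; Sales Team membership assumed for all three reps."""
    return [e.name for e in tree[1:] if has_right(user, set(groups), e, "Browse")]


def inherited_deny_explicit_allow():
    """Slide 'Inherited Deny with Explicit Allow'. Returns (Browse Region - Central, Browse Sales Department)."""
    sales = Entry("Sales Department").grant("Veronica", "Browse", False)
    central = Entry("Region - Central", parent=sales).grant("Veronica", "Browse", True)
    return has_right("Veronica", set(), central, "Browse"), has_right("Veronica", set(), sales, "Browse")


if __name__ == "__main__":
    for build in (build_seven_rights, build_four_rights):
        tree = build()
        print(f"{build.__name__}: {ace_count(tree)} ACEs")
        for rep in ("Archie", "Veronica", "Betty"):
            print(f"  {rep}: {regions_visible(rep, tree)}")
    print("Veronica (Region - Central, Sales Department):", inherited_deny_explicit_allow())
```

Both trees give every rep the same single region, which is the slide's point: the allow-nothing-then-allow layout reaches the same result with four rights instead of seven, and a new rep or region needs one added allow rather than a deny on every sibling folder. The Veronica function returns (True, False): she holds Browse on Region - Central but not on Sales Department, so she cannot navigate to it and must search for it, exactly as the earlier slide concludes.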
Exercise #4: Assign Access Rights to Users and Groups
- Access rights are applied to the Folder Structure
- Refer to steps provided in the exercise packet
Remember to keep the following best practices in mind:
- Assign rights to groups wherever applicable: this will save you time not only initially, but also when new members are added to the group
- Use the Allow none and then Allow method
- Hint: This method requires the use of the scope "This Entry Only"

New to Laserfiche 8
Default Security
- Can automate default security for the following: Templates, Fields, Volumes
- Can be applied to Users/Groups/Owner
- Owner is the person who created the object
Recycle Bin
- Purge Entry Privilege
- Entry Access Rights Privilege
Annotation security

Exercise #5: Setting up Default Security
- Access rights are applied to the Folder Structure
- Refer to steps provided in the exercise packet
- Tip #6: Use the new security features in Laserfiche 8 to make administering Laserfiche more efficient

New to Laserfiche 8
Recycle Bin
- Purge Entry Privilege
- Entry Access Rights Privilege
Annotation security
- Entry Access Rights Privilege