Security Overview
- Product-level security determines whether a user can create and manage business processes at all.
- Process-level security determines which actions a user can take on a particular business process.
Product-Level Security
On the System Security page (click your account name and select Administration), you can set product-level security roles for Laserfiche Forms users.
Laserfiche Forms supports two types of users: Named users and Authenticated participants.
- Named users are users from Laserfiche Directory Server, a particular Laserfiche repository, Active Directory server, or LDAP server that have a named user license. Named users can be assigned one of several roles.
- System Administrator can create, modify, import, export, and delete business processes.
- Process Creator can create and manage their own business processes.
- Basic User cannot create business processes, but can have process-level roles that will allow them to administer business processes.
- Inherit From Group takes the security setting of the group or groups the user or group belongs to. If a user belongs to several groups with different settings, the most permissive setting applies, so adding a membership can widen a user's effective role but never narrow it.
Tip: Apply security at the group level whenever possible. Group-based security is easier to apply, faster to update, and ensures consistent access based on your organization's structure.
- Participants are limited-functionality users. Non-Laserfiche Directory Server participant users can sign in with a particular email address that has been assigned a participant license from the Participants tab of the System Security page. Directory Server user accounts with participant licenses can sign in with their expected user names. Participant users can start process instances and perform user tasks, but they cannot create or administer business processes.
Assigning roles to named users
The Named Users tab of the System Security page lists each user that has been assigned a named user license from the Laserfiche Server or Directory Server. It also includes Laserfiche groups.
Note: For LDAP users to appear on this page, they must have a named user license for the Laserfiche Server that Forms connects to. You can grant named user licenses from the Laserfiche Administration Console.
Note: Users receive the Basic User role by default until a group they belong to is given a different security setting or until the setting on the individual user is changed.
- To assign a product-level role to a user or group, select a role from the Role drop-down list for that user.
Note: Any roles assigned to an invalid user are ignored.
- To assign a product-level role to several users or groups, select the checkbox next to each user, click Change Role, and then select the appropriate role.
- To find a user or group, enter their name in the search box and press ENTER.
Note: There is a built-in group named _everyone_group which includes all valid users and participants in the system. This group can be used to configure access rights for: system security, data sources rights, volume rights, process rights, and report manage access rights. There is no option for Inherit From Group for the _everyone_group on the system security page.
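The inheritance rules above (explicit role wins; an inheriting user or group takes the most permissive role of its groups; Basic User is the default) are easy to get wrong when groups are nested. The following is an added example, not Laserfiche code, that models those rules so you can audit who ends up with System Administrator and which group grants it. The user and group names and memberships are constructed sample data.

```python
"""Effective product-level role resolution for Laserfiche Forms named users.

Added example (not Laserfiche code). It models the rules stated on the page:
  - a principal's explicit role applies unless it is "Inherit From Group";
  - an inheriting principal takes the MOST permissive effective role of the
    groups it belongs to (groups may themselves inherit from parent groups);
  - with no setting anywhere in the chain, the default is Basic User.
All names and memberships below are constructed sample data.
"""
from typing import Dict, List, Optional

# Least to most permissive. "Inherit From Group" is a marker, not a role.
ROLE_RANK = {"Basic User": 0, "Process Creator": 1, "System Administrator": 2}
INHERIT = "Inherit From Group"
DEFAULT_ROLE = "Basic User"

# Constructed sample configuration: explicit settings on the System Security
# page, and group memberships as synchronized from the directory.
ROLES: Dict[str, str] = {
    "forms-admins": "System Administrator",
    "ap-clerks": "Basic User",
    "bob": "Process Creator",       # explicit setting on the user
}
MEMBER_OF: Dict[str, List[str]] = {
    "alice": ["ap-clerks", "forms-admins"],  # inherits; most permissive wins
    "bob": ["forms-admins"],                 # explicit role overrides group
    "carol": ["ap-clerks"],
    "dave": [],                              # no groups, no setting
    "ap-clerks": ["all-staff"],              # nested group, no setting
}


def effective_role(principal: str,
                   roles: Dict[str, str],
                   member_of: Dict[str, List[str]],
                   _seen: Optional[set] = None) -> str:
    """Return the product-level role enforced for a user or group."""
    _seen = _seen or set()
    if principal in _seen:            # guard against cyclic group nesting
        return DEFAULT_ROLE
    _seen = _seen | {principal}

    explicit = roles.get(principal, INHERIT)
    if explicit != INHERIT:
        return explicit

    inherited = [effective_role(g, roles, member_of, _seen)
                 for g in member_of.get(principal, [])]
    if not inherited:
        return DEFAULT_ROLE
    return max(inherited, key=ROLE_RANK.__getitem__)


def grantors(user: str, roles: Dict[str, str],
             member_of: Dict[str, List[str]]) -> List[str]:
    """Groups whose own effective role equals the user's effective role.

    Empty when the role comes from an explicit setting on the user or is
    just the Basic User default, i.e. no group membership widened access.
    """
    target = effective_role(user, roles, member_of)
    if roles.get(user, INHERIT) != INHERIT or target == DEFAULT_ROLE:
        return []
    return [g for g in member_of.get(user, [])
            if effective_role(g, roles, member_of) == target]


def audit(users: List[str], roles: Dict[str, str],
          member_of: Dict[str, List[str]]) -> Dict[str, str]:
    """Map each user to the role Forms will enforce."""
    return {u: effective_role(u, roles, member_of) for u in users}


if __name__ == "__main__":
    for user, role in audit(["alice", "bob", "carol", "dave"], ROLES, MEMBER_OF).items():
        via = grantors(user, ROLES, MEMBER_OF)
        print(f"{user:6} -> {role:20} {'via ' + ', '.join(via) if via else ''}")
```

Run it against an export of your own settings and memberships to find users who hold System Administrator only through a group they were added to for some unrelated reason; in the sample, alice is an administrator because of forms-admins even though her other group is restricted to Basic User.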
Synchronizing Users
The list of named users is automatically synchronized with the Laserfiche Server, LDAP server, and Active Directory server at the interval specified on the Forms Configuration page. Users are also synchronized between Forms and Active Directory, the Laserfiche repository, or LDAP whenever any of the following happens:
- You change the Active Directory domain controller.
- You change the Laserfiche Server, repository, or SSL connection.
- You change the LDAP profile for an LDAP participant.
- The account synchronization interval elapses.
Alternatively, click the Synchronize users button to manually synchronize users.
You can filter the list by selecting a filter from the Show drop-down, which allows the following options to make management easier:
- all users and groups
- users only
- groups only
- all invalid users and groups
- invalid users only
- invalid groups only
Invalid users and groups
Users that are no longer named users in the Laserfiche repository, groups that no longer exist in the Laserfiche repository, and users and groups that no longer have a valid LDAP profile are marked as invalid in the Named Users list. Invalid users cannot access Laserfiche Forms until they are restored on the Laserfiche server or in LDAP. You can delete these users from this list by clicking the x in the Status column.
Managing authenticated participants
In the Participants tab of the System Security page, you can grant authenticated participant licenses to users based on their email address. A participant user consumes an authenticated participant license only while the account is enabled.
Tip: The number of enabled participant users cannot exceed the number of available authenticated participant licenses.
To create an authenticated participant user
- In the Participants tab of the System Security page, click Add.
- In the Add Participant window, specify a username, email address, name, and password for the user. When you are finished, click OK.
Note: By default, the newly added user will be enabled. To disable this participant user, select Disabled from the License Status drop-down list.
To upload a list of authenticated participant users
- In the Participants tab of the System Security page, click Upload.
- In the Upload Participant User List window, click Upload CSV file.
- Browse to the location of the .csv file that contains the list of participant users you want to add. Click Open.
- To upload another list, select Upload Another File. Or, if you are finished uploading files, click Cancel.
Note: The participant list in the uploaded .csv file must follow a specific format.
To add LDAP participant users
- In the Participants tab of the System security page, click Configure LDAP.
- In the Connection type drop-down, select either Standard LDAP or LDAP with SSL, depending on whether Forms should connect to the LDAP server over SSL. With Standard LDAP the bind credentials and directory data cross the network in cleartext, so prefer LDAP with SSL whenever the directory supports it.
- Next to LDAP server, specify the domain name for the LDAP server. You can specify a port for the server using the servername:port format in this field.
- In the Authentication type drop-down, specify whether Forms will use simple or anonymous authentication when connecting to the LDAP server. Anonymous authentication presents no credentials and only works if the directory allows anonymous reads of the user and group entries Forms needs.
- In the LDAP account and password fields, specify the credentials that Forms will use to bind to the LDAP server. Forms only needs to read user and group entries under the base distinguished names, so a dedicated account with no more than read access is the least-privilege choice.
- Next to Base distinguished name, specify the base distinguished name for the LDAP server. You can add more base distinguished names for the LDAP server by clicking Add base distinguished name.
Note: When configuring LDAP for Forms participants, the Base Distinguished Name needs to point to an Organizational Unit (OU), which contains both users and groups.
- Click Verify and save.
Note: You can edit these LDAP settings at any time by repeating these steps.
Note: The display name for LDAP participant users is taken from the user's Common Name (CN) in the LDAP server and cannot be changed within Forms.
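Before clicking Verify and save, it is worth checking the profile for weak or inconsistent settings that the dialog itself will accept. The following is an added example, not Laserfiche code: it models the Configure LDAP fields (connection type, server with optional servername:port, authentication type, account and password, base distinguished names) as a small data class and reports findings. The profiles below are constructed sample data and the checks are this script's own, not checks Forms performs.

```python
"""Pre-flight checks for a Laserfiche Forms LDAP participant profile.

Added example (not Laserfiche code). The LdapProfile fields mirror the
Configure LDAP dialog described on the page; the findings are this
script's own, applied offline before the settings are saved.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

STANDARD = "Standard LDAP"
LDAPS = "LDAP with SSL"
DEFAULT_PORT = {STANDARD: 389, LDAPS: 636}   # well-known LDAP / LDAPS ports


@dataclass
class LdapProfile:
    connection_type: str              # STANDARD or LDAPS
    server: str                       # "servername" or "servername:port"
    auth_type: str                    # "simple" or "anonymous"
    account: str = ""                 # account Forms binds with
    password: str = ""
    base_dns: List[str] = field(default_factory=list)


def parse_server(server: str, connection_type: str) -> Tuple[str, int]:
    """Split the servername:port field; use the protocol default if absent."""
    host, sep, port = server.rpartition(":")
    if not sep:                                   # no explicit port
        return server, DEFAULT_PORT[connection_type]
    if not port.isdigit():
        raise ValueError(f"bad port in server field: {server!r}")
    return host, int(port)


def leading_rdn_attr(dn: str) -> str:
    """Attribute type of the leftmost RDN, e.g. 'OU' for 'OU=Staff,DC=x'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[0].strip().upper()


def check_profile(p: LdapProfile) -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings: List[str] = []
    _host, port = parse_server(p.server, p.connection_type)

    if p.connection_type == STANDARD and p.auth_type == "simple":
        findings.append("simple bind over Standard LDAP sends the account "
                        "password in cleartext; select LDAP with SSL")
    if p.connection_type == STANDARD and port == 636:
        findings.append("port 636 is the LDAPS port but Standard LDAP is "
                        "selected; the connection will not use TLS")
    if p.connection_type == LDAPS and port == 389:
        findings.append("LDAP with SSL is selected but port 389 is given; "
                        "LDAPS normally listens on 636")
    if p.auth_type == "anonymous" and (p.account or p.password):
        findings.append("anonymous authentication presents no credentials; "
                        "the account and password fields will not be used")
    if p.auth_type == "simple" and not (p.account and p.password):
        findings.append("simple authentication needs both LDAP account and password")
    if not p.base_dns:
        findings.append("at least one base distinguished name is required")
    for dn in p.base_dns:
        if leading_rdn_attr(dn) != "OU":
            findings.append(f"base DN {dn!r} does not point at an "
                            "Organizational Unit (OU) containing users and groups")
    return findings


# Constructed sample profiles: a weak one and its corrected counterpart.
WEAK = LdapProfile(STANDARD, "ldap.example.com", "simple",
                   "CN=svc-forms,OU=Service Accounts,DC=example,DC=com",
                   "hunter2", ["DC=example,DC=com"])
HARDENED = LdapProfile(LDAPS, "ldap.example.com:636", "simple",
                       "CN=svc-forms,OU=Service Accounts,DC=example,DC=com",
                       "hunter2", ["OU=Staff,DC=example,DC=com"])

if __name__ == "__main__":
    for name, prof in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, check_profile(prof) or "ok")
```

The weak profile is accepted by the dialog as written but fails two checks: a cleartext simple bind, and a base DN at the domain root rather than an OU as the note above requires. The hardened profile differs only in the connection type, the explicit 636 port, and an OU-level base DN.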
To edit or delete authenticated participants
- To edit a participant, select the checkbox next to the participant's name and click the Edit button at the top of the list. Update the participant's username, email address, name, and password as needed. Click OK.
- To delete a participant, click the x in the Status column. To delete multiple participants, select the checkboxes next to their names and click the Delete button at the top of the list.
To allocate or remove licenses from a participant
- To allocate or remove a license from an individual user, use the drop-down menu in the License column. Select Yes to allocate a license to the user, select No to remove a license from the user.
- To allocate or remove licenses from several users at once, select the checkboxes next to the users and click the Allocate license or Remove license button at the top of the list.
Participant Identities
Forms participants are identified by a security identifier (SID). A user's action history and currently assigned tasks are attached to the user's SID. Ensuring that a user keeps the same SID across changes in server profiles or authentication methods is key to ensuring that their action histories are retained despite the changes.
Whether participant identities are retained across changes depends on the version of the Forms server at the time that the LDAP server profile was added (note that this may be different from the current version of the Forms server). There are two scenarios:
- LDAP server profiles added in Forms 10.4 or later: Participants' action histories are automatically retained even if you change the authentication method or the LDAP server's distinguished name. No special action needs to be taken.
- LDAP server profiles added in Forms 10.3 or earlier: Changes in the authentication method (e.g. from Laserfiche Server authentication to Laserfiche Directory Server authentication) or in the LDAP server's distinguished name may disrupt the users' action history. To prevent this disruption, do the following before changing the authentication method or the LDAP server's details:
- On the Forms Administration page, navigate to the Participants tab of the System Security page.
- Select Configure LDAP.
- Make the desired changes to the LDAP server profile.
- Select Retain Active Directory SIDs in order to ensure that the participants will retain their action history and current tasks.
- Select Verify and save, then select Yes on the confirmation dialog.
Note: If the LDAP participant already exists as a Windows user in Forms, this conversion to using an Active Directory SID may fail. You can find a list of accounts for which the conversion has failed in the Windows Event Viewer, in the following log: Applications and Services Logs\Laserfiche\Forms\App\Operational.
Process-Level Security
In addition to the product-level security roles found on the System Security page, you can also set security on each business process you have the rights to administer. There are several security roles for business processes, which you can assign for a particular process on the Access Rights page.
If a user is given no roles, the user will not be able to start or manage the business process. However, the user may be able to participate in the process if the user is assigned a task or is notified during the process.