Key Concepts
Authentication
Authentication is the process of presenting and verifying credentials before allowing that connection to create a repository session. Laserfiche verifies the identity of a user before granting that user access to the Laserfiche repository. This process requires that a user present credentials, which are then verified by the Laserfiche Server. There are three authentication methods supported by Laserfiche: Laserfiche password authentication which requires users to log in with a user name and password, Windows domain authentication which uses the credentials of the current Windows user, and LDAP directory authentication which requires users to log in with an LDAP user name and password.
Users and Groups
Laserfiche security is based on users and groups. The permissions assigned to users or groups form the basis of your security policy on objects (i.e., documents, fields, volumes, etc.). Therefore, the maintenance of Laserfiche accounts or Windows or LDAP Account users and groups is essential to Laserfiche security.You can either grant authorization directly to users or, as is recommended, you can grant authorization to groups. Members of those groups will then inherit the authorization granted to their groups.
Authorization
Authorization is the process of controlling what users can see, do, and modify in the repository. Security administrators can control which operations users are allowed to perform on securable objects. Documents and folders (collectively referred to as entries), templates, fields, and volumes are securable and hence subject to access control. In order for a user (either a Laserfiche user or a Windows or LDAP account user) to perform an action within a Laserfiche repository or to perform an administrative task on it, he or she must be authorized to do so.
- Permissions: Permissions is a general term that encompasses many aspects of Laserfiche security. In short, permissions determine the actions that a particular user or group can perform in the repository. All actions within a repository, from viewing a document to advanced administration, are governed by permissions; a user cannot perform a certain action if he or she has not been granted the permissions that govern that action.
- Entry Access Rights: Entry access rights are the primary method of controlling security on documents stored in the repository. Entry access rights control what operations are possible on an entry, and you can allow or deny different rights to grant different levels of access to documents within a repository. Documents and folders can inherit the entry access rights assigned to a parent folder. To create a cohesive and consistent security policy, we recommend using inheritance wherever possible, rather than configuring security independently on individual documents.
- Field and Template Access Rights: Field access rights secure field information by determining who can view and/or modify field data. Field access rights do not apply to a template as a whole. Instead, field access rights are individually assigned to each field in a template, allowing you to determine the amount of access that a user will have on each field. Template access rights secure the template definition. Without the appropriate template access rights, a user will not be able to modify or delete a template.
- Volume Access Rights: Volume access rights can secure the images, text, attachment annotations, and electronic files associated with documents stored on a particular volume. They provide an additional layer of security for the content of a document.
- Feature Rights: These rights control whether a command (such as printing or scanning) is available to that user when they open the Laserfiche web or Windows client. Feature rights are a quick way to prevent users from performing basic types of activity in the Laserfiche Windows client, though you should remember that feature rights are not as secure as entry access rights.
- Privileges: Privileges control who can perform repository-specific administrative tasks. Each privilege covers a specific type of administrative task, allowing you to limit the amount of administrative tasks privileged users will be allowed to perform. This allows your organization to create a system of checks and balances, where no single user has complete control over all administrative tasks. It is a good idea to divide privileges among two or more administrators.
- Entry Ownership:Ownership lets users have particular control over their own documents without having to contact an administrator and without having larger-scale rights over the repository.For example, an entry's owner can configure security for that entry.
- Security Tags: Security tags are metadata you can apply to a document which only allow certain users or groups to view the entry. They act as single-point security, affecting only the documents to which they have been applied. A user must have both the appropriate entry access rights and the appropriate security tag to see a document with a security tag. A user with full access rights on a document, but not granted a matching security tag, remains unable to browse that file.
- Folder Filter Expressions: Folder Filter Expressions are a dynamic form of security that use an advanced syntax string to determine what users should be able to access which documents in a folder.
Note: VERS Classification Levels allow you to safeguard against entries being moved into folders with less security. By setting a numeric classification level on documents and folders, you can ensure that entries with a classification level cannot be moved to a folder with a lower numeric level.
System Managers can perform Server-wide administrative tasks such as repository creation, but not administrative tasks within a repository. The system manager account also defines who can perform high-level administrative tasks, and you should carefully consider which users should be added as System Managers.
In addition to securing access to a document, you should also secure images, text, and electronic files using Windows file security. Using Windows security prevents users from bypassing Laserfiche security and accessing images, text, and electronic files directly from the file system.
Default Security
Default security on volumes, templates, and fields allows you to design security policies for new objects of these types, which will be set as soon as new volumes, templates, or fields are created. If it has been properly set up, default security reduces the configuration necessary for each new object. You can still customize security on individual volumes, templates, and fields after they have been created.
A user's effective permissions are the sum of the permissions that were granted to the user and to the groups to which he or she belongs. Additionally, Laserfiche security mechanisms are designed to overlap so that any attempted operation may require the appropriate rights in several security mechanisms.
Simplicity
Your security system may be more complex than it needs to be. A properly configured Laserfiche security system should be easy to maintain, based on groups and folders, with few exceptions.