Entry Access Rights
Plan your entry access rights
In order to successfully secure your documents, you will need to plan carefully, implement your plan, and test your entry access rights. When planning your security policy, consider the following:
- Who: This involves figuring out which users need access to documents. We recommend that you primarily use groups (whether Laserfiche, Windows Domain or LDAP directory groups) to set up entry access rights. Taking advantage of groups reduces the amount of work required to set up and maintain Laserfiche security. Categorizing users into groups and using those groups to set up security reduces the number of trustees that require their own separate entry access right configuration. This reduces the amount of configuration time and the complexity of your security system, making it easier to maintain your system when changes in your organization occur.
  Most organizations use one or more of the following strategies when categorizing users into groups:
  - By Department: This strategy involves creating a group for each department in your organization. Securing documents by department relies on the assumption that most members of the same department should have equivalent rights. However, you may find that certain departments may require more detailed rights assignment due to the sensitive nature of the material that they handle. If you have existing Windows domain or LDAP directory groups for your departments, you can add these to Laserfiche to quickly configure security for the members of those groups.
  - By Role: This strategy involves creating a group for each role in your organization. For example, some organizations categorize users into one of three groups: Power Users, Scanner Operators, and View Only Users. Securing documents by a user's role relies on the assumption that the security needs for most users can be handled by a generic role. The number of roles that this strategy uses depends upon the needs of your organization. For example, some organizations may only need a Power User group and a Scanner Operator group.
  Tip: Users can be assigned to more than one group. This means that a single group does not have to grant all of the required entry access rights to a user. For example, a user could be both part of the Accounting Department group and part of the Managers group. However, this feature should be used with care, since it may complicate your security unnecessarily.
- What and How Much: Typically, the amount of security that needs to be applied to a document depends on the type of document. For example, members of an Accounting department need to be able to add, view, and modify documents that deal with financial statements. However, most other departments don't need to know where financial statements are stored, much less view their content. The type of document can determine how much protection it will need from unauthorized access. In this particular example, it means that the Accounting department needs rights to documents that deal with financial statements, while all other departments should probably not be granted access.
- Where: The location where your documents are stored is a major factor in whether entry access rights assignment will be quick and easy to maintain. If documents with similar security needs are stored in the same folder, entry access rights can be quickly configured. It is simply a matter of using the appropriate scope when configuring entry access rights on that folder. After setting up security on a folder, users will automatically have the appropriate rights to the documents residing in it. In general, it is a good idea to make the folder structure serve your organization's security needs.
  Example: Scanner operators need to be able to create documents. They may also need to have rights to modify documents that they have created (for instance, if you want to permit them to delete duplicate or mis-scanned pages). Instead of granting a large set of entry access rights across your repository, you can create a folder that will serve as a work area for your scanner operators. You would then grant the required entry access rights to your scanner operators on the newly created Laserfiche folder.
Tips for entry access rights
- Under most circumstances, it is not necessary to explicitly deny an entry access right. Users only have those rights that have either been granted to them, granted to the groups to which they belong, or inherited from a parent folder. You can check whether a user or group will have a particular right by viewing the effective entry access rights on the document or folder in question.
- Keep in mind that denied rights take precedence over allowed rights. If a right is denied to a group, all users that belong to that group will be denied that right, regardless of whether it has been specifically granted to them. Therefore, if a group contains some users that should have an access right and others that should not, that access right should be left unspecified at the group level. You can then grant the desired access right to authorized users. No additional action is required for the users that should not have that access right. Note that a "blank" right, with neither Allow nor Deny checked, is Denied by default, but will not override an inherited Allow from a parent folder or from a group.
- Make use of inheritance to ease maintenance. The best way to use inheritance is to assign entry access rights as high in the folder tree as possible, letting inheritance propagate into the folders and documents as they go from general to specific. (Of course, entry access rights of subfolders and individual users can then be individually modified.) This technique is an effortless way of quickly increasing the number of documents and folders on which your security configuration will be applied. In turn, this decreases the number of unique instances for which you have to configure security. This allows you to quickly configure security and decrease the amount of maintenance required. Keep in mind that the selected scope determines the extent to which the assigned entry access rights will be inherited. Configuring security on individual documents is not recommended, as it is difficult to keep track of and maintain.
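
The tips above can be checked against a small model. The following is an added example, not Laserfiche code or its API: it is a simplified Python model of the stated rules (Deny beats Allow, blank is denied unless an Allow is inherited from a parent folder or a group), plus an audit for the two patterns the tips advise against. The folder names, users, groups, and the functions `effective` and `audit` are constructed for illustration. It assumes that scope passes rights to every descendant and that a Deny wins wherever it was set.

```python
# Simplified model of the rules in the tips above; not Laserfiche code.
ALLOW, DENY = "allow", "deny"

# Constructed sample data: entry -> parent folder (None for the top folder).
PARENT = {
    "/Finance": None,
    "/Finance/Statements": "/Finance",
    "/Finance/Statements/2023-Q4.pdf": "/Finance/Statements",
}
GROUPS = {  # constructed user -> group membership
    "alice": {"Accounting"},
    "bob": {"Accounting", "Contractors"},
    "carol": {"Sales"},
}
# Explicit settings as (entry, trustee, right) -> ALLOW/DENY; absent means blank.
ACL = {
    ("/Finance", "Accounting", "read"): ALLOW,
    ("/Finance", "Accounting", "modify"): ALLOW,
    ("/Finance/Statements", "Contractors", "modify"): DENY,
    ("/Finance/Statements/2023-Q4.pdf", "carol", "read"): ALLOW,
}

def effective(user, entry, right, acl=ACL):
    """True if the user ends up with the right on the entry."""
    trustees = {user} | GROUPS.get(user, set())
    seen = set()
    node = entry
    while node is not None:  # assumption: scope passes rights to all descendants
        for trustee in trustees:
            setting = acl.get((node, trustee, right))
            if setting is not None:
                seen.add(setting)
        node = PARENT[node]
    if DENY in seen:  # assumption: any Deny wins, wherever it was set
        return False
    return ALLOW in seen  # blank everywhere: not granted

def audit(acl=ACL):
    """Flag the two patterns the tips advise against."""
    folders = {p for p in PARENT.values() if p is not None}
    findings = []
    for (entry, trustee, right), setting in sorted(acl.items()):
        if setting == DENY:
            findings.append(("explicit-deny", entry, trustee, right))
        if entry not in folders:
            findings.append(("per-document", entry, trustee, right))
    return findings
```

In the sample data, `bob` loses `modify` on the statement because one of his groups is denied it, even though Accounting is allowed; `audit()` reports that Deny and the per-document grant to `carol` as the entries to review.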