Security Example: Personal Folders

One common way that security can be used is to create personal folders for individual users. For example, you might want most folders in your repository to have tight controls over who can add, remove, or modify entries within them, but also want to provide members of your team with their own folders where they have more leeway. This gives them a space where they can create and work with their own documents, including organizing them within subfolders, modifying their contents, and deleting them. You may even want to allow them to manage security for documents and folders within their personal folder. You can do this with entry access rights.

Configuring personal folders requires setting rights for some select entries on individual users. Laserfiche security best practices generally recommends against setting rights for individual users, as it is generally far less scalable than setting rights on groups. However, in some cases, rights truly do apply to only a single user, as in this case where the folder on which the rights are set is for an individual person. In those cases, setting security for individual users is appropriate.

Before You Begin

This example will demonstrate the security configurations for a user, Elena, on her folder "Williams, Elena," inside the "Employees" folder of the Sales department's parent folder. In addition, Elena is a member of the Sales group. For the purposes of this example, assume that Elena has all rights necessary to browse to, open, and view the contents of the "Sales" folder, but no rights (whether explicit or inhereited) to the contents of that folder. In addition, as this example is for setting rights controlling access to a specific folder, it will not cover other security features such as feature rights, or field and template access rights.

Configuring a Personal Folder

1. Create or identify a folder that you want to use as the parent folder for your users' personal folders. In the above example, we will specify the "Employees" folder for this purpose and place all personal folders for this department within it.

2. To ensure that members of the Sales group can open this folder and view its contents (but not modify or delete those contents), select the "Employees" folder. Open the entry access rights dialog box and add the Sales group, then expand the View group and grant the rights Browse and Read with a scope of This entry only. This will allow members of the Sales group to open the Employees folder and see the existence of the folder's immediate contents.

   Explanation: Because we used the scope This entry only, this security configuration will allow members of the Sales group to open the Employees folder. It does not grant them any additional rights. Show screenshot.

3. Within this folder, create or navigate to the personal folder for the user you want to configure. In this case, select the "Williams, Elena" folder. Open the entry access rights dialog box and add the user Elena. With a scope of This folder, subfolders, and documents, apply the following sets of rights:

   1. View

   2. Add

   3. Modify

   4. Delete

   5. See Through Redactions

   Explanation: Because we used the scope This folder, subfolders, and documents, Elena will be able to perform the specified actions on this folder, all of its contents, and any contents added in the future. This allows Elena to create documents, modify them, set metadata, organize them in subfolders, delete them, and otherwise generally work with them.Show screenshot.

4. Click Save to save your changes.

5. Repeat the steps above for each employee for whom you want to configure a personal folder.

   Tip: You can automate this process using the Configure Trustee Security activity in a workflow.