Sunday, February 06, 2011

FileNet Content Services Concepts - Part 2

Library System Security
One of the powerful features of the library system is the security it provides for your important information. Each time you or any other user adds a document to the library system, you determine which users and groups will be able to access the document's descriptive properties and its associated version files and properties. You provide this information using the document's Access List property. For further security, there is also an Access List property for all users and groups. Three objects commonly referenced by users and administrators contain an access list: the User object, the Group object, and the Item object. Access rights to entities without access lists (such as versions) are passed down from their "parent" objects (such as the Item object). The library system thus provides a simple way to set up and maintain access control, while allowing that security to be as restrictive or as permissive as necessary. There are five levels of access rights in a library system:

Access Right: Privileges granted

None: No access. If no other access level is stated in the access list, access rights of None are assumed. An access level of None can also be explicitly stated in an access list.

Viewer: Generally, the ability to view the object properties or to make copies of the associated versions.

Author: (Applies to documents and versions only) Viewer access rights plus the ability to check out, check in and copy associated versions and modify property values for the version. In addition, you may be allowed to modify designated custom property values for the document.

Owner: Author access rights plus the ability to delete documents, modify security and modify most properties.

Admin: Owner access rights plus the ability to modify all property values.

Active members of the Administrators group are automatically assigned Admin access rights to all properties, even though their names do not appear in any access lists. Users who are not members of the Administrators group can be explicitly assigned an Admin access level to the properties associated with particular objects.


DIAL – Default item access list

Access List Defaults
To ensure that each access list contains initial entries, a library system provides some defaults in the User, Group and Item objects. In User and Group object access lists, these defaults are standard entries that are always added, as shown in the following:

Name                Type    Access Level
(Added By User)     User    Admin
(User's Name)       User    Owner
General Users       Group   Viewer

The Added By User value is the user who added the object to the library system. This user and any user with Owner or Admin access rights can modify the values after the User or Group object has been created. The Administrators group always has Admin access rights, even though these rights are not displayed in the access list.

Default Item Access Lists
Another way a library system can help users control access to their files is by inserting default entries in document access lists so that the user does not have to provide the same set of entries each time he or she adds a document. You can specify a set of default item access list entries for each user in his or her User object. Then, each time that user adds a document to the library system from any user interface, the access list of the Item object is filled in with those specified defaults. Of course, to cover special cases, users can always change the access list of any documents they add, but they do not have to start from scratch with each document. In the same way that you add entries to the default item access list in the User object, you can also specify them in Group objects and the System object.
Thus, the access lists of documents do not necessarily have a standard set of default entries. The library system does add default entries to the document's access list as the document is added, but to determine these defaults, the library system will check for entries in the Default Item Access List properties in the following objects and use the first such list with any entries:

1. The User object
2. The Group object for the user's active group
3. The System object

To understand how default item access lists work, consider the following example. At the law firm of Hunter and Bowers, senior lawyer Sarah Black is using IDM Desktop to add an item to a library system. She knows that her system administrator has given her active group (Attorneys) the default item access list (shown below), which will be applied to all documents added by the group's members.

Name                Type    Access Level
Attorneys           Group   Author
Managers            Group   Author
Paralegals          Group   Viewer

The system administrator has left the Default Item Access List property blank in Sarah's User object because Sarah always wants the default access list for her active group to be applied. (Likewise, whenever Sarah changes her active group, the library system will apply the default item access list of her new active group.) She also realizes that since the default access list at her active group level does not mention her name specifically, she will receive the program default access rights granted to any user who adds a document, namely Owner access rights to the document she is adding to the library system. And with Owner access rights to the new document, she can modify the entries in the document's access list at a later time if necessary.
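The following Python model, added here as an illustration and not code from FileNet or this post, ties together the five access levels, the standard entries on new User and Group objects, the three-step Default Item Access List lookup, and the Hunter and Bowers scenario above. Three points the post does not spell out are treated as assumptions and marked in the code: when several entries match a user the highest level wins; a Group entry matches any group the user belongs to, not just the active one; and the program default (Owner for the adding user) is added only when the resolved default list carries no User entry for that person. All names, group memberships and the System object's list are constructed for the example.

```python
"""Toy model of library-system access lists (illustration, not FileNet code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The five access levels, lowest to highest; each level includes the one below.
LEVELS = ["None", "Viewer", "Author", "Owner", "Admin"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Entry:
    name: str
    kind: str    # "User" or "Group"
    level: str   # one of LEVELS


@dataclass
class User:
    name: str
    groups: frozenset            # assumption: all memberships, not only the active group
    active_group: Optional[str] = None
    default_item_acl: List[Entry] = field(default_factory=list)


@dataclass
class Group:
    name: str
    default_item_acl: List[Entry] = field(default_factory=list)


@dataclass
class SystemObject:
    default_item_acl: List[Entry] = field(default_factory=list)


def standard_object_acl(added_by: str, subject: str) -> List[Entry]:
    """Entries always placed on a newly created User or Group object's access list."""
    return [
        Entry(added_by, "User", "Admin"),
        Entry(subject, "User", "Owner"),
        Entry("General Users", "Group", "Viewer"),
    ]


def resolve_default_item_acl(user: User, groups: Dict[str, Group],
                             system: SystemObject) -> List[Entry]:
    """First Default Item Access List with any entries: User, active Group, System."""
    candidates = [user.default_item_acl]
    if user.active_group in groups:
        candidates.append(groups[user.active_group].default_item_acl)
    candidates.append(system.default_item_acl)
    for acl in candidates:
        if acl:
            return list(acl)
    return []


def build_item_acl(adder: User, groups: Dict[str, Group],
                   system: SystemObject) -> List[Entry]:
    """Access list a newly added document starts with."""
    acl = resolve_default_item_acl(adder, groups, system)
    # Program default for the adding user: Owner. Assumption: only when the
    # resolved defaults do not already name that user explicitly.
    if not any(e.kind == "User" and e.name == adder.name for e in acl):
        acl.append(Entry(adder.name, "User", "Owner"))
    return acl


def effective_level(user: User, acl: List[Entry]) -> str:
    """Level the user holds on an object carrying this access list."""
    if "Administrators" in user.groups:
        return "Admin"          # implicit; never shown in the list
    best = "None"               # assumed when no entry matches
    for e in acl:
        matches = (e.kind == "User" and e.name == user.name) or \
                  (e.kind == "Group" and e.name in user.groups)
        if matches and RANK[e.level] > RANK[best]:   # assumption: highest match wins
            best = e.level
    return best


def version_level(user: User, parent_item_acl: List[Entry]) -> str:
    """Versions carry no access list; rights pass down from the parent Item."""
    return effective_level(user, parent_item_acl)


def hunter_and_bowers():
    """Constructed scenario mirroring the post's example (names are illustrative)."""
    groups = {
        "Attorneys": Group("Attorneys", [
            Entry("Attorneys", "Group", "Author"),
            Entry("Managers", "Group", "Author"),
            Entry("Paralegals", "Group", "Viewer"),
        ]),
        "Paralegals": Group("Paralegals"),   # no DIAL of its own: falls through to System
    }
    system = SystemObject([Entry("General Users", "Group", "Viewer")])
    sarah = User("Sarah Black", frozenset({"Attorneys", "General Users"}), "Attorneys")
    return groups, system, sarah


if __name__ == "__main__":
    groups, system, sarah = hunter_and_bowers()
    for e in build_item_acl(sarah, groups, system):
        print(f"{e.name:<15}{e.kind:<8}{e.level}")
```

Running the script prints the four entries Sarah's new document ends up with: the three Attorneys defaults followed by her own Owner entry. A paralegal in the constructed scenario has no group-level defaults, so the lookup falls through to the System object's list, which is exactly the ordering the three-step list above describes.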
