Hyland Connect

conrad · ‎03-29-2012

Hi,

We have just finished configuing external email to be able to request a user to join a site.

I received the invitation to my test email account, I've followed the link to accept the invitation. This test account user has never logged into Alfresco before and an account does not exist for the external email address being used.

From test account dashboard however I can select 'sites', 'search for a site' and then click on search without entering any parameters into the search box and I can see all sites except those that are marked 'private'. I can join any site even though I am an external user with an email address that is not part of the domain and I can view content in sites that I have not been invited to.

My understanding from the Alfresco video's was that the external user should only be able to see and join sites they have been explicitly invited to.

The security settings are the default out of the box settings for Alfresco. Is there something I have missed in setting up the application that I neede to change to limit the access an external user has to viewing and joining sites?

Regards,
Conrad

davidcognite · ‎03-30-2012

Hi Conrad,

In Share, any authenticated user is able to view all sites that are set up as "public" - the distinction between internal and external users only applies to Alfresco in the cloud where we've introduced the concept of networks. Was the video you saw referring to the version in the cloud?

It sounds like you're using an on-premise Alfresco install, so any sites you don't want every user to see would need to be made private. It sounds like your use case (collaborating with users outside of your organisation) is exactly the scenario that Alfresco in the cloud is designed to cater for - perhaps it would be worth signing up and giving it a try - that way you don't need to give external users access to your internal systems. Sign up link here: http://cloud.alfresco.com/

conrad · ‎03-30-2012

Hi David,

Thanks for responding. It could have been that the video was referring to the Cloud version. It was during the initial product review and I may not have picked up on the difference.

We are using an on-premise installation as we were planning on developing some specialist reports however these won't be able to run in the cloud.

Being able to collobrate with external clients from a single application without them being able to see our other clients sites was a big draw card for us to Alfresco. Are there any other alternatives to restrict what an external user can see that you could suggest we try?

Thanks and regards,
Conrad

davidcognite · ‎03-30-2012

Hi Conrad,

I think the ideal solution involves having your on-premise install synchronise content to a cloud site - that way all your reports and customisations can run on-premise with external users accessing it via the cloud. The cloud sync functionality is still being written, but the current plan is to release it as an update for 4.0.x as soon as possible.

In the mean time, the solution is probably a combination of making sure information you don't want everyone to access is in private sites (you could add a hook to ensure that all sites are private if you wanted) and perhaps adding a custom module that locks down other features you don't want them to have access to (you can apply modules based on an evaluator that e.g. looks at the user's email address), depending on your needs.

Hope that helps,
David.

Hyland Connect

External user invited to a specific site can access all