Multiple Security Keywords

Kris_Conrads
Elite Collaborator

We are a newly implementing site.  We have a document type for timecards. 

We need all users to be able to see their own timecards only, but department heads should be able to see all timecards in the department.  I wanted to use the existing All City Employees Active Directory group and put the UserID =  UserId  keyword on that group.  Then, on the department heads, add the department security keyword.  I discussed this with our implementation team, and they said it would act as an "OR".  When I went to test, we found that wasn't the case; it seems to be ignoring the dept keyword on the dept heads. 

We also need the employees that process payroll (who are not department heads) to be able to see all timecards.  I thought I could get around this by adding Dept not equal to "z", which is not a department.

Has anyone fixed a similar issue without a new group that is All Employees minus department heads?

Thanks for your help!

1 ACCEPTED ANSWER

Doug_Paull
Confirmed Champ

Hi, Kris -

We had a similar dilemma with our employee forms.  We learned that security keywords are evaluated using "OR" logic as long as it's the same keyword type (Keyword One = "ABC" OR Keyword One = "XYZ").  As soon as you introduce a second keyword type it uses "AND" logic (Keyword One = "ABC" AND Keyword Two = "XYZ").  We also had no success with the "not equal" option.

Our solution was to create a generic "Access Control" keyword that can contain a variety of values like user name, department, form number, etc.  We then add as many instances of that keyword as necessary (via workflow) to control access by the appropriate users or groups.  The department head would successfully match on the department value, perhaps payroll would match on form number or another appropriate value.  It was the best option we could come up with.

It might be something to consider, at least.

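The evaluation rule described in the answer above, modelled as an added example (not part of the original posts and not OnBase code): it shows why a department head restricted by both UserID and Dept sees only their own timecards, and how a single multi-instance "Access Control" keyword restores the intended access. The user names, departments, document names and the `TIMECARD` value are constructed assumptions.

```python
from collections import defaultdict

def can_view(restrictions, doc_keywords):
    """Model of the rule described in the answer (not OnBase code):
    values of the same keyword type are OR-ed, different types are AND-ed.
    restrictions: (keyword_type, value) pairs from all of the user's groups.
    doc_keywords: keyword_type -> set of values stored on the document."""
    allowed = defaultdict(set)
    for ktype, value in restrictions:
        allowed[ktype].add(value)
    # Every restricted type must match at least one value on the document.
    return all(allowed[k] & doc_keywords.get(k, set()) for k in allowed)

def visible(restrictions, docs):
    return sorted(name for name, kw in docs.items() if can_view(restrictions, kw))

# Constructed timecards: (owner, department). All names are hypothetical.
CARDS = {"tc1": ("asmith", "Finance"), "tc2": ("bjones", "Finance"),
         "tc3": ("clee", "Parks")}

# Original design: two keyword types on each timecard.
TWO_TYPES = {n: {"UserID": {u}, "Dept": {d}} for n, (u, d) in CARDS.items()}
# Workaround: one multi-instance "Access Control" keyword; "TIMECARD" is an
# assumed form-level value that payroll matches on.
ONE_TYPE = {n: {"Access Control": {u, d, "TIMECARD"}} for n, (u, d) in CARDS.items()}

def dept_head_two_types():
    # asmith gets UserID from the all-employees group and Dept from the heads group.
    return visible([("UserID", "asmith"), ("Dept", "Finance")], TWO_TYPES)

def dept_head_one_type():
    return visible([("Access Control", "asmith"), ("Access Control", "Finance")], ONE_TYPE)

def employee_one_type():
    return visible([("Access Control", "bjones")], ONE_TYPE)

def payroll_one_type():
    return visible([("Access Control", "pclerk"), ("Access Control", "TIMECARD")], ONE_TYPE)

if __name__ == "__main__":
    print("dept head, two keyword types:", dept_head_two_types())
    print("dept head, one keyword type: ", dept_head_one_type())
    print("employee, one keyword type:  ", employee_one_type())
    print("payroll, one keyword type:   ", payroll_one_type())
```

Because every value shares one keyword type in this model, a user name that happens to equal a department or form value would also match; prefixing values by kind (for example `dept:Finance`) avoids that collision.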

4 REPLIES 4

Thank you so much, Doug! Your suggestion worked perfectly!

Hi Doug,

I am new to OnBase and the Workflow and am not sure if I am understanding exactly what you did. Let me explain a little more about what we have done.

For our Travel Request security, we have done the following:

All Domain Users
(User Security-Employ = <>)

Supervisor
(TRV Security Role = Supervisor)
(TRV Security Role = Employee)
(User Security Employee = *)

Assistant
(TRV Security Role = Assistant)
(TRV Security Role = Supervisor)
(TRV Security Role = Employee)
(User Security Employee = *)

Staff
(User Security Role = *)
(TRV Security Role = *)

Accounting
(User Security Role = *)
(TRV Security Role = *)

Human Resources
(User Security Role = *)
(TRV Security Role = *)

Trainer
(User Security Role = *)
(TRV Security Role = *)

Technical Services Clerk
(User Security Role = *)
(TRV Security Role = *)

Manager
(User Security Role = *)
(TRV Security Role = *)

This appears to be working correctly. The problem occurs when we add in another document type (Injury Report). When we did this, our security looks like this:

All Domain Users
(User Security-Employ = <>)

Supervisor
(TRV Security Role = Supervisor)
(TRV Security Role = Employee)
(INJ Security Role = Supervisor)
(INJ Security Role = Employee)
(User Security Employee = *)

Assistant
(TRV Security Role = Assistant)
(TRV Security Role = Supervisor)
(TRV Security Role = Employee)
(INJ Security Role = Assistant)
(INJ Security Role = Supervisor)
(INJ Security Role = Employee)
(User Security Employee = *)

Staff
(User Security Role = *)
(TRV Security Role = *)
(INJ Security Role = *)

Rehab
(User Security Role = *)
(INJ Security Role = *)

Safety
(User Security Role = *)
(INJ Security Role = *)

Manager
(User Security Role = *)
(TRV Security Role = *)
(INJ Security Role = *)

When this is added, it allows anyone who has an * as a role to see all documents in all document groups. For example, the Technical Services Clerk can see all injuries. She should only be able to see her own.

What would you suggest I do to fix this?

I was able to fix the security by changing the User Security Role to TRV User Security Role-Employee and creating another one called INJ User Security Role-Employee. For each form I create that needs security, I will create a new User Security Role-Employee to keep it separate from the others.