OnBase - User Security Groups - users in multiple groups - design considerations

Pamela_Lantzy
Champ in-the-making

Hi,

 

We are implementing OnBase (version EP5, 21.1.14), coming from Nolij Web 6.8.   

 

At our university, for our implementation we are primarily working with offices that have documents associated with students. We have documents for which an office may be the owner and have elevated privileges (scan/index, power user), and then for certain documents other offices need only to view them. In addition, those offices that view such documents also have their own documents, and therefore will have elevated privileges (scan/index, power user). Of course, the other offices have their own documents that they manage.

 

With user security groups, we have groups with names such as DeptXXX - Viewer, Dept XXX-scan/index, and Dept XXX-Power User, assigning product rights, privileges, and document types accordingly.

 

In some scenarios, there will be users that have multiple user groups across different departments, e.g. DeptA-PowerUser and DeptC-Viewer. We discovered that the user can manipulate document types that are defined in DeptC-Viewer, since they are in DeptA-PowerUser.

 

We are managing/assigning users the user security groups through AD. The management of the user groups is decentralized out to the departments.

 

 

Did you design your user security groups similarly, combining the product rights, privileges, and document types together?

 

Would you be able to share any documentation or matrix you may have about your user groups, that you may share with your users as they make requests, as to how things are defined?

 

Do you use Override privileges within user groups for document types?

 

What is your Global Client Settings for Document Type Permissions Overrides: Least Restrictive or Most Restrictive?

We are set to Least Restrictive.

 

Thanks

Pam

 

Pamela Lantzy

plantzy@albany.edu

University at Albany


AdamShaneHyland
Employee

Hi @Pam Lantzy ,

 

From an AD to OnBase perspective, there are a few options ...

  • AD is only used for User authentication and User Group management is done in OnBase
    • This scenario doesn't allow for User provisioning (creating and mapping of an AD User into OnBase User Groups)
  • AD is only used for basic User authentication into a single mapped User Group and further User Group management is done in OnBase
    • This scenario allows for User provisioning into the single AD mapped OnBase User Group
    • All other User Group mapping is done by an OnBase Admin in OnBase (Config | Users)
  • AD is used for User authentication and User Group management
    • This scenario allows for User provisioning
    • User management is mostly done in AD, but there is functionality to manage Users in OnBase (Config | Utils | Directory Services Authentication | Active Directory - Enhancement)

In regard to your User Group permissions questions, in general, an additive approach is recommended.   This means you start with the base User Groups and then add the unique permissions to other User Groups as necessary.  For instance ...

  • User Group - View
    • View Keywords
    • View Documents
  • User Group - Creator
    • Modify Keywords
    • Create Documents

In this scenario, if you wanted a user to have View and Create permissions, you would add them to both User Groups instead of adding all permissions to the User Group - Creator.  Override permissions have their place, but they can oftentimes get lost in the mix.  I would use them sparingly in your design.

 

Finally, Least vs. Most Restrictive.  This would depend on how you design your solution.  Ask yourself ...

  • How often are you going to have Users in multiple User Groups with competing permissions? 
  • How do you want the software to behave in this scenario when a User is in multiple User Groups with competing permissions?
    • Grant them all permissions granted between the two User Groups?
    • Grant them only the permissions which overlap between the two User Groups?

 

Take care.

 

 

Pamela_Lantzy
Champ in-the-making

Hi Adam.

 

A follow-up related to document types that are in user groups: the Document Types defined in user groups are accessible based on the "additive" that a user has.

 

Example:   

 

Document Type - Transcript

 

Transcript Document Type is in a user group 

    DeptC - Viewer   that has View Permissions 

    DeptB - Create Permissions, has multiple document types (including Transcript)

 

DeptA - Create  - other doc types not including Transcript

 

 

If a User is in DeptA - has Create Documents and DeptC - Viewer, then this user based on "additive" can Create Transcripts

 

 

What is best to address this?

 

 

thanks

Pam

 

AdamShaneHyland
Employee

Hi @Pam Lantzy ,

 

The additive approach would require creating more User Groups for the permissions.  If I understand what you are describing, you would like to have the "DeptA - Create" User Group have permission to Create Documents, except for Documents of the "Transcripts" Document Type.  If that is the case, then the "DeptA - Create" User Group should not be assigned the "Transcripts" Document Type.   Some options would be ...

  • Users in DeptA could be assigned to the "DeptC - Viewer" User Group
  • Create another User Group called "DeptA - Viewer"

This is why this approach is often used as a shared responsibility when mapping to AD so the OnBase Admin has more control over permissions within the system instead of relying on all User Groups in OnBase to be mapped to AD User Groups.

 

Take care.
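
Added example, not part of any post in this thread and not Hyland code: a small audit that models the additive behaviour reported above (every privilege a user holds applies to every document type the user can reach) and lists the privilege/document-type pairs that appear only when groups are combined. The group definitions, the memberships, and the "Admissions Form" and "Degree Audit" document types are constructed sample data, and the model itself is an assumption drawn from the thread, not a statement of how OnBase evaluates rights.

```python
"""Audit group combinations for cross-department privilege bleed."""

# Constructed sample data modelled on the thread; "Admissions Form" and
# "Degree Audit" are made-up document types, not taken from any OnBase export.
GROUPS = {
    "DeptA - Create": {"privileges": {"Create Documents"},
                       "doc_types": {"Admissions Form"}},
    "DeptB - Create": {"privileges": {"Create Documents"},
                       "doc_types": {"Transcript", "Degree Audit"}},
    "DeptC - Viewer": {"privileges": {"View Documents"},
                       "doc_types": {"Transcript"}},
}
# Constructed AD-style memberships (user -> mapped user groups).
MEMBERSHIPS = {
    "user1": ["DeptA - Create", "DeptC - Viewer"],
    "user2": ["DeptB - Create", "DeptC - Viewer"],
    "user3": ["DeptC - Viewer"],
}


def intended(groups, member_of):
    """(privilege, doc type) pairs that a single group grants on its own."""
    return {(p, d) for g in member_of
            for p in groups[g]["privileges"] for d in groups[g]["doc_types"]}


def effective(groups, member_of):
    """Pairs under the additive behaviour reported in the thread (assumption):
    every privilege the user holds applies to every doc type the user can reach."""
    privs = set().union(*(groups[g]["privileges"] for g in member_of))
    docs = set().union(*(groups[g]["doc_types"] for g in member_of))
    return {(p, d) for p in privs for d in docs}


def unintended_grants(groups, memberships):
    """Per user, the pairs that exist only because groups were combined."""
    report = {}
    for user, member_of in memberships.items():
        extra = effective(groups, member_of) - intended(groups, member_of)
        if extra:
            report[user] = sorted(extra)
    return report


if __name__ == "__main__":
    for user, pairs in unintended_grants(GROUPS, MEMBERSHIPS).items():
        for privilege, doc_type in pairs:
            print(f"{user}: {privilege} on {doc_type} (no single group grants this)")
```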