11-04-2023 05:37 AM
Hi,
We are implementing OnBase (version EP5, 21.1.14), coming from Nolij Web 6.8.
At our university, for our implementation we are primarily working with offices that have documents associated with students. We have documents for which an office may be the owner and have elevated privileges (scan/index, power user), and for certain documents we need other offices to only view them. In addition, the offices that view such documents also have their own documents and will therefore have elevated privileges (scan/index, power user). Of course, the other offices have their own documents that they manage.
With user security groups, we have groups with names such as DeptXXX - Viewer, DeptXXX - Scan/Index, DeptXXX - Power User, assigning product rights, privileges, and document types accordingly.
In some scenarios, there will be users that have multiple user groups across different departments, e.g. DeptA-PowerUser and DeptC-Viewer. We discovered that the user can manipulate document types that are defined in DeptC-Viewer, since they are in DeptA-PowerUser.
We are managing/assigning users the user security groups through AD. The management of the user groups is decentralized out to the departments.
Did you design your user security groups similarly, combining the product rights, privileges, and document types together?
Would you be able to share any documentation or matrix you may have about your user groups - that you may share with your users, as they make requests, as to how things are defined?
Do you use Override privileges within user groups for document types?
What is your Global Client Settings value for Document Type Permissions Overrides: Least Restrictive or Most Restrictive?
We are set to Least Restrictive.
Thanks
Pam
Pamela Lantzy
University at Albany
11-06-2023 05:54 AM
Hi
From an AD to OnBase perspective, there are a few options ...
In regard to your User Group permissions questions, in general, an additive approach is recommended. This means you start with the base User Groups and then add the unique permissions to other User Groups as necessary. For instance ...
In this scenario, if you wanted a user to have View and Create permissions, you would add them to both User Groups instead of adding all permissions to the User Group - Creator. Override permissions have their place, but they can often times get lost in the mix. I would use them sparingly in your design.
Finally, Least vs. Most Restrictive. This would depend on how you design your solution. Ask yourself ...
Take care.
11-06-2023 06:49 AM
Hi Adam.
A follow-up is related to document types that are in user groups. The Document Types defined in user groups are accessible based on the "additive" that a user has.
Example:
Document Type - Transcript
Transcript Document Type is in a user group
DeptC - Viewer, which has View permissions
DeptB - Create permissions, has multiple document types (including Transcript)
DeptA - Create - other doc types, not including Transcript
If a user is in DeptA (has Create Documents) and DeptC - Viewer, then this user, based on "additive", can create Transcripts.
What is best to address this?
Thanks
Pam
11-06-2023 07:01 AM
Hi
The additive approach would require creating more User Groups for the permissions. If I understand what you are describing, you would like to have the "DeptA - Create" User Group have permission to Create Documents, except for Documents of the "Transcripts" Document Type. If that is the case, then the "DeptA - Create" User Group should not be assigned the "Transcripts" Document Type. Some options would be ...
This is why this approach is often used as a shared responsibility when mapping to AD so the OnBase Admin has more control over permissions within the system instead of relying on all User Groups in OnBase to be mapped to AD User Groups.
Take care.
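A simplified model of the additive behaviour discussed in this thread, as an added example that is not from any of the posters or from Hyland: it assumes a user's effective rights are the union of privileges across all their user groups applied to the union of their document types, and flags users whose combined memberships yield rights that no single group grants. Group names follow the Transcript example above; the other document types, the user names and the membership export are constructed.

```python
# Simplified model of the additive behaviour described in the thread; not Hyland code.
# Group names follow the Transcript example; other doc types and users are constructed.
GROUPS = {
    "DeptA - Create": {"privs": {"view", "create"}, "doc_types": {"DeptA Form"}},
    "DeptB - Create": {"privs": {"view", "create"},
                       "doc_types": {"Transcript", "DeptB Form"}},
    "DeptC - Viewer": {"privs": {"view"}, "doc_types": {"Transcript"}},
}

# Constructed stand-in for an AD group-membership export.
MEMBERSHIPS = {
    "user1": ["DeptA - Create", "DeptC - Viewer"],
    "user2": ["DeptC - Viewer"],
    "user3": ["DeptB - Create", "DeptC - Viewer"],
}


def intended(groups):
    """Rights each group was designed to give: its own privileges on its own doc types."""
    return {(p, d) for g in groups
            for p in GROUPS[g]["privs"] for d in GROUPS[g]["doc_types"]}


def effective(groups):
    """Assumed additive result: every privilege held applies to every reachable doc type."""
    privs = set().union(*(GROUPS[g]["privs"] for g in groups))
    docs = set().union(*(GROUPS[g]["doc_types"] for g in groups))
    return {(p, d) for p in privs for d in docs}


def unintended(groups):
    """(privilege, doc type) pairs that only exist because memberships were combined."""
    return effective(groups) - intended(groups)


def audit(memberships):
    """Map each affected user to the rights no single group of theirs grants."""
    return {u: sorted(unintended(gs)) for u, gs in memberships.items() if unintended(gs)}


if __name__ == "__main__":
    for user, extra in audit(MEMBERSHIPS).items():
        print(f"{user}: unintended rights {extra}")
```

Running the same comparison against a real membership export before delegating group assignment to departments shows which group pairings need a separate User Group.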