Executive Summary
OpenText is a leading manufacturer of content management software with over 7,800 corporate customers.
The ApplicationXtender (AX) suite provides a wide range of security and auditing features, allowing for flexible and thorough protection of electronic documents and data.
The entire imaging and retrieval system is contained within the client's facilities and behind its firewall. Outside access is not permitted. Your Admin Department is responsible for configuring AX Group Security for each business area.
The client's network personnel are responsible for adding employee IDs to, and removing them from, the various AX groups as directed by business areas.
Your employees log into AX using their existing network ID.
Your Admin Department will configure the AX Audit Trails to record such events as login and document viewing, emailing, and printing. Numerous other events are tracked.
ApplicationXtender Security
AX Security Overview
The AX system provides a wide range of security and auditing features, allowing for flexible protection of electronic documents and data. Using Group Security, security settings are defined for groups of users for each application (Electronic Filing Cabinet).
Functional Security governs the group's ability to access features and functionality inside each AX application. Through Document Level Security, particular documents inside a specific application can be made accessible or inaccessible to groups.
Managing Security
Managing group security entails adding and deleting groups, adding and removing users from groups, and assigning and modifying group privileges. Security of the client's documents stored in AX is achieved through the combination of authentication and authorization.
AX Authentication
Authentication requires all users to enter a valid user name and password. You manage authentication using the same Windows security used to provide all employees access to the network. The AX system can be configured so that employees use their existing network ID and password to authenticate into the AX archives. If your personnel terminate an employee's network ID, then the employee can be set to automatically lose access to documents stored in the AX archives.
AX Authorization
Authorization is the granting of specific access privileges to user groups. This can be a two-part process. First, your personnel create groups and add employees to relevant groups. Then you precisely configure each group with least privileges to various AX applications, functions and document selections.
You also create AX User Groups via Windows security. You are responsible for adding users to and removing users from the groups as directed by the business area managers. You ascertain which groups actually need to be created for each business area and create security profiles with group-specific privileges.
You can utilize the three levels of security (application, functional, and document) to prevent unauthorized users from gaining access to sensitive information stored in the AX systems. Each of the three security levels will now be reviewed.
Application Level Security
Application level security grants group access to AX applications, which can also be referred to as Electronic Filing Cabinets (EFC). You can develop various EFCs for each business area based on the assessment of needs for storage, security and retrieval. For example, a specific AX application can be built to store the Human Resource department images. One or more groups can be granted access to this EFC using application level security. Profiles are created to grant access to specific applications or to all applications.
Global security profiles can be established to automatically assign a uniform set of access privileges for a group every time a new application is created. When a global profile exists for groups, the privileges assigned in that profile are automatically assigned for every application created.
Application security profiles, like global security profiles, allow you to grant a particular set of privileges to a group. You can define different privileges for each application. One group may have full privileges in a human resources application, for instance, but only display privileges in a payroll application.
Application-specific security settings override global security settings. For example, if a group of users has privileges to create documents in their global profile, and an application-specific profile is set up (for this group) that does not have create document privileges, the users will not be able to create documents in the specific application.
Functional Security
Within each security profile, you enable privileges to perform AX functions. You can control the activities of users within applications by granting privileges only for the functions needed. Each security profile contains privilege settings for a variety of user functions, such as creating, modifying, and deleting applications; and scanning and printing documents. There are also settings for accessing commands on certain menus, such as Image Enhancement. For example, if a group cannot delete documents, the privilege to use this feature remains disabled in the security profile.
Document Security
With the Document Level Security feature, AX administrators can protect particular documents in an application from access by unauthorized users, or can allow users access to only particular documents in an application. AX uses a document's index values to achieve this protection. You can mark particular fields in an index as Document Level Security fields when an application is built. You can mark particular values in those index fields as inaccessible or accessible to groups of users. If a marked value is found, AX either grants or denies access to the document with that index value based on the settings configured in the Document Level Security function.
In order for Document Level Security to be used for a field, you must enable the Document Level Security field flag during the field definition portion of application creation. To assign secured values, you form an association between a particular Document Level Security enabled field and a particular group of users, and then assign values for that field that either allow or deny the particular group of users access. Document level security can be used to prevent a user from viewing certain documents in an application, assuming they have display privileges in that application.
Security Limitations
Maximum Groups per database is 250,000
Maximum Users per database is 250,000

| This Privilege | Grants This Ability | Required Co-Privileges |
|---|---|---|
| Scan/Index Online | The user can perform online indexing of scanned documents. | Add Page |
| Enhance Pages | The user can perform image enhancement functions such as deskew, inverse text correction, and dot shading removal. | Add Page and Display |
| Batch Scan | The user can perform batch creation functions, and use Batch Create and Batch Import. (The Batch Scan and Add Page privileges are both necessary in order to perform these functions in AppXtender Document Manager. Only the Batch Scan privilege is necessary in order to perform batch creation functions in AppXtender Image Capture.) | |
| Batch Index | The user can perform batch indexing. | Add Page |
| Modify Index | The user can modify the document indexes. | Display |
| Display | The user can display documents. This privilege also allows ODMA users to open documents in read-only mode. | |
| | The user can print, fax, e-mail, or export pages or documents in AppXtender Document Manager (and can print and fax pages in AppXtender Image Capture). The user can also cut pages, copy pages, or copy text from documents. (The Print and Display privileges are both necessary in order to e-mail, export, copy pages, or copy text. The Print, Display, and Delete Page privileges are all necessary in order to cut pages.) | |
| Configure WS | The user can access all tabs of the AppXtender Document Manager or AppXtender Image Capture Configuration dialog box. (The user can always access the View, Display, Fonts, and Scan tabs of the AppXtender Document Manager Configuration dialog box and the View, Display, and Scan tabs of the AppXtender Image Capture Configuration dialog box.) | |
| Delete Doc | The user can delete documents in the application, including those marked as final revisions. This privilege also allows ODMA users to delete document revisions. | |
| Delete Page | The user can delete pages in the document. This privilege also allows ODMA users to check in and replace the current document revision. (The Delete Page and Display privileges are both necessary in order to perform these functions.) | |
| Add Page | The user can add pages to documents in the application. (The Add Page and Display privileges are both necessary when adding pages to existing documents.) This privilege also allows ODMA users to check in, check out, and save documents. | |
| Create App | The user can create new applications. | |
| Modify App | The user can modify existing applications. | |
| Delete App | The user can purge or delete applications. | |
| Migrate App | The user can perform application migration. | AppXtender Administrator |
| COLD Import | The user can perform COLD/ERM extracts. | |
| COLD Import Maint | The user can maintain COLD/ERM extract definitions. | COLD Import |
| Cold Batch Extract | The user can perform COLD/ERM batch extractions. | |
| Administrator | | |
| Multiple Logins | The user can log into AppXtender from different workstations simultaneously. | |
| DLS Maint | The user can configure the Document Level Security tab for an application in AppXtender AppGen. | |
| Key Ref Maint | The user can configure the Key Reference File Setup tab for an application in AppXtender AppGen. | |
| Auto Index Maint | The user can configure the Auto Index Import Setup tab for an application in AppXtender AppGen. | |
| User Security Maint | The user can maintain user security. This privilege is required to access the Users, Groups, and Annotation Groups nodes in AppXtender AppGen and to change the security provider. | |
| Key Ref Import | The user can import Key Reference files. | |
| Auto Index Import | The user can import Auto Index files. | |
| Index/Image Import | The user can configure the Index/Image Import Setup tab for an application in AppXtender AppGen, and can import Index Image files. | |
| Create Annotations | The user can add annotations. | Display |
| Edit Annotations | The user can edit, delete, or hide the annotations created by the same user. | Display |
| Create Redactions | The user can add redactions. | Create Annotations and Display |
| Edit Redactions | The user can edit, delete, or hide redactions created by the same user. | Edit Annotations and Display |
| Global Annotations | The user can add annotations; can edit, delete, or hide annotations created by other users, and can view the text of text annotation icons created by other users. In addition, if Edit Redactions is selected, the user can add redactions and can edit, delete, or hide redactions created by other users. | Edit Annotations and Display |
| Full Text Index | If the Allow full-text option on the AppXtender Document Manager Configuration dialog box Full Text tab is enabled for the workstation, the user can submit documents in the application to the AppXtender Index Server for full-text indexing. If you enable or disable the Allow full-text option, you must restart AppXtender Document Manager for the change to take effect. | |
| Full Text Query | If the Allow full-text option on the AppXtender Document Manager Configuration dialog box Full Text tab is enabled for the workstation, the user can perform a full-text search for documents in the application. If you enable or disable the Allow full-text option, you must restart AppXtender Document Manager for the change to take effect. (The Full Text Query and Display privileges are both necessary in order to view the results of the full text search.) | |
| OCR | If the Allow OCR option on the AppXtender Document Manager Configuration dialog box OCR tab is enabled for the workstation, the user can process documents in the application with optical character recognition (OCR). If you enable or disable the Allow OCR option, you must restart AppXtender Document Manager for the change to take effect. | |
| PAL User | Public Access Licenses are used when you are using ApplicationXtender Web Access in combination with AppXtender Desktop to make AppXtender documents available over the World Wide Web or over intranets. If this privilege is enabled, the user's privileges are restricted when using ApplicationXtender Web Access. The user can only access AppXtender documents in read-only mode using the AppXtender Web Thin Client. (A user with the AppXtender Web PAL User privilege cannot log into any other AppXtender component, regardless of the other privileges in the user security profile.) | |
| Report View | Allows the user to query AppXtender applications specifically for and view reports generated by AppXtender Reports Mgmt. | Display |
| Retention Administrator | | Display, Delete (delete expired documents) |
| Retention User | | Display |
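
The override rule from Application Level Security and the Required Co-Privileges column can be checked together when reviewing group profiles. The following is an added example, not part of the original article and not AX's own code or API: it models a security profile as a set of privilege names (an assumption), resolves the effective profile per group and application, and reports privileges granted without their co-privileges. Group names, application names, and profile contents are constructed sample data.

```python
# Added illustration: models the rules described on this page; not AX's own code or API.
# Assumption: a security profile is represented as a set of privilege names.
# Co-privilege requirements copied from a subset of the privilege table rows.
REQUIRED_CO_PRIVILEGES = {
    "Scan/Index Online": {"Add Page"},
    "Enhance Pages": {"Add Page", "Display"},
    "Batch Index": {"Add Page"},
    "Modify Index": {"Display"},
    "COLD Import Maint": {"COLD Import"},
    "Create Annotations": {"Display"},
    "Edit Annotations": {"Display"},
    "Create Redactions": {"Create Annotations", "Display"},
    "Edit Redactions": {"Edit Annotations", "Display"},
    "Report View": {"Display"},
}

def effective_privileges(global_profiles, app_profiles, group, app):
    """An application-specific profile, when one exists, overrides the global profile."""
    specific = app_profiles.get((group, app))
    return set(global_profiles.get(group, ())) if specific is None else set(specific)

def audit(global_profiles, app_profiles, apps):
    """List (group, app, privilege, missing co-privileges) for incomplete grants."""
    findings = []
    groups = set(global_profiles) | {group for group, _ in app_profiles}
    for group in sorted(groups):
        for app in apps:
            privs = effective_privileges(global_profiles, app_profiles, group, app)
            for priv in sorted(privs):
                missing = REQUIRED_CO_PRIVILEGES.get(priv, set()) - privs
                if missing:
                    findings.append((group, app, priv, sorted(missing)))
    return findings

# Constructed sample data: group and application names are hypothetical.
GLOBAL_PROFILES = {
    "HR-Clerks": {"Display", "Add Page", "Scan/Index Online"},
    "Auditors": {"Display", "Report View"},
}
APP_PROFILES = {
    ("HR-Clerks", "PAYROLL"): {"Display"},          # narrower than the global profile
    ("Auditors", "HR"): {"Display", "Create Redactions"},  # lacks Create Annotations
}
APPS = ["HR", "PAYROLL"]

if __name__ == "__main__":
    for finding in audit(GLOBAL_PROFILES, APP_PROFILES, APPS):
        print(finding)
```

In the sample data, HR-Clerks falls back to display-only in PAYROLL because the application-specific profile replaces the global one, and the Auditors profile for HR is flagged because Create Redactions is granted without Create Annotations.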

| To Give the User This Ability | Enable These Options |
|---|---|
| View all annotations in the current annotation group | Annotations > View |
| Create annotations | Annotations > View Annotations > Create |
| Edit one's own annotations in the current annotation group | Annotations > View Annotations > Edit |
| Edit all annotations in the current annotation group | Annotations > View Annotations > Edit Global Edit |
| Hide all redactions in the current annotation group | Redactions > Hide |
| Create Redactions | Annotations > View Annotations > Create Redactions > Hide Redactions > Create |
| Edit one's own redactions in the current annotation group | Annotations > View Annotations > Edit Redactions > Hide Redactions > Edit |
| Edit all redactions in the current annotation group | |

This article reviews ApplicationXtender security settings, as well as how to implement and manage all levels of security.