ApplicationXtender Document and User Security
This document provides both a summary and a detailed description of ApplicationXtender (AX) security features.
Executive Summary
OpenText is a leading manufacturer of content management software with over 7,800 corporate customers.
The ApplicationXtender (AX) suite provides a wide range of security and auditing features, allowing for flexible protection of electronic documents and data.
The entire imaging and retrieval system is contained within the client's facilities and behind its firewall. Outside access is not permitted.
Your Admin Department is responsible for configuring AX Group Security for each business area.
The client's network personnel are responsible for adding employee IDs to and removing them from the various AX groups as directed by the business areas.
Your employees log into AX using their existing network ID.
Your Admin Department will configure the AX Audit Trails to record events such as login and document viewing, emailing and printing. Numerous other events are tracked.
ApplicationXtender Security
AX Security Overview
The AX system provides a wide range of security and auditing features, allowing for flexible protection of electronic documents and data. Using Group Security, security settings are defined for groups of users for each application (Electronic Filing Cabinet).
Functional Security governs the group's ability to access features and functionality inside each AX application. Through Document Level Security, particular documents inside a specific application can be made accessible or inaccessible to groups.
Managing Security
Managing group security entails adding and deleting groups, adding and removing users from groups, and assigning and modifying group privileges. Security of the client's documents stored in AX is achieved through the combination of authentication and authorization.
AX Authentication
Authentication requires all users to enter a valid user name and password. You manage authentication using the same Windows security used to provide all employees access to the network. The AX system can be configured so that employees use their existing network ID and password to authenticate into the AX archives. If your personnel terminate an employee's network ID, then the employee can be set to automatically lose access to documents stored in the AX archives.
AX Authorization
Authorization is the granting of specific access privileges to user groups. This can be a two-part process. First, your personnel create groups and add employees to relevant groups. Then you precisely configure each group with least privileges to various AX applications, functions and document selections.
You also create AX User Groups via Windows security. You are responsible for adding users to and removing them from the groups as directed by the business area managers. You ascertain which groups actually need to be created for each business area and create security profiles with group-specific privileges.
You can utilize the three levels of security (application, functional, and document) to prevent unauthorized users from gaining access to sensitive information stored in the AX systems. Each of the three security levels will now be reviewed.
Application Level Security
Application level security grants group access to AX applications, which can also be referred to as Electronic Filing Cabinets (EFCs). You can develop various EFCs for each business area based on the assessment of needs for storage, security and retrieval. For example, a specific AX application can be built to store the Human Resource department images. One or more groups can be granted access to this EFC using application level security. Profiles are created to grant access to specific applications or to all applications.
Global security profiles can be established to automatically assign a uniform set of access privileges for a group every time a new application is created. When a global profile exists for groups, the privileges assigned in that profile are automatically assigned for every application created.
Application security profiles, like global security profiles, allow you to grant a particular set of privileges to a group. You can define different privileges for each application. One group may have full privileges in a human resources application, for instance, but only display privileges in a payroll application.
Application-specific security settings override global security settings. For example, if a group of users has privileges to create documents in their global profile, and an application-specific profile is set up (for this group) that does not have create document privileges, the users will not be able to create documents in the specific application.
Functional Security
Within each security profile, you enable privileges to perform AX functions. You can control the activities of users within applications by granting privileges only for the functions needed. Each security profile contains privilege settings for a variety of user functions, such as creating, modifying, and deleting applications; and scanning and printing documents. There are also settings for accessing commands on certain menus, such as Image Enhancement. For example, if a group cannot delete documents, the privilege to use this feature remains disabled in the security profile.
Document Security
With the Document Level Security feature, AX administrators can protect particular documents in an application from access by unauthorized users, or can allow users access to only particular documents in an application. AX uses a document's index values to achieve this protection. You can mark particular fields in an index as Document Level Security fields when an application is built. You can mark particular values in those index fields as inaccessible or accessible to groups of users. If a marked value is found, AX either grants or denies access to the document with that index value based on the settings configured in the Document Level Security function.
In order for Document Level Security to be used for a field, you must enable the Document Level Security field flag during the field definition portion of application creation. To assign secured values, you form an association between a particular Document Level Security enabled field and a particular group of users, and then assign values for that field that either allow or deny the particular group of users access. Document level security can be used to prevent a user from viewing certain documents in an application, assuming they have display privileges in that application.
Security Limitations
Maximum Groups per database is 250,000
Maximum Users per database is 250,000
Implementing Security in AppXtender Admin
The ApplicationXtender (AppXtender) system provides a range of security features, allowing for flexible, easy-to-administer data protection. AppXtender Admin allows you to specify credentials for various AppXtender server authentication accounts; specify a security provider for each data source; change encryption; and configure timestamps for digital signatures. Using the User and Group Security functions in the AppXtender AppGen module, you can define global or application-level security settings for individual users or for groups of users. These security settings, called privileges, govern the ability of a user or group of users to access functions in AppXtender.
Through the Document Level Security function in the AppXtender AppGen module, particular documents can be made accessible or inaccessible to groups of users based on index values attached to the documents. Annotation groups allow you to control users' access to specific annotations.
Using Directory Services for User Authentication
The AppXtender software has two pre-packaged security providers for authentication, CM and Windows, which allow you to import users and groups from Windows. You can also create a directory service security provider that allows you to import users and groups from an LDAP directory service.
Implementing Group Security
An AppXtender system administrator can create or import a group of users to grant the same security settings to all of the members of the group. Groups can be used to assign global and application-level security settings (by configuring group security profiles) or to protect documents from access at the document level.
Group security, like user security, uses profiles to assign privileges in AppXtender, but privileges assigned to a group apply to all members of the group, rather than a single user. The privileges to perform functions in AppXtender, such as adding documents, printing, and creating and modifying applications, are assigned in security profiles. By creating group security profiles, you can easily assign the same privileges to all of the members of a group.
Group security profiles, like user security profiles, can be used to grant privileges to all applications in the data source, or to assign privileges to a specific application. A global security profile allows the members of the group to access the AppXtender functions enabled in the profile in all AppXtender applications. An application security profile allows the members of the group to access the functions enabled in the application to which the profile applies.
Groups are also used when assigning Document Level Security (DLS) settings. You associate a group with an index field and assign values for that field that either grant or deny access to documents.
| This Privilege | Grants This Ability | Required Co-Privileges |
|---|---|---|
| Scan/Index Online | The user can perform online indexing of scanned documents. | Add Page |
| Enhance Pages | The user can perform image enhancement functions such as deskew, inverse text correction, and dot shading removal. | Add Page and Display |
| Batch Scan | The user can perform batch creation | |
| Batch Index | The user can perform batch indexing. | Add Page |
| Modify Index | The user can modify the document indexes. | Display |
| Display | The user can display documents. This privilege also allows ODMA users to open documents in read-only mode. | |
| | The user can print, fax, e-mail, or export pages or documents in AppXtender Document Manager (and can print and fax pages in AppXtender Image Capture). The user can also cut pages, copy pages, or copy text from documents. (The Print and Display privileges are both necessary in order to e-mail, export, copy pages, or copy text. The Print, Display, and Delete Page privileges are all necessary in order to cut pages.) | |
| Configure WS | The user can access all tabs of the AppXtender Document Manager or AppXtender Image Capture Configuration dialog box. (The user can always access the View, Display, Fonts, and Scan tabs of the AppXtender Document Manager | |
| Delete Doc | The user can delete documents in the application, including those marked as final revisions. This privilege also allows ODMA users to delete document revisions. | |
| Delete Page | The user can delete pages in the document. This privilege also allows ODMA users to check in and replace the current document revision. (The Delete Page and Display | |
| Add Page | The user can add pages to documents in the application. (The Add Page and Display privileges are both necessary when adding pages to existing documents.) This privilege | |
| Create App | The user can create new applications. | |
| Modify App | The user can modify existing applications. | |
| Delete App | The user can purge or delete applications. | |
| Migrate App | The user can perform application migration. | AppXtender Administrator |
| COLD Import | The user can perform COLD/ERM extracts. | |
| COLD Import Maint | The user can maintain COLD/ERM extract definitions. | COLD Import |
| Cold Batch Extract | The user can perform COLD/ERM batch extractions. | |
| Administrator | The user can: | |
| Multiple Logins | The user can log into AppXtender from different workstations simultaneously. | |
| DLS Maint | The user can configure the Document Level Security tab for an application in AppXtender AppGen. | |
| Key Ref Maint | The user can configure the Key Reference File Setup tab for an application in AppXtender AppGen. | |
| Auto Index Maint | The user can configure the Auto Index Import Setup tab for an application in AppXtender AppGen. | |
| User Security Maint | The user can maintain user security. This privilege is required to access the Users, Groups, and Annotation Groups nodes in AppXtender AppGen and to change the security provider. | |
| Key Ref Import | The user can import Key Reference files. | |
| Auto Index Import | The user can import Auto Index files. | |
| Index/Image Import | The user can configure the Index/Image Import Setup tab for an application in AppXtender AppGen, and can import Index | |
| Create Annotations | The user can add annotations. | Display |
| Edit Annotations | The user can edit, delete, or hide the annotations created by the same user. | Display |
| Create Redactions | The user can add redactions. | Create Annotations and Display |
| Edit Redactions | The user can edit, delete, or hide redactions created by the same user. | Edit Annotations and Display |
| Global Annotations | The user can add annotations; can edit, delete, or hide annotations created by other users, and can view the text of text annotation icons created by other users. In addition, if Edit Redactions is selected, the user can add redactions and can edit, delete, or hide redactions created by other users. | Edit Annotations and Display |
| Full Text Index | If the Allow full-text option on the AppXtender Document Manager Configuration dialog box Full Text tab is enabled for the workstation, the user can submit documents in the application to the AppXtender Index Server for full-text | |
| Full Text Query | If the Allow full-text option on the AppXtender Document Manager Configuration dialog box Full Text tab is | |
| OCR | If the Allow OCR option on the AppXtender Document Manager Configuration dialog box OCR tab is enabled for the workstation, the user can process documents in the application with optical character recognition (OCR). If you enable or disable the Allow OCR option, you must restart | |
| PAL User | Public Access Licenses are used when you are using ApplicationXtender Web Access in combination with AppXtender Desktop to make AppXtender documents | |
| Report View | Allows the user to query AppXtender applications specifically for and view reports generated by AppXtender Reports Mgmt. | Display |
| Retention Administrator | Enable and configure retention, either AppXtender software-based or EMC Centera, for an application. | Display |
| Retention User | If retention is enabled for the AppXtender application, the user can file a document for retention. | Display |
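The rule that an application security profile overrides the global profile, and the Required Co-Privileges column above, can both be checked mechanically when reviewing a group's profiles. The following Python is an added example, not OpenText code and not an AppXtender API: the profile dictionaries, group data and application names are constructed, and the co-privilege map is a subset of the table above.

```python
# Added illustration: a simplified model of the profile rules described on
# this page. It does not call any ApplicationXtender API.

# Required co-privileges, copied from a subset of the privilege table above.
CO_PRIVILEGES = {
    "Scan/Index Online": {"Add Page"},
    "Enhance Pages": {"Add Page", "Display"},
    "Batch Index": {"Add Page"},
    "Modify Index": {"Display"},
    "Create Annotations": {"Display"},
    "Edit Annotations": {"Display"},
    "Create Redactions": {"Create Annotations", "Display"},
    "Edit Redactions": {"Edit Annotations", "Display"},
}


def effective_privileges(global_profile, app_profiles, app):
    """An application-specific profile overrides the global profile;
    the global profile applies only when no application profile exists."""
    if app in app_profiles:
        return set(app_profiles[app])
    return set(global_profile)


def audit_group(global_profile, app_profiles, apps):
    """Return {app: {privilege: [missing co-privileges]}} for every privilege
    that is enabled without the co-privileges it depends on."""
    findings = {}
    for app in apps:
        granted = effective_privileges(global_profile, app_profiles, app)
        gaps = {}
        for priv in sorted(granted):
            missing = CO_PRIVILEGES.get(priv, set()) - granted
            if missing:
                gaps[priv] = sorted(missing)
        if gaps:
            findings[app] = gaps
    return findings


# Constructed sample data (hypothetical group profiles and application names).
CLERKS_GLOBAL = {"Display", "Add Page", "Scan/Index Online", "Create Annotations"}
CLERKS_APPS = {
    "PAYROLL": {"Display"},
    "HR": {"Enhance Pages", "Create Redactions", "Display"},
}

if __name__ == "__main__":
    apps = ["HR", "PAYROLL", "INVOICES"]
    for app, gaps in audit_group(CLERKS_GLOBAL, CLERKS_APPS, apps).items():
        print(app, gaps)
```

In the sample, the PAYROLL profile leaves the group with Display only even though the global profile enables more, and the HR profile enables two privileges whose co-privileges are missing.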
Implementing Document Level Security
ApplicationXtender offers a powerful security feature, called Document Level Security (DLS), which pinpoints user access within an AppXtender application. With DLS, you can deny a group of users access to any classified or sensitive document(s), without restricting access to other documents in the application. DLS can also be configured to grant a group of users access to only a specific set of documents in an application.
In AppXtender, documents are catalogued for retrieval at the time they are stored by attaching an index record containing values for each of the application's index fields. Document Level Security is implemented by creating an association between an index field and a group of users and then creating a list of secured field values that are either accessible or inaccessible to that group of users.
When a member of the group searches for a document in the application, AppXtender checks the search criteria values against the secured values in the list and grants or denies access based on whether or not the values match. Document Level Security can also be implemented using wildcards and keywords.
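The difference between a list of values that grants access and one that denies it is easiest to see on sample index records. The following Python is an added example, not AppXtender code: the rule layout, the "grant"/"deny" mode names, the shell-style wildcard syntax, and the group, field and document values are all assumptions made for illustration, and the check is applied to each document's index values.

```python
from fnmatch import fnmatchcase

# Added illustration: simplified model of Document Level Security (DLS).
# Rule layout, mode names and wildcard syntax are assumptions, not AX's own.


class DlsRule:
    def __init__(self, group, field, mode, values):
        if mode not in ("grant", "deny"):
            raise ValueError("mode must be 'grant' or 'deny'")
        self.group, self.field, self.mode = group, field, mode
        self.values = list(values)  # secured values; '*' and '?' wildcards

    def matches(self, index_record):
        value = index_record.get(self.field, "")
        return any(fnmatchcase(value, pattern) for pattern in self.values)


def can_access(group, privileges, index_record, rules):
    """DLS narrows access; it does not replace the Display privilege."""
    if "Display" not in privileges:
        return False
    for rule in rules:
        if rule.group != group:
            continue
        hit = rule.matches(index_record)
        # grant list: only matching documents; deny list: all but matching.
        if (rule.mode == "grant" and not hit) or (rule.mode == "deny" and hit):
            return False
    return True


def visible_documents(group, privileges, documents, rules):
    """Return the DOC_ID of every document the group may display."""
    return [d["DOC_ID"] for d in documents
            if can_access(group, privileges, d, rules)]


# Constructed sample index records and rules (hypothetical names).
DOCS = [
    {"DOC_ID": "1", "DEPT": "HR-EXEC", "TYPE": "Review"},
    {"DOC_ID": "2", "DEPT": "HR-STAFF", "TYPE": "Review"},
    {"DOC_ID": "3", "DEPT": "FINANCE", "TYPE": "Invoice"},
]
RULES = [
    DlsRule("HR Clerks", "DEPT", "deny", ["HR-EXEC"]),
    DlsRule("Auditors", "DEPT", "grant", ["HR-*"]),
]

if __name__ == "__main__":
    for group in ("HR Clerks", "Auditors", "Managers"):
        print(group, visible_documents(group, {"Display"}, DOCS, RULES))
```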
Implementing Annotation Groups
You can use privileges to apply annotation-related security measures. However, if you want to control users' access to specific annotations, you must use annotation groups. Annotation groups allow you to create associations between users, groups, and specific annotations. You can specify which users and groups can view or modify specific annotations, and which users and groups can hide or modify specific redactions.
| To Give the User This Ability | Enable These Options |
|---|---|
| View all annotations in the current annotation group | Annotations > View |
| Create annotations | Annotations > View Annotations > Create |
| Edit one's own annotations in the current annotation group | Annotations > View Annotations > Edit |
| Edit all annotations in the current annotation group | Annotations > View Annotations > Edit Global Edit |
| Hide all redactions in the current annotation group | Redactions > Hide |
| Create Redactions | Annotations > View Annotations > Create |
| Edit one's own redactions in the current annotation group | Annotations > View Annotations > Edit Redactions > Hide Redactions > Edit |
| Edit all redactions in the current | Annotations > View Annotations > Edit Redactions > Hide Redactions > Edit |