ApplicationXtender Document and User Security


This document provides both a summary and a detailed description of ApplicationXtender (AX) security features.

Executive Summary

OpenText is a leading manufacturer of content management software with over 7,800 corporate customers.
The ApplicationXtender (AX) suite provides a wide range of security and auditing features, allowing for flexible protection of electronic documents and data.
The entire imaging and retrieval system is contained within the client's facilities and behind its firewall. Outside access is not permitted.
Your Admin Department is responsible for configuring AX Group Security for each business area.
The client's network personnel are responsible for adding and removing employee IDs from the various AX groups as directed by business areas.
Your employees log into AX using their existing network ID.
Your Admin Department will configure the AX Audit Trails to record events such as login and document viewing, emailing, and printing. Numerous other events are tracked.

ApplicationXtender Security

AX Security Overview


The AX system provides a wide range of security and auditing features, allowing for flexible protection of electronic documents and data. Using Group Security, security settings are defined for groups of users for each application (Electronic Filing Cabinet).


Functional Security governs the group's ability to access features and functionality inside each AX application. Through Document Level Security, particular documents inside a specific application can be made accessible or inaccessible to groups.


Managing Security


Managing group security entails adding and deleting groups, adding and removing users from groups, and assigning and modifying group privileges. Security of the client's documents stored in AX is achieved through the combination of authentication and authorization.


AX Authentication


Authentication requires all users to enter a valid user name and password. You manage authentication using the same Windows security used to provide all employees access to the network. The AX system can be configured so that employees use their existing network ID and password to authenticate into the AX archives. If your personnel terminate an employee's network ID, then the employee can be set to automatically lose access to documents stored in the AX archives.


AX Authorization


Authorization is the granting of specific access privileges to user groups. This can be a two-part process. First, your personnel create groups and add employees to relevant groups. Then you precisely configure each group with least privileges to various AX applications, functions and document selections.


You also create AX User Groups via Windows security. You are responsible for adding and removing users from the groups as directed by the business area managers. You ascertain which groups actually need to be created for each business area and create security profiles with group-specific privileges.


You can utilize the three levels of security (application, functional, and document) to prevent unauthorized users from gaining access to sensitive information stored in the AX systems. Each of the three security levels will now be reviewed.


Application Level Security


Application level security grants group access to AX applications, which can also be referred to as Electronic Filing Cabinets (EFC). You can develop various EFCs for each business area based on the assessment of needs for storage, security and retrieval. For example, a specific AX application can be built to store the Human Resource department images. One or more groups can be granted access to this EFC using application level security. Profiles are created to grant access to specific applications or to all applications.


Global security profiles can be established to automatically assign a uniform set of access privileges for a group every time a new application is created. When a global profile exists for groups, the privileges assigned in that profile are automatically assigned for every application created.


Application security profiles, like global security profiles, allow you to grant a particular set of privileges to a group. You can define different privileges for each application. One group may have full privileges in a human resources application, for instance, but only display privileges in a payroll application.


Application-specific security settings override global security settings. For example, if a group of users has privileges to create documents in their global profile, and an application-specific profile is set up (for this group) that does not have create document privileges, the users will not be able to create documents in the specific application.


Functional Security


Within each security profile, you enable privileges to perform AX functions. You can control the activities of users within applications by granting privileges only for the functions needed. Each security profile contains privilege settings for a variety of user functions, such as creating, modifying, and deleting applications; and scanning and printing documents. There are also settings for accessing commands on certain menus, such as Image Enhancement. For example, if a group cannot delete documents, the privilege to use this feature remains disabled in the security profile.


Document Security


With the Document Level Security feature, AX administrators can protect particular documents in an application from access by unauthorized users, or can allow users access to only particular documents in an application. AX uses a document's index values to achieve this protection. You can mark particular fields in an index as Document Level Security fields when an application is built. You can mark particular values in those index fields as inaccessible or accessible to groups of users. If a marked value is found, AX either grants or denies access to the document with that index value based on the settings configured in the Document Level Security function.


In order for Document Level Security to be used for a field, you must enable the Document Level Security field flag during the field definition portion of application creation. To assign secured values, you form an association between a particular Document Level Security enabled field and a particular group of users, and then assign values for that field that either allow or deny the particular group of users access. Document level security can be used to prevent a user from viewing certain documents in an application, assuming they have display privileges in that application.


Security Limitations


Maximum Groups per database is 250,000

Maximum Users per database is 250,000


Implementing Security in AppXtender Admin

The ApplicationXtender (AppXtender) system provides a range of security features, allowing for flexible, easy-to-administer data protection. AppXtender Admin allows you to specify credentials for various AppXtender server authentication accounts; specify a security provider for each data source; change encryption; and configure timestamps for digital signatures. Using the User and Group Security functions in the AppXtender AppGen module, you can define global or application-level security settings for individual users or for groups of users. These security settings, called privileges, govern the ability of a user or group of users to access functions in AppXtender.

Through the Document Level Security function in the AppXtender AppGen module, particular documents can be made accessible or inaccessible to groups of users based on index values attached to the documents. Annotation groups allow you to control users' access to specific annotations.

Using Directory Services for User Authentication

The AppXtender software has two pre-packaged security providers for authentication, CM and Windows, which allow you to import users and groups from Windows. You can also create a directory service security provider that allows you to import users and groups from an LDAP directory service.

Implementing Group Security

An AppXtender system administrator can create or import a group of users to grant the same security settings to all of the members of the group. Groups can be used to assign global and application-level security settings (by configuring group security profiles) or to protect documents from access at the document level.

Group security, like user security, uses profiles to assign privileges in AppXtender, but privileges assigned to a group apply to all members of the group, rather than a single user. The privileges to perform functions in AppXtender, such as adding documents, printing, and creating and modifying applications, are assigned in security profiles. By creating group security profiles, you can easily assign the same privileges to all of the members of a group.

Group security profiles, like user security profiles, can be used to grant privileges to all applications in the data source, or to assign privileges to a specific application. A global security profile allows the members of the group to access the AppXtender functions enabled in the profile in all AppXtender applications. An application security profile allows the members of the group to access the functions enabled in the application to which the profile applies.

Groups are also used when assigning Document Level Security (DLS) settings. You associate a group with an index field and assign values for that field that either grant or deny access to documents.

| This Privilege | Grants This Ability | Required Co-Privileges |
| --- | --- | --- |
| Scan/Index Online | The user can perform online indexing of scanned documents. | Add Page |
| Enhance Pages | The user can perform image enhancement functions such as deskew, inverse text correction, and dot shading removal. | Add Page and Display |
| Batch Scan | The user can perform batch creation functions, and use Batch Create and Batch Import. (The Batch Scan and Add Page privileges are both necessary in order to perform these functions in AppXtender Document Manager. Only the Batch Scan privilege is necessary in order to perform batch creation functions in AppXtender Image Capture.) | |
| Batch Index | The user can perform batch indexing. | Add Page |
| Modify Index | The user can modify the document indexes. | Display |
| Display | The user can display documents. This privilege also allows ODMA users to open documents in read-only mode. | |
| Print | The user can print, fax, e-mail, or export pages or documents in AppXtender Document Manager (and can print and fax pages in AppXtender Image Capture). The user can also cut pages, copy pages, or copy text from documents. (The Print and Display privileges are both necessary in order to e-mail, export, copy pages, or copy text. The Print, Display, and Delete Page privileges are all necessary in order to cut pages.) | |
| Configure WS | The user can access all tabs of the AppXtender Document Manager or AppXtender Image Capture Configuration dialog box. (The user can always access the View, Display, Fonts, and Scan tabs of the AppXtender Document Manager Configuration dialog box and the View, Display, and Scan tabs of the AppXtender Image Capture Configuration dialog box.) | |
| Delete Doc | The user can delete documents in the application, including those marked as final revisions. This privilege also allows ODMA users to delete document revisions. | |
| Delete Page | The user can delete pages in the document. This privilege also allows ODMA users to check in and replace the current document revision. (The Delete Page and Display privileges are both necessary in order to perform these functions.) | |
| Add Page | The user can add pages to documents in the application. (The Add Page and Display privileges are both necessary when adding pages to existing documents.) This privilege also allows ODMA users to check in, check out, and save documents. | |
| Create App | The user can create new applications. | |
| Modify App | The user can modify existing applications. | |
| Delete App | The user can purge or delete applications. | |
| Migrate App | The user can perform application migration. | AppXtender Administrator |
| COLD Import | The user can perform COLD/ERM extracts. | |
| COLD Import Maint | The user can maintain COLD/ERM extract definitions. | COLD Import |
| Cold Batch Extract | The user can perform COLD/ERM batch extractions. | |
| Administrator | The user can: • Access ApplicationXtender Administrator • Change the license configuration in Application Generator • Access in AppXtender any applications with names that begin with an underscore (_), such as _FORMS or _RSTAMP • Reset a batch in AppXtender Document Manager or AppXtender Image Capture • Create, modify, or delete custom data types and custom data formats • Use the Archive Wizard or AppXtender Migration (The Migrate App and AppXtender Administrator privileges are both necessary in order to perform this function.) • Use the Full Text Indexing Wizard. • Delete documents filed for RM retention. Documents filed for retention cannot be deleted until the retention period has expired. | |
| Multiple Logins | The user can log into AppXtender from different workstations simultaneously. | |
| DLS Maint | The user can configure the Document Level Security tab for an application in AppXtender AppGen. | |
| Key Ref Maint | The user can configure the Key Reference File Setup tab for an application in AppXtender AppGen. | |
| Auto Index Maint | The user can configure the Auto Index Import Setup tab for an application in AppXtender AppGen. | |
| User Security Maint | The user can maintain user security. This privilege is required to access the Users, Groups, and Annotation Groups nodes in AppXtender AppGen and to change the security provider. | |
| Key Ref Import | The user can import Key Reference files. | |
| Auto Index Import | The user can import Auto Index files. | |
| Index/Image Import | The user can configure the Index/Image Import Setup tab for an application in AppXtender AppGen, and can import Index Image files. | |
| Create Annotations | The user can add annotations. | Display |
| Edit Annotations | The user can edit, delete, or hide the annotations created by the same user. | Display |
| Create Redactions | The user can add redactions. | Create Annotations and Display |
| Edit Redactions | The user can edit, delete, or hide redactions created by the same user. | Edit Annotations and Display |
| Global Annotations | The user can add annotations; can edit, delete, or hide annotations created by other users, and can view the text of text annotation icons created by other users. In addition, if Edit Redactions is selected, the user can add redactions and can edit, delete, or hide redactions created by other users. | Edit Annotations and Display |
| Full Text Index | If the Allow full-text option on the AppXtender Document Manager Configuration dialog box Full Text tab is enabled for the workstation, the user can submit documents in the application to the AppXtender Index Server for full-text indexing. If you enable or disable the Allow full-text option, you must restart AppXtender Document Manager for the change to take effect. | |
| Full Text Query | If the Allow full-text option on the AppXtender Document Manager Configuration dialog box Full Text tab is enabled for the workstation, the user can perform a full-text search for documents in the application. If you enable or disable the Allow full-text option, you must restart AppXtender Document Manager for the change to take effect. (The Full Text Query and Display privileges are both necessary in order to view the results of the full text search.) | |
| OCR | If the Allow OCR option on the AppXtender Document Manager Configuration dialog box OCR tab is enabled for the workstation, the user can process documents in the application with optical character recognition (OCR). If you enable or disable the Allow OCR option, you must restart AppXtender Document Manager for the change to take effect. | |
| PAL User | Public Access Licenses are used when you are using ApplicationXtender Web Access in combination with AppXtender Desktop to make AppXtender documents available over the World Wide Web or over intranets. If this privilege is enabled, the user's privileges are restricted when using ApplicationXtender Web Access. The user can only access AppXtender documents in read-only mode using the AppXtender Web Thin Client. (A user with the AppXtender Web PAL User privilege cannot log into any other AppXtender component, regardless of the other privileges in the user security profile.) | |
| Report View | Allows the user to query AppXtender applications specifically for and view reports generated by AppXtender Reports Mgmt. | Display |
| Retention Administrator | Enable and configure retention, either AppXtender software-based or EMC Centera, for an application. In addition, if retention is enabled for the AppXtender application, the user can perform the following retention-related tasks: • File a document for retention using any policy defined for the application • Place and remove a retention hold • Manage expired documents under Retention. IMPORTANT: Both AppXtender software-based and EMC Centera retention require a valid license. | Display; Delete (delete expired documents) |
| Retention User | If retention is enabled for the AppXtender application, the user can file a document for retention. IMPORTANT: Both AppXtender software-based and EMC Centera retention require a valid license. | Display |

Implementing Document Level Security

ApplicationXtender offers a powerful security feature, called Document Level Security (DLS), which pinpoints user access within an AppXtender application. With DLS, you can deny a group of users access to any classified or sensitive document(s), without restricting access to other documents in the application. DLS can also be configured to grant a group of users access to only a specific set of documents in an application.

In AppXtender, documents are catalogued for retrieval at the time they are stored by attaching an index record containing values for each of the application's index fields. Document Level Security is implemented by creating an association between an index field and a group of users and then creating a list of secured field values that are either accessible or inaccessible to that group of users.

When a member of the group searches for a document in the application, AppXtender checks the search criteria values against the secured values in the list and grants or denies access based on whether or not the values match. Document Level Security can also be implemented using wildcards and keywords.
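
The two DLS configurations described above behave differently when a new index value appears: a list of inaccessible values leaves anything unlisted reachable, while a list of accessible values hides it. The following is an added example that models this, not AppXtender's own logic; the field name DEPT, the documents and the rule layout are constructed, and only exact value matches are modelled because the page does not give the wildcard syntax.

```python
# Added example: model of DLS secured-value lists (constructed data).
DOCS = [
    {"id": 1, "index": {"DEPT": "HR", "NAME": "Offer letter"}},
    {"id": 2, "index": {"DEPT": "PAYROLL", "NAME": "Salary run"}},
    {"id": 3, "index": {"DEPT": "LEGAL", "NAME": "Settlement"}},
    # Index value introduced after the rules below were written.
    {"id": 4, "index": {"DEPT": "EXEC", "NAME": "Board minutes"}},
]

# Hypothetical rule layout: one DLS-enabled field, one group, one value list.
DENY_RULE = {"field": "DEPT", "mode": "deny", "values": {"PAYROLL", "LEGAL"}}
GRANT_RULE = {"field": "DEPT", "mode": "grant", "values": {"HR"}}


def dls_allows(rule, index_record):
    """'grant': only listed values are accessible; 'deny': listed values are not."""
    if rule["mode"] not in ("grant", "deny"):
        raise ValueError("unknown DLS mode: %r" % rule["mode"])
    listed = index_record.get(rule["field"]) in rule["values"]
    return listed if rule["mode"] == "grant" else not listed


def visible_documents(docs, rule, has_display=True):
    """Document ids the group can reach; DLS only narrows Display access."""
    if not has_display:
        return []
    return [d["id"] for d in docs
            if rule is None or dls_allows(rule, d["index"])]


def exposed_values(docs, rule):
    """Distinct values of the secured field that remain reachable under the rule."""
    return {d["index"].get(rule["field"]) for d in docs
            if dls_allows(rule, d["index"])}


if __name__ == "__main__":
    print("deny list :", visible_documents(DOCS, DENY_RULE))
    print("grant list:", visible_documents(DOCS, GRANT_RULE))
    print("reachable under deny list:", sorted(exposed_values(DOCS, DENY_RULE)))
```

Reviewing the output of `exposed_values` against the list of values that actually occur in the archive shows which documents a deny-style list leaves open.
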
Implementing Annotation Groups

You can use privileges to apply annotation-related security measures. However, if you want to control users' access to specific annotations, you must use annotation groups. Annotation groups allow you to create associations between users, groups, and specific annotations. You can specify which users and groups can view or modify specific annotations, and which users and groups can hide or modify specific redactions.

| To Give the User This Ability | Enable These Options |
| --- | --- |
| View all annotations in the current annotation group | Annotations > View |
| Create annotations | Annotations > View; Annotations > Create |
| Edit one's own annotations in the current annotation group | Annotations > View; Annotations > Edit |
| Edit all annotations in the current annotation group | Annotations > View; Annotations > Edit; Global Edit |
| Hide all redactions in the current annotation group | Redactions > Hide |
| Create Redactions | Annotations > View; Annotations > Create; Redactions > Hide; Redactions > Create |
| Edit one's own redactions in the current annotation group | Annotations > View; Annotations > Edit; Redactions > Hide; Redactions > Edit |
| Edit all redactions in the current annotation group | Annotations > View; Annotations > Edit; Redactions > Hide; Redactions > Edit; Global Edit |
