ECMS - Perceptive Content Fundamentals - Administration - Privileges and Security
Perceptive Content Fundamentals
Security and Privileges
Assigning Privileges
A user with management privileges, a manager, or the owner can assign privileges, and privileges can be assigned to both users and groups. You can assign a privilege using one of three actions: grant a privilege by allowing it, revoke a privilege by denying it, or leave the privilege unassigned. A user's effective privileges are always evaluated and displayed at the user level, not at the group level. To determine the effective privileges, Perceptive Content evaluates all of the privilege assignments given to a user and all of the privilege assignments (if any) the user has inherited from groups of which the user is a member, and then determines which privilege assignments take priority over the others.
In most cases, an administrator grants privileges to groups of users who need similar privileges. However, certain users may need specific privileges. For example, you can grant a user access to delete documents in a particular drawer regardless of the privileges set for groups in which the user is a member. To do this, you would grant that user the privilege to delete documents in a specific drawer. Because this is a privilege granted to a user, it overrides any privileges assigned at the group level.
Users and Groups
As a manager or administrator, you can use groups to streamline the task of assigning standard sets of privileges to large numbers of users. For example, you can create a group called Accounting and add the users who need access to the Accounting drawer, users who scan documents into the Accounting drawer, users who create annotations on documents in the Accounting drawer, users who create batches in the Accounting drawer, and so on. The privileges for all the accounting users can be set at the same time by assigning the privileges at the group level.
You can also create different groups for different types of users in the Accounting department. There may be a group of users who perform all of the scanning tasks and require privileges to scan documents into the Accounting drawer only but not to copy or move them. You can create another group with privileges to create and process batches in the Accounting drawer.
You can assign both global privileges and drawer privileges at the group level instead of at the user level. As another example, you could create a group for all the users who need to scan documents and use CaptureNow profiles.
Using groups for the majority of privilege assignment work cuts down on system administration work and reduces privilege confusion. You can always make exceptions for a particular user by denying a privilege at the user level, because a user-level privilege overrides a group-level privilege within the same privilege type (Drawer privileges or Global privileges). For example, a manager may want to restrict a particular user in a group from deleting documents in a certain drawer. Denying the Delete privilege at the user level allows the user to continue to perform all the other functions in the software that are assigned as privileges at the group level, while preventing just that user from deleting documents.
If you assign or manage privileges, consider organizing groups by department, using the following procedure:
Step 1: Add groups with names that describe a particular department or job, such as Finance, HR, and Marketing.
Step 2: Add drawers with names that correspond to the departments as well. However, it is not required to match group names to drawer names and may not always be the best implementation for a particular department.
Step 3: Assign allow and deny privileges within each new group that meet the needs for that department. For example, grant the Financial group complete allow privileges for the Financial drawer. Grant the HR group access to the HR drawer, and so forth.
Step 4: Add the relevant users to each of the new groups.
Step 5: Add groups to allow for access to another group's drawers. For example, you can create a subgroup in the Financial group that has limited access to the HR drawer.
Perceptive Content Roles
One of the more important tasks for the Perceptive Content Owner and Manager is the management of user accounts, account groups, and drawers. Perceptive Content establishes roles that can be assigned to users to accommodate its security privileges:
User
This user has no management privileges within Perceptive Content. The user is assigned privileges to perform tasks within Perceptive Content by a Power User, Manager, or the Owner. The user can be assigned some or all of the management privileges (made a Power User) by a Manager or the Owner. The user can be promoted or demoted to the Manager role only by the Owner. This type of user scans documents, processes batches, accesses documents in the Perceptive Content Viewer, links scanned documents to drawers, and uses other features available in Perceptive Content.
User with Management Privileges (Power User)
This user must be assigned some or all of the management privileges by a Manager or the Owner. The Power User may be assigned the Users privilege, Groups privilege, Drawers privilege, and other management privileges. Depending on the management privileges assigned, the Power User may be able to add users, groups, and drawers, and to assign privileges.
Manager User
This user must be promoted to the Manager role by the Owner in Perceptive Content. The Manager can do almost everything that the Owner can do within the system, except promote or demote users to the Manager role. There can be many managers in an implementation of Perceptive Content. The Manager defines Users and Power users and their abilities in the system.
Owner User
Every implementation of Perceptive Content must have one Owner. The Owner is the top level user in the system with access to change all security privileges. Only the Owner can promote or demote users to the level of Manager. The Owner cannot be defined or modified within Perceptive Content for security reasons.
The Privilege Hierarchy
Perceptive Content evaluates all privilege assignments at the user level. When user privileges and group privileges differ, or when a user belongs to several groups in which the privilege assignments differ, Perceptive Content applies privilege hierarchy rules to resolve the privilege. The following table shows the privilege hierarchy: user privileges have higher priority than group privileges, and deny privileges have higher priority than allow privileges.
The following examples show how the privilege hierarchy works:
User privilege opposes a privilege inherited from a group. In this example, you grant a user the privilege to delete documents. Additionally, the HR group, to which the user belongs, is denied the ability to delete documents. As a member of the HR group, this user inherits the deny privilege. At the user level, the user can delete documents; at the group level, the user cannot. Perceptive Content uses the privilege hierarchy rules to determine whether the user can delete a document. Since user-level privileges override group-level privileges, the user can delete documents.
Group privilege opposes a privilege from another group. Privilege assignment evaluations also occur at the group level. In this case, the user belongs to two groups and has no user-level assignment for the privilege. In the HR group, the user is denied the ability to delete documents. In the HR_Records group, the user inherits the ability to delete documents. So, one group allows the privilege and another group denies it. Because a deny privilege overrides an allow privilege within the same level, the user is denied the ability to delete documents.
Additional resolutions. When a user is a member of multiple groups where a privilege is allowed or denied in one group and not assigned in any other group, the user's effective privilege is the allowed or denied privilege. In addition, if a privilege is not specifically assigned, the user cannot perform the function.
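The resolution rules above, written out as a small model so the three examples can be checked side by side. This is an added illustration, not Perceptive Content code; the group names (HR, HR_Records, Finance), the privilege name "Delete" and the data layout are constructed for the example.

```python
"""Effective-privilege resolution modelled on the Perceptive Content hierarchy.

Constructed illustration, not product code. An assignment is "allow", "deny"
or absent, keyed by privilege name, held at the user level and per group.
"""
from typing import Dict, Iterable, Tuple

Assignment = Dict[str, str]  # privilege name -> "allow" | "deny"

# Highest priority first: the user level beats the group level, and within a
# level deny beats allow. Anything not matched here is unassigned.
PRIORITY = [("user", "deny"), ("user", "allow"),
            ("group", "deny"), ("group", "allow")]

# Constructed sample groups taken from the text's examples: HR denies Delete,
# HR_Records allows it, Finance leaves it unassigned.
GROUPS: Dict[str, Assignment] = {
    "HR": {"Delete": "deny"},
    "HR_Records": {"Delete": "allow"},
    "Finance": {},
}


def effective_privilege(privilege: str, user: Assignment,
                        membership: Iterable[str],
                        groups: Dict[str, Assignment] = GROUPS) -> Tuple[bool, str]:
    """Resolve one privilege for one user.

    Returns (granted, reason). The reason names the assignment that decided,
    which is what an access review wants to see. A privilege assigned at no
    level resolves to denied, matching the default-deny rule in the text.
    """
    applicable = set()
    if user.get(privilege) in ("allow", "deny"):
        applicable.add(("user", user[privilege]))
    for group in membership:
        setting = groups.get(group, {}).get(privilege)
        if setting in ("allow", "deny"):
            applicable.add(("group", setting))
    # Walk the hierarchy from the top; the first applicable entry decides.
    for level, setting in PRIORITY:
        if (level, setting) in applicable:
            return setting == "allow", f"{level}-level {setting}"
    return False, "not assigned at any level"
```

Calling `effective_privilege("Delete", {}, ["HR", "HR_Records"])` reproduces the second example (group deny wins), and passing `{"Delete": "allow"}` as the user assignment reproduces the first (user allow wins).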