Tech Tip: Enhancing Security by Dividing Administrative Privileges
In Laserfiche, privileges are a set of permissions that secure elements of your repository beyond the basic functions of feature rights or the object-specific functions of access rights. While some of these privileges may be appropriate for regular users, many are specifically administrative. For example, the Manage Entry Access privilege allows a user to see (although not open) every entry in the repository and to set access right security for those entries, and the Manage Tags privilege allows the user to set, unset, and grant all the tags in the repository. Because these privileges are powerful, if your repository uses security to restrict access, it’s a good idea to grant them only to trusted administrative users.
If you have a secure repository, particularly one with a restrictive security policy, you may want to be especially careful about granting certain privileges, since certain privileges, or combinations of privileges, can be particularly powerful.
Separating Trustee Privileges
One pair of privileges that is particularly powerful when held together is Manage Trustees and Set Trustee Privileges. The former, Manage Trustees, allows the user to create new users and set user passwords. The latter, Set Trustee Privileges, allows the user to grant privileges to a particular user.
This means that a user with both privileges can create a new user, set the password for that user, grant them all the rights in the repository, and then log in as them. Essentially, setting both rights on a user allows that user to do anything in the repository. For a small site with only one or two administrators, or a site without a restrictive security policy, this may be acceptable. However, for larger sites, or sites with restrictive security policies, you may want to avoid this situation.
To avoid granting a user all rights in the repository, simply make sure that no single user has both Manage Trustees and Set Trustee Privileges. By splitting this right between multiple users, you can ensure that there are checks and balances on your security policy.
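One way to check for this condition across a whole repository is a separation-of-duties audit that flags any trustee who ends up holding both privileges, whether granted directly or through group membership. The script below is an added example, not Laserfiche code; it assumes a constructed export in the form of a trustee-to-privileges map plus a group membership map, and the sample data is invented.

```python
"""Separation-of-duties audit for repository privilege assignments.

Added example, not Laserfiche code. Assumes an export of the form
{trustee: [privilege, ...]} plus a group membership map; the data below
is constructed sample input.
"""

# Privilege pairs that, held together, let one trustee take full control
# (Manage Trustees + Set Trustee Privileges is the pair described above).
TOXIC_PAIRS = [
    frozenset({"Manage Trustees", "Set Trustee Privileges"}),
]

# Constructed sample data: direct privilege grants and group memberships.
DIRECT_PRIVILEGES = {
    "alice": ["Manage Trustees"],
    "bob": ["Set Trustee Privileges"],
    "carol": ["Manage Trustees", "Set Trustee Privileges"],
    "dave": ["Manage Templates and Fields"],
    "Admins": ["Set Trustee Privileges", "Manage Entry Access"],
}
GROUP_MEMBERS = {"Admins": ["alice", "dave"]}


def effective_privileges(trustee, direct=DIRECT_PRIVILEGES, groups=GROUP_MEMBERS):
    """Union of a trustee's direct privileges and those of every group containing it."""
    privs = set(direct.get(trustee, []))
    for group, members in groups.items():
        if trustee in members:
            privs |= set(direct.get(group, []))
    return privs


def find_sod_conflicts(direct=DIRECT_PRIVILEGES, groups=GROUP_MEMBERS, toxic=TOXIC_PAIRS):
    """Return {user: [sorted toxic pair, ...]} for each user holding a complete toxic pair."""
    users = [t for t in direct if t not in groups]  # skip group names themselves
    for members in groups.values():
        users.extend(m for m in members if m not in users)
    conflicts = {}
    for user in sorted(set(users)):
        held = effective_privileges(user, direct, groups)
        hits = [sorted(pair) for pair in toxic if pair <= held]
        if hits:
            conflicts[user] = hits
    return conflicts


if __name__ == "__main__":
    for user, pairs in find_sod_conflicts().items():
        print(f"{user}: holds {pairs}")
```

In the sample data, alice is flagged because the Admins group supplies the second privilege she lacks directly, while dave is not, even though he is in the same group.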
Granting Rights to Individual Templates and Fields
In many cases, you may want or need to have non-administrative users manage certain templates and fields. For instance, you might want the Accounting manager to be able to make changes to the Accounting template and the fields in that template, since he or she knows more about the template and fields than the general repository administrators.
Your first instinct may be to grant the Accounting manager the Manage Templates and Fields privilege. This privilege would allow the Accounting manager to manage the Accounting template and its fields… but it would also allow him or her to manage all the templates and fields for other departments as well.
Instead, you can use template and field access rights to grant the Accounting manager the right to handle the Accounting department’s templates and fields. This allows you to grant the general Manage Templates and Fields privilege only to administrators who should be able to handle all the repository’s templates and fields. (For specific instructions on template and field access rights, see the Laserfiche Administration Console help files, in the “Security” chapter.)
Managing Entry Access Rights
The Manage Entry Access Rights privilege is a very powerful privilege: it allows the user to browse any entry in the repository, to manage documents in the recycle bin, and to set entry access rights for every entry in the repository. While this is an appropriate right for high-level administrators who are in charge of managing security for the entire repository, it is not appropriate for many other users, even power users.
However, you may want to allow power users to manage entry access security for certain folders. For example, you may want the Sales manager to be able to set entry access rights for documents in the Sales folder—without giving him or her access to documents in other departments’ folders.
It was for this situation that the Write Entry Security entry access right was created. Write Entry Security allows a user to manage entry access rights, but only for the entries on which they have been granted that right. This means that you can grant Write Entry Security to your Sales manager on the Sales folder, with the scope This entry, subfolders and documents, and thus allow the manager to configure security for his or her folder and subfolders, but not for other folders in the repository.