Laserfiche 10 Settings Lockdown Limitations

replied on July 30, 2019

"Settings lockdown is configured using trustee attributes on the Everyone group. (This is true even if you are not locking the settings category for everyone.) Which user or group to lock is specified using the trustee's security identifier (SID). "

So, all lockdown flags go into Everyone's attributes. You can use the SID to narrow the lockdown to a specific user or group, but you still save that as an attribute on Everyone.

0 0

View 4 previous replies

replied on July 30, 2019

Thanks for the reply Miruna.

I understand all [Lockdown] category flags go in the Everyone group attributes.
I'm asking specifically about attribute settings such as [Settings]KeepPDFFile that fall under a locked down category.

So there is no way to do what I'm asking?

Two different users, both have the "AdvancedImport" category locked down (in the Everyone Group) and need different settings (True/False) for the [Settings]KeepPDFFile attribute.

0 0

replied on July 31, 2019

Lockdown doesn't let you specify what the settings values are, only that the users can't change them.

In your example, you would still specify the attributes as needed for each user. Then you apply a lockdown to the appropriate SID(s) to prevent them from changing those settings.

2 0

replied on August 1, 2019

That is the way I had expected it to work, but it's not.

Basically, what I'm seeing is the Lockdown feature ignoring User specific attributes.

The only way I can get a specific attribute like [Settings]KeepPDFFile to apply is to have it set in the Everyone group attributes. If instead I set it under a user's attribute it is ignored.

In the Everyone Group the AdvancedImport category is locked down for the User1 sid.
Confirmed the setting is locked down. Cannot modify Import options in the Client with User1
In the attributes of User1 have [Settings]KeepPDFFile set to FALSE (or No, have tried both)
In the Client under Tools\Options\New Documents\Settings the "Keep original PDF files" option still shows as enabled (which it shouldn't be). Importing a PDF confirms this is the case as the PDF is kept (which it shouldn't be)
If I add the same [Settings]KeepPDFFile = FALSE to the Everyone group the setting in the Client is properly turned off and the PDF is not kept on import, but now this applies to all users that have had AdvancedImport locked down.
I've tried defining the user specific attributes before and after turning on the lockdown setting without it making a difference.
I have been sure to log out of the Client after any changes to attributes so it isn't a caching issue.
Tried on a 10.4.0 and 10.4.1 server/client with same results.

0 0

replied on August 5, 2019

Hi Tony,

I confirmed we currently don't support locking down different users to different settings. When a user is locked down, we get the setting value from the attribute applied to the everyone group. If the attribute isn't set on everyone, we use the settings default value.

Why does the customer want User1 to remove the original PDF and User2 to keep it? Understanding the specific problem the customer is trying to solve can help us reshape the feature in future releases.

1 0

replied on August 6, 2019

If that is the case, you may want someone to clarify the online help since it reads as though you can. Or just simply state that categories that are locked down only use universal attributes from the Everyone Group.

https://www.laserfiche.com/support/webhelp/Laserfiche/10/en-us/administration/Default.htm#../Subsystems/LFAdmin/Content/settings-lockdown.htm?

Under: Setting Repository Defaults for Locked Categories

"However, you can also use trustee attributes to configure customized repository defaults, which will be used instead."

As for a reason for wanting this, I am in the process of configuring settings for a client. There are multiple departments with different default settings desired. They use different Volumes, Templates and some want PDF's to be kept on import and and others don't. I wanted to use the Lockdown option to simplify things for the end users by hard setting values. Due to this limitation I can't. There are also always cases where there is one or more "problematic" user that would benefit from having their settings locked down to specifically what they need without having to use the same lockdown settings for everyone else.

My suggestions:
Trustee attributes should be used for attributes that fall under the locked down categories. Adding the attribute tab back to Groups would also be very helpful with being able to assign locked down attributes. If that's not possible for whatever reason, add a way to define that trustee (user or group) using the sid in the Everyone group the same way you do to define the lockdown categories.

Such as:

[Settings]KeepPDFFile
S-1-1-11-2222222222-333333333-4444444444-55555=FALSE

1 0

replied on August 6, 2019

Hi Tony,

Thanks for your response. The use cases you provided are very helpful. I'll pass this on to our product management team. I'll also reach out to User Education to clarify the help files to make it clear that the repository defaults are applied to the entire repository, not user by user.

0 0

replied on August 1, 2023

Hi Ryan,

Is there new about Tony's suggestions to add the ability to set the default attributes for specific groups/users on Everyone group the same way of lockdown attributes?

0 0

Question

Question

Laserfiche 10 Settings Lockdown Limitations

Replies

Sign in to reply to this post.