Question

Applying Security Tags in Workflow.

asked on September 4, 2019

My company is getting ready to start storing employee files in Laserfiche. One of the things I am trying to do is restrict that information so only select people have access to it. I have made Security Tags, but I can't find a way to dynamically add them to the document via Workflow or Forms.

The process starts with a Form that HR uses to upload the document and select the document type, employee name, site and department. From there, Forms throws it into the employee's file, or makes the file if needed. Then I want Workflow to start, collect the Metadata and apply Security Tags for the Site and Department to ensure only the select individuals will have access.

However, the Assign Tags option does not let me apply Tags based on Metadata. Theoretically, I could make 91827638736491 Workflows for each document type and site to scan and apply the Tags, but this should have as few moving parts as possible.

Any and all help would be greatly appreciated!

0 0

Replies

replied on September 4, 2019

Security tags are not "ideal" depending on what you're trying to accomplish. If the goal is to restrict access, folder-based security is preferable.

If you need to hide specific documents within a single folder, tags might be the way to go, but it'll be much easier to manage security if you can handle it at the folder level.

That being said, you can set tags with the Assign Tags activity in Workflow (I don't believe you can assign tags directly through Forms).

If you want a "flexible" workflow, you would create branches in a Conditional Decision activity that look at the selected document type and assign the associated tag.

However, I really want to emphasize that tags are usually not the best solution. Our original vendor used tags as the primary security mechanism for our HR documents and it was highly problematic.

Check out this link for a better explanation of best practices to see if that is really the ideal approach for your specific situation.

 

As an example, if employee content, and access rights, are based on department, you might be much better off creating department subfolders; that way you could set permissions at the folder level without modifying every individual document. Additionally, if an employee changes departments, moving the folder would automatically update who has access.

2 0
replied on September 5, 2019

So here is what my plan is or was; let me know if you feel tags are not the best for this.

We have close to 500 employees, with any number of temps rolling through for any number of months.

The design starts with a form that HR fills out when adding a document. It collects the employee name, site, department and file type, then puts the file under \HR\Employee Name\Folder for each document type\

From here, only HR should have access to everything. Site Managers need to be able to access Flu Shot and CPR training only, and Department heads will need to access stuff like Resumes and Applications for hiring purposes. Rather than having to make thousands of folders by hand and manage unique entry rights on each, I feel like STags would be the best approach: Site Manager A has access to any form tagged with CPR, Flu Shot, and Site A, and from there the Employee would have their folder tagged with the appropriate folder, and each folder in it would have the appropriate document tag so the Site Manager only sees CPR and Flu Shot.

Would Security Tags still be a bad idea?

0 0
replied on September 5, 2019

Well, based on what you describe, it may backfire a bit and you could run into the same problem as our HR users encountered because of how they used tags.

Tagging a folder will hide the folder, but the users still need access rights to the documents contained in that folder. If the folder is hidden with a tag, that does not affect the visibility of documents in searches.

For example, if I tag Folder A with a tag only HR can see, then only HR can browse to, search for, or open that folder. However, the documents contained within that folder are still subject to the access rights so it is possible people without access to the folder tag could still search for and open those documents depending on the entry-level permissions.

On the other end of things, if a document is tagged, then only people with access to that tag will ever be able to see it AND I believe they will also have rights to remove the tags. So if you tag a document to allow managers to see it, you need to give HR access to that tag as well or else it will be hidden from them.

In my experience tags should be used conservatively, not as a main method of controlling access. The main intent of security tags is to hide content from users who have access to other documents in the folder, not the other way around.

0 0
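
The behaviour described in the reply above, as an added example that is not part of the original thread and is not Laserfiche code: a simplified Python model in which an entry is visible only if the user has read access rights and holds every tag on that entry, and a tag on a folder is not inherited by its contents. The entry paths, group names and tag names are constructed.

```python
# Simplified model of the behaviour described in the replies; not Laserfiche code.
# All paths, groups and tags below are constructed sample values.
from dataclasses import dataclass, field

@dataclass
class Entry:
    path: str
    readers: set                              # groups with read access rights
    tags: set = field(default_factory=set)    # security tags on this entry only

@dataclass
class User:
    name: str
    groups: set
    tags: set                                 # security tags granted to the user

def can_see(user, entry):
    """Visible only with read rights AND every tag placed on the entry itself."""
    return bool(user.groups & entry.readers) and entry.tags <= user.tags

def browse(user, entries, folder_path):
    """Browsing needs the folder to be visible before its children are listed."""
    folder = next(e for e in entries if e.path == folder_path)
    if not can_see(user, folder):
        return []
    return [e.path for e in entries
            if e.path.startswith(folder_path + "\\") and can_see(user, e)]

def search(user, entries, term):
    """Search checks each entry on its own; the parent folder's tags play no part."""
    return [e.path for e in entries if term in e.path and can_see(user, e)]

hr = User("hr_user", {"HR"}, {"HR-Only"})
manager = User("site_mgr_a", {"SiteManagers"}, set())

# Layout 1: folder hidden by a tag, document keeps broad access rights.
tag_only = [
    Entry(r"\HR\Jane Doe", {"HR", "SiteManagers"}, {"HR-Only"}),
    Entry(r"\HR\Jane Doe\Resume.pdf", {"HR", "SiteManagers"}),
]
# Layout 2: no tags, access rights on the folder and its contents limited to HR.
rights_based = [
    Entry(r"\HR\Jane Doe", {"HR"}),
    Entry(r"\HR\Jane Doe\Resume.pdf", {"HR"}),
]
```

In layout 1 the manager cannot browse to the folder, yet `search(manager, tag_only, "Resume")` still returns the document; in layout 2 both browsing and searching return nothing for the manager.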
replied on September 5, 2019

So for my situation what do you think would be the best approach?

If HR has access to all the tags and Site Managers only had access to Site and CPR Tags, then wouldn't "\Employee Name [with Site Tag]\CPR [Site and CPR Tag]\Actual CPR Doc [with Site and CPR tag]" be secure, and only those with both tags would be able to look up these documents?

0 0
replied on September 5, 2019

You really shouldn't tag folders. It doesn't do anything other than hiding the folder from view because it doesn't affect the content. You'll need to use groups anyway, so you're much better off using a group to just set access rights on the folder.

I can't say for sure what the best choice is for the documents, but the really important thing to know is that tags alone on a folder will NOT prevent users from getting to the documents if they search for them.

0 0
replied on September 5, 2019

I know, that's why I asked about tagging both the folder and the documents. This way people don't have to search through hundreds of folders they can't and shouldn't be accessing, and the documents inside would be tagged too.

0 0
replied on September 5, 2019

I wouldn't recommend tagging the folders at all. You'll probably want to assign group rights to the tag anyway, so you're much better off assigning access rights to the folder based on that group rather than using tags.

The tags would hide a folder from users without access to the tag, but you still need to set access rights to allow people to view or edit the contents of the folder, so folder tags don't really provide any benefits.

It would be far easier, and more manageable, to just use the same groups to set access rights on the folder structures. Any user without access rights to the folder wouldn't see them or be able to search for them anyway.

1 0
replied on September 5, 2019

Jason's recommendation is a much more scalable and maintainable long-term solution. As indicated, tags can work in some cases, but it's easy to paint yourself into a corner.

0 0