You are viewing limited content. For full access, please sign in.

Discussion

Discussion

Feature Request: Enable/Disable Repository Group

Laserfiche Administration Feature Ideas
Updated October 4, 2019
posted on October 4, 2019 Show version history

After experimenting with a lot of different configurations, we eventually landed on creating Repository Groups to handle our permissions, and we then associate those groups with AD groups.

This approach has worked pretty well for a number of reasons, however, things do get a bit tricky when it comes time to retire a group so a couple features I'd really love to see are the following:

  1. Disable/Enable a Repository Group as you would a user
  2. Generate a list of entries with explicit rights for the selected group

Item 1 would allow us to turn a group off to make sure nothing breaks before we delete it entirely making for an easier/safer process because we could just turn it back on if something goes wrong instead of having to recreate the permissions or memberships depending on how it was "disabled."

Item 2 would let us know whether or not a group is even still in use (similar to how deleting a field first checks if it is assigned to any documents). Things evolve over time and old groups are effectively retired, but without a clear way to check, people end up being overly cautious and leaving everything.

UPDATE: Per Miruna's post, Item 2 can be accomplished with an entry access report generated from the Client.

0 0
replied on October 4, 2019

Wait. There is no such thing as group linking. By adding a domain group to a Laserfiche group, you're just adding them to the group. Only repository users can be linked to domain accounts (as a legacy feature that made it easier to log in way back when). Linking users is deprecated (but still supported at this time). Putting groups into other groups or Windows users into repository groups is not going anywhere.

For #2 in the original post, you can already do that by generating an entry access report from the Client.

0 0
replied on October 4, 2019 Show version history

That makes sense. However, Blake is correct that the documentation explicitly mentions connecting Windows Domain groups to Repository Groups is a legacy feature.

I completely missed the entry access report part. Thanks!

Depending on the long term plan for repository groups, my request for Item 1 may still be valid as it could still be helpful to have the ability to turn Repository Groups on/off for troubleshooting and maintenance purposes.

0 0
replied on October 4, 2019

As a workaround, you could remove the members of the group.

0 0
replied on October 4, 2019

That's what we are doing for our current cleanup, and it gets the job done.

Honestly, it rarely comes up so it isn't a "huge" issue, I just wanted to throw the idea out there on the off chance it was easy to implement.

0 0
replied on October 4, 2019

The ability to link a Laserfiche Group with a Windows Group or even a Repository User with a Windows Account is a legacy feature. I would imagine at some point in the future this feature will be removed entirely.

0 0
View 2 previous replies
replied on October 4, 2019

What makes you say that it is a legacy feature? I'm just curious if that is the official stance or if it is just implied by the trends, like with desktop client vs. web client.

Personally, I wouldn't want to see repository groups go away entirely because it gives us granular access control at the repository level separate from the broader LFDS or AD administration.

I honestly like being able to set up repository access that way because we can change things without it updating the access control tables (i.e., add a new AD group to a repo group and done). Now we could have an AD group for a similar purpose, but I know our engineers really wouldn't want us adding a ton of narrowly focused groups to replace the highly-granular repo groups.

We've already replaced the few repository users we had with LFDS, but LFDS groups don't have nearly the same visibility at the repository administration level, especially since we don't want all of our support staff to have access to LFDS.

0 0
replied on October 4, 2019

It mentions that it is a legacy feature in the online help documentation.

1 0
replied on October 4, 2019

Good to know. I guess we'll need to start planning for that lol.

Our engineers are not going to be happy about a bunch of new AD groups, but I suppose that's our only option since we also don't want to give more people access to LFDS without the ability to limit what they can see/change.

0 0
replied on October 4, 2019

I am a little confused when you talk about your users having access to LFDS. Can you expand on what you mean by that?

0 0
replied on October 4, 2019 Show version history

I mean some of our IT users; currently, they can access the admin console, and with repository groups we can allow them to view/maintain certain aspects of a specific repository without giving them broader access.

LFDS groups give us a similar amount of granular control without creating a bunch of AD groups and we can limit LFDS rights to a certain degree, but not enough to make our people comfortable giving more of the support techs access (i.e., we don't want them to be able to change groups related to certain repositories or Laserfiche Forms).

0 0
You are not allowed to follow up in this post.

Sign in to reply to this post.

Details
Related Posts
Loading ...