
Question


Looking for the best way to deal with access rights based on metadata.

asked on October 18, 2021

Currently, I store a bunch of employee data in LF and certain documents need to be only viewable by HR, some should be viewable by Medical, Payroll, and select Admin positions.

Right now rights are applied to a document when it's added to the repository via Forms, then each parent folder is given Access Rights for that specific group. However, when new document types are added, or new departments need access I have to modify the process and retroactively apply rights to these folders and documents. 

 

I've been toying with the idea of having a Workflow set up that just blanket applies rights to each document and parent folder that needs rights every night but that would apply rights to every document regardless of which ones needed it or not as I can't find a way to see what rights are on an entry in workflow so they'd double up. I could apply the "remove all rights" feature and then reapply them but this is a ton of work to maybe grab a few documents each night.

What I would like to do is use Security Tags. That is something those workflows can see so I could have it apply them to only documents that are lacking the tags if new groups are added and need access to documents that already exist. My only issue with this is that I would need to make tags for HR, Payroll, Admin, Medical and then any combinations that may be needed. 

Or is there a better option out there? Something I may be unaware of maybe?

 

Edit: I do realize I've posted a very very similar post just over 2 years ago, that post led to my current design but this design has become too cumbersome to maintain on my own as is. Adding new groups or adding existing documents to existing groups is a ton of extra work, plus the current process doesn't care if one of the above folders already has access rights for a certain group so some folders have rights like Admin, HR, Payroll, Payroll, Payroll, Payroll.

Ideally I'd love a way to see rights as metadata if possible, or an activity in Workflow that can see who already has rights so they don't double up.

0 0
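The "apply only what is missing, never double up" behaviour asked for above, as an added example that is not part of the original post and does not use any Laserfiche API. Entries are modelled as plain dictionaries, and the `Category` field, the policy table, the group names and the sample paths are all assumptions made for illustration.

```python
from collections import Counter

# Assumed policy: document category (metadata) -> groups that need access.
POLICY = {
    "Onboarding": {"HR", "Admin"},
    "Payroll": {"HR", "Payroll"},
    "Medical": {"HR", "Medical"},
}

def plan(entry):
    """Compare the entry's current ACL with the policy and list the changes needed."""
    desired = POLICY.get(entry["fields"].get("Category"), set())
    counts = Counter(entry["acl"])
    present = set(counts)
    return {
        "add": sorted(desired - present),
        "drop_duplicates": sorted(g for g, n in counts.items() if n > 1),
        # Groups outside the policy are reported for review, not removed.
        "unexpected": sorted(present - desired),
    }

def reconcile(entry):
    """Apply the plan in place; running it again on the same entry changes nothing."""
    changes = plan(entry)
    deduped = list(dict.fromkeys(entry["acl"]))  # keeps first occurrence, in order
    entry["acl"] = deduped + changes["add"]
    return changes

def nightly_run(entries):
    """Reconcile every entry and return only the paths that actually changed."""
    changed = []
    for entry in entries:
        changes = reconcile(entry)
        if changes["add"] or changes["drop_duplicates"]:
            changed.append(entry["path"])
    return changed

# Constructed sample entries, including the duplicated ACL described in the post.
SAMPLE = [
    {"path": r"Company\HR\Employee Files\Employee A\Payroll\W4",
     "fields": {"Category": "Payroll"},
     "acl": ["Admin", "HR", "Payroll", "Payroll", "Payroll", "Payroll"]},
    {"path": r"Company\HR\Employee Files\Employee A\Medical\Physical",
     "fields": {"Category": "Medical"}, "acl": ["HR"]},
    {"path": r"Company\HR\Employee Files\Employee A\Onboarding\Application",
     "fields": {"Category": "Onboarding"}, "acl": ["HR", "Admin"]},
]
```

When a new group needs access to an existing category, only the policy table changes; the next run adds that group to the entries lacking it and leaves the rest alone.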

Replies

replied on November 3, 2021

It would be best practice to not assign access rights directly to a document and assign access rights to the folders instead. To go along with that, you would not want to assign access rights by the user, but instead, assign them to groups.

You mentioned possibly needing to create combination security tags, but you can assign more than one tag to a document, so you shouldn't need to create combination tags to accomplish what you are talking about.

I would recommend reviewing your folder structure and seeing if it might be able to be changed to accomplish what you are looking to do so you can more easily put access rights at the folder level.

0 0
replied on November 3, 2021

I have a working build for this now but I do have some questions to further my own knowledge.

Why is it not best practice to grant rights directly to documents? I am trying to future-proof everything as best as possible and it wouldn't surprise me if some managers wanted to start using more generic folders to hold several different documents that would still need unique access to each. If there is something I am missing then let me know and I can correct that. 

I do not deal with individual user rights, only groups, even if the group is just one person, for instance, the Director of Nursing is a single person but the rights go to a Director of Nursing where she is the only member.

I've scrapped security tags, for now, to avoid the headache down the road. But this may help me use them in the future, to my knowledge if I apply Security Tag A and Security Tag B wouldn't the user need access to both Tag A AND B, or does a user just need access to ANY Security Tag that is on a document or folder?

I've looked into this but as it stands my folder structure looks like this.
Company Level
Department Level (HR for this instance)
Employee Files main folder
Folders for each type of employee, current, former, staff, temp, board members etc.
Named Employee Files
Document Category Folder (Onboarding, Payroll, Medical, etc)
Document Type Folder (for Onboarding this would be things like Drug Screens, Applications etc)
Actual Entry.

For instance if you wanted to see my application you'd find it here.
Company\HR\Companies Employee Files\Current Staff Members\Timothy Holton\Onboarding\Application\[File would be right here.]

The only way I could imagine doing this so that I could get around having any rights needed aside from the base folders would be if I split these up. All of Payroll's stuff would be in Company\HR\Employee Files\Payroll\Current Staff Member\Timothy Holton\Payroll\W4 but this would mean for each access rights group I'd have to have their own folder structure but that would spread employee files out between 3-4 different locations, unless I had everything in one central HR folder and then had the Access Rights group folders that just use copies of the OG document, but that means adding a ton of repeat documents and folders and if a search was done HR would see a ton of the same items.

 

For now this is the process as I have it.
 

0 0