
Question

Laserfiche Rio Security Version 11

asked on April 4, 2023

Apparently, we have a very complicated repository, and our vendor does not know how to handle our situation.

We have 105 locations and several types of documents (Leases, Certs Permits and Licenses, environmental records, etc.). Let's take User A as an example.

User A should only be able to access location leases and Certs Permits and Licenses for Location 1, but their rights are different per doc type. Here's a simplified example of how our repo is organized, with User A's rights in parentheses:

  • Location 1
    • Leases (READ-ONLY Access with only Search as a feature right)
    • Certs Permits and Licenses (WRITE Access with full feature rights)
    • Environmental Records (NO ACCESS)
  • Location 2 (NO ACCESS to any type of document)
    • Leases 
    • Certs Permits and Licenses
    • Environmental Records 

 

Our AD groups work great for controlling what the user should see in the tree view. Our problem comes when User A does a search. When the search is executed for all documents with the Location Leases Template, they get all Leases for ALL Locations, not just the one they can see in their tree view.

Now we have users who may only need to see 10 leases, but when they do a search, it returns all 225.

We have a separate group for each Location, as well as separate read and write groups for each document type. Like I said, these work great for the tree view. The problem is that search is letting them see all leases across all locations. We already have about 150 AD groups to handle what is working on the tree view, and we would like to avoid having to create AD groups for each location, doc type, and access level combination, if possible.

Anyone out there have a similar situation that you've solved for?

0 0

Answer

APPROVED ANSWER
replied on April 4, 2023

The discrepancy between what the user can see in the tree vs what they turn up via search likely comes down to an entry access rule not propagating down to folder contents. That is, maybe the rule that denies them access to the folder is scoped to just the folder, rather than also including its contents. While search is one way for this to show up, the user would also be able to improperly access these documents via shortcut entries, document links, or direct links (URL for web client, lfe for Windows client).

3 0
replied on April 4, 2023

Seconding everything Brian said. 

I suspect you'll find it helpful to check out the Effective Rights report for User A on one of those documents showing up in search. It'll tell you exactly where they're getting the Browse and Read permissions on the entry from. To quote the docs:

By default, you will see effective rights for the currently-connected user. To view effective rights for another user, remove Current Connection and add another trustee in the Add trustee option

[...]

To view more information about inheritance for a specific right, select View detailed inheritance information at the bottom of the dialog box and then select a right. Information as to why a particular right was granted or denied (including folder tree inheritance and group inheritance) will be displayed at the bottom of the dialog box.

2 0
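
A simplified model of the scoping problem described in the approved answer, and of the "why was this right granted" view the second answer points to. This is an added example, not part of the original thread and not Laserfiche code; the group names, paths, the two scope values and the deny-beats-allow evaluation are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Rule:
    path: str    # folder the rule is set on
    group: str   # trustee group
    allow: bool  # True = allow Read, False = deny Read
    scope: str   # "entry" = that folder only, "tree" = folder and its contents

def applies(rule, entry):
    if rule.path == entry:
        return True
    return rule.scope == "tree" and entry.startswith(rule.path + "/")

def effective_read(rules, groups, entry):
    """Return (allowed, deciding_rules); any applicable deny wins (assumption)."""
    hits = [r for r in rules if r.group in groups and applies(r, entry)]
    denies = [r for r in hits if not r.allow]
    if denies:
        return False, denies
    return bool(hits), hits

def tree_visible(rules, groups, entry):
    """Browsing the tree must pass every ancestor folder on the way down."""
    parts = entry.split("/")
    return all(effective_read(rules, groups, "/".join(parts[:i]))[0]
               for i in range(1, len(parts) + 1))

def search_only(rules, groups, docs):
    """Documents readable directly (search, links) although the tree hides them."""
    return [d for d in docs if effective_read(rules, groups, d)[0]
            and not tree_visible(rules, groups, d)]

# Constructed sample data, not taken from the thread.
USER_A = {"Lease-Read", "Loc1-Users"}
DOCS = ["Repo/Location 1/Leases/lease-001", "Repo/Location 2/Leases/lease-002"]
RULES = [
    Rule("Repo", "Lease-Read", True, "tree"),               # doc-type group, whole repo
    Rule("Repo/Location 2", "Loc1-Users", False, "entry"),  # deny on the folder only
]
# Corrected variant: the deny also covers the folder's contents.
FIXED = [r if r.allow else replace(r, scope="tree") for r in RULES]

if __name__ == "__main__":
    for name, rules in (("folder-only deny", RULES), ("deny incl. contents", FIXED)):
        print(name, "->", search_only(rules, USER_A, DOCS))
        print("  lease-002 decided by:", effective_read(rules, USER_A, DOCS[1])[1])
```
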

Replies

replied on April 4, 2023

Thank you, Brian! We reviewed the access to each folder and then took one location and added the location group to both the location's folder and document type folder with the correct scope at each level. I ran a quick test, and it seems to have worked. Now to hopefully write a workflow to apply this so we don't have to manually touch every folder!

Thanks so much for taking the time to reply!

Erica

2 0
replied on April 4, 2023

Glad that worked!

There's a highly rated Laserfiche Aspire learning course called Managing Access Rights in the Repository you might find helpful. If you don't have access, I believe you can poke your Solution Provider to sort that out.

For the Workflow, you'll be looking at using the Assign Rights activity. Good luck!

1 0
replied on April 6, 2023

We're getting set up with Aspire this week! 

The solution actually didn't work. Our vendor is implementing a solution using filtered expressions. We ran some preliminary tests, and now we're seeing the results that we need.

Thanks again for your help! It's great to know that there are users like the two of you who are so willing to help out!

1 0