Question

Folder security for human resources

asked on December 13, 2023

I am setting up security for Personnel Files.  I have the folders secured for the Human Resources Group and we plan on giving specific access for each employee to only their own folders.

PROBLEM:  I remember that even though I can set up security and basic users cannot see those folders, if a person were to do a search for a name, they would actually still be able to view those records that were in those hidden folders.

We usually add Security Tags to any documents dropped into security controlled folders so that users can't accidentally come across them via a Search; however, I can't do a Security Tag for Human Resources and still give access rights to an employee for their own folders, since the security tag will stop them from seeing the documents.

One option I can see is having a Human Resources Security tag for every employee, but that would make for SO MANY security tags!  Is there any other option that I have forgotten?

0 0

Replies

replied on December 18, 2023

Brian, thank you for your comments!  I did run into issues... When reviewing what I had set up with the Human Resources officer, I discovered that putting Deny on all the groups other than HR stopped the HR officer from moving, renaming, modifying files in the folders so I had to try other things.  I took Deny off the Office group because the HR officer was also part of that group and discovered that was what was blocking her.  The deny in the Office group overrode the Allow in the HR group and even adding her specifically with all Allows, the Deny in the Office group still stopped her from working with the records.  I discovered that leaving the groups with NO allow and NO deny settings did allow her to work with the files AND still stopped others from searching and finding these records through the Search/browse options.

2 0
replied on December 14, 2023

If they are only accessing their folder can you just remove the search right from their security?

1 0
replied on December 14, 2023

So, I could Deny Search for Everyone on just those folders, and specifically Allow Browse and View to Human Resources plus a specific employee for each set of personnel folders?  Since it's everyone else that I don't want to be able to search.  That sounds like it should work!  I will try that, thanks Angela!

Are there any downsides to this strategy?

0 0
replied on December 14, 2023

You have to deny the search on each user's account unless you are putting them all in the same group and then you could deny the search on that group and then put each individual on their own folder for access.  

1 0
replied on December 14, 2023

UPDATE:  Deny was not the answer in this case using the Office Group to deny everyone from browsing in these folders, since the Human Resources officer was also in the Office Group.

Okay, so this appears to work!  The Human Resources group has Allow on everything.  The Office Group (and the Seasonal group) have Deny.  I tested with another user and they can no longer search and find any of the records within the Personnel folders, even after I removed all the security tags!  So, now I just need to add the individuals each to their own folder.  Thanks, Angela! 

1 0
replied on December 14, 2023

Glad it worked!

0 0
replied on December 18, 2023

I disagree that removing search rights is the best solution, in general. Not being able to search may impede discovery, but those documents are still discoverable via links and shortcuts. And removing search rights is often not a good usability tradeoff. I don't think this setup should be too difficult to solve with normal access control. It sounds like you were pretty close, since you were able to restrict access to the folders. One thing that often presents a challenge is if you've granted too much access higher in the tree and then need to remove those rights - it's better instead if users didn't inherit any rights into the HR folders, and then you would selectively grant them rights to their folder and everything under it.

0 0
replied on December 18, 2023

Brian, do you use groups to set folder securities and if so, how would you set this security up?

0 0
replied on December 18, 2023

I gather from your other post that you've worked it out. But the main rule is, use Deny only to handle exceptional cases, and instead don't Allow more than you need to. Remember that not having access is the default, so a Deny is only ever necessary to counteract an Allow. So for the broadest group (whatever that is in your case), Allow View on the HR folder, but don't have that extend to any of the contents. One implication is that you can't have any Allows on any parent folder that propagate excessive rights down into this part of the tree. I think this is a common mistake that people make early on - they grant excessive permission before they plan out their solution, and then try to build on top of that. So you might have to go up a level and rethink how you have your security set up on that folder, and maybe adjust sibling folders.

A good way to understand the problem is to look at a document and a user who incorrectly has access to it, and figure out where those rights were granted. That's where your changes should start.

2 0
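
The behaviour discussed in this thread (a Deny on one group overriding an Allow on another, no entry meaning no access, and tracing where an unwanted right was granted) can be checked with a small model. This is an added example, not code from any poster or from the product; it assumes the simplified rules described in the replies, and all user, group and folder names are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    folder: str            # folder the entry is set on
    trustee: str           # user or group name
    effect: str            # "allow" or "deny"
    rights: frozenset      # rights the entry covers
    inherit: bool = True   # does it propagate to subfolders?

# Constructed membership: the HR officer sits in both groups, as in the thread.
GROUPS = {"hr_officer": {"HR", "Office"}, "clerk": {"Office"}, "alice": {"Office"}}
ALL = frozenset({"browse", "modify"})
VIEW = frozenset({"browse"})

def applies(entry, folder):
    """True if the entry is set on this folder or inherited from an ancestor."""
    if entry.folder == folder:
        return True
    return entry.inherit and folder.startswith(entry.folder.rstrip("/") + "/")

def explain(acl, user, folder, right):
    """Return (granted, deciding entries); no matching entry means no access."""
    trustees = GROUPS.get(user, set()) | {user}
    hits = [e for e in acl
            if right in e.rights and e.trustee in trustees and applies(e, folder)]
    denies = [e for e in hits if e.effect == "deny"]
    if denies:                       # any Deny beats every Allow
        return False, denies
    return bool(hits), hits          # remaining hits are all Allows

def can(acl, user, folder, right):
    return explain(acl, user, folder, right)[0]

# First attempt in the thread: Deny on Office also blocks the HR officer.
DENY_BASED = [Entry("/Personnel", "HR", "allow", ALL),
              Entry("/Personnel", "Office", "deny", ALL)]
# Allow-only layout: Office may see the top folder only, each employee their own.
ALLOW_ONLY = [Entry("/Personnel", "HR", "allow", ALL),
              Entry("/Personnel", "Office", "allow", VIEW, inherit=False),
              Entry("/Personnel/alice", "alice", "allow", VIEW)]
# A broad Allow on a parent folder that leaks down into the HR subtree.
LEAKY = ALLOW_ONLY + [Entry("/", "Office", "allow", VIEW)]

if __name__ == "__main__":
    for name, acl in [("deny", DENY_BASED), ("allow-only", ALLOW_ONLY), ("leaky", LEAKY)]:
        print(name, explain(acl, "clerk", "/Personnel/alice", "browse"))
```

In the `LEAKY` case, `explain` returns the entry on `/` as the one that granted the right, which is the place the last reply says changes should start.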