You are viewing limited content. For full access, please sign in.

Question

Question

Security Report

Updated April 27, 2015
asked on November 28, 2013

Dears,

 

we are facing an issue at some customers where the security is a very sensitive points for their Audit Security Unit. They always requires to have a report which shows the effective rights configured over the entries, the effective features rights and privileges and the effective audit settings.

 

Regarding the above, is it possible to have your answers on each one of the below questions:

 

- Is there a way to retrieve Entry Access right from the SQL Database ?

- If there is no way to have this from the SQL and the toolkit is the only way, is there a way by the toolkit to directly get the access right of the assigned users in stead of checking if each user has the access or not. For example, if we have 1000 users in the repository and User-X is only assigned on Entry X. is it possible to get the effective Rights of User-X without checking if each user of the 1000 has an effective rights or not.

- Same questions for effective feature rights, Privileges, Volume Access Rights and Audit Settings Rights.

 

Thanks,

Dory Mina

1 0

Answer

APPROVED ANSWER
replied on December 2, 2013

Check out the "LFAccessCheck" program that you can download from https://support.laserfiche.com/GetFileRepositoryEntry.aspx?id=2640&mode=download.

 

This is a program that uses the 9.0 SDK to crawl your repository and report on access rights for entries, volumes, templates & fields.

 

Basically you run it like this:

LFAccessCheck.exe -s servername -r repository -t entries -target ADMIN -path \folder

 

and it prints this kind of output showing what the ADMIN user can see under \folder:

Type     Entry Rights                                                 Volume Rights            Tag Access        ID Path
Fold     BrsReaMCnADaDelRenDPgSAnAnnRedWMeCrDCrFRAcWAcCOwSRDFrzEvTCls                          Yes                1 \folder
Doc      BrsReaMCnADaDelRenDPgSAnAnnRedWMeCrDCrFRAcWAcCOwSRDFrzEvTCls DelRAcWAcWOwVRd---VAp--- Yes            29629 \folder\doc1

 

 

1 0
View 4 previous replies
replied on April 23, 2015

Can you please explain how someone might actually run this?  That LFAccessCheck.exe does not seem to be in the zip that you linked to, just a bunch of Visual C# project files and Visual Studio stuff, XML config files.  Am I supposed to compile it first?  This is really unclear.

0 0
replied on April 23, 2015

Yes, this is an SDK example and we normally don't include the executable files.

0 0
replied on April 23, 2015

So if I actually wanted to run this I would...  ???

0 0
replied on April 23, 2015

You would need to get the LF SDK, open the project in Visual Studio, and compile it. We didn't include the executable in the code library because it would be tied to a particular version of the SDK. I will look into getting a compiled version on the support site.

0 0
replied on April 24, 2015

So this looks like I need to specify a user that I want to check rights for, but what I am looking for is the ability to see this from the perspective of the entry, who has access to each entry, as opposed to what access rights this user has to these entries?

 

Are you aware of a way to do that?

0 0
replied on April 24, 2015

Are you talking about LF accounts? We don't currently have a program with that functionality but I think I could help you tweak the program to print a report for every LF account.

0 0
replied on April 24, 2015

I am not interested in seeing it by accounts really.  What I want to do is basically crawl through a repository and find out what the access permissions are for each entry.  

0 0

Replies

replied on December 4, 2013

I'll have to check out the program Robert linked to, as I've always used this one from the Code Library:

https://support.laserfiche.com/CodeLibraryFrames.aspx?id=381

Which crawls the entire repository and dumps out a CSV of the rights.  It is quite slow for large repositories, but I'm not sure if it can be improved greatly.

 

I have actually made it into a more full featured LF security auditor, which dumps out users, groups, memberships, file and folder rights, etc. out to a CSV.  One day I may finish it...

 

1 0
replied on December 13, 2013

Dears,

 

I have a concern which is the below:

 

If a user needs to delete an Entry, all the below conditions should be combined together.

1- The user must have the Delete-feature rights.

2- The user must have the Delete Files -  Volume access right.

3- The User must have the effective "Delete- Access Right.

4- Entry not assigned by a Security Tag which is not owned by the user

 

Is there any function in Laserfiche SDK or whatever, where we can just pass to it the "Action" to check and the "Entry" and it returns for us the "Effective User Right" on the Entry taking into consideration all the above .

 

To make it more clear, "Write Entry Security" requires:

 

- Manage Entry Access.

- Or Entry Owner Ship

- OR Write Security.

 

So if one of that exists, it means the user has the security right to change the security.

 

same for other actions.

 

If this is not possible to be calculated by an SDK function, and it needs to be calculated by our own algorithm, DO YOU HAVE ANY TABLE IN THE REPOSITORY HAVING THE CALCULATION RULE.

 

Thanks,

Dory Mina

 

 

0 0
replied on April 27, 2015

Hi Dory, 

There's a section in the SDK docs called 'Effective Rights'. It's in the TOC under 'Tutorial: Security' -> 'Permissions' -> 'Effective Rights'. That discusses how you can get the Effective rights of a user on an entry. 

0 0
You are not allowed to follow up in this post.

Sign in to reply to this post.

Details
Related Posts
Loading ...