Question

Users can increase their own folder access rights

asked on March 11, 2014

I need to set up a user group and give it read-only rights to certain LF repository folders, but I also need it to be able to export documents (but not modify or create an LF entry).

One problem I'm having is that users logged in as an account in the user group (the only group it's in) can change the LF folder rights, including increasing the rights to the group they are in. I can understand if they could remove their own rights (although in this case would prefer if they couldn't), but being able to add them doesn't seem appropriate. Any suggestions on why this is happening / what I can do to avoid it?

Also, can you advise on how to allow read-only rights, but allow exporting of documents?

Thanks,

John

Using Laserfiche Client 9.0.3.798

Replies

replied on March 11, 2014

The problem is because of their individual Rights or Group Rights. When setting up your user or group in the Admin console there is an "Assigned Privileges" area (see below). Make sure that is unchecked. Most users and groups will not need any of the rights in that area.

replied on March 11, 2014

Thanks Blake,

There were inherited user rights (as opposed to folder rights) from the 'everyone' group which bypassed folder filters. I've removed that. The only other rights were Records Management, and I've removed that as well. However, the account can still add group rights to folders to give itself full access. Any other suggestions as to why this might be happening?

(Also, any suggestion on how to export with read-only rights?)

John

replied on March 11, 2014

What does the user have on the folder itself? Go to the folder, go to Access Rights and find the account. Do they have Read Entry Security or Write Entry Security?

You can still export documents on a read-only user. Typically for a read only user in the Assigned Feature Rights I give them Search, Print, and Export. On the folder level access rights they should just need Browse and Read.

replied on March 19, 2014

Thanks Chris - I've assigned export feature rights as you suggested and the users can now export.

replied on March 18, 2014

On the folder itself, the user just has browse and read (but they can add whatever else they want!)

Looking at the user properties in Admin console, they have no rights under the 'rights' tab. Also, viewing effective rights on this tab shows no rights either (none inherited).
User:
rights : assigned feature rights: (none)
 : assigned privileges: (none)
 : view effective rights (feature / privileges: none / none)

Group (user is in only this group)
rights : assigned feature rights: (none)
 : assigned privileges: (none)
 : view effective rights (feature / privileges: none / none)

When I log in to LF Client 9 as this account, the rights to the folders are as they should be, but I can change any of the settings.
When I look at the rights to the folder, the effective rights for "current connection" show the option to increase rights on all folders that I can see, but when I change it to the effective rights for the actual account I'm logged in as (rather than 'current user'), write security rights are not enabled. So "current connection" for some reason has higher rights than the named account that I'm actually logged in as! My own account has got Windows Authentication, so I'm wondering if some of my own account's rights are somehow coming through and being applied to the named account (using username and password) I'm logged in as. I've tested this on another user's computer who doesn't have a Windows Authentication LF account in case my WA rights are somehow coming through even though I'm not logged on to LF using it, but the issues are the same.


Any thoughts on what else might be causing this? It's quite a serious security concern if users really can just increase their own rights.

replied on March 18, 2014

Please contact your reseller to open a case with Laserfiche Support so the matter can be further looked into.

We want to confirm the user that's logging into the repository (in case it's a situation where you have a Windows account linked to a repository user account), what groups the user may belong in, and the effective privileges and access rights that user may have.

replied on March 19, 2014

OK, thanks Alexander, I've logged a call with our reseller.

John
