We chose Laserfiche due to its very good security features, but I couldn't seem to find how I can allow access to only specific subfolders or files without showing its root main folder. This is a major business need as we cannot manage taking out a file/folder and putting it in a general use folder every time we have our volunteers come in to help with metadata management due to the volume of files we have. Please help.
Question
LF10 - Allow read-write access ONLY to 1 specific subfolder or file without showing the main folder and its subfolders
Replies
Hi Bea! If you give them read/write access to just one subfolder, they will be able to access the content of that folder. The problem is the folder tree before it is hidden because no access has been given to the user, making it difficult to browse to. A couple of things you could do to access it more easily:
1. Get the user to search for the folder.
2. Put a shortcut to the folder at the root level, and give them access rights to browse/read that shortcut only.
3. Set up access rights so they can only see the folders to the folder they want (I would only recommend this if the subfolder is permanently made available to your user).
There are so many different things you can do with Laserfiche Security, so I have provided a couple of links to white papers and presentations so that you can have a better understanding!
- LSEC203: Security 5: Best Practices presentation.
- Laserfiche Administration Security help files.
Note that you can also use entry access scope to grant rights differently to the parent folder compared to its contents. So you can give the user the ability to see the existence of the root folder itself, but not grant them rights to see any of the children except for the one folder you want them to see (say by using a shortcut as Cathy describes above).
You need to use security tags for this.
If you create a security tag and assign it to all users except this specific subset (make sure this includes admins and your service accounts like Workflow!) you can then assign that security tag to every other folder in your main folder. Since presumably your security is already set correctly that this special group does not have permissions to subfolders/docs, you only need to assign the tags to the top level. Additionally, if your everyone group has read access for everything, I'd remove it from the root folder (and anywhere else it is). You can then create a new group that includes all of your other users to grant permissions to everything.
When users log in to Laserfiche, they will only see one folder. The trick to this method is to make sure that all other folders/subfolders are locked away with permissions too, otherwise the users can use a search to see those documents. In addition, you can hide unneeded templates by setting security on the templates to only the other groups. If other users have rights assigned by that former "everyone" group, just add your new everyone else group access to everything at the root level, and the new group you create for your special users only grant it to that subfolder. And try to avoid using Deny as much as possible. It's easy to cause confusion - it's simpler just to not grant rights.
One note: when adding security tags to a user or group, they don't kick in until you log out and log in. So if you add a security tag to a user and a folder at the same time the folder will immediately hide itself from a user and won't be visible until they log back in! So when you do this you might consider adding the tags to everyone first, then let your users know to log out (or wait a day) before starting to add that tag to your root folders.
2nd note: I know I mentioned this above, but don't forget to add your Workflow, Quick Fields, Forms, Import Agent and admins to your security tag too! I used to be the primary person at the VAR I work for and this was a very common call I would receive after changes like this! I usually create a service accounts group and add these users to it and always add all security groups to it. All of the services log in/out with each run so you don't need to reboot or anything for the tags to take effect.
Thanks, Chris, Cathy and Justin. Let me study and try your suggestions and will let you know what worked for us. Have a great day!
Hi All.
The solution I chose was 2-step: give permission to the folder and then create a shortcut to the folder. Works awesome. Our volunteers only see that folder after clicking on the shortcut.
Thank you all for your suggestions. Appreciate the quick responses.