Best Practices in Laserfiche Security

Connie Anderson, Technical Writer at Laserfiche, walks through best practices in setting up security within Laserfiche.

When setting up security, each Laserfiche repository will be different and have different requirements to consider. Without careful planning and regular updates as your site grows and changes, your system may become chaotic and unsecured. To keep this from happening, have the following recommendations in mind when setting up Laserfiche security.

Windows accounts vs. Laserfiche accounts

There are various ways that users can be authenticated into the Laserfiche system. Administrators can either configure separate Laserfiche accounts or they can take advantage of existing Windows or LDAP accounts (domain accounts) already in place in the organization.

Benefits of domain accounts include the following:

  • When a Windows account for a new user is created on the domain, that account is automatically added to Laserfiche under the same Windows group.
  • If a user leaves the organization, the administrator can simply disable or remove that person’s domain account. The user will then be automatically removed from Laserfiche.
  • Users can log into the repository automatically without needing to remember a separate username and password.
  • Named user licensing is optimized to work best with Windows or LDAP accounts.

Domain accounts can be added to Laserfiche groups just like Laserfiche accounts. It is possible for a user to be in more than one Laserfiche and Windows group at the same time. You can use this to assign several sets of rights to the same user. For example, a manager in the accounting department could be a member of the “Managers” group, which assigns rights and privileges, as well as the “Accounting” group, which has access to accounting department folders.

Four factors in implementing entry access rights

Entry access rights govern the operations that a user can perform on folders or documents. For example, users may be able to read invoices, but not edit or delete them.

It is a best practice to assign entry access rights to groups rather than individual users. In this way, you can simply add users to groups and they will automatically be assigned the correct rights.

1. Who: Figure out which users need to be in which group.

  • Categorize users into groups:
    • By department. For example, members of the sales department have different rights than members of the accounting department.
    • By role. For example, administrators have different rights than scanner operators.
  • This way, if a new person is hired, simply add them to a particular group and they will automatically inherit the correct security.

2. What and how much: Figure out what content needs to be accessed by which group and how much access they should have.

  • For example, members of the accounting department need to create, read and modify financial statements, but most other departments don’t even need to know where the financial statements are stored.

3. Scope: Apply entry access rights at the broadest level possible while still restricting access in the way that you need.

  • Use the default scope “This Folder, Subfolders and Documents” to easily grant or deny access to entire sections of your folder tree. Then restrict access based on which folders you want particular groups to have the ability to access.
  • Example: If you want everyone to have access to everything in the “Human Resources” folder, assign the rights with the default scope.
  • If you want them to have access to everything except the folders and documents in the “Annual Review Information” folder, set the scope to the “Human Resources” folder and its immediate children.

  • Use the folder tree to organize your security, with certain sections of the tree being accessible to certain groups, and use scope to grant only the appropriate sections to the appropriate groups.
  • Create structures with restricted rights at higher levels and more permissive rights at lower levels of the folder tree.

4. Where: Simplify granting security by making sure documents with similar security needs are stored in the same folder. It is a best practice to apply security at the folder level rather than at the document level.

  • After setting up security on a folder, assuming you’ve considered scope correctly, users will automatically have the appropriate rights to the documents residing in it.
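The four factors above, together with the article's advice to keep the “Everyone” group's access very limited, can be checked mechanically. The following audit is an added example, not Laserfiche code: it runs over a constructed ACL export whose column layout, paths, trustee names and non-default scope labels are all assumptions.

```python
import csv
import io

DEFAULT_SCOPE = "This Folder, Subfolders and Documents"  # default scope named in the article

# Constructed sample export. The column layout, paths, trustees and the
# non-default scope labels are assumptions, not a Laserfiche export format.
SAMPLE = """path,entry_type,trustee,trustee_type,rights,scope
/HR,folder,HR Staff,group,Browse;Read,"This Folder, Subfolders and Documents"
/HR/Benefits,folder,HR Staff,group,Read,This Folder Only
/HR/Annual Review Information,folder,HR Managers,group,Browse;Read;Write,"This Folder, Subfolders and Documents"
/Accounting,folder,jsmith,user,Browse;Read,"This Folder, Subfolders and Documents"
/Accounting/FY24 Statement,document,Accounting,group,Read;Write,This Entry Only
/,folder,Everyone,group,Browse;Read,"This Folder, Subfolders and Documents"
"""

def load(text):
    """Parse the export into dicts, turning the rights column into a set."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["rights"] = set(row["rights"].split(";"))
    return rows

def is_ancestor(parent, child):
    """True if `parent` is a folder strictly above `child` in the tree."""
    return child != parent and child.startswith(parent.rstrip("/") + "/")

def audit(rows):
    """Return (rule, location) findings for grants that go against the advice."""
    findings = []
    for row in rows:
        where = f'{row["trustee"]} on {row["path"]}'
        if row["trustee"] == "Everyone":
            findings.append(("everyone-grant", where))       # Everyone should hold very little
        elif row["trustee_type"] == "user":
            findings.append(("user-not-group", where))       # Who: grant to groups
        if row["entry_type"] == "document":
            findings.append(("document-level", where))       # Where: secure the folder
        # Scope: a grant that adds nothing to one already inherited from above.
        # Simplification: ignores denies and any break in inheritance between the two.
        for other in rows:
            if (other is not row and other["trustee"] == row["trustee"]
                    and other["scope"] == DEFAULT_SCOPE
                    and is_ancestor(other["path"], row["path"])
                    and row["rights"] <= other["rights"]):
                findings.append(("redundant-inherited", where))
                break
    return findings

if __name__ == "__main__":
    for rule, where in audit(load(SAMPLE)):
        print(f"{rule:20} {where}")
```

Each finding is a prompt for review rather than proof of a misconfiguration; a document-level grant, for instance, may be a case better served by a security tag.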

Privileges

Privileges are special account rights that grant the ability to perform operations dealing with the management of a Laserfiche repository. Privileges can be divided among different types of administrators.

For example, a high-level administrator can be granted Manage Entry Access and Manage Metadata privileges while a department manager will have Manage Templates and Fields and Manage Stamps.

The number one rule about privileges is: know what a privilege does before you grant it.

The “Everyone” group

Since all users will always be part of the “Everyone” group, you should give it only very limited security access. It is a best practice that a newly created user has no entry access rights until you grant them.

By default, all members of the “Everyone” group are assigned two privileges that confer significant system performance benefits. These privileges allow them to bypass certain security settings:

If you will be using the Folder Filter Expressions advanced security feature, or restricting the Browse right for certain folders, you will need to remove the relevant privilege from the “Everyone” group. Otherwise, it is recommended that you leave these privileges in place.

Other security considerations

Security Tags

Because entry access rights are best granted on particular folders rather than individual documents, use security tags when you want to control access to documents regardless of where they are located in the folder tree. A security tag ensures that only users who have been granted that tag can see documents that have the tag applied to them, wherever the document is in the repository.

Use security tags for documents that:

  • Require more restricted access than other documents in the same folder.
  • Will move through many folders during their life cycle.

Entry Ownership

Entry ownership gives a document’s owner the ability to manage (modify and delete) their own documents without needing to involve an administrator. By default, the document’s creator is the entry’s owner. If you wish to change the default document owner, or if you want documents to be created with no default owner, you can do so in the Administration Console.

Security Interactions

Remember that a user needs to have all applicable rights in order to perform a particular task. For example, to open a document and view its pages, a user needs a combination of the appropriate entry access and volume access rights.