Login
    Contents x
    Security Management
    • 26 Feb 2025
    • 3 Minutes to read
    • Contributors
    • Print
    • Dark
      Light
    • PDF
    Contents

    Security Management

    • Updated on 26 Feb 2025
    • 3 Minutes to read
    • Contributors
    • Print
    • Dark
      Light
    • PDF
    Article summary

    Security Management in Constellio

    There are several elements available to manage security in Constellio. Here is an example of a best practice to manage the security of your Constellio and make it optimal for the future. 

    Security Mapping
    This is an example of a document that can help you keep track of your security in Constellio. 
    Mapping de Sécurité_Constellio.docx


    1. LDAP

    Very useful for optimizing your change management. With LDAP, you ensure that your users can log in with the same username and password as they did in the morning when they entered the office. This is managed by your IT system, limits the number of passwords to remember, and reassures users about using Constellio.

    Also, by using LDAP, you won't have to create the users. This will avoid the chance of errors when creating and losing passwords. 

    2. Manage roles

    To get started with security management, you need to define the roles in the organization. Don't hesitate to make an excel. For example, each row is a permission and each column is a role within the organization. You will find similarities between some roles and can group them under the same role. Constellio offers four basic roles: Administrator, Documentation Manager, Manager, and User. You can use these roles in any way that works best for you. Typically, these four roles are enough to manage users in an organization, but it is possible to create more. 

    Here's how roles are typically used: 

    • Administrators: These are the people who manage the platform, IT and sometimes directors in smaller organizations;
    • Document management manager: These are the people who manage the platform, so often archivists and documentation technicians;
    • Manager: Team leaders, directors, super-users, etc. These are people who are involved in downgrading and confirming the process, or in the case of super-users, they have some permissions that users don't have that help them;
    • Users: The basic user of the organization. These are the average person who uses Constellio on a daily basis for basic tasks.

    Some permissions may be complementary. Later, you will also assign security to your user, so the role is also complementary to security access.

    3. Manage security

    Several levels of security are available, for each level it is possible to determine whether the accesses are read, write or deleted. Here's the best way to manage your security for a maximal, simple, and clear effect. 

    3.1 Granting Permissions

    3.1.1 Assignment by Group

    Group-based security management is the most recommended one. In Constellio, a group is made up of users who have the same functions in the organization and therefore need the same access in terms of security and roles. Groups make it easier to assign security because by associating a user with a defined group, the user will automatically inherit the roles and access assigned to that group.

    3.1.2 Assignment by User

    It is also possible to assign permissions for specific users. It is less advisable to do the entire security management per user. Indeed, this will lead to much more complex security management. However, it is possible to grant permissions on records or by sharing to users to meet one-time needs. 

    3.2 Types of Permissions

    3.2.1 Collection

    Collection access refers to permissions applied to the entire collection. This authorization must be granted with great care, since it takes precedence over any other security measures put in place. It is possible to assign permissions on the collection only to users and not to groups.

    3.2.2 Administrative units

    Permissions by administrative units are the best way to start assigning access. When selecting a unit, the user will be able to access all the files and documents classified under that unit.  

    3.2.3 Permissions on Records

    In order to create more granular permissions, it is possible to apply permissions directly to folders or documents. It is also possible to apply so-called "negative" authorisations. Granting a negative permission is the process of granting, or denying, access to a folder or document to a defined user or group of users.  The functionality therefore makes it possible to order access in a specific way, according to the various documentary needs. The big difference from positive assignment is that negative permissions are handled at the lower levels of the tree, rather than on an extended set of folders or documents.

    Security classifications

    Finally, the "Security Classification" tab allows you to add a second layer of security to the records through metadata. You can assign accesses with grades, which you create according to your needs, to be applied to your records.  These grades determine whether users or groups have access to a record based on their assigned rank.


    Was this article helpful?
    What's Next
    Change password!
    Changing your password will log you out immediately. Use the new password to log back in.
    Change profile
    Success!
    First name must have atleast 2 characters. Numbers and special characters are not allowed.
    Last name must have atleast 1 characters. Numbers and special characters are not allowed.
    Enter a valid email
    Enter a valid password
    Your profile has been successfully updated.
    Logout