Security Management in Constellio
Constellio offers several mechanisms for managing security. Here is an example of a best practice for setting up security in your Constellio so that it remains optimal in the future.
1. LDAP
LDAP is very useful for easing change management. With LDAP, your users log in to Constellio with the same username and password they used in the morning when they arrived at the office. These credentials are managed by your IT system, which limits the number of passwords to remember and reassures users about using Constellio.
Also, by using LDAP, you won't have to create the users yourself. This avoids errors during account creation as well as lost passwords.
2. Manage roles
To get started with security management, you need to define the roles in the organization. Don't hesitate to build a spreadsheet, for example in Excel, in which each row is a permission and each column is a role within the organization. You will find similarities between some roles and can group them under the same role. Constellio offers four basic roles: Administrator, Documentation Manager, Manager, and User. You can use these roles in any way that works best for you. Typically, these four roles are enough to manage users in an organization, but it is possible to create more.
Here's how roles are typically used:
- Administrators: These are the people who manage the platform, IT and sometimes directors in smaller organizations;
- Document management manager: These are the people who manage the platform, so often archivists and documentation technicians;
- Manager: Team leaders, directors, super-users, etc. These are people who are involved in downgrading and confirming the process or, in the case of super-users, who have some helpful permissions that regular users don't have;
- Users: The basic user of the organization. This is the average person who uses Constellio on a daily basis for basic tasks.
Some permissions may be complementary. Later, you will also assign security access to your users, so the role is also complementary to security access.
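The permission-by-role spreadsheet described above can be checked mechanically before any role is created. The following is an added example, not Constellio code: it reads the matrix exported as CSV, lists draft roles with identical permissions, and flags pairs that differ by a single permission so that a merge does not silently grant extra rights. The role and permission names are hypothetical and the matrix is constructed.

```python
import csv
import io
from itertools import combinations

# Constructed sample matrix: rows are permissions, columns are draft roles.
# Permission and role names are hypothetical, not Constellio identifiers.
MATRIX_CSV = """permission,Archivist,Records Technician,Team Leader,Director,Employee
View documents,x,x,x,x,x
Create folders,x,x,x,x,x
Share documents,x,x,x,x,x
Approve disposal,x,x,x,x,
Manage retention rules,x,x,,,
Manage classification plan,x,x,,,
"""

def load_roles(text):
    """Return {role: set of permissions marked 'x'} from a permission-by-role CSV."""
    reader = csv.DictReader(io.StringIO(text))
    roles = {name: set() for name in reader.fieldnames[1:]}
    for row in reader:
        for role in roles:
            if (row[role] or "").strip().lower() == "x":
                roles[role].add(row["permission"])
    return roles

def identical_groups(roles):
    """Group draft roles whose permission sets are exactly equal."""
    groups = {}
    for role, perms in roles.items():
        groups.setdefault(frozenset(perms), []).append(role)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def near_matches(roles, max_diff=1):
    """Pairs differing by at most max_diff permissions, with the differing ones.
    Merging such a pair gives someone extra rights, so it needs a human decision."""
    out = []
    for a, b in combinations(sorted(roles), 2):
        diff = roles[a] ^ roles[b]
        if 0 < len(diff) <= max_diff:
            out.append((a, b, sorted(diff)))
    return out

if __name__ == "__main__":
    roles = load_roles(MATRIX_CSV)
    for group in identical_groups(roles):
        print("Same permissions, can share one role:", ", ".join(group))
    for a, b, diff in near_matches(roles):
        print(f"Review before merging {a} / {b}: differ on {diff}")
```

Identical groups are safe to collapse into one role; near matches are listed separately because merging them changes what at least one group of people is allowed to do.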
3. Manage security
Several levels of security are available. For each level, it is possible to determine whether the access is read, write or delete. Here's the best way to manage your security for a maximal, simple, and clear effect.
3.1 Granting Permissions
3.1.1 Assignment by Group
Group-based security management is the most recommended approach. In Constellio, a group is made up of users who have the same functions in the organization and therefore need the same access in terms of security and roles. Groups make it easier to assign security because a user associated with a defined group automatically inherits the roles and access assigned to that group.
3.1.2 Assignment by User
It is also possible to assign permissions to specific users. Doing the entire security management per user is less advisable, because it leads to much more complex security management. However, it is possible to grant users permissions on records, or through sharing, to meet one-time needs.
3.2 Types of Permissions
3.2.1 Collection
Collection access refers to permissions applied to the entire collection. This authorization must be granted with great care, since it takes precedence over any other security measures put in place. It is possible to assign permissions on the collection only to users and not to groups.
3.2.2 Administrative units
Permissions by administrative units are the best way to start assigning access. When selecting a unit, the user will be able to access all the files and documents classified under that unit.
3.2.3 Permissions on Records
To create more granular permissions, it is possible to apply permissions directly to folders or documents. It is also possible to apply so-called "negative" authorizations. A negative permission denies a defined user or group of users access to a folder or document. The functionality therefore makes it possible to structure access in a specific way, according to the various documentary needs. The big difference from positive assignment is that negative permissions are handled at the lower levels of the tree, rather than on an extended set of folders or documents.
Security classifications
Finally, the "Security Classification" tab allows you to add a second layer of security to the records through metadata. You can assign accesses with grades, which you create according to your needs, to be applied to your records. These grades determine whether users or groups have access to a record based on their assigned rank.