Manage Security
Managing security is the process of giving users and user groups read, write, and delete permissions on the contents of a collection. Permissions can be managed across the entire collection or at multiple levels, including organizational units, folders, and documents.
It's important to distinguish between roles and permissions. Roles are permissions granted on Constellio features, while permissions grant access to content and records in Constellio.
Context of Use
While users are an essential part of using Constellio, group management is a feature that makes it easy to manage the security and roles of multiple users. Security and roles, on the other hand, are functions that allow Constellio to be used while ensuring the protection of content and the parameterization of actions. These features meet the following needs:
- Enable user creation or import
- Enable group creation and adding users to groups
- Enable security management on the entire collection content or on a specific part:
  - Administrative units
  - Folders
  - Documents
- Enable the creation and modification of roles in Constellio
- Enable the creation of security classifications
- Enable the assignment of roles to users and groups
1. Security Management
Constellio's security is managed at two levels: users and groups.
1.1 Users
The term user refers to a person who uses Constellio. The "Users" tab lets you see all the users present in the collection. From here you can create, view, modify and delete user profiles. Viewing a user also lets you add or modify the groups they belong to. To learn more about managing users, see the "Users" article.
1.2 Groups
In Constellio, a group is made up of users who have the same functions in the organization and therefore need the same access in terms of security and roles. Groups make it easier to assign security because by associating a user with a defined group, the user will automatically inherit the roles and access assigned to that group. For more information on managing groups, see the article "Groups".
1.3 The LDAP directory
Roles provide responsibilities or rights of action in Constellio. Depending on the roles assigned, the options and actions that are possible in Constellio are not the same. To add a user or group, you can either create a local account manually or synchronize with LDAP.
1.4 Security Structures
Constellio's security consists of giving read, write, and delete permissions on the contents of the collection, either on specific parts (administrative units, folders, and documents) or in its entirety. For more details on authorizations, please refer to the "Authorizations" article.
Finally, the "Security Classification" tab lets you add a second layer of security to records through metadata. You create grades according to your needs and use them to assign access to your records. For all the details, see the "Security clearance" page.
2. Access and roles
2.1 Roles and permissions
Role management is an addition to Constellio's access system. This mechanism does not modify access, but rather secures specific actions or scenarios. Roles (e.g., administrator) are associated with users to grant them permissions (e.g., Edit Inactive Folder). For more details, see the "Role Management" (Gestion des rôles) page.
2.2 Access
Accesses allow you to give the right to read, write or delete a Constellio record (e.g. a document, folder, container). This restricts users from accessing the various consultation and modification pages, but also from performing the majority of actions related to these records.
Access Type | Actions on Folders | Actions on Documents |
---|---|---|
Reading | | |
Writing | | |
Deletion | | |
3. Manage permissions
Constellio's security consists of giving read, write, and delete permissions on the contents of the collection, either on specific parts (administrative units, folders, and documents) or in its entirety. For more details on authorizations, please refer to the "Authorizations" article.
- Click on "Piloting" in the navigation menu;
- Click on "Manage Security";
- Click on the "Manage Security" icon to the right of the name of the user or group for which you wish to view or add access to the collection and units.
The authorization page is divided into three sections.
Access to the collection
Collection access refers to permissions applied to the entire collection.
Inherited permissions
Inherited permissions refer to permissions inherited from user groups.
Specific Permissions
Specific permissions refer to permissions granted on organizational units, folders, and documents.
3.1 Cutting Inheritance
When a permission is added for a user or group on a parent folder, the same permissions (inherited permissions) are added for its documents and subfolders. When you cut the inheritance within a folder or document, the inherited permissions become specific permissions. It is then possible to remove certain permissions or add permissions to an item.
- In the folder or document, click on "Permissions";
- In the item's permissions, click on "Cut Inheritance".
In Constellio, permissions are access rights (read, write, or delete) granted on the supported content in the collection. User and group permissions can be managed for the entire collection or part of it. The "Manage permissions on an administrative unit" option allows you to manage permissions on a portion of the collection, specifically, on the content of an administrative unit.
3.2 Restoring Inheritance
When a permission is added for a user or group on a parent folder, the same permissions (inherited permissions) are added for its documents and subfolders. When the inheritance is cut, it is then possible to remove those permissions. If this was not intended, you can click on the "Restore Inheritance" action and the inherited permissions will be restored.
- In the folder or document, click on "Permissions";
- In the item's permissions, click "Restore Inheritance". Inherited permissions will be restored.
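The cut and restore behaviour described in sections 3.1 and 3.2 can be modelled as follows. This is an added illustration, not Constellio code or its API: the `Record` class, its method names and the `group:legal` principal are hypothetical, and the model assumes that specific permissions stay in place when inheritance is restored, which the page does not state.

```python
# Illustrative model only; names are hypothetical, not Constellio's API.
class Record:
    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.specific = {}      # principal -> set of "read"/"write"/"delete"
        self.inherits = True    # becomes False once inheritance is cut

    def grant(self, principal, *perms):
        self.specific.setdefault(principal, set()).update(perms)

    def revoke(self, principal, *perms):
        self.specific.get(principal, set()).difference_update(perms)

    def inherited(self):
        """Permissions flowing down from ancestors (none when cut)."""
        if not self.inherits or self.parent is None:
            return {}
        return self.parent.effective()

    def effective(self):
        """Inherited permissions merged with this record's specific ones."""
        merged = {p: set(v) for p, v in self.inherited().items()}
        for principal, perms in self.specific.items():
            merged.setdefault(principal, set()).update(perms)
        return merged

    def cut_inheritance(self):
        # Inherited permissions become specific permissions, editable here.
        for principal, perms in self.inherited().items():
            self.grant(principal, *perms)
        self.inherits = False

    def restore_inheritance(self):
        # Assumption: specific entries are kept; parent grants apply again.
        self.inherits = True


def demo():
    # Constructed sample hierarchy: unit > folder > document.
    unit = Record("Unit")
    folder = Record("Contracts", parent=unit)
    doc = Record("contract.pdf", parent=folder)
    unit.grant("group:legal", "read", "write")

    folder.cut_inheritance()               # folder now holds read+write itself
    folder.revoke("group:legal", "write")  # tighten the folder to read-only
    after_cut = doc.effective()["group:legal"]

    folder.restore_inheritance()           # the unit's write grant flows back
    after_restore = doc.effective()["group:legal"]
    return after_cut, after_restore
```

In this model, restoring inheritance on the folder re-grants write on every document beneath it, so a review of where inheritance is cut should also cover where it has been restored.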