Security management
  • 20 Oct 2022

Managing security is about giving users and user groups read, write, and delete permissions to the contents of a collection. Permissions can be managed across the entire collection or at a specific level: administrative unit, folder, or document.

It is important to distinguish between roles and permissions. Roles are rights granted on Constellio features, while permissions are rights granted on content and records in Constellio.


Context of Use

Users are essential to using Constellio, and group management makes it easier to manage the security and roles of multiple users. Security and roles, in turn, are the functions that let you use Constellio while protecting content and governing actions. These features meet the following needs:

  • Allow users to be created or imported
  • Enable group creation and addition of users to groups
  • Enable security management on the entire content of the collection or on a specific part
    • Administrative units
    • Records
    • Documents
  • Allow you to create and edit roles in Constellio
  • Enable the assignment of roles to users and groups.

1. Authorization

Permissions allow you to configure security in Constellio in order to grant or even remove different rights in the application. These permissions can be separated into two different groups: access and roles.

The authorization page is divided into three sections.

Global Accesses

Access to the collection refers to the permissions applied to the entire collection. 

Inherited authorization

Inherited permissions are the permissions a user receives from user groups.

Specific authorization

Specific permissions refer to permissions granted on administrative units, folders, and documents. 


1.1 Access

Accesses are used to give a read, write, or delete right on a Constellio record (for example, a document, folder, or container). Access determines whether users can reach the consultation and modification pages for these records, and whether they can perform most of the actions related to them.

For example, giving write access to a folder allows the user not only to edit the folder, but also to move it.

1.2 Roles and permissions

Roles are an addition to Constellio's access system. This mechanism does not modify access, but rather secures specific actions or scenarios. Roles (such as administrator) are associated with users to grant them permissions (for example, Edit Inactive Folder). For more details, see the "Role management" article.

For example, the Edit Inactive Folder permission restricts the scenario of editing a folder when it reaches a paid or destroyed status. The Return folders borrowed by others permission allows an administrator to force the return of folders borrowed by another user, so read/write/delete access does not come into play.

2. Security structure

Constellio's security is managed at two levels: users and groups.

The term user refers to a person who uses Constellio. The "Users" tab shows all the users present in the collection. From here you can create, view, modify, and delete user profiles. Viewing a user also allows you to add or edit the groups to which they belong. To learn more about user management, see the "User management" article.

In Constellio, a group is made up of users who have the same functions in the organization and therefore need the same access and roles. Groups make it easier to assign security: by associating a user with a defined group, the user automatically inherits the roles and access assigned to that group. For more information on group management, see the "Group management" article.

Roles are what grant responsibilities or rights of action in Constellio. Depending on the roles assigned, the options and possible actions in Constellio are not the same. Users and groups can be added manually, which creates a local account, or through LDAP synchronization.

Constellio's security consists of giving read, write, and delete permissions to the contents of the collection, either to parts of it (administrative units, folders, and documents) or to the collection in its entirety. Constellio's security is applied on several levels. For records, security can be applied to administrative units, folders, documents, tasks, workflows, connector documents, Office 365 documents, and metadata.


3. Authorizations

Permissions are given on the entire collection or by administrative units: 

  1. Click on "Administration" in the navigation menu;
  2. Click on "Manage Security";
  3. Click on the "Manage Security" icon to the right of the name of a user or group for which you wish to view or add access to the collection and units.

The authorization page is divided into three sections. 

Global Accesses

Global Accesses refers to the permissions applied to the entire collection. 

Inherited authorization

Inherited authorization refers to permissions inherited from user groups.

Specific authorization

Specific authorization refers to permissions granted on administrative units, folders, and documents.


4.1 Add a specific authorization

Authorizations are determined by the administrative units. When selecting a unit, the user or group will be able to access all folders and documents classified under that unit.

  1. Click on "Administration" in the navigation menu;
  2. Click on "Manage Security";
  3. Click on the "Manage Security" icon to the right of a user's or group's name;
  4. Click on "Add an authorization" on the right side of the screen;
  5. In the "Add an authorization" window, complete the metadata and click "Save".


Metadata in the permissions form

Field Name | Description
--- | ---
Secured content (Obligatory) | Allows you to select an administrative unit.
Access (Obligatory) | Allows you to select read, write, and delete access.
Start date (Facultative) | Allows you to select a start date.
End date (Facultative) | Allows you to select an end date.

Secured content: If you select a unit in which there are subunits, the user will have access not only to the unit, but also to all subunits.

Authorization: If no start or end date is indicated, the authorization will be permanent.



4.2 Modify a specific authorization

It is only possible to change a specific authorization. To edit an inherited authorization, go to the parent group, since the permission will be specific there.

  1. Click on "Administration" in the navigation menu;
  2. Click on "Manage Security";
  3. Click on the "Manage Security" icon to the right of a user's or group's name;
  4. In the permissions, click on the notebook to the right of the authorization to be modified;
  5. In the edit window, change the desired permissions, then click "Save".

4.3 Delete a specific permission

To remove a permission, go to the user's profile or group. It is only possible to remove specific permissions. To remove inherited permissions, go to the parent group since the permission will be specific there. 

  1. Click on "Administration" in the navigation menu;
  2. Click on "Manage Security";
  3. Click on the "Manage Security" icon to the right of a user's or group's name;
  4. In the permissions, click on the red "X" to the right of the permission to be deleted;
  5. A confirmation window appears; confirm the deletion.

4.4 Add an authorization on an administrative unit

  1. Click on "Administration" in the navigation menu;
  2. Click on "Departments";
  3. Consult the administrative unit of your choice;
  4. Click on the "Manage authorizations" icon in the choice of actions;
  5. Click on the "Add an authorization" icon in the action choices;
  6. In the "Add an authorization" window, complete the metadata and click "Save".

4.5 Edit an authorization on an administrative unit

It is only possible to change specific permissions. To edit inherited permissions, go to the parent administrative unit since the permission will be specific there. 

  1. Click on "Administration" in the navigation menu;
  2. Click on "Departments";
  3. Consult the administrative unit of your choice;
  4. Click on the "Manage authorizations" icon in the choice of actions;
  5. In the "Authorization of the administrative unit" window, click on the notebook to the right of the authorization to be modified;
  6. In the "Edit an authorization" window, it is possible to add or remove authorized users. Edit the information and click on "Save".

4.6 Remove an authorization on an administrative unit

It is only possible to remove specific permissions. To remove inherited permissions, go to the parent administrative unit since the permission will be specific there.

  1. Click on "Administration" in the navigation menu;
  2. Click on "Departments";
  3. Consult the administrative unit of your choice;
  4. Click on the "Manage authorizations" icon in the choice of actions;
  5. In the "Administrative Unit Authorization" window, click on the «X» to the right of the authorization to be deleted;
  6. Confirm the deletion by clicking «Yes».

4.7 Add Global accesses

Access to the collection allows full access to all administrative units and their contents. 

  1. Click on "Administration" in the navigation menu;
  2. Click on "Manage Security";
  3. Click on the "Manage Security" icon to the right of a user's or group's name;
  4. Click on "Global Accesses".

 

Global Accesses: Access to the collection takes precedence over specific or inherited permissions.

Access metadata on the collection

Access | Description
--- | ---
Read | The user can view the records.
Write | The user can view, edit, and add content to the records.
Delete | The user can view, edit, add content, and delete records.
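
The rules described on this page (inheritance from groups, a unit covering its subunits, date-bounded authorizations, and global accesses taking precedence) can be modelled in a few lines to review who effectively holds which access. This is an added example, not Constellio code or its API; the data structures, the names, the constructed sample data, and the inclusive treatment of start and end dates are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Authorization:
    principal: str                 # user or group name
    unit: str                      # secured content (administrative unit)
    access: frozenset              # any of "read", "write", "delete"
    start: Optional[date] = None   # no dates = permanent
    end: Optional[date] = None

    def active(self, today: date) -> bool:
        # Assumption: start and end dates are both inclusive.
        return ((self.start is None or self.start <= today)
                and (self.end is None or today <= self.end))

# Constructed sample data (hypothetical names).
PARENTS = {"Finance/Payroll": "Finance", "Finance": None}
GROUPS = {"alice": ["Accountants"]}
GLOBAL = {"bob": {"read"}}
AUTHS = [
    Authorization("Accountants", "Finance", frozenset({"read"})),
    Authorization("alice", "Finance/Payroll", frozenset({"write"}),
                  end=date(2022, 12, 31)),
]

def effective_access(user: str, unit: str, today: date) -> dict:
    """Map each access the user holds on `unit` to where it comes from."""
    sources = {user: "specific"}
    for g in GROUPS.get(user, ()):
        sources[g] = f"inherited from group {g}"
    # A grant on a unit also covers its subunits: collect the ancestors.
    chain, node = [], unit
    while node is not None:
        chain.append(node)
        node = PARENTS.get(node)
    result = {}
    for a in AUTHS:
        if a.principal in sources and a.unit in chain and a.active(today):
            origin = sources[a.principal]
            if a.unit != unit:
                origin += f" via unit {a.unit}"
            for acc in a.access:
                result.setdefault(acc, origin)
    # Global accesses cover the whole collection and take precedence.
    for principal in sources:
        for acc in GLOBAL.get(principal, ()):
            result[acc] = f"global ({principal})"
    return result
```

Running it for each user and unit on a given date gives a reviewable list of grants and their origin, which makes expired or overly broad authorizations easy to spot.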

4.8 Edit global accesses

Access to the collection allows full access to all administrative units and their contents. To edit it, consult the access to the collection.

  1. Click on "Administration" in the navigation menu;
  2. Click on "Manage Security";
  3. Click on the "Manage Security" icon to the right of a user's or group's name;
  4. Click on "Global Accesses";
  5. Add or remove the access of your choice, then click "Save".

Removing access to the collection: To remove access to the collection, simply remove the access you want. The user will then no longer have this security access.

5. Manage authorizations on folders and documents

This option allows you to add a user- or group-specific authorization for a folder or document. Inherited permissions are those that are automatically added for a subfolder or document based on the permissions in the parent folders, while specific authorizations are set directly on a folder or document.


5.1 Add permission to a record

It is only possible to change specific permissions. To change inherited permissions, go to the parent folder since the permission will be specific there.

  1. In the folder or document, click on "Authorisations";
  2. In the item's permissions, click on "Add an authorization";
  3. In the "Add an authorization" window, complete the metadata and click "Save".

Metadata for adding permission

Field Name | Description
--- | ---
Authorized User(s) (Facultative) | Select one or more users.
Authorized Group(s) (Facultative) | Select one or more groups.
Type (Obligatory) | Select the type of authorization to accord.
Access (Obligatory) | Select the desired access(es) (read/write/delete).
Start date (Facultative) | Enter an access start date.
End date (Facultative) | Enter an access end date. If no end date, the user's or group's permissions will never cease.

5.2 Change an authorization on a record

  1. In the folder or document, click on "Authorization";
  2. In the permissions of the item, click on the notebook to the right of the permission to be modified;
  3. In the "Edit permission" window, you can add or remove a user for that permission. To confirm the changes, click on "Save".

5.3 Remove an authorization on a record

  1. In the folder or document, click on "Authorization";
  2. In the item's permissions, click the " " to the right of the permission you want to delete.

It is also possible to delete only a group or user in a permission. To do this:

  1. Click on edit permission;
  2. Click on the "X" to the right of the name of the user or group to delete.

5.4 Detach

When a permission is added for a user or group at a parent folder, the same permissions (inherited permissions) will be added for its documents and subfolders. When inheritance is cut inside a folder or document, inherited permissions become specific permissions. It is then possible to remove certain permissions or add permissions on an item. 

  1. In the folder or document, click on "Authorization";
  2. In the item's permissions, click "Detach".

In Constellio, permissions are the rights (read, write, or delete) granted on the content supported in the collection. User and group permissions can be managed for the entire collection or part of it. The Manage Permissions on an Administrative Unit option allows you to manage permissions on a portion of the collection, specifically, on the contents of an administrative unit.


5.5 Attach

When a permission is added for a user or group at a parent folder, the same permissions (inherited permissions) will be added for its documents and subfolders. When the inheritance is cut, it is then possible to delete its permissions. If this was not intended, it is possible to click on the action "restore inheritance" and the inherited permissions will be restored.

  1. In the folder or document, click on "Authorizations";
  2. In the item's permissions, click "Revert Inheritance". Inherited permissions will be reinstated.

5.6 Deny Permissions

To learn more about denied permissions, see the "Negative authorization" article. 



