Security Management
Managing security is about giving users and user groups read, write, and delete permissions on the contents of a collection. Permissions can be managed across the entire collection or at several levels: administrative unit, folder, and document.
It is important to distinguish between roles and permissions. Roles are rights granted on Constellio features, while permissions are rights granted on content and records in Constellio.
Context of Use
While users are an essential part of using Constellio, group management is a feature that makes it easier to manage the security and roles of multiple users. Security and roles, on the other hand, are functions that allow you to use Constellio while ensuring the protection of content and the setting of actions. These features meet the following needs:
- Allow users to be created or imported
- Enable group creation and addition of users to groups
- Enable security management on the entire content of the collection or on a specific part
  - Administrative units
  - Records
  - Documents
- Allow you to create and edit roles in Constellio
- Enable the assignment of roles to users and groups.
1. Authorization
Permissions allow you to configure security in Constellio in order to grant or even remove different rights in the application. These permissions can be separated into two different groups: access and roles.
The authorization page is divided into three sections.
Global Accesses
Access to the collection refers to the permissions applied to the entire collection.
Inherited authorization
Inherited permissions refer to permissions inherited from user groups.
Specific authorization
Specific permissions refer to permissions granted on administrative units, folders, and documents.
1.1 Access
Accesses grant a read, write or delete right on a Constellio record (for example, a document, folder or container). They restrict which users can reach the consultation and modification pages and perform most of the actions related to these records.
1.2 Roles and permissions
Roles are an addition to Constellio's access system. This mechanism does not modify access, but rather secures specific actions or scenarios. Roles (such as administrator) are associated with users to grant them permissions (for example, Edit Inactive Folder). For more details, see the "Role management" article.
2. Security structure
Constellio's security is managed at two levels, users and groups.
The term user refers to a person who uses Constellio. The "Users" tab shows all the users present in the collection. From here it is possible to create, view, modify and delete user profiles. Viewing a user also allows you to add or edit the groups to which they belong. To learn more about user management, see the "User management" article.
In Constellio, a group is made up of users who have the same functions in the organization and therefore need the same access and roles. Groups make it easier to assign security because, by associating a user with a defined group, the user automatically inherits the roles and access assigned to that group. For more information on group management, see the "Group management" article.
Roles are what grant responsibilities or rights of action in Constellio. Depending on the roles assigned, the options and possible actions in Constellio are not the same. A user or group can be added manually, which creates a local account, or through LDAP synchronization.
Constellio's security consists of giving read, write, and delete permissions on the contents of the collection, either on parts of it (administrative units, folders, and documents) or in its entirety. Constellio's security is applied on several levels. For records, security can be applied to administrative units, folders, documents, tasks, workflows, connector documents, Office 365 documents, and metadata.
3. Authorizations
Permissions are given on the entire collection or by administrative units:
- Click on "Administration" in the navigation menu;
- Click on "Manage Security";
- Click on the "Manage Security" icon to the right of the name of a user or group for which you wish to view or add access to the collection and units.
The authorization page is divided into three sections.
Global Accesses
Global Accesses refers to the permissions applied to the entire collection.
Inherited authorization
Inherited authorization refers to permissions inherited from user groups.
Specific authorization
Specific authorization refers to permissions granted on administrative units, folders, and documents.
4.1 Add a specific authorization
Authorizations are determined by the administrative units. When selecting a unit, the user or group will be able to access all folders and documents classified under that unit.
- Click on "Administration" in the navigation menu;
- Click on "Manage Security";
- Click on the "Manage Security" icon to the right of a user's or group's name;
- Click on "Add an authorization" on the right side of the screen;
- In the "Add an authorization" window, complete the metadata and click "Save".

Metadata in the permissions form

Field Name | Requirement | Description
---|---|---
Secured content | Required | Allows you to select an administrative unit. If you select a unit in which there are subunits, the user will have access not only to the unit, but also to all subunits.
Access | Required | Allows you to select read, write, and delete access.
Start date | Optional | Allows you to select a start date.
End date | Optional | Allows you to select an end date. If no start or end date is indicated, the authorization will be permanent.
4.2 Modify a specific authorization
It is only possible to change a specific authorization. To edit an inherited authorization, go to the parent group since the permission will be specific there.
- Click on "Administration" in the navigation menu;
- Click on "Manage Security";
- Click on the "Manage Security" icon to the right of a user's or group's name;
- In the permissions, click on the notebook to the right of the authorization to be modified;
- In the edit window, change the desired permissions, then click "Save".
4.3 Delete a specific permission
To remove a permission, go to the user's profile or group. It is only possible to remove specific permissions. To remove inherited permissions, go to the parent group since the permission will be specific there.
- Click on "Administration" in the navigation menu;
- Click on "Manage Security";
- Click on the "Manage Security" icon to the right of a user's or group's name;
- In the permissions, click on the red "X" to the right of the permission to be deleted;
- A confirmation window appears; confirm the deletion.
4.4 Add an authorization on an administrative unit
- Click on "Administration" in the navigation menu;
- Click on "Departments";
- Consult the administrative unit of your choice;
- Click on the "Manage authorizations" icon in the choice of actions;
- Click on the "Add an authorization" icon in the choice of actions;
- In the "Add an authorization" window, complete the metadata and click "Save".
4.5 Edit an authorization on an administrative unit
It is only possible to change specific permissions. To edit inherited permissions, go to the parent administrative unit since the permission will be specific there.
- Click on "Administration" in the navigation menu;
- Click on "Departments";
- Consult the administrative unit of your choice;
- Click on the "Manage authorizations" icon in the choice of actions;
- In the "Authorization of the administrative unit" window, click on the notebook to the right of the authorization to be modified;
- In the "Edit an authorization" window, it is possible to add or remove authorized users. Edit the information and click on "Save".
4.6 Remove an authorization on an administrative unit
It is only possible to remove specific permissions. To remove inherited permissions, go to the parent administrative unit since the permission will be specific there.
- Click on "Administration" in the navigation menu;
- Click on "Departments";
- Consult the administrative unit of your choice;
- Click on the "Manage authorizations" icon in the choice of actions;
- In the "Administrative Unit Authorization" window, click on the "X" to the right of the authorization to be deleted;
- Confirm the deletion by clicking "Yes".
4.7 Add Global accesses
Access to the collection allows full access to all administrative units and their contents.
- Click on "Administration" in the navigation menu;
- Click on "Manage Security";
- Click on the "Manage Security" icon to the right of a user's or group's name;
- Click on "Global Accesses".

Access metadata on the collection

Access | Description
---|---
Read | The user can view the records.
Write | The user can view, edit, and add content to the records.
Delete | The user can view, edit, add content, and delete records.
4.8 Edit global accesses
Access to the collection allows full access to all administrative units and their contents. To edit it, open the access to the collection.
- Click on "Administration" in the navigation menu;
- Click on "Manage Security";
- Click on the "Manage Security" icon to the right of a user's or group's name;
- Click on "Global Accesses";
- Add or remove the access of your choice, then click "Save".
5. Manage authorizations on folders and documents
This option allows you to add a user- or group-specific authorization for a folder or document. Inherited permissions are those that are automatically added for a subfolder or document based on the permissions in the parent folders, while specific authorizations are set directly on the folder or document.
5.1 Add permission to a record
It is only possible to change specific permissions. To change inherited permissions, go to the parent folder since the permission will be specific there.
- In the folder or document, click on "Authorisations";
- In the item's permissions, click on "Add an authorization";
- In the "Add an authorization" window, complete the metadata and click "Save".

Metadata for adding permission

Field Name | Requirement | Description
---|---|---
Authorized User(s) | Optional | Select one or more users.
Authorized Group(s) | Optional | Select one or more groups.
Type | Required | Select the type of authorization to grant.
Access | Required | Select the desired access(es) (read/write/delete).
Start date | Optional | Enter an access start date.
End date | Optional | Enter an access end date. If no end date is set, the user's or group's permissions will never cease.
5.2 Change an authorization on a record
- In the folder or document, click on "Authorization";
- In the permissions of the item, click on the notebook to the right of the permission to be modified;
- In the "Edit permission" window, you can add or remove a user for that permission. To confirm the changes, click on "Save".
5.3 Remove an authorization on a record
- In the folder or document, click on "Authorization";
- In the item's permissions, click the "X" to the right of the permission you want to delete.
It is also possible to remove only a group or user from a permission. To do this:
- Click on edit permission;
- Click on the "X" to the right of the name of the user or group to delete.
5.4 Detach
When a permission is added for a user or group at a parent folder, the same permissions (inherited permissions) will be added for its documents and subfolders. When inheritance is cut inside a folder or document, inherited permissions become specific permissions. It is then possible to remove certain permissions or add permissions on an item.
- In the folder or document, click on "Authorization";
- In the item's permissions, click "Detach".
In Constellio, permissions are the read, write, or delete rights granted on the content held in the collection. User and group permissions can be managed for the entire collection or part of it. The Manage Permissions on an Administrative Unit option allows you to manage permissions on a portion of the collection, specifically, on the contents of an administrative unit.
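The rules from sections 4.1 and 5.4, modelled as an added example (not Constellio's own code or API): an authorization on a unit reaches everything below it, the start and end dates bound when it is active, and detaching turns inherited authorizations into specific ones. The class and function names and the sample unit, group and dates are constructed for illustration, and the model assumes that effective access is the union of all active authorizations naming the user or one of their groups.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Auth:
    principal: str                # user or group name
    access: frozenset             # subset of {"read", "write", "delete"}
    start: Optional[date] = None  # no start and no end date = permanent
    end: Optional[date] = None
    def active(self, day: date) -> bool:
        return (not self.start or self.start <= day) and (not self.end or day <= self.end)

@dataclass
class Node:                       # administrative unit, folder or document
    name: str
    parent: Optional["Node"] = None
    specific: list = field(default_factory=list)
    detached: bool = False
    def inherited(self) -> list:
        if self.detached or self.parent is None:
            return []
        return self.parent.specific + self.parent.inherited()
    def detach(self) -> None:
        # Inherited authorizations become specific ones, then inheritance is cut.
        self.specific = self.specific + self.inherited()
        self.detached = True

def effective(node: Node, user: str, groups: set, day: date) -> set:
    # Assumption: effective access is the union of all active matching authorizations.
    auths = [a for a in node.specific + node.inherited()
             if a.principal in {user} | groups and a.active(day)]
    return set().union(*(a.access for a in auths))

def demo() -> dict:
    # Constructed sample: unit > subunit > folder, one dated authorization for a group.
    grant = Auth("accounting", frozenset({"read", "write"}), end=date(2024, 12, 31))
    finance = Node("Finance", specific=[grant])
    payroll = Node("Payroll", parent=finance)
    folder = Node("2024 pay slips", parent=payroll)
    who, day = ("alice", {"accounting"}), date(2024, 6, 1)
    out = {"in_window": effective(folder, *who, day),
           "expired": effective(folder, *who, date(2025, 1, 1))}
    folder.detach()
    finance.specific.remove(grant)  # revoked on the unit after the folder was detached
    out["detached_copy"] = effective(folder, *who, day)
    out["subunit"] = effective(payroll, *who, day)
    return out
```

In this model the detached folder keeps its copied authorization after the grant is removed from the unit, so detached items need their own review when access is revoked.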
5.5 Attach
When a permission is added for a user or group at a parent folder, the same permissions (inherited permissions) will be added for its documents and subfolders. When the inheritance is cut, it is then possible to delete its permissions. If this was not intended, click on the action "restore inheritance" and the inherited permissions will be restored.
- In the folder or document, click on "Authorizations";
- In the item's permissions, click "Revert Inheritance". Inherited permissions will be reinstated.
5.6 Deny Permissions
To learn more about denied permissions, see the "Negative authorization" article.