Access Control
Electronic Content Management (ECM) users need to protect records from unauthorised change, access and deletion in a more ad-hoc manner than the security level and caveat security system enables them to do. This may be the case when a project team is composed of people in different organisational sections or when a document is developed and gradually more and more people are granted access to it.
Most organisations have a concept of information owners and therefore often want them to be, initially, the only people able to change Access Controls for new records.
In larger organisations, there is also a need to sub-divide control tables such as Classifications, Workflow Procedures and Record Types so that users can work within the confines of their responsibilities. This is often for reasons of usability rather than security.
For example, nobody wants to scroll through a list of one thousand Workflows to find the one that is relevant for their task.
Access Controls are easy to assign, configure and maintain. They are clearly visible to minimise the chance of people being inadvertently excluded from information.
Access Controls can be assigned when creating items and each time the item is edited to assist with a gradually increasing build/share process of information.
From the perspective of user management, multiple individuals can be assigned access to items, in which case they are listed as names.
Another, more streamlined method of assigning Access Control is through a group of users, in which case all members inherit access from the group.
Human Resources files illustrate the importance of Access Control by inheritance.
Typically, Human Resources files can be accessed by the Human Resources department, the staff member the file is about and the supervisor of the staff member - for this example, the Finance Manager.
When a new Finance Manager starts work, it would be too cumbersome to change the Access Control for each individual in the Finance department from the previous manager's name to the new manager's name. It is much easier to assign Access Control to the Finance Manager role and change the person who holds that role.
From the perspective of the items to be protected from access, it makes control easier if Access Control can be set as a default by copying it to the item at creation time.
Even more streamlined is the implicit inheritance of Access Control, without ever copying it to the individual item, but by referring back to a central control object.
This could be a group of documents in a folder or a group of folders assigned to a Classification or Record Type.
The advantage of implicit inheritance is that a change to the central control object takes effect on all items referring to it.
This can also be a disadvantage when the implicit inheritance is not immediately visible.
For user convenience, an additional access tool called View Rights is available to display the current user's permissions for the currently selected item.
See View Rights command.
You would use Access Control to assign control over specific items to specific users.
Access Control does not define who does not have access, but who does have access to certain objects and certain tasks.
You can grant access to any Content Manager Location - these include Positions, internal Organisations (Units), external Locations, Groups and more.
However, Access Controls only make sense for people who can log in to Content Manager.
You can issue a login and a login profile to any Location.
Access Control is based not only on the login, but also on all the other Locations a user is a member of.
For example, if a Location of type Person belongs to the default organisation Location Finance and Finance has access to certain objects, then the person inherits these access permissions.
In Content Manager, a Location of type Person can be a member of many Locations of type Organisation and Group.
When a record's Access Control Modify Record Access is set to Unrestricted, only users who are part of the Owner Location of the record can assign or modify Access Controls for that record.
When a record's Access Control Modify Record Access is set to specific Locations, only users who are part of these Locations can assign or modify Access Controls for that record.
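The inheritance through Locations and the Modify Record Access rules described above, modelled as an added example (not Content Manager code or its API; all class, function and Location names are constructed for illustration). It resolves a login's effective Locations transitively, shows the Finance Manager handover as a single membership change, and applies the Unrestricted and specific-Locations rules.

```python
# Simplified model of the rules described above; NOT Content Manager's API.
# All class, function and Location names are constructed for illustration.
from dataclasses import dataclass, field

UNRESTRICTED = "Unrestricted"

@dataclass
class Record:
    title: str
    owner: str                                   # Owner Location
    view: set = field(default_factory=set)       # Locations granted view access
    modify_access: object = UNRESTRICTED         # UNRESTRICTED or a set of Locations

class Directory:
    def __init__(self):
        self.member_of = {}   # Location -> set of Locations it directly belongs to
    def add_member(self, member, parent):
        self.member_of.setdefault(member, set()).add(parent)
    def remove_member(self, member, parent):
        self.member_of.get(member, set()).discard(parent)
    def effective_locations(self, login):
        # The login's own Location plus every Location it belongs to, transitively.
        seen, stack = set(), [login]
        while stack:
            loc = stack.pop()
            if loc not in seen:          # also guards against membership cycles
                seen.add(loc)
                stack.extend(self.member_of.get(loc, ()))
        return seen

def can_view(d, login, rec):
    return bool(d.effective_locations(login) & rec.view)
def can_modify_access(d, login, rec):
    locs = d.effective_locations(login)
    if rec.modify_access == UNRESTRICTED:
        return rec.owner in locs         # only members of the Owner Location
    return bool(locs & rec.modify_access)

def demo():
    d = Directory()
    d.add_member("Alice", "Finance Manager")     # Alice holds the role
    d.add_member("Carol", "Human Resources")
    hr_file = Record("HR file: Dave", owner="Human Resources",
                     view={"Human Resources", "Dave", "Finance Manager"})
    before = (can_view(d, "Alice", hr_file), can_view(d, "Bob", hr_file))
    d.remove_member("Alice", "Finance Manager")  # new manager starts:
    d.add_member("Bob", "Finance Manager")       # one change, record untouched
    after = (can_view(d, "Alice", hr_file), can_view(d, "Bob", hr_file))
    return before, after, can_modify_access(d, "Carol", hr_file), can_modify_access(d, "Bob", hr_file)
```

Because access is resolved through membership at check time, the previous role holder loses access in the same change that grants it to the new one, which is the property to verify when auditing role handovers.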