System Options Security page
IMPORTANT: If your organization or service provider has opted to use the Content Manager Administration client, not all Security options will be available in the Content Manager client. Options marked with a * will only be available in the Content Manager Administration client. See the Content Manager Enterprise Studio - Dataset setup and maintenance - Content Manager Administration client help for further information.
The Security page options affect the security features of Content Manager.
- Prevent retrieval of records that have a higher security profile - applies to metadata.
Select to turn on the security functions for searching. It is selected by default.
NOTE: When this option is turned off, users with lower security will be able to find records of a higher security but only get limited access to update metadata or attached documents.
- Prevent viewing or editing electronic documents for records that have a higher security profile - applies to attached documents.
Turns on the security functions for searching.
It is activated by default but is dependent on users having access to viewing the metadata of a record.
It enables a more detailed definition of what users are allowed to do when the previous option is turned off.
NOTE: When this option is not selected, then users - who can already view the metadata of records with higher security than they have - will be permitted to view or edit the attached document.
- When evaluating the 'From Container' access control, also check the security profile of the container - enabled by default. When a record has the access control 'From Container' selected, the records that are contained within the folder will inherit the container's security. Therefore, if the user does not have the required security permissions, they will not be able to find the container or its contained records.
Clear this option if you have a requirement to allow users to find records that are contained within a container they do not have security permissions to access.
- When updating record owner, update any access controls that are based on the owner - when enabled, if the owner location of a record is changed and the record has access controls that are based on the record owner, the access controls will also be updated to reflect the new owner location.
- Apply client record security, access and exclusions to all records for a client - all records for a client will inherit the client security and access control settings.
- Apply matter record security, access and exclusions to all records for a matter - all records for a matter will inherit the matter security and access control settings.
- When executing a record search, prefetch the result count - enable this option to automatically display the total number of records found in a search in the search title bar when the search is complete without having to use the Count option.
- Also prefetch an unfiltered result search count, allowing users to be aware of the number of records they cannot access - when this option is enabled, users will see the total record count as well as the number of records that are "locked", that is, the number of records they do not have access to.
- When changing Assignee, Home or Owner for a Record to a less secure Location - set the method of Location change when a selected record has a lower security classification than the Location.
See also Security breaches.
The options are:
- Ignore
- Display Warning - default
- Prevent
- When counting search results, ensure full security filtering is applied when displaying totals - this may result in a slower display because Content Manager will download the entire search result and will detect if more than a single level of View Metadata access control is in operation. Filtering will then be applied to obtain the final count.
- Scan incoming email messages for a security annotation - if the subject of a checked-in email contains a security annotation, e.g. [SEC=TOP SECRET, CAV=PERSONNEL], an attempt is made to match it to the security level and caveat settings defined in Content Manager. If no matching security level or caveats are defined in the database, Content Manager will simply ignore them.
- Content Manager also recognizes DLM (Dissemination Limited Marking), Accessibility or ACCESS as an alternative to CAV (CAVEAT). The EXPIRY and DOWNTO markups are not supported.
- Security Levels and Caveats are matched using either their full description or their abbreviation.
- Only a single Security Level is supported but multiple Caveat values are supported.
- If no matching active security levels or caveats are defined in the database, Content Manager will ignore them, that is, no security will be applied to the record.
- Checking in emails that have the Email protective marking standard - emails that carry the Email protective marking standard issued by the Australian Government, for example, x-protective-marking: VER=2012.3, NS=gov.au, SEC=Protected, CAVEAT=HRDocs, ORIGIN=toni.port@abc.gov.au, will be checked into Content Manager with a Security Level of Protected and have the HRDocs Caveat applied. If there is no marking in the email header but the email subject includes details such as [SEC=Protected, CAVEAT=HRDoc], the security level and caveats will be assigned from the email subject instead. If an email has both the x-protective-marking header and security details in its subject, the x-protective-marking security annotations take precedence.
- Scan incoming email messages for a security annotation should not be enabled when the feature Classified Security is enabled. See US DoD 5015.2 Chapter 4 classified security standard.
NOTE: When this option is selected, Web Client users who do not have Bypass Access Controls permissions will see a "Get Count" option on a search result list rather than the "x-y of z" count that is usually displayed.
- Scan documents for AIP security markings - select this option to scan all documents being checked into Content Manager for Azure Information Protection (AIP) security markings. When enabled, if a document with an AIP sensitivity label attached is checked in, Content Manager searches for a Security Level with the same name. If a match is found, it is applied to the document automatically at the time of check in. If a matching Security Level is not found, Content Manager searches for a matching Security Caveat. If a match is found, it is attached to the document.
If no Security Level or Security Caveat is found to match the AIP label, the default Security/Access settings will be applied to the record.
NOTE: The following are the file types and scenarios where this process does not work:
- Mail files, e.g. *.msg and *.eml formats
- Password protected documents
- If the AIP label was created with the option Encrypt files and emails enabled.
- If the document was created using an AIP label that limits access to the document to specific users or groups.
- This matching process is only applied for the first check in of the document. If the document is checked in again, the record's Security will not be updated automatically. If there is a requirement to modify the security for subsequent check ins, it will need to be done manually.
- Security annotations on outgoing email subjects - some organizations have a policy of including the security level and/or caveat in the subject of an email sent from Content Manager.
This option only applies when sending one record per email and does not apply to email sent by the Workgroup Server.
- Disabled - default - Content Manager makes no annotations to an outgoing email subject line
- Security Level - Prefix - inserts the security annotation at the beginning of the subject line
- Security Level and Security Caveats - Prefix - inserts the security and caveat annotation at the beginning of the subject line
- Security Level - Suffix - inserts the security annotation at the end of the subject line
- Security Level and Security Caveats - Suffix - inserts the security and caveat annotation at the end of the subject line
- Insert security annotations to email headers of outgoing email - select this option to include the Security Annotations within the email/Internet headers of outgoing email.
- Suppress the display of SQL inside client interfaces* - this will stop the SQL being displayed in error messages and hide the Database tab from the Activity log.
- Hide Records and Record Types for customized SDK applications from standard Content Manager interfaces* - select to enable an SDK developer to set a unique external ID on a Record Type, which will make this Record Type and all records created from it completely invisible in the Content Manager user interfaces.
This enables third-party developers to create applications that use Content Manager for the storage of their records and Record Types without a user being able to circumvent their application's special business rules by making changes through a Content Manager interface.
TIP: Additional information on the SDK can be found:
SDK Documents - https://content-manager-sdk.github.io/Community/
Samples - https://github.com/content-manager-sdk/Community/
- Create login and logout events when connecting from a web service* - not selected by default - determines whether logged on and logged off events are created when running within a Web Service.
For more information about Content Manager's Web Service capabilities, see CM23.4_WebService.pdf.
- Digital signature hashing algorithm* - the cryptographic message digest algorithm, as per the requirements that W3C (World Wide Web Consortium) recommends compliance with.
See CM23.4_Spec.pdf in the Content Manager installation folder for details about message digest algorithms:
- Secure Hash Algorithm - default - SHA is a one-way cryptographic function which takes a message of less than 18 quintillion (18,446,744,073,709,551,616) bits in length and produces a unique 160-bit fingerprint or message digest of the input
- Message Digest 5 - the algorithm takes as input a message of arbitrary length and produces as output a unique 128-bit fingerprint or message digest of the input
- Default declassification period (years) - sets the default period for items to be declassified. Only displays if US DoD 5015.2 compliance is enabled. For more information, see System Options Compliance page.
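
An added example (not Content Manager code) that models the matching and precedence rules described above for "Scan incoming email messages for a security annotation", so an administrator can predict which Security Level and Caveats a test message should receive. The level and caveat definitions, the function names, and the choice to use only the first SEC value are assumptions.

```python
import re
from email import message_from_string

# Constructed definitions (description -> abbreviation); a real dataset has its own.
LEVELS = {"PROTECTED": "P", "TOP SECRET": "TS"}
CAVEATS = {"HRDOCS": "HR", "PERSONNEL": "PERS"}
# Caveat keywords that appear on the page; EXPIRY and DOWNTO are not supported.
CAVEAT_KEYS = {"CAV", "CAVEAT", "DLM", "ACCESSIBILITY", "ACCESS"}
SUBJECT_RE = re.compile(r"\[([^\]]*\bSEC=[^\]]*)\]", re.I)

def _match(value, defined):
    """Match a value against a definition by full description or abbreviation."""
    v = value.strip().upper()
    for desc, abbr in defined.items():
        if v in (desc, abbr):
            return desc
    return None  # unmatched values are ignored, so no security is applied

def parse_annotation(text):
    """Parse 'KEY=value, KEY=value' into (level, caveats)."""
    level, caveats, seen_sec = None, [], False
    for part in text.split(","):
        key, sep, value = part.partition("=")
        key = key.strip().upper()
        if key == "SEC" and sep and not seen_sec:
            # Only a single Security Level is supported (assumption: first wins).
            level, seen_sec = _match(value, LEVELS), True
        elif key in CAVEAT_KEYS and sep:
            hit = _match(value, CAVEATS)  # multiple caveats are supported
            if hit and hit not in caveats:
                caveats.append(hit)
    return level, caveats

def classify(raw_email):
    """x-protective-marking header takes precedence over a subject annotation."""
    msg = message_from_string(raw_email)
    header = msg.get("x-protective-marking")
    if header:
        return parse_annotation(header)
    m = SUBJECT_RE.search(msg.get("Subject", ""))
    return parse_annotation(m.group(1)) if m else (None, [])

# Constructed sample message carrying both a header marking and a subject annotation.
SAMPLE = ("x-protective-marking: VER=2012.3, NS=gov.au, SEC=Protected, CAVEAT=HRDocs\n"
          "Subject: Review [SEC=TOP SECRET, CAV=PERSONNEL]\n\nbody\n")

if __name__ == "__main__":
    print(classify(SAMPLE))
```
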