Wednesday, February 16, 2011

Alfresco Test Day 7 - Authorizations - only authorized individuals can view portions, edit file plan and schedule

Today I test the authorization features of Alfresco, where users are given access based on their role. There's an instructional video in the Wiki under "Alfresco Records Management Administration Console", which I recommend to anyone with the Administrator role. In addition, "Try - Create Record Categories, Set Security and Configure Disposition Schedules" shows how to grant access to a category.

Individual series, categories, and folders can be configured to limit access. This allows business users to post their record content with the assurance that only those authorised can access the record. Here are the roles out of the box:

As a "Compliance Trial User" in the Alfresco cloud, I do not have access to the "Management Console".

  • I set up a new series and added permissions.

  • I added a new category under the series and gave a different permission to the category. I wanted to test what a user would view if they were NOT added to the series, but were added to the category. I gave this user "Read and File" privileges.
  • When I opened the folder, I found the user had been given the same access rights as the parent category. This is good; it will save a lot of administrative time.
  • As a test user, I am not able to check if the users given their various access rights indeed only see what they are supposed to.

I rate this test as a conditional PASS.
With my access rights, I am not able to test all access controls. The "Manage Permissions" feature was where I expected it to be and it performed as expected. It also appears that the permission choices I am given depend on the role assigned to the user.

Records Manager
  • If you have more than a hundred potential users, I recommend that access groups be set up to reduce the labour required to administer permissions (e.g. Science Faculty Group, Administrative Support Group, Human Resources Group). Granting rights to a group once, and then managing membership, is far less work than granting rights to each individual on each series, category and folder.
  • I say potential users, because even if you roll out Alfresco to a pilot group at first, organization wide implementation may quickly follow and you don't want to be caught flat-footed.
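The two behaviours that matter for administration are the inheritance observed in the test above (a user granted rights on a category, but nothing on the parent series, still sees the folders under that category) and the use of groups rather than individuals in access control lists. The following is an added example written for this post, not Alfresco's own code or API: the permission ladder, the user, group and container names are constructed, and the `inherit` flag that cuts inheritance from a parent is an assumption about how a records system might behave, included so the failure case (a folder that does not pick up its parent's rights) can be checked as well.

```python
"""Model of hierarchical file-plan permissions with inheritance and groups.

Added example for this post, not Alfresco code. Permission names, users,
groups and container names are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Hypothetical permission ladder: each entry implies everything before it.
LEVELS = ["Read", "ReadAndFile", "ReadAndFileAndEdit"]


@dataclass
class Container:
    """A series, category or folder in the file plan."""
    name: str
    parent: Optional["Container"] = None
    # authority (user name or GROUP_ name) -> permission level
    acl: Dict[str, str] = field(default_factory=dict)
    inherit: bool = True  # assumed flag: False cuts inheritance from the parent


class Directory:
    """Minimal user/group directory that supports nested groups."""

    def __init__(self) -> None:
        self.members: Dict[str, Set[str]] = {}

    def add_member(self, group: str, member: str) -> None:
        self.members.setdefault(group, set()).add(member)

    def authorities_for(self, user: str) -> Set[str]:
        """The user plus every group that contains them, transitively."""
        found = {user}
        changed = True
        while changed:
            changed = False
            for group, members in self.members.items():
                if group not in found and members & found:
                    found.add(group)
                    changed = True
        return found


def effective_level(node: Optional[Container], user: str,
                    directory: Directory) -> Optional[str]:
    """Highest level granted on node or, via inheritance, on an ancestor."""
    auths = directory.authorities_for(user)
    best: Optional[str] = None
    while node is not None:
        for authority, level in node.acl.items():
            if authority in auths and (
                    best is None or LEVELS.index(level) > LEVELS.index(best)):
                best = level
        if not node.inherit:  # stop walking up when inheritance is cut
            break
        node = node.parent
    return best


def can(node: Container, user: str, directory: Directory, needed: str) -> bool:
    """True if the user's effective level on node is at least `needed`."""
    level = effective_level(node, user, directory)
    return level is not None and LEVELS.index(level) >= LEVELS.index(needed)


def build_file_plan() -> Dict[str, Container]:
    """Constructed plan mirroring the test: series -> category -> folders."""
    series = Container("Science Series", acl={"GROUP_ScienceFaculty": "Read"})
    category = Container("Grants", parent=series, acl={"alice": "ReadAndFile"})
    folder = Container("2011 Applications", parent=category)
    restricted = Container("Reviewer Notes", parent=category, inherit=False,
                           acl={"GROUP_GrantReviewers": "ReadAndFile"})
    return {"series": series, "category": category,
            "folder": folder, "restricted": restricted}


def build_directory() -> Directory:
    """Constructed directory: one faculty group containing a nested group."""
    d = Directory()
    d.add_member("GROUP_ScienceFaculty", "bob")
    d.add_member("GROUP_ScienceFaculty", "GROUP_Physics")  # nested group
    d.add_member("GROUP_Physics", "carol")
    d.add_member("GROUP_GrantReviewers", "dave")
    return d


def report(user: str) -> Dict[str, Optional[str]]:
    """Effective level of one user on every container in the sample plan."""
    plan, d = build_file_plan(), build_directory()
    return {name: effective_level(c, user, d) for name, c in plan.items()}


if __name__ == "__main__":
    for u in ["alice", "bob", "carol", "dave"]:
        print(u, report(u))
```

Running the report for `alice` shows the case from the test: she has nothing on the series, "ReadAndFile" on the category, and the same on the folder purely by inheritance, but nothing on the folder whose inheritance was cut. `carol` is never named in any ACL and still reads everything under the series through the nested group, which is the effect the group recommendation above is after. The check a records manager would want before rollout is exactly this kind of per-user report, since the test user could not log in as the granted users to confirm what they see.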
Business User
  • Establishing access rights (permissions) lets you control who sees what, and who contributes where. 
  • Be prepared to list the initial categories/folders and the access rights required in your group and across the organization.
  • Controlling who has read rights lets you open files for viewing while ensuring they cannot be tampered with.
  • There are records that have corporate-wide value, so consider what folders you would grant read access across the business. 
  • Setting the controls and access in a structured system like this can reduce duplication and copying while improving security. Instead of sending a copy of a document on an unsecured e-mail system, you can provide a link. (The link is shown under the "Share" properties of every record.) The receiver must have the appropriate permissions, ID and password to access the document.
I tested compliance with the following requirements:
  • DOD 5015.2 C2.2.1.1 to C2.2.1.6, C2.2.2.1, C2.2.8.1, C2.2.8.5
  • MoReq 3.1.4, 3.1.25, 3.3.6, 3.3.7, 3.3.15, 3.3.16, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.6, 3.4.18, 3.4.19, 4.1.2, 4.1.3, 4.1.4, 4.1., 4.1.10, 4.1.11, 4.1.12, 4.1.13, 4.1.14, 4.1.17, 4.1.18, 4.1.19, 4.1.20
  • and relates to the GARP principle of Integrity.