ApplicationXtender’s Security Module is one of its best features and separates it from other Electronic Content Management solutions. This blog provides both summary and detailed descriptions of ApplicationXtender (AX) security features.
The ApplicationXtender (AX) suite provides a wide range of security and auditing features, allowing for flexible protection of electronic documents and data. The AX Audit Trail records such events as login, document viewing, emailing, printing, and numerous other events are tracked.
One of its most powerful features is Document Level Security. This controls if a person or a user group can or cannot view a record based on its metadata.
To further increase the power of AX’s security you can acquire ECM Toolbox’s AX and WF User Security Module – go to this page to view a great short VIDEO that demonstrates these reports. This module provides you a powerful and clean view of your users’ permissions and access. If you have ten or more AX Concurrent licenses you really should be using this module.
ApplicationXtender Security
Application-level security grants group access to AX applications, which can also be referred to as Electronic Filing Cabinets (EFC). You can develop various EFC’s for each business area based on the assessment of needs for storage, security and retrieval. For example, a specific AX application can be built to store the Human Resources department images. One or more groups can be granted access to this EFC using application-level security. Profiles are created to grant access to specific applications or to all applications.
Global security profiles can be established to automatically assign a uniform set of access privileges for a group each time a new application is created. When a global profile exists for groups, the privileges assigned in that profile are automatically assigned for each application created.
Application security profiles, like global security profiles, allow you to grant a particular set of privileges to a group. You can define different privileges for each application. One group may have full privileges in a human resources application, for instance, but only display privileges in a payroll application.
Application-specific security settings override global security settings. For example, if a group of users has privileges to create documents in their global profile, and an application-specific profile is set up (for this group) that does not have create document privileges, the users will not be able to create documents in the specific application.
Functional Security
Within each security profile, you enable privileges to perform AX functions. You can control the activities of users within applications by granting privileges only for the functions needed. Each security profile contains privilege settings for a variety of user functions, such as creating, modifying, and deleting applications, and scanning and printing documents. There are also settings for accessing commands on certain menus, such as Image Enhancement. For example, if a group cannot delete documents, the privilege to use this feature remains disabled in the security profile.
Document Security
With the Document Level Security feature, AX administrators can protect particular documents in an application from access by unauthorized users or can allow users access to only particular documents in an application. AX uses a document’s index values to achieve this protection. You can mark particular fields in an index as Document Level Security fields when an application is built. You can mark particular values in those index fields as inaccessible or accessible to groups of users. If a marked value is found, AX either grants or denies access to the document with that index value based on the settings configured in the Document Level Security function.
In order for Document Level Security to be used for a field, you must enable the Document Level Security field flag during the field definition portion of application creation. To assign secured values, you form an association between a particular Document Level Security enabled field and a particular group of users, and then assign values for that field that either allow or deny the particular group of users access. Document level security can be used to prevent a user from viewing certain documents in an application, assuming they have display privileges in that application.
Security Limitations
Maximum Groups per database is 250,000
Maximum Users per database is 250,000
Implementing Security in AppXtender Admin
The ApplicationXtender (AppXtender) system provides a range of security features, allowing for flexible, easy-to-administer data protection. AppXtender Admin allows you to specify credentials for various AppXtender server authentication accounts, specify a security provider for each data source, change encryption, and configure timestamps for digital signatures. Using the User and Group Security functions in the AppXtender AppGen module, you can define global or application-level security settings for individual users or for groups of users. These security settings, called privileges, govern the ability of a user or group of users to access functions in AppXtender.
Through the Document Level Security function in the AppXtender AppGen module, particular documents can be made accessible or inaccessible to groups of users based on index values attached to the documents. Annotation groups allow you to control users’ access to specific annotations.
Using Directory Services for User Authentication
The AppXtender software has two pre-packaged security providers for authentication, CM and Windows, which allow you to import users and groups from Windows. You can also create a directory service security provider that allows you to import users and groups from an LDAP directory service.
Implementing Group Security
An AppXtender system administrator can create or import a group of users to grant the same security settings to all of the members of the group. Groups can be used to assign global and application-level security settings (by configuring group security profiles) or to protect documents from access at the document level.
Group security, like user security, uses profiles to assign privileges in AppXtender, but privileges assigned to a group apply to all members of the group, rather than a single user. The privileges to perform functions in AppXtender, such as adding documents, printing, and creating and modifying applications, are assigned in security profiles. By creating group security profiles, you can easily assign the same privileges to all of the members of a group.
Group security profiles, like user security profiles, can be used to grant privileges to all applications in the data source, or to assign privileges to a specific application. A global security profile allows the members of the group to access the AppXtender functions enabled in the profile in all AppXtender applications. An application security profile allows the members of the group to access the functions enabled in the application to which the profile applies.
Groups are also used when assigning Document Level Security (DLS) settings. You associate a group with an index field and assign values for that field that either grant or deny access to documents.
| This privilege | Grants This Ability | Required Co-Privileges |
|---|---|---|
| Scan/Index | The user can perform online indexing of scanned documents. | Add Page |
| Enhance Pages | The user can perform image enhancement functions such as deskew, inverse text correction, and dot shading removal. | Add Page and Display |
| Batch Scan | The user can perform batch creation functions, and use Batch Create and Batch Import. (The Batch Scan and Add Page privileges are both necessary in order to perform these functions in AppXtender Document Manager. Only the Batch Scan privilege is necessary in order to perform batch creation functions in AppXtender Image Capture). | |
| Batch Index | The user can perform batch indexing. | Add Page |
| Modify Index | The user can modify the document indexes. | Display |
| Display | The user can display documents. This privilege also allows ODMA users to open documents in read-only mode. | |
| The user can print, fax, email, or export pages or documents in AppXtender Document Manager (and can print and fax pages in AppXtender Image Capture). The user can also cut pages, copy pages, or copy text from documents. (The Print and Display privileges are both necessary in order to email, export, copy pages, or copy text. The Print, Display, and Delete Page privileges are all necessary in order to cut pages). | ||
| Configure WS | The user can access all tabs of the AppXtender Document Manager or AppXtender Image Capture Configuration dialog box. (The user can always access the View, Display, Fonts, and Scan tabs of the AppXtender Document Manager Configuration dialog box and the View, Display, and Scan tabs of the AppXtender Image Capture Configuration dialog box). | |
| Delete Doc | The user can delete documents in the application, including those marked as final revisions. This privilege also allows ODMA users to delete document revisions. | |
| Delete Page | The user can delete pages in the document. This privilege also allows ODMA users to check in and replace the current document revision. (The Delete Page and Display privileges are both necessary in order to perform these functions). | |
| Add Page | The user can add pages to documents in the application. (The Add Page and Display privileges are both necessary when adding pages to existing documents). This privilege also allows ODMA users to check in, check out, and save documents. | |
| Create App | The user can create new applications. | |
| Modify App | The user can modify existing applications. | |
| Delete App | The user can purge or delete applications. | |
| Migrate App | The user can perform application migration. | AppXtender Adminstrator |
| COLD Import | The user can perform COLD/ERM extracts. | |
| COLD Import Maint | The user can maintain COLD/ERM extract definitions. | COLD Import |
| Cold Batch Extract | The user can perform COLD/ERM batch extractions. | |
| Administrator | The user can: • Access ApplicationXtender Administrator • Change the license configuration in Application Generator • Access in AppXtender any applications with names that begin with an underscore (_), such as _FORMS or _RSTAMP. • Reset a batch in AppXtender Document Manager or AppXtender Image Capture. • Create, modify, or delete custom data types and custom data formats. • Use the Archive Wizard or AppXtender Migration (The Migrate App and AppXtender Administrator privileges are both necessary in order to perform this function). • Use the Full Text Indexing Wizard. • Delete documents filed for RM retention. Documents filed for retention cannot be deleted until the retention period has expired. | |
| Multiple Logins | The user can log into AppXtender from different workstations simultaneously. | |
| DLS Maint | The user can configure the Document Level Security tab for an application in AppXtender AppGen. | |
| Key Ref Maint | The user can configure the Key Reference File Setup tab for an application in AppXtender AppGen. | |
| Auto Index Maint | The user can configure the Auto Index Import Setup tab for an application in AppXtender AppGen. | |
| User Security Maint | The user can maintain user security. This privilege is required to access the Users, Groups, and Annotation Groups nodes in AppXtender AppGen and to change the security provider. | |
| Key Ref Import | The user can import Key Reference files. | |
| Auto Index Import | The user can import Auto Index files. | |
| Index/Image Import | The user can configure the Index/Image Import Setup tab for an application in AppXtender AppGen, and can import Index Image files. | |
| Create Annotations | The user can add annotations. | Display |
| Edit Annotations | The user can edit, delete, or hide the annotations created by the same user. | Display |
| Create Redactions | The user can add redactions. | Create Annotations and Display |
| Edit Redactions | The user can edit, delete, or hide redactions created by the same user. | Edit Annotations and Display |
| Global Annotations | The user can add annotations; can edit, delete, or hide annotations created by other users, and can view the text of text annotation icons created by other users. In addition, if Edit Redactions is selected, the user can add redactions and can edit, delete, or hide redactions created by other users. | Edit Annotations and Display |
| Full Text Index | If the Allow full-text option on the AppXtender Document Manager Configuration dialog box Full Text tab is enabled for the workstation, the user can submit documents in the application to the AppXtender Index Server for full-text indexing. If you enable or disable the Allow full-text option, you must restart AppXtender Document Manager for the change to take effect. | |
| Full Text Query | If the Allow full-text option on the AppXtender Document Manager Configuration dialog box Full Text tab is enabled for the workstation, the user can perform a full-text search for documents in the application. If you enable or disable the Allow full-text option, you must restart AppXtender Document Manager for the change to take effect. (The Full Text Query and Display privileges are both necessary in order to view the results of the full text search). | |
| OCR | If the Allow OCR option on the AppXtender Document Manager Configuration dialog box OCR tab is enabled for the workstation, the user can process documents in the application with optical character recognition (OCR). If you enable or disable the Allow OCR option, you must restart AppXtender Document Manager for the change to take effect. | |
| PAL User | Public Access Licenses are used when you are using ApplicationXtender Web Access in combination with AppXtender Desktop to make AppXtender documents available over the World Wide Web or over intranets. If this privilege is enabled, the user’s privileges are restricted when using ApplicationXtender Web Access. The user can only access AppXtender documents in read-only mode using the AppXtender Web Thin Client. (A user with the AppXtender Web PAL User privilege cannot log into any other AppXtender component, regardless of the other privileges in the user security profile). | |
| Report View | Allows the user to query AppXtender applications specifically for and view reports generated by AppXtender Reports Mgmt. | Display |
| Retention Administrator | Enable and configure retention, either AppXtender software-based or EMC Centera, for an application. In addition, if retention is enabled for the AppXtender application, the user can perform the following retention-related tasks: • File a document for retention using any policy defined for the application. • Place and remove a retention hold. • Manage expired documents under Retention. | Display Delete(delete expired documents) |
| Retention User | If retention is enabled for the AppXtender application, the user can file a document for retention. | Display |
Implementing Document Level Security
ApplicationXtender offers a powerful security feature, called Document Level Security (DLS), which pinpoints user access within an AppXtender application. With DLS, you can deny a group of users access to any classified or sensitive document(s), without restricting access to other documents in the application. DLS can also be configured to grant a group of users access to only a specific set of documents in an application. In AppXtender, documents are catalogued for retrieval at the time they are stored by attaching an index record containing values for each of the application’s index fields. Document Level Security is implemented by creating an association between an index field and a group of users and then creating a list of secured field values that are either accessible or inaccessible to that group of users.
When a member of the group searches for a document in the application, AppXtender checks the search criteria values against the secured values in the list and grants or denies access based on whether or not the values match. Document Level Security can also be implemented using wildcards and keywords.
Implementing Annotation Groups
You can use privileges to apply annotation-related security measures. However, if you want to control users’ access to specific annotations, you must use annotation groups. Annotation groups allow you to create associations between users, groups, and specific annotations. You can specify which users and groups can view or modify specific annotations, and which users and groups can hide or modify specific redactions.
| To Give the User This Ability | Enable These Options |
|---|---|
| View all annotations in the current annotation group | Annotations > View |
| Create annotations | Annotations > View Annotations > Create |
| Edit one’s own annotations in the current annotation group | Annotations > View Annotations > Edit |
| Edit all annotations in the current annotation group | Annotations > View Annotations > Edit Global Edit |
| Hide all redactions in the current annotation group | Redactions > Hide |
| Create Redactions | Annotations > View Annotations > Create Redactions > Hide Redactions > Create |
| Edit one’s own redactions in the current annotation group | Annotations > View Annotations > Edit Redactions > Hide Redactions > Edit |
| Edit all redactions in the current annotation group | Annotations > View Annotations > Edit Redactions > Hide Redactions > Edit Global Edit |