Permission and Role Considerations for Enterprise Workspaces

Use

This topic discusses the security aspects related to workspace access, permissions, and roles that you need to consider when implementing enterprise workspaces.

Controlling Access to Workspace Content

Workspace permission policies determine the different levels of access to a workspace. Workspace managers must consider the nature of the content in the workspace and make sure that all of the workspace members are authorized to view or access this content.

When a module template is made available in enterprise workspaces, its underlying application becomes exposed to all users who have access to the workspaces. Certain applications, such as SAP back-end applications, perform their own permission checks and deny access to unauthorized users, but this is not the case with all applications.

If you have accidentally created a module template that exposes sensitive content to all users, delete this template to ensure that the module is not used in any workspace.

To control exposure of sensitive content, define the users who can add this module to workspaces, and instruct these users to restrict access to their workspaces.

Assigning Workspace Administration Roles

The operations performed by workspace administrators are similar to those performed by portal administrators and thus require the same level of permissions. Some of the operations, such as transport or service configuration, require the permissions of a portal system administrator. Therefore, we recommend assigning workspace administration roles only to users who have the respective portal administration roles.

Roles and Permissions of Workspace Members

Workspace roles and personas define the permissions and activities of the workspace members.

Reassigning Workspaces

When reassigning workspaces, the workspace owner must make sure that the new owner has the required permissions to access the content of the workspace.

When a workspace is reassigned to a new owner, the previous owner and all workspace managers receive an e-mail notification regarding the new assignment. This is done to ensure that a potential unauthorized ownership change does not go undetected.

Search

  • When a user performs a search, the search results include only the content for which the user has permissions.

  • All workspace content is stored in the search engine (TREX) in a textual format; therefore, TREX administrators can see the content even though they do not have permissions for it.