Security Managers

Use

In Knowledge Management, security managers ensure the protected access of repository content.

If you specified a security manager when configuring a repository manager, permission checks take place when users access folders and documents. A user who does not have the requisite permissions cannot access the objects in question.

Integration

You can specify a security manager when you configure a repository manager.

Features

The following security managers are contained in the standard delivery.

  • ACL Security Manager

    Manages the ACLs for resources in the database and can be used for all repositories.

  • Archiving Security Manager

    Manages access to the data stored in the KMC archiving store.

    The Archiving Security Manager is preconfigured in the standard delivery. It provides super administrators and content administrators with read access to archived KMC data stored in the archiving store. To modify the default configuration, specify the roles for which you want to provide read access to the archiving store in the Roles with Archive Access parameter field. The role specification must be formulated as follows: <Location>/<Role_ID>

    Use this security manager for archiving file system repository managers and archiving WebDAV repository managers.

  • Attachment Security Manager for Collaboration and Collaboration Security Manager

    These are enhancements of the ACL Security Manager that create specific limitations for access permissions to collaboration data stored in the repositories /attachment and /collaboration.

    • A portal user has the same access permissions for attachments as for the original resource to which the attachments apply.
    • The access permissions for collaboration data are set as follows: A portal user with read permission for the original resource has write permission for dependent collaboration data. A portal user with write permission (service permission Collaboration) for the original resource has administrator permissions for the dependent Collaboration data.
  • Collaboration Security Manager Restricted

    Used on a project basis for virtual rooms.

    The security manager is used for limited access to collaboration resources (discussions, comments, and feedback) with the service permission Collaboration (see Defining Service Permissions). Only users with this service permission can delete Collaboration resources.

  • BW Document Security Manager

    It establishes a connection to the BW system and checks whether permissions for displaying or changing documents exist.

  • BW Metadata Security Manager

    It establishes a connection to the BW system and checks whether permissions for displaying metadata exist.

  • Reporting Repository Security Manager

    Used by the reporting repository manager /reporting.

    This security manager does not check access permissions itself; it passes on this task to the security manager entered in the configuration of the CM repository /reporting_backend.

  • Task Security Manager

    Manages access permissions for tasks (in the CM repository /tasks) within and outside of Collaboration rooms. Portal users that use tasks outside of Collaboration rooms have full access permission as the owner or assignee of the tasks in question. This means that they can create, edit, and delete tasks. The access permissions are set as follows for tasks in Collaboration rooms: Room members who are owners or assignees of tasks have full access (creating, editing, deleting). Room members who have no involvement in the tasks have only create and delete permissions. This means that tasks can also be processed in cases of absence.

  • WebDAV ACL Security Manager

    Security manager used for the ACLs of the remote server.

    It should only be used for WebDAV repository managers for which the remote server is also a portal with KM installed.

  • Web Security Manager

    If a Web site is accessed using a Web repository, the Web server carries out the permission check. However, text snippets in the search results list and HTML preview of documents are located outside the Web server in CM. When a security manager is being used, users without permission to read a document cannot see text snippets in the search results list or the HTML preview for the document in question.

    It should only be selected for Web repository managers whose content is indexed and can be searched. This security manager should not be implemented in scenarios in which searching in Web repositories is not planned.

    Note

    Using this security manager can considerably hamper performance, since additional requests are sent to the Web server. You should therefore check that you need to use it and only implement it if the additional security really is required.

  • W2k Security Manager

    This security manager uses ACLs from WINDOWS NTFS. It can be used for file system repository managers and CM repository managers that use the FSDB persistence mode.

    It can be implemented alongside the following versions of the WINDOWS operating system:

    • Windows Server 2003
    • Windows XP
    • Windows 2000

    If using a portal on UNIX, you have to store a document in the configuration of the security manager, containing the following domain information for all WINDOWS remote servers that you access using file-system repository managers:

    Parameter: Domain File

    Required: No

    Description: Specifies a text file containing the name of domains and IP addresses of relevant domain controllers.

    It contains information on every domain in which remote servers that you access using file-system repository managers are being used.

    These specifications are necessary so that permissions of users that exist on the WINDOWS remote servers are taken into account in the UNIX system.

    The entries must have the following syntax:

    <name of the domain>=<IP address of the corresponding domain controller>

    The file can be stored under any name in any directory on the UNIX portal server.

    For example:

    /files/companydomaincontrollers.txt

    The following entries are contained in the file:

    COMPANY_DOMAIN_A=192.168.32.51

    COMPANY_DOMAIN_B=192.168.70.12

    COMPANY_DOMAIN_C=192.168.86.16
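A check of the domain file syntax described above, written as an added example and not part of the SAP documentation or product. It assumes that blank lines are ignored and that domain names compare case-insensitively; the function name and the second sample are constructed for illustration.

```python
import ipaddress

# Entries shown on the page for /files/companydomaincontrollers.txt
PAGE_SAMPLE = """COMPANY_DOMAIN_A=192.168.32.51
COMPANY_DOMAIN_B=192.168.70.12
COMPANY_DOMAIN_C=192.168.86.16
"""

# Constructed sample with typical mistakes (not from the page)
BAD_SAMPLE = """COMPANY_DOMAIN_A=192.168.32.51
COMPANY_DOMAIN_D=192.168.300.7
COMPANY_DOMAIN_E
company_domain_a=192.168.32.99
COMPANY_DOMAIN_F=0.0.0.0
"""


def parse_domain_file(text):
    """Return (mapping, problems) for '<domain>=<IP address>' lines."""
    mapping, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # assumption: blank lines are ignored
        name, sep, addr = (part.strip() for part in line.partition("="))
        if not sep or not name or not addr:
            problems.append((lineno, "expected <domain>=<IP address>"))
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            problems.append((lineno, f"invalid IP address {addr!r}"))
            continue
        if ip.is_unspecified or ip.is_loopback or ip.is_multicast:
            problems.append((lineno, f"{ip} is not a usable host address"))
            continue
        key = name.upper()  # assumption: domain names compare case-insensitively
        if key in mapping:
            problems.append((lineno, f"domain {name} listed more than once"))
            continue
        mapping[key] = str(ip)
    return mapping, problems


if __name__ == "__main__":
    for label, text in (("page sample", PAGE_SAMPLE), ("bad sample", BAD_SAMPLE)):
        mapping, problems = parse_domain_file(text)
        print(label, mapping)
        for lineno, message in problems:
            print(f"  line {lineno}: {message}")
```

Running it against the domain file before referencing the file in the security manager configuration surfaces entries that would otherwise leave a domain without a resolvable domain controller.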

 

The configuration of some security managers contains the following parameter for the JAVA class used for displaying permissions:

Parameter: Permission Rendering Class

Required: Yes

Description: Specifies the Java class used to render the window in which the permissions are displayed.

To call up this window, choose Settings → Permissions in the Details dialog box for a resource.

Activities

To call up the configuration of the security manager, choose System Administration → System Configuration → Knowledge Management → Content Management → Repository Managers → Show Advanced Options → Security Manager.