What are the recommended settings for allowing users to mover documents between containers RM 8.1

RM 8.1.1.7919

We have a number of datasets with varying configurations and we are trying to find the best generic configuration of user permissions to allow records coordinators to move their documents to other containers where needed but have so far found that giving administration access and unticking pretty much everything else is the simplest solution

Are there any guidelines of how to do this effectively it seems to be amazingly complicated opaque and frustrating 

Parents
  • I've always recommended keeping it as simple as possible. No security on anything without a demonstrated business need. It's a double-edged sword with HPRM - the ability to configure it to satisfy pretty much any security/access requirements an organisation may dream up, and hence the temptation to want to use all the options it provides and make it 'amazingly complicated, opaque and frustrating'. Moving documents between containers is one of the more complex scenarios and hence to the untrained eye can seem overly restrictive, but that depends largely on your configuration. At the core of HPRM's business rules in this scenario is the need to prevent circumvention of the security/access restrictions imposed by the organisation. If a document's access is controlled by the container into which it's put, then moving a document to a different container can result in access to that document changing. So the user attempting to make the change must have permission to do so. Other records management rules also come into play here, such as the user's permission (or lack thereof) to 'Destroy' the document based on access controls. Again, if being a little over-prescriptive with the document's access controls (rather than trusting the user permissions to take care of this), it will complicate things further. The best approach begins with deciding what's the simplest way to apply security levels/caveats/access control to your records to achieve the desired result. Once you've done that, you can make decisions on how to permit moving documents between containers.
  • Thanks Neil 

    I think you have summed it up well. Our datasets have become somewhat complex and subject to many different interpretations on how best to use security and apply access controls. We are embarking on the process of trying to impose some common structure across all of these so that things can be made simpler in the long run.

    So any observations around how best to approach making thing simpler and easier to maintain in the long term would be welcome to hear

Reply
  • Thanks Neil 

    I think you have summed it up well. Our datasets have become somewhat complex and subject to many different interpretations on how best to use security and apply access controls. We are embarking on the process of trying to impose some common structure across all of these so that things can be made simpler in the long run.

    So any observations around how best to approach making thing simpler and easier to maintain in the long term would be welcome to hear

Children
  • I guess what I was really after was a check list of all the things that mean that a user will not be able to move a document from one container to another so for example given the default user permissions of the Records Co-ordinator which has the 'Change Container' permission then what would prevent me from moving a document from one container to another

    Security Levels and caveats 

    Access Controls directly restricted for this user on the Document or its Container 

    If I have a document that gets it's access control based on Container and these are all set to everyone

    and I can see the document and it's container so security isn't an issue

    then if the Owner location for the Container of the document I want to move is not one I am a member of then I still won't be able to change its container.

    So really the simplification here would be to set all records Default Owner location to be the Top Level organisation that all others descend from. Would this work to prevent this happening (except explicitly for those records that we don't want them to move). Would I inherit the ability to move records if I were a Member of a sublevel of this Top Level. Or do I have to explicitly make all (these) users a member of the Universal owner location? and what would be the implication of that?

  • Verified Answer

    One thing to remember is to look at Details - View Rights when you come across a situation where a user can't change a document's container. This will show the reason or reasons why it's not allowed. The user attempting to make the change needs to satisfy all the current access control restrictions on the document they're trying to move to a different container. Importantly, the access controls on the destination container are not taken into account, i.e. it doesn't matter if they're set to 'Everyone' on both (such a comparison test would add an extra processing overhead and is an enhancement under consideration for a future release). As long as you're a member of the nominated organisation/group/position or one of its sub-locations you should have that access control permission.
  • Hi Gunjo, I don't know if this helps.  For one record type we set the default Owner Location to our organisation, so that all users can change the container (if they have the necessary access permissions, security caveats & permissions).  No user is a member of the organisation directly but everyone belongs to sub-group that is a member. 

    It works well most of the time, but people can't change from one container to another unless they have suitable access controls on both.  

    The record type we do this for is used for incoming correspondence where its not 100% clear who will ultimately deal with it.

    However for the rest of our record types users can't change the container unless the Owner Location is explicitly set to their business unit.  That works fine because of the way the relevant business processes work.