Thanks, but this user does not have that option checked in his profile

Just one user?

CHeck the right mouse click > security and access and see if they have access to copy the document.

If that doesn't make things clear you should log a support case for investigation 

Thanks,

well, all users with that user type profile (I tested it with my other colleague) , and they do have right to COPY document (Right click view access rights) ... How we can determine from which permission (feature) this permission to COPY record came so that we can turn it off?

Regards

Also, i checked the settings in Production environment, (TRIM 8.3 records manager) and that user type also does have the - right click view access options thing and COPY permission is there, but, but, when i wanted to do the same thing , e.g. to find the protected document where on a double click i can only see the metadata and then do the select document - New - Copy records, i could not copy that record and electronic document, the error popped up saying you do not have the right to view that document .....!!!

Then I checked the CM9.3 testing environment and realise the difference:

In PROD 8.3 we have a TRIM Corporate FILE/Container with access settings without me/that user there and the same access is replicated on the ALL documents within that restricted File

On the contrary, although in CM9.3 dataset we have a TRIM Corporate FILE/Container with access settings without me/that user there and the same access is NOT, NOT replicated on any of documents within that restricted File/Container ....

The 4th category of access level settings "Update Records Metadata" on a restricted File/Container is set to a certain group of users , but on the documents within that restricted file the "Update Records Metadata" is set to UNRESTRICTED?????? to all documents ....

How is that possible?

I thought, this is an isolated case, but all our restricted files that are copied from PROD into the test environment now have documents with the 4th category of access level settings "Update Records Metadata"   set to UNRESTRICTED?????? 

Security Level Filter conversion?

Or what is aheppening here? is this the reason why these users can do the COPY of the electronic docs from restricted files to unrestricted?

Any comments appreciated.

Did you run the Security Filter Conversion on the CM 9.3 test environment post schema upgrade?. 

I think my colleagues are running it now ...thanks... We shall see if that will fix the situation....

There is a database timeout at the moment, can't connect to the dataset.... SQL state consequently HYT00,0

Hi, some updates, but not as expected ...

the security filter conversion process failed after 15 hours :

SecurityFilterConversion(containersStage): (SERVER ADDRESS here)  Tuesday, 12 February 2019 at 18:08:06 GMT (Wednesday, 13 February 2019 at 02:08:06)
18:08:06:502       CC  3420                 5792    46683789             SecurityFilterConversion(containersStage) Consumer thread processing stopped after 893970 items were processed, **** failed with error: Content Manager Workgroup Server on 'wgs server xxxxxxx' reported an error. The SQL Dataset has reported a timeout.
Details: [Microsoft][ODBC SQL Server Driver]Query timeout expired
SQL state and native error code are consecutively  HYT00 , 0

-

Also, i have checked the situation in our other DEV environment CM9.3.1.300 where, as i had information the security filter conversion has been done successfully , and the results are also not good, the average TRIM user can copy secured document into the unsecured file together with electronic document and then see it...

so, maybe, the issue is in some other permission ...?

I'm getting this behaviour, too, in CM 9.2.  It would appear that a user with the Create Record permission (in other words, any user above Inquiry level) has Copy Record access. 

We control this by applying access controls which prevent unauthorised users from viewing the metadata of any restricted record.  Our reasoning is that unauthorised users can deduce a fair amount just from the title of a record without viewing the actual document e.g. misconduct investigations, etc.   Therefore, for security purposes, we don't even let them know that the record exists.

Thanks, it looks like that ..........., the logic seems to be on your side 🙂

However, in our production system which is still 8.3 patch 2 when i try to replicate the situation (as I was concerned whether that case / behaviour exist already) and the results are negative, the error popped up saying that the protected document cannot be copied as the user does not have the "View document" permission .... so i could not make a copy (including the electronic document) of secured document into the unprotected file/container, as expected.

Obviously, the user does not have the view permission in that secured file / secured document.... user can only see the metadata ....

Somehow, in CM 9.3.1.300 or even before as you indicated, that error / warning popup is not happening for some reason...

The Micro Focus developpers are currently investigating the support case we made yesterday, and in the same time, I am also doing additional checks to see what is changed from 8.3 to 9.3 ...

Regards

Hi - is this a security bug in CM9.3.1.300? Thanks.

Yes, you can say that, but there are few hotfixes that have resolved this issue, I can confirm it.

cheers

We're on 9.31 build 300 and not going to 9.4 (I've read about deployment issues).  I'll check w/ support. Thanks.