DrawMGT - Security Exceptions
2011.04.15, AH&TN
Introduction
DrawMGT Security Exceptions can be used to grant read access to comments/tasks and revisions to users who would not normally have access under their normal user roles. Security exceptions must be used carefully, because they bypass the normal access rules.
The exact rules governing the comment/task types and link types to which security exceptions can be applied are defined in the system configuration and are documented below.
The prerequisites for granting a security exception are:
- The target users, to whom access is to be granted, have valid logins in any contract
- The comment/task is not obsolete and has a specific type
- The revision is linked, with a specific link type, to a comment/task with a specific type
- The user is on the subscriber list of the comment/task
The list of link types is defined in the system configuration. For the Linthal project they are:
Comment/task type: AUBE
Link type: all
User Procedure
Creating a Security Exception
There are two ways to create a security exception.
- Creating a security exception to grant access to a single revision:
  - In the Document Detail screen, push the button 'New Comment' at the bottom of the screen, then select the appropriate link type, typically SecExp
  - Enter the new comment/task and assign the appropriate type
  - Add the desired users to the subscriber list of the new comment/task
- Creating a security exception to grant access to multiple revisions:
  - Place all the desired revisions in the document basket
  - Create a new comment/task with the appropriate type (typically KOOR)
  - Add the desired users to the subscriber list of the new comment/task
  - Link the document basket to the new comment/task, selecting the appropriate link type (typically SecExp)
How To Use Security Exception
If a user is granted access to comments/tasks or revisions via a security exception, he will not be able to view any of these items in search results or document or task lists.
The comments/tasks are visible to the user only via the URL contained in the automatically generated email sent to the user as a subscriber to the comment/task (Note: this statement must be confirmed).
The revision itself can only be viewed via the link in the list of documents attached to the comment/task.
System Configuration
The security exception configuration has two parts:
- Configuration of the list of comment/task types to which security exceptions can be applied
- Configuration of the link types to which security exceptions can be applied
The definitions can be configured to include one, multiple or all types. This means that it is possible to completely disable security exceptions, or to allow security exceptions to function over all comment/task and/or link types.
The Linthal project has a strict definition where one must define both a specific task/comment type (KOOR) and a specific link type (SecExp).
Configuring Security Exception Comment/Task Types
The setting $_CFG[ 'SecurityException' ][ 'CommentTypes' ] determines the comment/task types required for the security exception. E.g. the following setting allows only comment/task type "KOOR" to be used in a security exception:
$_CFG[ 'SecurityException' ][ 'CommentTypes' ] = array( CommentTypeRef_KOOR );
The default setting is an empty array, which means no security exceptions are allowed. The example above is from the Linthal project site settings.
Configuring Security Exception Link Types
The setting $_CFG[ 'SecurityException' ][ 'RefTypes' ] determines the reference types required for the security exception. E.g. the following setting allows only reference type "SecExc" to be used to grant security exceptions:
$_CFG[ 'SecurityException' ][ 'RefTypes' ] = array( ReferenceTypeRef_SecExc );
The default setting is an empty array, which means all link types allow security exceptions. The example above is from the Linthal project site settings.
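The two defaults behave in opposite ways: an empty CommentTypes array disables security exceptions, while an empty RefTypes array accepts every link type. The sketch below is an added example, not DrawMGT source code, that applies the documented rules to one comment/task so the effect of each setting can be checked. The function name, the constant values and the sample data are assumptions made for illustration, and the login prerequisite is not modelled.

```php
<?php
// Added illustration, not DrawMGT source. Constant values are constructed.
const CommentTypeRef_KOOR = 1;
const ReferenceTypeRef_SecExc = 10;
const ReferenceTypeRef_Other = 11;   // hypothetical second link type

// Hypothetical helper: does this comment/task grant $user read access
// to a revision linked to it with $linkType?
function securityExceptionApplies(array $cfg, array $comment, int $linkType, string $user): bool
{
    $commentTypes = $cfg['SecurityException']['CommentTypes'] ?? array();
    $refTypes     = $cfg['SecurityException']['RefTypes'] ?? array();

    // Empty CommentTypes matches nothing: security exceptions are disabled.
    if (!in_array($comment['type'], $commentTypes, true)) {
        return false;
    }
    // Empty RefTypes matches everything: any link type may carry an exception.
    if ($refTypes !== array() && !in_array($linkType, $refTypes, true)) {
        return false;
    }
    // An obsolete comment/task grants nothing.
    if ($comment['obsolete']) {
        return false;
    }
    // Only users on the subscriber list are covered.
    return in_array($user, $comment['subscribers'], true);
}

// Constructed sample data.
$task = array('type' => CommentTypeRef_KOOR, 'obsolete' => false, 'subscribers' => array('alice'));
$strict = array('SecurityException' => array(
    'CommentTypes' => array(CommentTypeRef_KOOR),
    'RefTypes'     => array(ReferenceTypeRef_SecExc),
));
$anyLink = $strict;
$anyLink['SecurityException']['RefTypes'] = array();
$disabled = $strict;
$disabled['SecurityException']['CommentTypes'] = array();

$cases = array(
    'strict, SecExc link, subscriber'     => array($strict, ReferenceTypeRef_SecExc, 'alice'),
    'strict, other link, subscriber'      => array($strict, ReferenceTypeRef_Other, 'alice'),
    'empty RefTypes, other link'          => array($anyLink, ReferenceTypeRef_Other, 'alice'),
    'empty CommentTypes, SecExc link'     => array($disabled, ReferenceTypeRef_SecExc, 'alice'),
    'strict, SecExc link, non-subscriber' => array($strict, ReferenceTypeRef_SecExc, 'bob'),
);
foreach ($cases as $label => list($cfg, $link, $user)) {
    printf("%-38s %s\n", $label, securityExceptionApplies($cfg, $task, $link, $user) ? 'granted' : 'denied');
}
```

When reviewing a site's settings, an unset or empty RefTypes combined with a populated CommentTypes is the combination to look for, since any link to a listed comment/task type then grants access to its subscribers.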