Administration

OptiDoc2™ Administration Module

This documentation is technical and is intended for systems administrators and installation specialists. If you need assistance, or additional training, please contact

Advanced Technology Services, Inc.
Atlanta, GA at 770-698-0130.

Introduction

This application program manages and maintains the OptiDoc™ database, together with the hierarchy of security objects, secure documents, secure users, and their relationships. Secure users are added, modified, and removed using this module. Administrative groups and document security levels are added, modified, and removed using this module. You must have an administrative password to use this module. Setup of user rights, and certain global indexing modes such as autopopulation based on lookups, are managed with this application. The integrated audit reporting and tracking functions provide administrators with detailed monitoring, logging, and reporting capabilities. Flexible database setup and organization of dual and redundant storage makes use of current technology, such as optical, NAS, SAN, jukebox, magnetic, and WORM storage. Dual and redundant data paths, as well as rules for storage and recall ordering of digital documents, are controlled by the administration module.

Security Model

The security model is composed of two main systems that are explained independently.

Security Objects

The first concept is the idea of a security object. A security object has security properties and is attached to many objects in the database. This relationship restricts or allows access to that database element. In other words, a security object points to many objects in the database. For example, some security objects in the OptiDoc™ database are the security group of a user, the rights of a storage group, or the privilege hierarchy in a document group.

Security Properties

The second concept is that of a security property. Security properties apply to objects such as users or collections or storage routes. For example, a security property might apply to a single database object such as a single user or a single document, or it might apply to an entire class of database objects, such as a user group, or all of the documents arriving from a specific feed. Security properties can control access to sets of documents or sets of users but are specific to that object.

Panels Either Configure Security Objects Or Security Properties

Some panes in the administration application provide a way to add, delete, modify, and manage the objects and security objects themselves. Other panes provide a way to create, manage, and maintain the relationships between these objects. Once you understand this essential idea, the OptiDoc™ system and security model is easy to understand and to work with.

The Application Of Changes

This security administration application program is designed to be intuitive and user friendly. It is also designed to function very quickly. As an administrator you can log into the security application and begin to make changes to any user interface panel. However, it is only when you press the Update button that changes are actually written to the database.

Admin User Requirements

In order for a user to be considered for authentication as an administrative user, the chosen user must have administrative rights in some user group that the user is a member of. The user group "optiadmin" has the administrator right permanently assigned to it, and the user "optidoc" is a permanent member of the "optiadmin" group. The "optiadmin" group cannot be renamed or deleted, the admin right of the "optiadmin" group cannot be changed, and the "optidoc" user cannot be changed or deleted. Because of these restrictions, an administrator cannot inadvertently lock himself out of being able to administer the database. The same restrictions mean that the "optidoc" account can never be disabled or demoted, so a known default password on it gives anyone who can reach the SQL Server full administrative control of the database. For security reasons it is important to change the default password for the "optidoc" user immediately after installation.

Requirements

  1. A Windows operating system newer than Windows 2000.
  2. Read/Write access to the folder within which the application is installed.
  3. This application program should be run locally. If you need to run this application on a particular workstation, then this application should be installed on that workstation.

Authentication

The Authenticate Tab provides an administrator with the ability to log into and to establish a connection with the database. One must first log into the database as an administrator in order to make any changes to the system or to the security. This application program cannot be accessed without an administrative login. In order to make an administrative user, the admin right must be turned on for some user group attached to the user. Every OptiDoc™ database system has a default administrator account and a default administrator user group. There are two methods of authentication available for logging into the database.

Windows Integrated Authentication

No password is required. The user name is taken automatically from the Windows session login name. If that user name is valid, access to the SQL database is granted automatically. This is a proprietary feature of the Windows operating system, SQL Server, and Windows Active Directory. Although this mode requires less typing, the database trusts the Windows session entirely: anyone who can use an administrator's logged-in workstation also has administrative access to the database, with no further credential asked for. For that reason it is considered less secure here and is not the recommended authentication method.

SQL Server Authentication

A user name and a password are always required. The user and password are submitted to SQL server for authentication and validation. If the SQL server validates the user and password then the OptiDoc™ database attempts to validate the user. Although this method requires a little more typing, it is a more comprehensive and secure authentication method.

Once the administrator has authenticated against the database, the main panel will show various properties of the database, such as the database version, and other configuration parameters. Before the administrator has authenticated against the database, all of the tab panels are empty and all of the controls in those panels are disabled.

Document Security Tab

The Document Security Tab provides an administrator with the ability to manage and maintain a low level, document specific security feature of the OptiDoc system. This is a granular access control mechanism that is applied at the document level.

The functionality of this feature is as follows. A document security is a named security object. If the document security for a user is not set, that is, no document security objects are attached to that particular user, then the user is restricted to being able to view only those documents that also have no document security objects attached to them.

In other words, if a user has no document security objects attached, and the database contains documents with attached document security objects, then those documents will not appear to the user as the result of any possible search.

However, if a user has a certain document security object attached to it, then that user is able to see all those documents that have no attached document security objects, as well as being able to see those documents with matching document security objects.

Many To Many Relationship

Multiple document security objects can be attached to a single user, and multiple document security objects can be attached to a single document. If there is a corresponding match, between the document security objects, then the user will be able to view the document. Document security objects are global in nature, and are applied across all users and collections, and are not undone by any other security.

Maximum Size

There can be a maximum total of 32 possible document security objects.

When an administrator first enters the document security pane, the names of all of the defined document security objects are shown on the left side. The administrator can click on the name of a document security object to view or change its properties.

Add/Remove

To remove a document security object, click on the name of the document security object and then click on the remove button. To add a new document security object, type in the name of the new document security object and then click on the add button. To modify the name of an existing document security object, click on the name of the object, then change the name in the properties section, and then click on the update button. Remember that when you make a change, you have to click on the update button.

Dangling Document Securities

For several reasons, it is possible that document security objects attached to documents within a database do not match up with the table of current document security objects. For example, it is possible that certain document security objects are attached to documents that do not have analogous objects in the document security list. There are two choices for how to handle this situation.

  1. One possibility is to recover "lost" document security objects. In this case click on the recover button. This will cause a process to uncover any of these lost document security objects and to make them reappear in the list of document security objects. Recovered document security objects come back with the name "RECOVERED ###".
  2. The other possibility is that we want to "clean up" document security objects from documents that are not defined by the list. In order to remove all document security objects from documents that are not in the document security list, click on the clean up button. This action will spawn a process that will remove any document security objects from documents that do not appear in the list of document security objects. For example, after deleting a document security object from the list, it might be a good idea to clean up any document security objects that are still attached to the documents.
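The visibility rules above (an unlabeled document is visible to everyone, a labeled document only to users sharing at least one of its labels), the 32-object limit, and the recover and clean up handling of dangling document securities, written out as an added example. This is illustrative code and not OptiDoc's own; it assumes security objects are identified by small integer ids that users and documents carry as sets, and that the "###" in a recovered name is the object's id. All names and sample data are constructed for the example.

```python
from dataclasses import dataclass, field

MAX_SECURITY_OBJECTS = 32  # limit stated on the page


@dataclass
class SecurityRegistry:
    """The table of defined document security objects: id -> name."""
    names: dict[int, str] = field(default_factory=dict)

    def add(self, name: str) -> int:
        """Add a named object; names must be unique and non-empty."""
        if not name or name in self.names.values():
            raise ValueError("a document security name must be unique and non-empty")
        free = [i for i in range(MAX_SECURITY_OBJECTS) if i not in self.names]
        if not free:
            raise ValueError("at most 32 document security objects can exist")
        self.names[free[0]] = name
        return free[0]

    def remove(self, sec_id: int) -> None:
        """Only the registry entry goes away. Documents that reference sec_id
        keep the attachment, which is how a 'dangling' security arises."""
        del self.names[sec_id]


def can_view(user_secs: set[int], doc_secs: set[int]) -> bool:
    """Page rule: no labels on the document means anyone may view it;
    otherwise the user needs at least one matching label (many-to-many)."""
    return not doc_secs or bool(user_secs & doc_secs)


def visible_documents(user_secs: set[int], documents: dict[str, set[int]]) -> list[str]:
    """What a search could ever return for this user, sorted by document name."""
    return sorted(name for name, secs in documents.items() if can_view(user_secs, secs))


def dangling(registry: SecurityRegistry, documents: dict[str, set[int]]) -> set[int]:
    """Ids attached to documents that have no entry in the registry."""
    attached = set().union(*documents.values())
    return attached - set(registry.names)


def recover(registry: SecurityRegistry, documents: dict[str, set[int]]) -> set[int]:
    """'Recover' button: re-create every dangling id as 'RECOVERED ###'
    (### assumed here to be the zero-padded id)."""
    lost = dangling(registry, documents)
    for sec_id in sorted(lost):
        registry.names[sec_id] = f"RECOVERED {sec_id:03d}"
    return lost


def clean_up(registry: SecurityRegistry, documents: dict[str, set[int]]) -> set[int]:
    """'Clean up' button: strip dangling ids from every document."""
    lost = dangling(registry, documents)
    for secs in documents.values():
        secs -= lost
    return lost


if __name__ == "__main__":
    # Constructed sample data: two labels, three documents.
    reg = SecurityRegistry()
    hr, legal = reg.add("HR"), reg.add("Legal")
    docs = {"memo": set(), "salary": {hr}, "contract": {hr, legal}}
    print("no labels sees:", visible_documents(set(), docs))
    print("Legal sees:    ", visible_documents({legal}, docs))
    reg.remove(legal)
    print("dangling after removing Legal:", dangling(reg, docs))
    print("recovered:", recover(reg, docs), reg.names)
```

Note the asymmetry the page describes: removing a label from the registry does not change which users can see the labeled documents until you either recover the label (so it can be re-attached to users) or clean it up (so the documents become visible to everyone, because they are then unlabeled). Decide which of the two you want before deleting a label that is still in use.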

Please note that anytime a long running operation is in process, and you want it to stop, press and hold the ESC key.

Users

The Users Tab provides an administrator with the ability to manage and maintain the user objects of the OptiDoc system. In most cases, the name of an OptiDoc user must match a user name on the SQL server for secure authentication. Since the passwords are managed using the SQL server, no passwords are stored inside the OptiDoc system.

When an administrator clicks on the Users panel he sees a list of every OptiDoc user on the left most side of the pane. When an administrator clicks on a user, then the properties of the user appear in the center of the pane, and the operations that can be performed on these users appear along the right most side of the pane. When an administrator selects a user, the user name property is filled in, and the collections the user has access rights to are populated in the list of the default collections, and the views that user has access rights to are also populated in the list of default views.

Default Collection

The list of default views depends on the chosen default collection. In this way, a default user collection and a default user view can be chosen in such a way that they do not conflict. When the user first connects with the OptiDoc system, the default collection, and default view are automatically selected.

There can be a total maximum of 4,294,967,295 OptiDoc users.

Synchronize OptiDoc With SQL Users

The green checkmark next to the user indicates that the OptiDoc user is a valid SQL user. If you press the "Scan SQL Users" button, then each OptiDoc user will be checked against the existing set of SQL users and SQL logins. If the system finds a match, then the green checkmark will indicate that there is a match between the OptiDoc user and the SQL user. If the system does not find a match, then the green checkmark will change into a red "x" indicating that there is a mismatch between the OptiDoc user and the SQL user. Using the scan function is an easy way to ensure that all of the OptiDoc users coincide with actual SQL users. If you need to fix up any differences, then click on the user that has the problem and then click on the "Modify Password…" button. Enter a new password for the user; this action will automatically fix up the OptiDoc user so that there is a matching SQL user and SQL login.

As you select different users, different user properties will appear in the properties pane in the middle. For example, the user name is one property, the user default collection is another property, and the user default view, is another property. Any of these properties can be changed. Once you have made a change remember to press the update button to set the changes from the display screen into the internal memory structures of the security application program, so that they can later be applied to the database.

Add User

To add a new user, first select a similar user from the left side of the pane, or just type in the name of the new user. Sometimes, in order to save key presses, you may want to choose an existing user whose properties are similar to the new user that you want to add. This will cause the default properties to automatically load into the center pane, so that you do not have to type all of the default properties all over again. Finally, type in the new user name and click on the add button. There are a few simple restrictions. A new user name must be unique, non-empty, and it cannot be the name "optidoc". If the new user name is acceptable, a password dialog will appear. This dialog will ask you to enter the new password two times. Asking for the password two times is simply a way to ensure that the administrator is entering the password that he expects to enter. This will cause a new SQL user, a new SQL login, and a new OptiDoc user to be synchronized and added into the system.

Change User

To change a user property, first click on the user in the left side of the panel, and then change the property from the middle panel, and then click on the update button from the actions pane.

Please remember, you cannot change the name of any existing user to "optidoc".

To delete a user, first click on the user from the left most side of the pane, and then click on the delete button. Remember, you cannot delete the "optidoc" user. When you delete an OptiDoc user, only the OptiDoc user is removed. The SQL user and the SQL login remain intact, so the person can still authenticate to the SQL Server itself. If the account is to lose all database access, contact your database system administrator to have the SQL user and login removed as well.

Change Password

To change a user password, first click on the user from the left side of the pane. Then click on the Modify Password button. This action will bring up a password dialog. You will be asked to enter the password two times. This is done to ensure that the user is entering the password that he intends to enter. The password will then be changed for this user.

User Groups

The User Groups Tab provides an administrator with the ability to manage and maintain the features and functions of sets of database users as a group. A user must belong to one user group on a collection by collection basis in order for that user to have any rights within the collection. For each collection a user must have a single user group attached to it. The user group provides rights based on the properties of the user group. One property of a user group is the name of the group. The group "optiadmin" is a special group that cannot be renamed or deleted. The admin right cannot be removed from the "optiadmin" group. A user group provides eight general rights:

  1. display documents themselves, in addition to just being able to see their index data
  2. print documents to network and attached printers
  3. mail documents using an e-mail client
  4. delete documents from the database
  5. update index information on documents
  6. insert documents into the database
  7. export documents out of the database
  8. admin functions allow users to log in to administrative applications.

Manage Annotations

A user group also controls how annotations are handled for the attached users. Annotations can be additions to documents, such as notes, pictures, or lines and arrows, or they can be redactions that cover things up. Because annotations are used in these distinct ways, four logical annotation modes are needed.

  1. can edit and view: This mode provides the user with the option of editing and viewing annotations. A user can apply an annotation or a redaction, and can look at the document with or without the annotation present. This is the most powerful mode.
  2. can view: This mode provides the user with the option of viewing annotations. A user can look at a document with or without annotations, but cannot make any changes to those annotations.
  3. always view: This mode forces the user to always view documents with annotations in place. This mode might be used for allowing a person to view financial documentation where salaries have been redacted. In this mode, the user can still see the information that is needed, but is not allowed to see redacted material.
  4. never view: This mode forces the user to always view documents without any annotations. This mode might be used for allowing a person to review documents that have been annotated with special annotations, like salary or review information. In this mode the user can see all of the information on the document, but cannot see any additional comments or annotations.

Please note there can be a maximum total of 32 user groups.

Remember to press the update button after you have made a change to a User Group so that the information is moved from the screen into the internal memory structures that will eventually be applied to the database.

Tokens

The Tokens Tab provides an administrator with the ability to manage and maintain the features and functions of a type of security object that can be attached to sets of database users as a unit, much like a User Group. However, a token is more far reaching in the type, kinds, and numbers of possible permissions that are available. A token is a string value that is interpreted and applied in a certain way. There are a number of possible token types.

  1. JavaScript: This type of token takes the form of a JavaScript program that is injected into the web page when connecting to the OptiDoc WWW server. The web browser must support JavaScript for this feature to function, and the script must be valid and correct to execute properly. How the script is invoked and what it does is entirely up to the script programmer. Because the script runs in the browser of every user the token is attached to, within that user's session, the right to create or edit tokens is effectively the right to run code in those users' browsers; keep it restricted to trusted administrators. When using any scripting option, debug the script completely before placing it in the token security system.
  2. VBScript: This type of token takes the form of a VBScript program that is injected into the web page when connecting to the OptiDoc WWW server with a Microsoft Internet Explorer browser. Since VBScript is a Microsoft scripting language, the browser must be Microsoft Internet Explorer, or some other browser that supports VBScript. The VBScript must be valid and correct to execute properly. When using any scripting option, debug the script completely before placing it in the token security system.
  3. SQL Where Clause: This type of token takes the form of an SQL where clause. The clause must conform to standard Transact-SQL syntax. It is placed in conjunction with any other clauses that may be in effect for a user and a collection; multiple SQL clauses are AND'ed together to form the overall, more restrictive clause. Keep each token self-contained and bracket any OR expressions within it, so that the AND combination with other tokens narrows access rather than accidentally widening it. Do not include the word "where" at the beginning of your clause; the word "where" is always implied. When you choose to create a token of this type, two drop down menus directly above the token value edit field become available. The drop down menu on the top is a sorted list of collections. Once a choice has been made from the top drop down menu, the lower drop down menu is populated with values. These values are the SQL field names associated with the selected collection, plus additional useful values. These additional values are specific to Microsoft SQL Server and provide templates for their use. When you choose a value from the lower drop down menu, that value is written into the token value field at the cursor location. If you first select text in the token value field and then choose a value from the second drop down menu, the selection is replaced with the new value. The additional values are templates for managing additional features: dates, times, user names, and string and date manipulation.

For example, you can cause a user to be able to see only those records which contain the digit 3 in character position 4 of a numeric field called "test_field". This type of restriction might be used to grant or deny access to records that have a relationship with a special purpose coding system. Note that in a Transact-SQL LIKE pattern the single-character wildcard is "_" (a "?" would match only a literal question mark), and that a value converted to char(10) is left-aligned and padded with spaces, so a number with fewer than four digits has a space in position 4 and will not match.

convert(char(10),test_field) like '___3%'

Or, as a very simple example, an SQL Where clause might be used to restrict access to records that match a certain character valued status field,

stats_flag = 'DONE'

  4. HTML Message: This token takes the form of any HTML message. The message is presented to a user when the user connects with the assigned collection on the OptiDoc WWW server. An HTML message token might be used to advise users of available updates, or to broadcast simple text messages to groups of users. An HTML message can be simple text, or it can be any HTML code. Here are some examples of possible HTML message strings:

For example this simple string creates a message that appears after the user has logged in and chosen a collection,

hello, you have an important message

Or, an HTML message might include a graphic image that you want users of a group to see,

<img src="c:\localhost\group.gif">

Or, an HTML message can include a banner that scrolls from left to right across the screen,

<marquee>This is a scrolling message</marquee>

Or, you can change the colors, and fonts,

<font size=5 color=red>This is a red message</font>

Or, an HTML message can contain links to other web pages,

<a href="http://www.somewebsite.com">See this site</a>

HTML Message strings can contain any HTML code that the browser can interpret. The browser renders the token content exactly as stored, including any script it contains, so an HTML message token carries the same weight as a JavaScript token: only trusted administrators should be able to create or edit tokens.

There can be a maximum total of 8,192 tokens.

Create A Token

To create a new token, type in the name of the token into the token name edit field, choose the type for the token by selecting one of the available token types from the bank of radio buttons, and then click on the add button.

If the information is acceptable then a new token identifier will be generated, and the new token will be added to the system. A new token name must be unique and not empty. The scrolling edit box in the center properties pane is where the actual token text is stored. You can enter the Transact-SQL where clause directly into this box or use the helper drop down menus located above the scrolling edit box. For example, if you are building a token that will apply to fields within a particular collection, then you can choose the collection from the collection drop down menu. This action will populate the values drop down menu with the SQL field names for the available fields of that collection. The values that you see in this list are not dependent on any user view that may be in effect, allowing you to build rules that apply to fields that the user cannot even see. Any valid SQL syntax is accepted in this manner, including calls to stored procedures or queries involving the SQL user environment. Because the clause becomes part of every search run for the users it is attached to, a malformed clause breaks those searches and an over-broad one exposes records; test a new clause against the collection before attaching it to users.
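The SQL Where Clause token behaviour described above (several tokens AND'ed into one more restrictive clause, with the word "where" implied) and the two example tokens, carried through as an added example. This is illustrative code, not OptiDoc's own; SQLite stands in for SQL Server, so CAST(test_field AS TEXT) replaces convert(char(10), test_field), while LIKE's "_" and "%" wildcards behave the same way in both. The table, its rows and the function names are constructed for the example. The block also shows the precedence problem that makes the bracketing caveat above matter: joining an unbracketed token containing OR with a plain AND widens the result instead of narrowing it.

```python
import sqlite3

# Constructed sample records: test_field is numeric, stats_flag is the
# character status field used in the page's second example.
ROWS = [
    (1, 1234, "DONE"),
    (2, 4563, "DONE"),
    (3, 9993, "OPEN"),
    (4, 7773, "DONE"),
    (5, 3, "DONE"),
]

# The page's two example tokens in SQLite form. In Transact-SQL the first
# would read: convert(char(10), test_field) like '___3%'. '_' is the
# single-character wildcard; '?' would be an ordinary literal character.
POSITION_4_IS_3 = "CAST(test_field AS TEXT) LIKE '___3%'"
STATUS_DONE = "stats_flag = 'DONE'"


def combine_tokens(tokens):
    """AND the tokens together, each inside its own parentheses, so the
    result can never be wider than any single token. The leading WHERE is
    implied (as the page says) and is added by the caller."""
    parts = [f"({t.strip()})" for t in tokens if t and t.strip()]
    return " AND ".join(parts) if parts else "1 = 1"


def combine_tokens_naively(tokens):
    """A plain AND join without parentheses. Shown only to illustrate why an
    unbracketed OR inside a token is dangerous; not a recommendation."""
    parts = [t.strip() for t in tokens if t and t.strip()]
    return " AND ".join(parts) if parts else "1 = 1"


def matching_ids(tokens, combine=combine_tokens):
    """Run a search restricted by the combined tokens; return matching ids."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (id INTEGER, test_field INTEGER, stats_flag TEXT)")
    conn.executemany("INSERT INTO records VALUES (?, ?, ?)", ROWS)
    sql = f"SELECT id FROM records WHERE {combine(tokens)} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    print("status DONE:        ", matching_ids([STATUS_DONE]))
    print("digit 3 at pos 4:   ", matching_ids([POSITION_4_IS_3]))
    print("'?' is not wildcard:", matching_ids(["CAST(test_field AS TEXT) LIKE '???3%'"]))
    print("both tokens AND'ed: ", matching_ids([STATUS_DONE, POSITION_4_IS_3]))
    widening = POSITION_4_IS_3 + " OR 1 = 1"   # a badly written token
    print("bracketed join:     ", matching_ids([STATUS_DONE, widening]))
    print("naive join:         ", matching_ids([STATUS_DONE, widening], combine_tokens_naively))
```

With the bracketed join the badly written token merely stops restricting anything (the DONE rows still come back); with the naive join, AND binds tighter than OR, so the trailing "OR 1 = 1" applies to the whole clause and every row comes back, including the OPEN one. Whichever way the product itself joins clauses, writing each token as a bracketed, self-contained expression costs nothing and removes the ambiguity.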

page_revision: 23, last_edited: 23 Sep 2008
Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License