What is it?
The Security actions allow you to set permissions on the folders in SpringCM to control and manage access by the SpringCM users in your account.
When is it used?
Security is applied at the folder level in SpringCM, and is inherited by the documents within that folder. As you create and manage your folder structure in SpringCM, you will need to determine which users should have access to each folder, and what that level of access should be.
How is it used?
- Select GOTO then Documents from the menu bar.
- Navigate to the folder for which you want to define access.
- Check the folder to select it.
- Select Manage then Security from the menu bar.
- Set the desired access rights for each role.
- If you want to add any other candidates, type the first few letters of the user or security group name in the field provided, and when the name of the user or security group appears in the drop down, click on that name or highlight and select it to add it to the candidate list.
- Set the desired access rights for each candidate added to the list.
- Click the Save button to save your changes.
When apply security to a folder or document, you can specify that security based on a user role, an individual user or a group of users. Each of these eligible candidates are described below:
User Roles - The default layout allows you to grant or revoke access based on the user role. Only four user roles are candidates--user administrator, full subscriber, limited subscriber, and guest. Super administrators have access to all documents and folders by default.
Users - If a specific user needs explicit access granted or revoked, that user can be added to the list of candidates, then assigned the desired security setting.
When applying security you can set the following access rights to each candidate or candidate group:
No Access - prohibits the user from accessing folders or documents. This is the default setting for all content in SpringCM.
View - permits users to view folders and documents (via preview mode or download)
View & Create - permits users to view the folder, upload new content and to revise the content of a document, but they cannot edit the attributes of a document.
View & Edit - permits users to view, revise, share and upload new content, but they are not allowed to delete either the folder or the document, nor grant access.
View, Edit, & Delete - permits users to view, revise, share, upload new content, and delete documents and folders, but they are not allowed to grant access.
View, Edit, Delete, & Set Access - permits users to grant or revoke access to folders and documents in addition to full privilege for view, edit, share, upload and delete.
Unless otherwise specified, documents and subfolders inherit the security settings established at the parent folder. When viewing the security settings of subfolders or documents, you will see that most, if not all, security settings are noted as (Inherited) (e.g.., Guest - No Access (Inherited))
(Inherited) indicates that the No Access security setting for the Guest role is inherited from the parent folder. Settings not noted as (Inherited) mean that the setting has been explicitly set at the subfolder or document level.
Use Explicit settings for specific subfolders that require different security settings than those established in the parent folder.
Click the View Permissions for All Users checkbox to see all the users who have access to a specific folder or document. This feature functions as a convenient way to double check who will be able to see the folder, and that all the appropriate users have the proper security settings. This page returns the first 1,000 results. If you have more than 1,000 users with permissions on a specific folder, please use the search field to locate users.
Security settings can be established using different group, role and user settings. Use the following to determine the order of precedence for interpreting a user's access rights.
- Check to see if the user is a Super Administrator. Super administrators have access to all folders and documents, thus need no explicit or effective security settings. If the user is NOT a super administrator, proceed to the next step.
- Check to see if the user has explicit settings. If yes, the user's security settings have been established at this level. If the user does NOT have explicit settings at this level, proceed to the next step.
- Check to see if the user is a member of a security group with explicit settings. If yes, the user's security settings have been established at this level. If the user does NOT have explicit security group settings at this level, proceed to the next step.
- Check to see if the user is a member of multiple security groups with explicit settings. If yes, the least restrictive group (i.e.. - the one that provides access to the most folders and documents) takes precedent. If the user is NOT a member of multiple explicit security groups at this level, proceed to the next step.
- Check to see if the user's user role includes explicit settings. If the user's user role includes specific security settings, the user's security settings have been established at this level. If the user's user role does NOT contain explicit security group settings at this level, proceed to the next step.
- Move up one folder level and perform steps Steps 2-5. Continue moving up one folder level if none of these steps reveal a user's security settings.
Administrators can allow access to your SpringCM environment to only certain IP addresses or IP ranges. Or you can deny or exclude specific IP addresses or IP ranges. This action is taken in the PREFERENCES tab - Security.
- On the Preferences - Security page, you will be given a choice (radial button) to Allow or Deny. You can only choose one.
- Once selected, the field immediately below the selections will allow you to enter the specific IP addresses, or IP ranges. The input field is a comma separated list of RegEx patterns, which are matched against the IP a request (web, sftp, api,...) is coming from.
Here's an example for an input:
The first one matches any IP starting with 192.168.100, and a single digit for the fourth part. The second would only match 192.168.200.1 You may notice in the first one the dot is escaped with a \. The second one the dot is not escaped. In RegEx the dot means any character, so by coincidence it happens to match the actual dot in the incoming IP address. So for exact IP addresses it just works. But the correct way is to escape it - "\.".
Here's another example that allows for any value on the last two parts of the IP address:
The above is equivalent to the standard 192.168.*. In the above "[\d]+" means one or more digits.
- Once you have entered all IP addresses or IP ranges, you will choose SAVE.
As a result, based on your choice of Allow or Deny and the IP addresses or IP ranges, your SpringCM environment will be accessible accordingly.