
Hi, I am very interested in how to control access to restricted documents in IFS, particularly ITAR. We are on IFS Version 10, UPD7 and use Active Directory Federation Services to connect users to their Active Directory accounts for login. We have multiple companies and sites across a number of countries. I am quite familiar with Document Access and Document Class Management using assigned person groups. However, the loophole is that a Document Control rep at one of our sites with access to Document Basic Data can inadvertently add an unauthorized person to a person group that is assigned to a restricted Document Class. I am also interested in the best approach in terms of the Doc Vault. We presently use Shared Files. Storing document files in the database is not feasible given the impact to system performance with the volume of documents in use across all of our sites. We are at the point of removing the restricted documents completely, storing the files in site-specific file servers with server access controlled at the site level and using hyperlinks from a dummy document object to retrieve the restricted document file outside of the IFS Document Management module for those who are granted access at the server level.

Also, is there a standard for moving obsoleted documents into a separate vault/server or deleting them?

Thanks,

Steve O’Steen
 

Quote:

I am also interested in the best approach in terms of the Doc Vault. We presently use Shared Files. Storing document files in the database is not feasible given the impact to system performance with the volume of documents in use across all of our sites.

 

This is the reason we moved the documents off to an FTP server altogether.

 

Quote:

However, the loophole is that a Document Control rep at one of our sites with access to Document Basic Data can inadvertently add an unauthorized person to a person group that is assigned to a restricted Document Class.

 

If your permissions allow this admin to also add restricted users, then I’m not sure how you can further control it. The ability to add and update users to person groups is restricted to IT ONLY for us, and the IT Admins have to control this function.


Could you keep the restricted documents (or the class(es) really) in the database repo and the rest on FTP or Shared repos?

I’m afraid there is no easy way to sync Docman with any external AD or similar.

 


What we ended up doing is:

  1. Changed the Document Class on affected documents
    1. Identified all existing documents that required additional restricted access.
    2. We then paid an IFS developer to move specified documents to newly specified document classes. The existing approvals, history and current responsible person are brought over to the newly created document classes and the new restricted access templates are applied.
  2. Set up Custom User Groups and Custom Events - we consulted another IFS developer/analyst to get started on this process
    1. We set up custom user groups - Approved Users Per Class and Approved Users Per Group. We restricted access to these tables to only the ERP Admin team
    2. Added custom events to prevent business document management personnel from adding users to specific “restricted” access templates, documents or person groups. If new users need to be added, we use a change process that requires site export admin approval before we add the user to the custom tables we created.

In summary, the solution adds an extra layer of security on top of the existing document management access functionality managed by the local Document Control groups. The added layer of security only applies to those document files that are in the Restricted Document Classes and persons in the Restricted Person Groups. Thus far we have one of four sites completed with the functionality working quite well.
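A stand-alone illustration of the second half of this approach (an admin-only approved-users table plus a guard that refuses unapproved additions to a restricted person group), added here as an example; it is not code from the poster or from IFS. The table and column names and the Oracle trigger are constructed assumptions, not the IFS schema or its Custom Event mechanism:

```sql
-- Constructed, illustrative schema: these are NOT IFS tables.
CREATE TABLE restricted_person_group (
  person_group_id VARCHAR2(20) PRIMARY KEY
);
-- Maintained only by the ERP admin team; grant INSERT/UPDATE/DELETE on it
-- to the admin role alone, since the guard below relies on this table.
CREATE TABLE approved_user_per_group (
  person_group_id VARCHAR2(20) NOT NULL,
  person_id       VARCHAR2(20) NOT NULL,
  approved_by     VARCHAR2(30) NOT NULL,
  CONSTRAINT approved_user_per_group_pk PRIMARY KEY (person_group_id, person_id)
);
CREATE TABLE person_group_member (
  person_group_id VARCHAR2(20) NOT NULL,
  person_id       VARCHAR2(20) NOT NULL,
  CONSTRAINT person_group_member_pk PRIMARY KEY (person_group_id, person_id)
);

-- Guard: membership in a restricted group requires a prior admin approval row.
CREATE OR REPLACE TRIGGER person_group_member_guard
BEFORE INSERT OR UPDATE OF person_group_id, person_id ON person_group_member
FOR EACH ROW
DECLARE
  restricted_ NUMBER;
  approved_   NUMBER;
BEGIN
  SELECT COUNT(*) INTO restricted_ FROM restricted_person_group
   WHERE person_group_id = :NEW.person_group_id;
  IF restricted_ = 0 THEN
    RETURN;  -- unrestricted group: normal Document Control handling applies
  END IF;
  SELECT COUNT(*) INTO approved_ FROM approved_user_per_group
   WHERE person_group_id = :NEW.person_group_id
     AND person_id = :NEW.person_id;
  IF approved_ = 0 THEN
    RAISE_APPLICATION_ERROR(-20001,
      'Person ' || :NEW.person_id || ' is not approved for restricted group '
      || :NEW.person_group_id || '; use the export-admin approval process.');
  END IF;
END;
/

-- Walk-through with constructed data
INSERT INTO restricted_person_group VALUES ('ITAR_SITE_A');
INSERT INTO approved_user_per_group VALUES ('ITAR_SITE_A', 'JDOE', 'ERPADMIN');
INSERT INTO person_group_member VALUES ('ITAR_SITE_A', 'JDOE');    -- accepted
INSERT INTO person_group_member VALUES ('ITAR_SITE_A', 'MSMITH');  -- ORA-20001
INSERT INTO person_group_member VALUES ('GENERAL_DOCS', 'MSMITH'); -- accepted
```

The check only holds if the approval table itself is locked down as the poster describes; a trigger cannot protect a table its callers are allowed to edit directly.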

