Topic
  • 11 replies
  • Latest Post - ‏2013-03-22T19:54:25Z by SystemAdmin
SystemAdmin
SystemAdmin
445 Posts

Pinned topic Teamspace Subfolder as Security Parent

‏2013-03-11T20:30:46Z |
Is there a (simple and supported) way to change the way security is inherited in Teamspace subfolders?

The default behavior is for all objects to get a copy of the ACL that is on the teamspace, so documents and folders under a folder that has been changed still get the ACL of the teamspace (not its parent folder). This means that while a teamspace team member on the "no access" list for a folder would not see that folder, they could still access the documents in it via search or from a link someone sent them.

Thanks!
  • SystemAdmin

    Re: Teamspace Subfolder as Security Parent

    ‏2013-03-13T15:20:25Z  
    Which repository CM8 or P8?
  • SystemAdmin

    Re: Teamspace Subfolder as Security Parent

    ‏2013-03-14T13:40:07Z  
    Which repository CM8 or P8?
    I have the same question as the OP; my response would be P8.
  • SystemAdmin

    Re: Teamspace Subfolder as Security Parent

    ‏2013-03-14T15:12:06Z  
    I have the same question as the OP; my response would be P8.
    Mine is P8 as well.
  • SystemAdmin

    Re: Teamspace Subfolder as Security Parent

    ‏2013-03-18T11:21:03Z  
    Which repository CM8 or P8?
    jaajuanMike, did you have any ideas on this?
  • SystemAdmin

    Re: Teamspace Subfolder as Security Parent

    ‏2013-03-18T15:06:58Z  
    jaajuanMike, did you have any ideas on this?
    I'm investigating a workaround for the current design. I should have a response today.
  • SystemAdmin

    Re: Teamspace Subfolder as Security Parent

    ‏2013-03-18T15:32:09Z  
    I'm investigating a workaround for the current design. I should have a response today.
    On a P8 repository you can set up a method to ADD TO the security of the Teamspace by using Entry Templates (with or without a security policy) and the Entry Templates Folder Association features. You will need to set up this configuration from Workplace XT, but once set up, it will be honored from the ICN Teamspace. Understand that if you wish to restrict access for existing team members relative to their Teamspace role, you will need to set up explicit deny on the rights in question.

    1) Determine if the security model you need can be handled with the Entry Template security, or if a Security Policy will be needed.
    2) Create the Security Policy if needed.
    3) Create the Entry Template. (Set the folder setting to just the object store, as this setting is ignored when using the Entry Template Folder Association feature.)
    4) In the security step of the Entry Template, set the Security Policy or set up the Entry Template security. These security settings will be added to the Teamspace inherited security, and the security with the highest level of access "wins" when a user/group is getting security from the class, teamspace and ET/security policy. To restrict access, you may need to explicitly deny the right.
    5) Once the Entry Template is created, from Workplace XT, you will need to search for the Teamspace subfolder that you wish to associate with the Entry Template.
    6) From the search results, select the folder, open the context menu and select the option Preferences > Associate Entry Templates. Select the Entry Template(s) you wish to be used when adding documents to this folder. By default this setting will be used for all subfolders as well.

    If you do not see this action, you are not a member of the Access Role with rights to this action. Contact the Workplace XT admin, and have them set up a non-admin access role, add you as a member of that access role and add that role to the Associate Entry Template Action.

    7) From ICN, add content to that folder and confirm that the Entry Template is used and that your security settings are performing as desired.
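
The ACL behaviour described in the reply above, as a simplified model. This is an added example, not part of the original post and not IBM code: the group names, the rights and the "explicit deny removes an allow" evaluation are assumptions for illustration and do not call the P8 API. It shows why an Entry Template that only adds allow entries leaves a "no access" team member able to open a document by search or link, and why the explicit deny is needed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ACE:
    principal: str   # user or group name
    right: str       # e.g. "view", "modify"
    allow: bool      # False means an explicit deny

def effective_rights(principals, acl):
    """Simplified evaluation (assumption): allows from every source are
    unioned, so the highest access wins; an explicit deny removes the right."""
    allowed = {a.right for a in acl if a.allow and a.principal in principals}
    denied = {a.right for a in acl if not a.allow and a.principal in principals}
    return allowed - denied

def new_document_acl(teamspace_acl, entry_template_aces=()):
    """A document added to any teamspace subfolder gets a copy of the teamspace
    ACL; an Entry Template associated with the folder only adds ACEs to it."""
    return list(teamspace_acl) + list(entry_template_aces)

# Constructed sample data: group names and rights are hypothetical.
TEAMSPACE_ACL = [ACE("team-members", "view", True),
                 ACE("team-owners", "view", True),
                 ACE("team-owners", "modify", True)]
BOB = {"bob", "team-members", "contractors"}   # on the folder's "no access" list
ALICE = {"alice", "team-members"}

def scenario():
    """Can each user view a document filed in the restricted subfolder?"""
    plain = new_document_acl(TEAMSPACE_ACL)
    allow_only = new_document_acl(TEAMSPACE_ACL, [ACE("hr-staff", "view", True)])
    with_deny = new_document_acl(TEAMSPACE_ACL, [ACE("contractors", "view", False)])
    return {
        "no_template_bob": "view" in effective_rights(BOB, plain),
        "allow_only_template_bob": "view" in effective_rights(BOB, allow_only),
        "deny_template_bob": "view" in effective_rights(BOB, with_deny),
        "deny_template_alice": "view" in effective_rights(ALICE, with_deny),
    }

if __name__ == "__main__":
    for case, can_view in scenario().items():
        print(f"{case}: {'can view' if can_view else 'blocked'}")
```
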
  • SystemAdmin

    Re: Teamspace Subfolder as Security Parent

    ‏2013-03-18T19:36:28Z  
    Thank you Mary. This sounds promising. I will give it a try.
  • SystemAdmin

    Re: Teamspace Subfolder as Security Parent

    ‏2013-03-18T19:38:33Z  
    I'm investigating a workaround for the current design. I should have a response today.
    Mike, I marked the question answered because of Mary's input, but I would be interested in your response as well.
  • SystemAdmin

    Re: Teamspace Subfolder as Security Parent

    ‏2013-03-22T18:38:12Z  
    I'm investigating a workaround for the current design. I should have a response today.
    Mike and Mary, the proposed solution/work-around is a good try, but what we really need is for the "overridden" folder to become the new security parent for its contents and subfolders. Essentially, the override folder needs to "break" teamspace security inheritance and subsequent interference when Teamspace security is changed. The ideal solution would present the teamspace ACL when the override folder is created, but not be affected by the Teamspace ACL once the folder is designated as an override, and from that point on down the security parent of any item would be the override folder until another override folder is created under it. See the attached PDF for a visual.
  • SystemAdmin

    Re: Teamspace Subfolder as Security Parent

    ‏2013-03-22T19:18:15Z  
    Another way to look at it might be to imagine that the add subfolder dialog had a "Use Teamspace" security checkbox. If they uncheck it, they are taking over security from that level down.

    I'm attaching an updated diagram with ACL call outs.
  • SystemAdmin

    Re: Teamspace Subfolder as Security Parent

    ‏2013-03-22T19:54:25Z  
    Original Idea tested and did not solve the issue.