Planning for IBM Enterprise Records security

Before you install and configure the IBM® Enterprise Records environment, review your site security requirements for records management. Security administrators must decide which users and groups must have access to certain records management functions, folders, and files.

To provide a secure and reliable environment for storing, accessing, and disposing of records, IBM Enterprise Records uses the security features in FileNet® P8, FileNet P8 uses security roles provided by IBM Enterprise Records, default instance security, security inheritance, and security markings. FileNet P8 is set according to the security roles.

Typically, you must plan for and implement the following tasks:

Determine what roles to assign to users and groups.
Decide what entities require security markings. For example, decide whether you must set up additional groups if the Classified data model is used. This decision is important because specific roles are required when you use the Classified data model. You can create markings in any data model. The DoD classified data model has some built-in marking sets for typical classifications such as Secret and Confidential.
Plan security markings propagation. Objects inherit security markings from their containers. You can set propagation to none, folder to record, or record to folder. The default setting is no propagation.

In general, assign security settings to groups rather than individual users. Putting people into groups and assigning security settings to the groups is easier to manage. Adding or removing a person from a group is easier when they join or leave the company.

Important: Assign IBM Enterprise Records security before you use your IBM Enterprise Records environment. Adjusting the default security settings after the system is in use is complex because assignments are not retroactive. You must go to each of the previously created items and change their access security individually.

Users, groups, and roles
IBM Enterprise Records provides common security roles. However, no other security roles can be added. Each role defines the privileges for the user. You must plan which users and groups belong to specific roles and decide which privileges to grant to each role.
Security markings for your entities
When you create a marking set, you define a set of values for the marking. Each marking value can then be applied to an entity such as a folder and a document. In order to access that entity, you must also be assigned access to that marking.
Security markings propagation
Before you install IBM Enterprise Records, decide which security markings propagation option that you want to set for objects. By default the system is configured to No propagation.

Parent topic: Planning for IBM Enterprise Records installation

Related reference:

Planning for Secure Sockets Layer (SSL)

Related information

IBM Redbook: Understanding IBM FileNet Records Manager