Extended annotation security model

You can use HTML parameters to provide extended security for the ViewONE Annotations Module. For example, you can give users control over the privileges that are assigned to annotations they create. In addition, you can provide separate privileges for modifying, deleting, and reading annotations.

The extended option relies on you using the userId HTML parameter and then adding the annotationSecurityModel HTML parameter with a value of "2" as shown in the following example:

<param name="userId" value="user1">
 <param name="annotationSecurityModel" value="2">

This code enables, as default, extended security options for each new annotation that is created by a user.

When the user saves annotations, extra properties are written to the annotations file, as follows:

SECURITYMODEL = 2 
READ = 1 
MODIFY = 1 
EXECUTE = 1 
PRINT = 1
DELETE = 1 
PASSWORDMODIFY = ****** 
PASSWORDSECURITY = *****
OWNER = Whoever
MODIFYSECURITY = 1 

There are separate privileges for read, modify, execute, print, delete, and modify-security. Each of these privileges can be changed by either the user or the server object that serves the file back to the user.

By default, the privileges are all set to 1 (enabled). The MODIFYSECURITY property indicates whether the user can edit these privileges by using the user interface. If MODIFYSECURITY is enabled, a padlock context button is displayed when the user selects the annotation. If the user click this button, a security dialog box is displayed for the user to change any of the security properties.

The owner of an annotation is the user that created the annotation and is identified by the owner property that is written to the annotations file. If this owner property matches the userId HTML parameter, then that user always has access to this security dialog.

Alternatively, you can specify the HTML parameter userAdmin. If you set this parameter to true, then irrespective of owner and user ID values, the current user is considered an administrator who can edit annotation security for any annotation.

To prevent other users, excluding administrators, from modifying an annotation, a user can clear the modify option in the Annotation Security dialog box. For example, other users cannot select the annotation or move it. If the user selects the modify option and clears the delete option, then other users can modify the annotation but they cannot delete it. If the user clears the read option, the other users are not able to see the annotation. If user clears the print option, then users are not able to print the annotation.

The EXECUTE option controls the action for annotation hyperlinks. For example, if an annotation has a hyperlink, but the EXECUTE option is disabled, then other users are not able to use that hyperlink.

If a document has existing annotations that were created by using the simple annotation security model, the extended options can be enabled on those annotations. The server object that is serving the annotations file must add the "SECURITYMODEL = 2" line to each annotation at retrieval time.

If the annotationEditPasswordModify parameter is set to true, then the user who creates the annotation can set a password that must be entered before a user can modify an annotation. If the annotationEditPasswordSecurity parameter is set to true, then it is possible to set a password that must be entered before a user can modify annotation security.

The passwords are saved in the annotations file by using the properties PASSWORDMODIFY and PASSWORDSECURITY. The passwords are private-key 32 bit encrypted so they are not viewable or editable except through IBM Daeja ViewONE. If an OWNER or an ADMIN user forgets a password that is assigned to an annotation, that user can clear and reenter a password. All other users cannot, unless they enter the correct modify annotation security password.

Passwords are not displayed anywhere. Asterisks (*) are displayed in the dialog boxes and in the annotations file.