Restrict a particular Business Workspace in ECM to a specific user even though his role has access

We have a requirement to restrict a particular Business Workspace in ECM if an Entity is restricted to a specific user by the Admin. For this requirement, we tried:

  1. Add/Update Access for the User to restrict access to that particular Business Workspace. But,
    1. when we did that, the user could still access the Business Workspace because the Role assigned to the User has access to the Business Workspace.
    2. Also, we cannot restrict the owner of the Business Workspace, if the owner himself is blocked from access by the Admin.
  2. Use Supplemental markings on both User and Business Workspace Folder. But,
    1. The Supplemental markings work when both the User and the Business Workspace folder have the same marking. So if we have COI for a User (who is a Manager), we will have to add the markings to all the users in the Manager Role except for the COI User and thereby restrict the user. But even here we will have the same problem, where, when a new user is added to the Manager Role, they would still not have access as the new user is not marked with Supplemental markings.
    2. We will have to Add/Remove Supplemental markings to Folders and Users on the fly, which would need ECM services that don't seem to be available in the Document.
    3. The Owner of the Business Workspace cannot be blocked. So, if the Entity is blocked via COI/Ad hoc to the one who created the Entity, it wouldn't work.

Is there an easier way in ECM, where I can restrict a particular user even if his role has access to the Folder?

Comments

  • Hi Sreeram.

    Are you looking to block access to a specific folder in the workspace(s), irrespective of if the user is a member of a role allocated to the workspace and folders?

    Should the user see the folder, but be blocked from accessing it, or are you looking to hide the folder completely from that user?

    Regards,

    David.

  • Hi David,

    We have a Business Workspace (Folder) in ECM created for each entity instance in Appworks.

    We have by default given access to Manager and Staff roles to these business workspaces. Now when a super admin user decides that user 1 (who is part of the manager role) shouldn’t have access to a Business Workspace (example: BW-000021), how can we remove access for User 1 in BW-000021 but still maintain access to the same folder for the manager role?

  • Sreeram,

    Extended ECM has no concept of deny access available out-of-box. As you've observed, supplemental markings can be used, but would require you to manage these at the individual workspace (and/or sub-content level) as well as users. As you point out, that can get cumbersome depending on your security and workspace model.

    There are however some add-ons available that may assist you.

    Fastman (full disclosure, I am the product manager @ Fastman) provide two extensions that may be of interest to you. Firstly, Permissions Manager - which provides a comprehensive dashboard and administrative interface for managing permissions, role/group allocation. This also includes search facilities, so you can find all workspaces that a specific user has access to (via their group/role membership).

    The second extension is Access Manager. This provides means to deny functions based upon rule driven configuration. For example, I can configure a rule that denies the ability to open a specific workspace, or descendants of it. (I use open as an example, but any function registered in OpenText xECM can be blocked). I can also configure rules based on a standard classification - e.g. apply a classification to specific content I want to block.

    These rules then are associated to a group of users, such that only users belonging to the configured group (for the rule) are blocked. Multiple rules can be configured.

    Whilst this does not hide the content (as security clearances/supplemental markings would), it does allow you to block content, without having to modify permissions - e.g. it does not matter if the user is a member of a role/ACL on the content, these rules apply regardless. This has the advantage that if "blocking" needs to be removed at a later date, you don't have to reinstate/modify permissions on the original content.

    If you'd like further information and/or demonstration, please let me know the best way to contact you and I'll have one of our team reach out.

    Kind regards,

    David Henshaw

    VP Products/CTO

    Fastman Pty Ltd.
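
Added example, not part of the thread and not OpenText or Fastman code: a simplified Python model of the three approaches discussed above (grant-only role ACL, supplemental markings, and a deny rule bound to a group). The class names, the marking `COI-21`, the group `deny-BW-000021` and the user names are constructed; the semantics follow only what the posts describe.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    markings: set = field(default_factory=set)   # supplemental markings held
    groups: set = field(default_factory=set)     # groups that deny rules target

@dataclass
class Workspace:
    name: str
    owner: str
    role_acl: set = field(default_factory=set)   # roles granted access
    markings: set = field(default_factory=set)   # supplemental markings on the folder

def acl_allows(user, ws):
    # Grant-only ACL: owner or any granted role is enough; no deny entry exists.
    return user.name == ws.owner or bool(user.roles & ws.role_acl)

def marking_allows(user, ws):
    # Per the question: user must hold the folder's markings; the owner is never blocked.
    return user.name == ws.owner or ws.markings <= user.markings

def can_open(user, ws, deny_rules=()):
    # deny_rules: (group, workspace) pairs evaluated before permissions, as an overlay.
    # Assumption: the rule applies to every member of the group, owner included.
    if any(g in user.groups and w == ws.name for g, w in deny_rules):
        return False
    return acl_allows(user, ws) and marking_allows(user, ws)

def demo():
    ws = Workspace("BW-000021", owner="creator", role_acl={"Manager"})
    user1, user2 = User("user1", {"Manager"}), User("user2", {"Manager"})
    newcomer, owner = User("user3", {"Manager"}), User("creator")
    out = {"acl_user1": can_open(user1, ws)}          # role grant wins
    # Markings: mark the folder and every manager except user1.
    ws.markings, user2.markings = {"COI-21"}, {"COI-21"}
    out["mark_user1"] = can_open(user1, ws)
    out["mark_user2"] = can_open(user2, ws)
    out["mark_newcomer"] = can_open(newcomer, ws)     # locked out until marked
    out["mark_owner"] = can_open(owner, ws)           # owner cannot be blocked
    # Deny overlay: no markings, one rule bound to a group holding only user1.
    ws.markings, user1.groups = set(), {"deny-BW-000021"}
    rules = [("deny-BW-000021", "BW-000021")]
    out["deny_user1"] = can_open(user1, ws, rules)
    out["deny_newcomer"] = can_open(newcomer, ws, rules)
    return out

if __name__ == "__main__":
    print(demo())
```

The markings case shows the maintenance cost raised in the question: every new Manager must be marked before they can open the workspace, while the deny rule leaves the role grant untouched.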