After you configure the object store, you must set the IBM® Enterprise Records
security on the file plan object store (FPOS). This task assigns IBM Enterprise
Records security roles to users and groups and updates the default instance
security on the IBM Enterprise Records objects.
About this task
When you assign the roles in IBM Enterprise Records, ensure that user roles
are not duplicated when you select groups and users for each role.
If a user is assigned more than one role, unexpected behavior occurs
when the permissions of one role conflict with the permissions of
another. For example, do not assign #AUTHENTICATED-USER to
the Records User role because it negates the permissions that are
needed by users that are assigned as Records Managers, Records Reviewers,
and Records Administrators. Those users cannot access, create, delete,
or change records.
- In general, assign security settings to groups rather than individual
users; this practice makes your system inherently more maintainable.
- Assign security roles only for the FPOS, not for the ROS.
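
One way to check a planned role assignment for the overlap described above before you run the wizard, as an added example that is not IBM code: it expands each role's groups to users and reports anyone who would hold more than one role. The group names, user names and directory contents are constructed, and #AUTHENTICATED-USER is assumed to cover every known user.

```python
from collections import defaultdict

AUTHENTICATED = "#AUTHENTICATED-USER"  # assumed to match every known user

def expand(member, groups, all_users, seen=None):
    """Resolve a user or (possibly nested) group to a set of user names."""
    seen = set() if seen is None else seen
    if member == AUTHENTICATED:
        return set(all_users)
    if member not in groups:
        return {member}      # not a known group, so treat it as a user
    if member in seen:
        return set()         # cyclic or repeated nesting, already expanded
    seen.add(member)
    users = set()
    for child in groups[member]:
        users |= expand(child, groups, all_users, seen)
    return users

def find_overlaps(plan, groups):
    """Return {user: sorted role names} for users who would hold 2+ roles."""
    named = [m for ms in plan.values() for m in ms if m != AUTHENTICATED]
    all_users = set()
    for m in list(groups) + named:
        all_users |= expand(m, groups, set())
    roles_of = defaultdict(set)
    for role, members in plan.items():
        for m in members:
            for user in expand(m, groups, all_users):
                roles_of[user].add(role)
    return {u: sorted(r) for u, r in roles_of.items() if len(r) > 1}

# Constructed directory (group -> members) and planned assignment.
GROUPS = {
    "rm-admins": ["alice"],
    "rm-managers": ["bob", "carol"],
    "rm-reviewers": ["dave"],
    "all-staff": ["rm-managers", "erin"],
}
PLAN = {
    "Records Administrator": ["rm-admins"],
    "Records Manager": ["rm-managers"],
    "Records Reviewer": ["rm-reviewers", "carol"],
    "Records User": ["all-staff"],
}

if __name__ == "__main__":
    for user, roles in sorted(find_overlaps(PLAN, GROUPS).items()):
        print(f"{user}: {', '.join(roles)}")
```

In the constructed plan, the overlap comes from a nested group (all-staff contains rm-managers) and from a user added directly alongside a group, which are the two cases that are easy to miss when selecting members in the wizard.
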
Important: After a successful login, you are prompted to run
the Security Script wizard for the file plan object store you are
attempting to access. This prompt is only seen if the security step
is not already completed. If you rerun the Security Script wizard
after assigning security roles, the wizard:
- Removes the previously applied groups from some classes that are
installed as part of the data model. Some security settings are
appended to the existing security settings.
- Updates the default instance security settings. Any existing user
rights are replaced with the rights defined by the latest run of the
Security Script wizard.
Procedure
To assign the IBM Enterprise Records security roles:
1. Access the checklist that you filled out before starting
   this installation for the values you need.
2. Verify that you configured your object stores as described
   in the Configuration Manager sections.
3. Sign in to IBM Enterprise Records as a GCD Administrator and
   Object Store Administrator for the object store you are configuring.
   Tip: If you rerun the security script with insufficient rights to
   update certain previously updated folders, the security script fails
   and returns an insufficient security error.
4. Select the Configure tab and click Object Store Configuration.
5. Run the security script on your object store. From the list of
   object stores configured for IBM Enterprise Records, right-click
   the FPOS you want to set security on, and select Run Security Script.
   Tip: The Security Script Run Date displays the date the security
   script was last run on the object store. If no date is displayed,
   security is not set.
6. Select a role and click Add New Members. The Set Security window
   displays the names of the IBM Enterprise Records security roles
   applicable for the imported data model.
7. Use the Select Users/Groups window to select a user or
   a group to be assigned to the role and then click Accept.
8. Assign users and groups to all of the security roles by
   repeating Steps 6 and 7.
9. Verify that users assigned the Records Administrator role
   have object store administrative rights on the FPOS.
   These privileges allow such users to complete workflows on the FPOS.
   When creating new object stores, add the users and groups assigned
   the Records Administrator role to the object store administrators
   group.
10. When all security roles are set, click Finish. IBM Enterprise
   Records displays a wait screen while it applies the specified
   security. When security is set, click OK.
   Important: After clicking Finish, wait for the confirmation
   screen to display before proceeding.
11. Record the security roles assignment information.
   Important: When assigning the IBM Enterprise Records roles, verify
   that no users overlap when you select groups and users for each
   role. If a user belongs to more than one role, unexpected behavior
   occurs where the permissions of one role conflict with the
   permissions of another. This includes the case where
   #AUTHENTICATED-USER is assigned to the Records User role.
12. Modify security to allow users assigned the Records User
   role to create a version of a document version declared as a record
   by another user with the same role.
   Important: The Default Instance Security on the Record class is set
   to give the Records Manager User group rights to Minor/Major
   Versioning. This setting defines security on the record itself.
   Users who cannot browse to the document due to container (folder)
   security can still access the record through search or reports.