IBM Enterprise Records, Version 5.1.+              

IBM Enterprise Records security roles

IBM® Enterprise Records supports only the security roles that come with the product by default; no additional security roles can be added. Each role defines the functional access rights for the user.

The access rights granted to users in these roles vary slightly based on the data model. You assign groups (and possibly users) to security roles as part of configuring each FPOS in your environment. For more information about setting security roles, see the related links.

To plan for security:
  • Carefully identify the groups that should be assigned to each role before you install IBM Enterprise Records. When you set security roles, the security of all of the classes that are related to IBM Enterprise Records in the FPOS is updated. After you set the security roles, you can later update the security classes by reconfiguring the security roles. However, reconfiguration does not update the security for record objects that were already created. Making sure that the updated users have the proper access to previously created record objects is difficult because of interdependencies. This needs to be completed using IBM FileNet® Enterprise Manager.
  • When you assign the roles in IBM Enterprise Records, ensure that user roles are not duplicated when you select groups and users for each role. If a user is assigned more than one role, unexpected behavior occurs when the permissions of one role conflict with the permissions of another. For example, do not assign #AUTHENTICATED-USER to the Records User role because it negates the permissions that are needed by users assigned as Records Managers, Records Reviewers, and Records Administrators. Those users would not be able to access, create, delete, or change records.
  • Keep track of the users and groups that you assign to each role as described in the following table. You need this information when you make changes in the security role mappings in the future. A security role planning table enables you to manage your role assignments.
Table 1. Security roles

Security role | Applicable data models | Required? | Functional access rights

Classification Guide Administrators | DoD Classified | No | Functional access rights for Classification Guide Administrators:
  • Control update access to the Classification Guides
  • Add Classification Guides to classified object stores

Records Administrator | All | Yes | Functional access rights for Records Administrators:
  • Set up IBM Enterprise Records (includes installing and configuring IBM Enterprise Records components)
  • Set up security
  • Create users and groups
  • Assign permissions to users and groups
  • Define and modify security markings
  • Configure auditing
  • Delete file plans, categories, and records
  • Import and export records
  • Back up and restore file plans and records

In addition to the functional access rights described for Classification Guide Administrators, the Records Administrator role has the same functional access rights as the Records Manager role, except for folder deletion.

Records Manager | All | Yes | Functional access rights for Records Manager:
  • Create and modify file plans and levels of hierarchy such as record categories, folders, and volumes that are used to classify records.
  • Create other associated objects such as naming patterns, record types, actions, phases, and holds.
  • Define and maintain disposition schedules to control the retention and destruction of entities.
  • Allocate disposal schedules to record categories, record folders, and record types.
  • Perform records management activities such as relocating records, setting vital records, and activating records.
  • Delete file plans, categories, folders, and records.
  • Initiate, approve, and reject the disposition actions for entities.
  • Run reports.

Records Reviewer | PRO | Yes | Functional access rights for Records Reviewer:
  • Review entities due for disposition.
  • Search and display records, folders, and categories.
  • Declare records.
  • Perform basic record-related operations such as file, move, and copy records.

Records Privileged User | Base, DoD, and DoD Classified | Yes | Functional access rights for Records Privileged User:
  • Review entities due for disposition.
  • Search and display records, folders, and categories.
  • Declare records.
  • Perform basic record-related operations such as file, move, and copy records.

Records Users | All | Yes | Functional access rights for Records Users:
  • Search and display records, folders, and categories.
  • Declare records.
  • Perform basic record-related operations such as file, move, and copy records.
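
One way to check a security role planning table for the duplicated role assignments described above, including nested groups and #AUTHENTICATED-USER. This is an added example, not IBM code: it assumes the role assignments and group memberships have been exported into plain dictionaries, and the group names, user names, and function names are constructed for illustration.

```python
AUTHENTICATED = "#AUTHENTICATED-USER"  # special principal named on the page

def expand(principal, groups, all_users, seen=None):
    """Resolve a principal to the set of users it covers (nested groups allowed)."""
    seen = set() if seen is None else seen
    if principal == AUTHENTICATED:
        return set(all_users)           # covers every known user
    if principal not in groups:
        return {principal}              # a directly assigned user
    if principal in seen:               # cyclic group nesting: stop here
        return set()
    seen.add(principal)
    users = set()
    for member in groups[principal]:
        users |= expand(member, groups, all_users, seen)
    return users

def find_role_conflicts(role_map, groups):
    """Return {user: {role: [principals granting it]}} for users holding >1 role."""
    named = ({p for ps in role_map.values() for p in ps}
             | {m for ms in groups.values() for m in ms})
    all_users = {p for p in named if p not in groups and p != AUTHENTICATED}
    effective = {}
    for role, principals in role_map.items():
        for principal in principals:
            for user in expand(principal, groups, all_users):
                effective.setdefault(user, {}).setdefault(role, []).append(principal)
    return {user: roles for user, roles in effective.items() if len(roles) > 1}

# Constructed sample planning data (hypothetical directory groups and users).
GROUPS = {
    "rm-admins": ["dave"],
    "rm-managers": ["alice", "bob"],
    "rm-reviewers": ["carol", "rm-temp"],
    "rm-temp": ["bob"],                 # nested group: bob is also a reviewer
}
ROLE_MAP = {
    "Records Administrator": ["rm-admins"],
    "Records Manager": ["rm-managers"],
    "Records Reviewer": ["rm-reviewers"],
    "Records User": ["erin"],
}

if __name__ == "__main__":
    for user, roles in sorted(find_role_conflicts(ROLE_MAP, GROUPS).items()):
        print(f"{user}: {roles}")
```

Run the check against the planning table before you set or reconfigure the security roles, and resolve every reported user so that each one maps to a single role.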


Last updated: August 2011


© Copyright IBM Corporation 2011.