Setting up users and groups

The software has multiple ways of ensuring user authentication and authorization of resources:

  • Authentication identifies a user based on username and password.

  • Authorization uses the authentication information to grant the appropriate level of access control to the content and other tools.

  • Multi-factor authentication with Duo.

Granular role-based security allows the System Administrator to quickly control the exact level of access a group of users has to FileHold. For example, a group of users may be restricted to 'Read Only' access for one type of file yet have full access to another document type. Security can be configured at multiple levels, so documents can be stored in the same folder yet carry different access permissions.

There are two types of user accounts: Locally Managed Users and Active Directory Synchronized Users. Both types of accounts can co-exist on the same FH Server.

  • A Locally Managed User is an account that does not authenticate or synchronize against Active Directory systems. This allows System Administrators to set up and manage users without involving complex IT deployment scenarios, which suits a non-technical System Administrator in a smaller organizational environment. Administrators can create user accounts in mere minutes or activate user self-registration. Self-registration allows users to register themselves in FileHold for an initial period of time. These users can enter their full name, user name, and other contact details (which are optional). Unlike regularly registered users, self-registered users are placed into a temporary area where they are assigned to a group that has no permissions or rights. The administrator then re-assigns these users to a group that provides them with the access they need.

    NOTE: If you are self-registering a group of people who have identical permissions and content access requirements internally, then this temporary security precaution can be skipped entirely.

  • Active Directory Synchronized Users are called FileHold Domain Users. Groups synchronized with Active Directory are called FileHold Domain Groups. These users and groups behave the same way as locally managed users when interacting with FileHold. The difference is that the properties (contact information, passwords, etc.) associated with domain users and groups are managed externally in Active Directory and not through the user properties of the document management system. When importing Active Directory groups into FileHold, you have the option to bring in just the group name or all the users within the group. The benefits of using Active Directory are single sign-on, synchronization of FileHold with the domain, and the use of Active Directory groups with FileHold Groups. See the following diagram for a high-level overview of the process.

Active Directory overview diagram


Managing user and group access in FileHold

Users are placed within FileHold Groups. Groups are created by System Administrators and given a specific name and a role, which sets their permissions to system functionality. Roles give users specific functionality throughout the system; however, groups can have their roles restricted at the cabinet, folder, or schema level.
Groups and users are given access through membership in FileHold cabinets, folders, and schemas. These permissions provide control down to the document level. The degree of access users have to content is determined by their role.

The following flowchart depicts how users and groups are set up in the system.

Creating users and groups workflow