One of the most important factors for any information management executive (or any executive for that matter) to consider is access control: who is authorized to access, edit and/or approve specific documents? These decisions impact content throughout its entire lifecycle – meaning that permissions can evolve and change over time, adding to the complexity.
While policies related to access permissions can vary depending upon your business, IT leaders today have found a measure of relief surrounding this challenging process with metadata, which can be leveraged to create a smarter, more successful permissions strategy for ECM and other enterprise systems. Metadata has moved to the forefront of permissions control as it has become increasingly clear that traditional approaches to managing access to content are often too restrictive and inflexible. In fact, today’s most advanced ECM systems offer new ways to derive access control settings from metadata, making the process of setting permissions for documents and other information both dynamic and automatic. Metadata-driven permissions and the associated audit trail and event log also help organizations prove that they actually follow the access control policies they have defined.
Information in traditional folder-based ECM systems typically inherits access permissions from the folder in which it resides within the ECM system’s folder hierarchy. An additional approach supported by traditional ECM systems is the Access Control List (ACL): a list of access permissions that is assigned to a specific folder and then inherited by all the documents stored in that folder. These folder-based approaches are inherently inflexible and restrictive because they rely on information residing in a single location, or folder. That presents a dilemma: information can only reside in one location unless it is duplicated, and duplication creates new challenges associated with ensuring that all duplicates remain synchronized and up to date. This intractable problem simply can’t be effectively solved with folder-based approaches. It’s challenging enough when one is just classifying content, but the fundamental weakness of folder-based ECM systems becomes glaringly apparent with regard to access permissions.
In a metadata-driven ECM platform, access to content can be controlled by a combination of object-specific permissions and ACLs that are automatically determined by its metadata. The idea is that instead of inheriting access control settings from a containing folder, a document should have its final access permissions derived from its metadata, so a single document could be accessible to members of a project team, a certain group of managers, all of management and accounting, only to employees with a certain security clearance, or any combination of these. Further, permissions could automatically change based on the state the document is in within a particular workflow, whether it is in draft form and being reviewed, or approved and ready to be published. And simply assigning or changing the document’s metadata could automatically adjust permissions as appropriate.
For example, an employment agreement document may have its permissions derived from several pieces of metadata: the specified document class (“employment agreement,” in this case) may restrict access to the document to the HR department by default. Further, the employee field in the document’s metadata may expand access to the document by offering the employee in question the ability to view, but not edit, the document. And more, the supervisor of the employee may automatically be granted appropriate access to the same document, based on the metadata of the employee object. All of this is fully dynamic in a truly metadata-driven ECM solution, meaning that changes to metadata can be instantly and automatically reflected in document permissions.
In a similar manner, you can control the project documentation through one single project data object. You can specify the members of a project with metadata properties and force the ECM to inherit permissions of the documents related to a project from the project object itself. In this way, you can dynamically change the permissions of all objects related to the project by adding or removing project members in the project object. You can also implement role-based permissions in such a way that project managers have full access to all project content, and project engineers see just those document types that are relevant to their work.
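The derivation described in the two examples above (the employment agreement and the project object), sketched as an added example that is not M-Files code or its API. The class names, the `CLASS_DEFAULTS` policy table, the user names and the view-only right given to the employee and supervisor are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

VIEW, EDIT = "view", "edit"

@dataclass
class Employee:
    name: str
    supervisor: Optional[str] = None

@dataclass
class Project:
    managers: set = field(default_factory=set)
    engineers: set = field(default_factory=set)
    engineer_doc_types: set = field(default_factory=set)

@dataclass
class Document:
    doc_class: str
    employee: Optional[Employee] = None   # "employee" metadata field
    project: Optional[Project] = None     # related project object

# Assumed policy table: document class -> department -> default rights.
CLASS_DEFAULTS = {"employment agreement": {"HR": {VIEW, EDIT}}}

def effective_permissions(doc, user, departments):
    """Derive the user's rights from the document's current metadata (default deny)."""
    perms = set()
    for dept, rights in CLASS_DEFAULTS.get(doc.doc_class, {}).items():
        if user in departments.get(dept, set()):
            perms |= rights
    if doc.employee and user in (doc.employee.name, doc.employee.supervisor):
        perms.add(VIEW)  # assumption: employee and supervisor get view-only
    if doc.project:
        if user in doc.project.managers:
            perms |= {VIEW, EDIT}  # project managers: full access
        elif (user in doc.project.engineers
              and doc.doc_class in doc.project.engineer_doc_types):
            perms.add(VIEW)  # engineers: only the document types relevant to them
    return perms

# Constructed sample data (not taken from any real system).
DEPARTMENTS = {"HR": {"hana"}}
alice = Employee("alice", supervisor="bob")
agreement = Document("employment agreement", employee=alice)
project = Project(managers={"pm"}, engineers={"eng"}, engineer_doc_types={"drawing"})
drawing = Document("drawing", project=project)
budget = Document("budget", project=project)
```

Because nothing is stored on the document itself, changing `alice.supervisor` or removing a name from `project.engineers` changes the result of the next `effective_permissions` call, which is the revocation behaviour worth verifying in any real deployment.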
Next time we look at how M-Files handles Metadata-Driven Navigation and “Dynamic Views”.
Laminin Solutions is all about optimising information management and connecting different solutions within a business. By consolidating information and document flow with powerful, easy-to-use and configurable software tools, Laminin Solutions sets the information in the business free from the boundaries of individual systems. Our focus is to improve the productivity of your business whilst reducing the cost to produce and use information.