Sep 02, 2019 Fastman

Does Permissions Explorer really do everything I need?

As you may already be aware, OpenText recently included some new permissions tools into their Content Suite and Extended ECM platforms. Going under the name of “Permissions Explorer“ it provides a familiar looking permissions dashboard. But as I’ve highlighted before, this is nothing to do with Permissions Manager from Fastman.

Over the last couple of months, I’ve heard many people asking about how Permissions Explorer compares with and whether it replaces Fastman Permissions Manager. Let’s be very clear – the answer is a definite no.

In this post I want to take a closer look at why Permissions Manager remains the only permissions tool suitable for organizations that are serious about the security of their Content Suite information.

What is Permissions Explorer?

In several conversations of late I have heard that OpenText is advising customers that Permissions Explorer is the only tool that they need for managing their information security. As those that have tried to use it in anger will attest to, Permissions Explorer is a very feature-light permissions viewer and editor; useful for generic and uniform permissions review and changes but of little use for the real world situations so many of our customers experience.

In the real world that system administrators and business users operate within, Content Suite permissions are a complex area of the system. By design they are extremely rich and flexible and it is this complexity that leads us to needing the more complete solution that Permissions Manager is – and has provided for over 10 years.

Why do I need Permissions Manager?

Think of Permissions Explorer as Permissions Manager Light. It’s a free tool for doing simple bulk changes, where as Permissions Manager is about managing and ensuring the security of your enterprise information.

Permissions Manager is designed to allow Content Suite users to deliver good information management practices, such as ISO 27000, within their organization. These practices following three distinct processes:

  • confidentiality
    ensuring that only the right people have access to information
  • integrity
    ensuring that no unauthorized changes can be made to information
  • accessibility
    ensuing that information is readily available to those that need it

Good practice demands that you implement tools and processes to ensure the above “reviewing” capabilities are in place. But it also requires that you have tools and processes to ensure that if any discrepancies are detected you are able to fix, or “repair”, them in a structured and controlled manner. Permissions Manager is the only solution for Content Suite or xECM that delivers this.

Why would I use Permissions Manager instead of Permissions Explorer?

So, that’s the theory, but the question remains, why would you want to use Permissions Manager and not just use the out-of-the-box tools that OpenText provides?

Surely, Permissions Explorer should be able to do everything you need to implement best practices and stay secure.

Ah, no it doesn’t…

How do I know What access rights a user/group actually has?

As your Content Suite repository grows, so does the number of users and groups that are used within its permissions model. These quickly become complex, and in the real world managing group memberships is not easy. So what happens when you suddenly find that a user is able to see content that they shouldn’t? How do you know which group is giving them access, and who else may also be able to see content they shouldn’t?

Option 1 is to user Permissions Explorer to find out what users and groups have been given access to a specific object. And then to trawl back through all the individual groups to find out whether the user you wish to check is part of one of those groups.

Option 2, is to use Permissions Manager. Through its permissions filter and effective permissions view, Permissions Manager shows the permissions that are really being applied to any and every user. Just browse to the folder or item that you want to check, select the user from the user-picker and check the effective permissionsoption.

The folder list will update to show the actual access rights that your chosen user has on the selected item and its sub-contents. No need to worry any longer about object rights and group memberships.

Does a user have access to certain content? If so, how are they being granted access?

In a related example, I am often asked by information managers or system administrators how they can verify whether a certain user/group has access to specific content. If so, what access do they have and how are they getting those permissions?

As an example, the board wants to assure that all their members have access to minutes of the meetings, but no-one else in the company is able to see them. Permissions Manager enables this to be quickly verified and, if issues are found, quickly rectified.

Fastman Permissions Manager’s virtual permissionsmode allows full comparison between existing permissions and a template permissions model. The system administrator can define a template set of permissions and quickly highlight items that vary from the required permissions model – effectively demonstrating situations where a higher level of permission has been granted.

Similarly, how do you fix the problem when a member of your team comes up and says that they have access to an item, but their colleague is the same department doesn’t. Why would that be?

Often this is a result of the two users being members of different groups; using the Permissions Manager compare groupsfunction these differences can be quickly found and rectified. Many customers use this function as part of their user on-boarding and off-boarding processes.

How can I find items that have specific permissions?

Here’s one that has likely come up before and you’ve wondered how on earth you can achieve this without a substantial amount of manual work. The Human Resources department has said that nothing in there area should have Public Access enabled so they they can ensure that personal information does not leak.

The question is, without opening each and every item, how do you check that?

Using Permissions Manager’s permission search capability you can quickly check everything to ensure that nothing has public access set. A click on the permissions search icon opens a familiar looking advanced search interface. From here you can select the required search options; for example all documents that have Public Access enabled. Permissions Manager quickly checks to see if any items meet the search criteria provided and returns a set of results, including the location of each matched item.

All being well, in this example the result set is empty. But in the case that it isn’t, you can quickly update the erroneous items directly from the search result set.

How do I safely and intelligently bulk update permissions across the system

So what happens in the event that you do find problems with any permissions or access rights within your repository? Yes, you could go into each item individually and fix the issues if there only a few issues. But what if you find issues scattered broadly around your system? It’s highly unlikely that you will want to just bulk update a whole folder hierarchy.

If you want to change multiple items across the system, Permissions Manager provides the ability to modify permissions on collections of content, search result sets, and folders. For example, say that you have a standard folder structure for each project that your company works on. An organizational change means that the “Customs Documentation” folder within each area needs to have its permissions updated to allow a new department to access it.

By performing a search for “Customs Documentation” within the projects area you can quickly locate each folder, and then send the result set to Permissions Manager to adjust the access rights on each folder and it’s immediate children. Similarly, individual items can be added into Collections within Content Suite and there permissions can be quickly and accurately updated in one action.

How can I undo an incorrect permissions change?

Another very common scenario that I am frequently asked to help resolve is where permissions have accidentally been changed. Devolving permissions management to trusted end-users is often a best practice, but when a user selects to update the permissions on a folder and its children without realizing that a couple of levels down there were some very explicit access rights set, how do you fix thing back up?

With the out-of-the-box tools, there is no “undo” button to hit. However, using Permissions Manager rolling-back erroneous changes is just that simple. Reverting permissions to a previous state is just a question of selecting the the problematic object, then clicking the “rollback permissions” button. You will be presented with a history of changes, and can select how far back you want to go. You can also select to apply the rollback to just the current item, or to children.

What’s best of all though. Even if you didn’t have Permissions Manager installed when the problem occurred, you can install the module afterwards and then use it to restore. No longer do you need to panic. Just give us a call…

Permissions Manager is the only way to guarantee your information is secure

On the surface, Permissions Explorer imitates the user experience of Permissions Manager with its dashboard style interface. But as the examples above have shown, in reality its functionality remains limited to basic permissions viewing, a slightly more visual approach to bulk updates, and simple parent/child comparative checks.

If you or your organization care about the security of your information, Permissions Manager remains the only viable information security solution. If you’re being told otherwise, or just want to learn more about information security best practices and how Permissions Manager supports them, then get in touch with us today.

Published by Fastman September 2, 2019