
WebDocs iSeries Edition Security

From Support


There are several ways to control security with WebDocs - iSeries Edition. Most of the settings are controlled at the user or user group level.


Security Overview

WebDocs - iSeries Edition security is controlled at two levels.

1.) Users are given access to specific document folders in the system with a selected level of permission for each folder. Users will only be able to see or access documents from folders for which they have been assigned security access.

2.) For a more granular security scenario, a user can be given access to specific folders as in the previous step, and specific filter criteria can also be set for that user to limit them to seeing only a selected subset of the documents within the folders they have access to.

  • Ex 1: You may want customers to log into the system and see only documents where the customer number matches their customer number.
  • Ex 2: A corporation has multiple store locations and each store should only be able to see their own reports or documents.

See "Custom User Filter Criteria" section below to learn more about filtering based on specific criteria.

The custom user selection criteria can contain up to 2000 characters of SQL WHERE criteria to limit document access for a user.

User Authentication

Users can be authenticated by one of the following methods:

1.) They can be authenticated using only the WebDocs - iSeries Edition User ID and Password. This scenario is good for users who do not need access to any other iSeries functionality. Customers or Vendors accessing documents would be a good example of this.

2.) If a valid iSeries user ID is added to the WebDocs - iSeries Edition User ID table with a password of *AS400 or *as400, iSeries security is used to validate the user's password. If their iSeries password expires, so does their access to WebDocs - iSeries Edition.

3.) If a valid Windows user ID is added to the WebDocs - iSeries Edition User ID table with a password of *LDAP or *ldap, and a valid LDAP server has been set up, user authentication can be done via the LDAP server.

Using LDAP is a convenient way to perform authentication via a Windows Active Directory server, a Lotus Domino LDAP server, or any other available LDAP server. Before using LDAP authentication, an LDAP host name or IP address must be set up via the DOCLDAP command. (WebDocs - iSeries Edition V1.55 and above required.)

Before authenticating to a Windows Active Directory domain, the DOCDOMAIN command must be used to set the Windows domain after the DOCLDAP command has been used to point to a valid Windows Active Directory server. (WebDocs - iSeries Edition V1.55 and above required.) (The domain IS case sensitive; you will need single quotes around the domain if it contains lower case characters.)

After setting up a valid Windows domain, the following DOCLDAPCHK command can be used to test the Windows Active Directory setup.

  • Ex: This example validates an LDAP user named TEST and will respond to the command line with no error if the user ID and password are valid. If not valid, an error message will be displayed:
DOCLDAPCHK LDAPHOST('servername') LDAPUSER('user') LDAPPASS('password') LDAPDOMAIN('DOMAINNAME')  

Note: LDAP user IDs and passwords are usually case sensitive.

New User Setup

A new user ID is created by creating a new user entry on the "Edit User ID's" screen, option 10 from the RJSIMAGE menu.

User ID

Enter the user ID info. User IDs can be a mixture of upper and lower case characters.

When entering the user info to log in via a web browser screen, the case must match how the user info was entered.

Password

Enter the user password info. Passwords can be a mixture of upper and lower case characters.

When entering the user info to log in via a web browser screen, the case must match how the user info was entered.

Password special values:

  • *AS400 or *as400 - If this value is entered for the password, the User ID must be entered in upper case and must match an existing iSeries user profile name. When the user logs in, the password will be validated against the user's iSeries password. If the user's iSeries password is changed, WebDocs - iSeries Edition will use the new password right away.
  • *LDAP or *ldap - If *LDAP is entered, the user profile and password can be validated against a Microsoft Active Directory domain, a Domino LDAP server, or any other LDAP directory. Many companies are implementing Microsoft Active Directory or LDAP servers for network user tracking, and WebDocs - iSeries Edition can utilize these types of directory servers.

Enabled

N=User is not enabled for browser access. Y=User is enabled for browser access.

Description

Enter a text description for the user.

Email address

Enter a valid email address for the user. This setting will be used as the from address when documents are emailed from the web browser client.

User is Administrator

Y=User is an administrator. N=User is not an administrator.

Note: This setting currently determines only whether the user can access the audit log information. This setting's usage will be expanded as we add a web based administration client.

User can upload

Y=User can upload documents via the web browser. N=User cannot upload documents via the web browser. The document upload option will not show in the web browser.

AS/400 User ID

This setting can be used to associate a WebDocs - iSeries Edition user ID with an existing iSeries user profile if the main user ID does not match an existing iSeries user profile. This setting should only be used if it's absolutely necessary to have the WebDocs - iSeries Edition user profile and the iSeries user ID for the user be different.

Group Security Profile

Enter a valid Group ID which will be used as the user's Primary Group.

  • NOTE: With WebDocs 3.x and above, it is recommended that the groups be set from the Group option in the menu and not here.

Printer Path

If using the RJS Document Imaging viewer and the iSeries Office Integrator products to automate document printing, the printer path can hold a default setting for a user's default network or PC printer.

Miscellaneous 1 - 3

These fields can be used to hold miscellaneous information about a user ID that is not related to the imaging system.

Custom User Filter Criteria

This 2000 character field can be used to hold custom SQL criteria to further define or limit the documents a user can gain access to.

The first level of document access is always given by adding the user to a "Group Security Profile" or by giving them access to specific individual folders by creating entries in the "Edit Folder User Access" table.

To further limit a user's document access, an SQL WHERE clause can be entered in the Custom User Filter Criteria. The WHERE keyword itself is always implied, so it does not need to be entered.

Any of the key fields in the DOCS00 table can be used in the SQL WHERE criteria. Some of the main fields are listed below.

Standard Document Search Fields

DOCID - Document ID

TITLE - Document Title

DOCTYPE - Document File Type - (TIF, PDF, DOC, etc.)

DOCTYPE2 - Document Type - (A/R, A/P, Orders, etc.)

CHKDATE - Document creation date.

FOLDER1 - FOLDER3 - Folder levels 1-3.

KEYWORD1 - KEYWORD10 - Search keywords 1 - 10.

iSeries Report Search Fields

DCSPOOL - Spool file name.

DCDATE - Spool file date.

DCUSRDTA - Spool user data.

DCUSRDFN - User defined data.

DCUSERID - Spool user ID.

DCFORM - Spool file form type.

DCJOB - Spool file job name.

DCOUTQ - Search output queue.

DCOLIB - Search user defined data.

  • Simple example that limits a customer's view to their own orders and invoices, based on their customer number (123456) in KEYWORD1 only:

(KEYWORD1 = '123456')

  • Example that limits a customer's view to their own orders and invoices, based on their customer number (123456) in field KEYWORD1 and document type = ORDERS and INVOICES (the two document types are joined with OR, since a single document has only one DOCTYPE2 value and an AND between them would match nothing):

((KEYWORD1 = '123456'  and DOCTYPE2 = 'ORDERS') or (KEYWORD1 = '123456'  and DOCTYPE2 = 'INVOICES'))

  • Example that limits a customer's view to their own orders and invoices, based on their customer number (123456) in field KEYWORD1 and document type = ORDERS and INVOICES and folder name = CUSTOMERS:

((KEYWORD1 = '123456'  and DOCTYPE2 = 'ORDERS') or (KEYWORD1 = '123456'  and DOCTYPE2 = 'INVOICES')) and (FOLDER1='CUSTOMERS')
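
Because the Custom User Filter Criteria field is raw SQL, a filter is worth checking against sample data before it is assigned to a user: an "and" between two DOCTYPE2 equalities matches nothing (a row has one DOCTYPE2 value), a stray apostrophe in a customer number breaks the literal, and the field holds at most 2000 characters. The following is an added example, not part of the original page or the product; it stands in an in-memory sqlite table for DOCS00 with constructed rows and column names taken from the page (KEYWORD1, DOCTYPE2, FOLDER1, DOCID).

```python
import sqlite3

# Constructed sample rows standing in for the DOCS00 index (DOCID, FOLDER1, KEYWORD1, DOCTYPE2).
SAMPLE_DOCS = [
    ("D1", "CUSTOMERS", "123456", "ORDERS"),
    ("D2", "CUSTOMERS", "123456", "INVOICES"),
    ("D3", "CUSTOMERS", "123456", "STATEMENTS"),
    ("D4", "CUSTOMERS", "999999", "ORDERS"),
    ("D5", "VENDORS",   "123456", "ORDERS"),
]

MAX_FILTER_LEN = 2000  # size of the Custom User Filter Criteria field


def sql_literal(value):
    """Quote a value for the criteria; doubling single quotes keeps an
    apostrophe in admin-entered data from terminating the literal."""
    return "'" + str(value).replace("'", "''") + "'"


def customer_filter(customer_no, doc_types, folder=None):
    """Build the criteria (without the implied WHERE keyword) that limits a
    customer to its own documents of the given types, optionally in one folder."""
    types = " or ".join(f"DOCTYPE2 = {sql_literal(t)}" for t in doc_types)
    crit = f"(KEYWORD1 = {sql_literal(customer_no)} and ({types}))"
    if folder is not None:
        crit += f" and (FOLDER1 = {sql_literal(folder)})"
    if len(crit) > MAX_FILTER_LEN:
        raise ValueError(f"filter is {len(crit)} chars; field holds {MAX_FILTER_LEN}")
    return crit


def visible_docs(criteria):
    """Return the DOCIDs a user with this filter would see over SAMPLE_DOCS."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE DOCS00 (DOCID TEXT, FOLDER1 TEXT, KEYWORD1 TEXT, DOCTYPE2 TEXT)")
    con.executemany("INSERT INTO DOCS00 VALUES (?, ?, ?, ?)", SAMPLE_DOCS)
    # The product supplies the WHERE keyword; the field holds only the criteria.
    rows = con.execute(f"SELECT DOCID FROM DOCS00 WHERE {criteria} ORDER BY DOCID").fetchall()
    con.close()
    return [r[0] for r in rows]


# An "and" between two DOCTYPE2 equalities hides every document, which looks like
# tight security but is simply a filter that can never match.
AND_JOINED = ("(KEYWORD1 = '123456' and DOCTYPE2 = 'ORDERS') "
              "and (KEYWORD1 = '123456' and DOCTYPE2 = 'INVOICES')")

if __name__ == "__main__":
    print(visible_docs(AND_JOINED))
    print(visible_docs(customer_filter("123456", ["ORDERS", "INVOICES"], "CUSTOMERS")))
```

Run the script, or call visible_docs() with the criteria you intend to store, and compare the returned DOCIDs with the set that user is supposed to see.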

Folder Access Permissions

When a new user is added to the system, they have no access to documents by default. In order to have access to any documents, a user must be:

1.) Given explicit access to folders by creating folder access entries from the "Edit Folder User Access" option 12 on the RJSIMAGE menu. When a new user access entry is created for a user, the administrator can determine what level of document access they have by enabling one of the following options:

Allow checkout/changes - Enabling this setting allows a user to check out documents and make changes and then check in changes. Document keywords can also be updated by the user if they have this level of authority.

Allow checkin/create - Enabling this setting allows a user to add new documents to the system and create documents in the selected folder. Users with scan workstation access must have this setting enabled to be able to scan and store new documents in the system.

Allow email - Enabling this setting allows a user to email documents if their email address is set up in their user ID.

Allow delete - Enabling this setting allows a user to delete documents. When a document is deleted it is simply moved to the Deleted folder, similar to the Windows recycle bin. An administrator with access to the Deleted folder can then restore a deleted document to its original folder if it was inadvertently deleted. There is also a purge process command (DOCCLRDEL) that can be used to permanently delete the indexes and IFS files of deleted documents.

Note: Only administrators should be given delete permission.

Allow notes - Enabling this setting allows a user to create and view notes associated with a document.

Allow move - Enabling this setting allows a user to move a document to a different folder.

2.) The user can be added to a user group by specifying an existing user ID in the "Group Security Profile" field from the "Edit User ID's" option on the RJSIMAGE menu.

Note: In WebDocs 3.x and above, if a user is added to a user group, specific folder access entries for this user will override the permissions inherited from the Group Profile.
