1. Home
  2. OpenKM 8.1
  3. Setup
  4. Security configuration
  1.  

OpenKM 8.1
Hardware and software requirements
Installation
Setup
Antivirus configuration
Cleaning older activity log data
Configuring Apache HTTP Reverse-Proxy
Configuring Apache HTTPS Reverse-Proxy
Configuring Nginx HTTP Reverse-Proxy
Configuring Apache HTTP to rewrite old OpenKM URL
Configuring Lucene Analyzer
Configuring CADViewer
Configuring OCR engine
Configuring OpenSSL
Configuring mail
Configuring Tomcat memory utilization
Configuring Tomcat port
Configuring Tomcat session timeout
Configuring Tomcat timezone
Configuring openkm.xml
Configuring jBPM
Configuring ONLYOFFICE
Configuring Collabora Online
Configuring safe trash purge
Configuring search highlighter
Configuring Tomcat to work behind an Internet proxy
Configuring VidSigner
Change repository home
Change default role names
Enable extensions
LDAP configuration
Log configuration
LibreOffice configuration
Security configuration
Configuring Two Factor Authentication
Configuring document expiration
Configuring CIFS
Cache configuration
Configuring email digital signature
Configuring anonymous user
Prometheus configuration
Troubleshooting
Administration guide
User guide
Update guide
Development

Security configuration

OpenKM can work with several security managers. Depending on the selected value, the manner in which the result is evaluated differs. This application has separate managers, one for the search engine and another for the rest of the application.

Search engine managers:

  • lucene
  • am_more, am_window, or am_limited

The fastest one is lucene, because it is the Lucene search engine which restricts the search results based on the node security. The others are am_more, am_window, and am_limited, which make use of the AccessManager - security.access.manager value - to restrict the search results. These will reduce OpenKM performance (at least in search) but will match customer requirements. The performance can be improved by customizing the com.openkm.cache.parentNodePermissions cache.  

Rest of application manager:

Access manager works with a plugin architecture.

 

TypeNameDescription
Default com.openkm.plugin.access.DbSimpleAccessManager

Default OpenKM security manager. Analyzes only the current node, not the entire hierarchy.

Recursive

com.openkm.plugin.access.DbRecursiveAccessManager

Analyzes the entire hierarchy.

Analyzing the entire hierarchy will take more time and may cause performance issues.

Read recursive

 com.openkm.plugin.access.DbReadRecursiveAccessManager

Analyzes the entire hierarchy (only for read access).

Analyzing the entire hierarchy will take more time and may cause performance issues.

Default file plan

 com.openkm.plugin.access.DbFilePlanAccessManagerWrapper

Analyzes based on document type and file plan restrictions.

Should only be enabled when the file plan is enabled.

The Default option only evaluates the selected node. With recursive, the security is evaluated starting with the selected node up to the repository root (so, evaluating from bottom to top). The "Read recursive" is used to prevent showing documents in search results when any folder in the path doesn't have read access for the user who ran the query. It should be used in combination with am_more.

The application is configured by default with:

Field / PropertyTypeDescription

security.access.manager

 String

com.openkm.plugin.access.DbSimpleAccessManager

security.search.evaluation

 String

lucene

Differences between simple and recursive

  • okm:root
    • level-1a
      • level-2a
        • level-3a
          • alpha.doc
          • beta.doc
          • gamma.doc
        • level-3b
    • level-1b
    • level-1c

When using simple, if you revoke permission from the level-2a folder and the user tries to view the level-3a folder, OpenKM will still show the documents to that user. When the user performs a search, OpenKM will return these documents as search results. However, the user can't access the documents because when OpenKM tries to access a document, it will open every path location and will fail to open level-2a because the user has no rights. But these documents can be accessed using the API. You need to revoke permissions recursively to prevent the user from seeing these documents, so they won't be shown in the search results.

When using recursive, if you revoke permission from the level-2a folder and the user tries to view the level-3a folder, OpenKM will report an error because Access Manager also evaluates the permission of the level-2a ancestor node. When the user performs a search, OpenKM won't show these documents in the search results. Keep in mind that this Access Manager implementation is slower because it needs to evaluate more nodes: the deeper the node, the more parent nodes need to be evaluated.

Extending security

You can use extended security to download files, start workflows, add, remove, or modify property groups (metadata), or compact history. To enable extended security evaluation, you must change the value of the security.extended.mask parameter.

After the value is changed, refresh the browser to take effect in the user's view.

Values:

  • DOWNLOAD = 1024;
  • START_WORKFLOW = 2048;
  • COMPACT_HISTORY = 4096;
  • PROPERTY_GROUP = 8192;

For example, to enable download and property groups, you should use the mask 9216 (1024 + 8192).

Field / PropertyTypeDescription
security.extended.mask Integer

9216

Configuration for security changes which take a long time

By default, when you change the security of a node in standard view, every time you click to grant or revoke a permission the action is performed by OpenKM. This means that if you want to change the security of 10 users, 10 commands are sent to the server. This becomes a problem when every change affects several hundred (or even thousands) of nodes. There's an alternative security configuration parameter named security.mode.multiple that enables multiple changes at a time, making it much faster.

Field / PropertyTypeDescription

security.mode.multiple

 Boolean

true

Some security changes can take a long time to complete because they affect a lot of nodes. It's good practice to run them as background tasks. To support this, there's a configuration parameter named security.live.change.node.limit used to set the limit of nodes that can be changed in "live" or "realtime" mode. By default, this value is set to 100, which means that any change that affects more than 100 nodes will automatically be done as a background task.

Field / PropertyTypeDescription

security.live.change.node.limit

 Integer

100

To check the progress of these pending tasks, go to Administration > Statistics > Pending task queue.

© OpenKM kcenter v.1.0.0 (build: d51a7b0). All Rights Reserved. Documentation license