Security configuration
OpenKM can work with several security managers. Depending on the selected value, the manner in which the result is evaluated differs. This application has separate managers, one for the search engine and another for the rest of the application.
Search engine managers:
- lucene
- am_more, am_window, or am_limited
The fastest one is lucene, because it is the Lucene search engine which restricts the search results based on the node security. The others are am_more, am_window, and am_limited, which make use of the AccessManager - security.access.manager value - to restrict the search results. These will reduce OpenKM performance (at least in search) but will match customer requirements. The performance can be improved by customizing the com.openkm.cache.parentNodePermissions cache.
Rest of application manager:
Access manager works with a plugin architecture.
Type | Name | Description |
---|---|---|
Default | com.openkm.plugin.access.DbSimpleAccessManager |
Default OpenKM security manager. Analyzes only the current node, not the entire hierarchy. |
Recursive |
com.openkm.plugin.access.DbRecursiveAccessManager |
Analyzes the entire hierarchy. Analyzing the entire hierarchy will take more time and may cause performance issues. |
Read recursive |
com.openkm.plugin.access.DbReadRecursiveAccessManager |
Analyzes the entire hierarchy (only for read access). Analyzing the entire hierarchy will take more time and may cause performance issues. |
Default file plan |
com.openkm.plugin.access.DbFilePlanAccessManagerWrapper |
Analyzes based on document type and file plan restrictions. Should only be enabled when the file plan is enabled. |
The Default option only evaluates the selected node. With recursive, the security is evaluated starting with the selected node up to the repository root (so, evaluating from bottom to top). The "Read recursive" is used to prevent showing documents in search results when any folder in the path doesn't have read access for the user who ran the query. It should be used in combination with am_more.
The application is configured by default with:
Field / Property | Type | Description |
---|---|---|
security.access.manager |
String |
com.openkm.plugin.access.DbSimpleAccessManager |
security.search.evaluation |
String |
lucene |
Differences between simple and recursive
okm:root
level-1a
level-2a
level-3a
alpha.doc
beta.doc
gamma.doc
level-3b
level-1b
level-1c
When using simple, if you revoke permission from the level-2a folder and the user tries to view the level-3a folder, OpenKM will still show the documents to that user. When the user performs a search, OpenKM will return these documents as search results. However, the user can't access the documents because when OpenKM tries to access a document, it will open every path location and will fail to open level-2a because the user has no rights. But these documents can be accessed using the API. You need to revoke permissions recursively to prevent the user from seeing these documents, so they won't be shown in the search results.
When using recursive, if you revoke permission from the level-2a folder and the user tries to view the level-3a folder, OpenKM will report an error because Access Manager also evaluates the permission of the level-2a ancestor node. When the user performs a search, OpenKM won't show these documents in the search results. Keep in mind that this Access Manager implementation is slower because it needs to evaluate more nodes: the deeper the node, the more parent nodes need to be evaluated.
Extending security
You can use extended security to download files, start workflows, add, remove, or modify property groups (metadata), or compact history. To enable extended security evaluation, you must change the value of the security.extended.mask parameter.
After the value is changed, refresh the browser to take effect in the user's view.
Values:
- DOWNLOAD = 1024;
- START_WORKFLOW = 2048;
- COMPACT_HISTORY = 4096;
- PROPERTY_GROUP = 8192;
For example, to enable download and property groups, you should use the mask 9216 (1024 + 8192).
Field / Property | Type | Description |
---|---|---|
security.extended.mask | Integer |
9216 |
Configuration for security changes which take a long time
By default, when you change the security of a node in standard view, every time you click to grant or revoke a permission the action is performed by OpenKM. This means that if you want to change the security of 10 users, 10 commands are sent to the server. This becomes a problem when every change affects several hundred (or even thousands) of nodes. There's an alternative security configuration parameter named security.mode.multiple that enables multiple changes at a time, making it much faster.
Field / Property | Type | Description |
---|---|---|
security.mode.multiple |
Boolean |
true |
Some security changes can take a long time to complete because they affect a lot of nodes. It's good practice to run them as background tasks. To support this, there's a configuration parameter named security.live.change.node.limit used to set the limit of nodes that can be changed in "live" or "realtime" mode. By default, this value is set to 100, which means that any change that affects more than 100 nodes will automatically be done as a background task.
Field / Property | Type | Description |
---|---|---|
security.live.change.node.limit |
Integer |
100 |
To check the progress of these pending tasks, go to Administration > Statistics > Pending task queue.