Only authorized users can perform records management functions and features. Before the system can determine whether a user has the right to perform any task, it has to authenticate the user. To perform records-related tasks, users must have proper user IDs in the records management system and have rights either explicitly assigned to them or to the groups they belong to.
In this section, we discuss the different types of users and user groups specific to the IBM Records Manager system.
Chapter 4. Security 51
4.2.1 Local and host users
IBM Records Manager supports two types of users: local users and host users.
Local users
Local users are user accounts that are created within IBM Records Manager and are used exclusively for IBM Records Manager. Local users can only access the IBM Records Manager system; they do not access the other applications. Local users are maintained by IBM Records Manager, and authentication of these users is performed by IBM Records Manager. Local user accounts are created for those users who need to perform records management related tasks. Typical users include (terms might vary from company to company and industry to industry):
Records Technical Administrator
This person usually performs the following tasks:
– Back up and maintain the database.
– Address performance issues.
– Add indexes.
– Schedule tasks.
– Create and maintain style sheets for generating reports (using XML).
Records Manager
This person usually performs the following tasks:
– Prepares and runs reports in IBM Records Manager.
– Links retention rules to file plan components.
– Initiates suspensions (audit, compliance, legal, or tax holds).
– Executes life cycle management functions, including record dispositions.
Records Administrator
This person usually performs the following tasks:
– Create file plan structure.
– Create file plan components.
– Maintain and assign function access rights and permissions to users.
– Apply changes to user group definitions.
– Perform audits.
Compliance Officer
This person usually performs the following tasks:
– Maintains auditing.
Special user: Administrator
During the installation of IBM Records Manager, one local user account is always created. This user has all the rights assigned to it and is called administrator. The administrator user ID cannot be deleted, nor can its pre-assigned rights be modified.
Host users
Host users are the users of the content repository system that stores documents created by a host application. In order for the host application to support records management functions, it is configured or integrated with IBM Records Manager. Host applications can use different content repositories to store documents. The users who have accounts in the content repository are considered host users by IBM Records Manager. Host users are created originally in the host application's content repository system. They must be imported into IBM Records Manager so that IBM Records Manager can assign appropriate rights to them.
Unlike local users, IBM Records Manager does not authenticate host users. IBM Records Manager relies on the host application (for example, IBM Content Manager) to perform user authentication.
Host users access IBM Records Manager in one of two ways:
– Through the host application (for example, IBM Document Manager or IBM Content Manager).
– Through logging on to the IBM Records Manager system directly.
Only users who have user accounts in IBM Records Manager can access the IBM Records Manager system and perform records-related functions in the host applications. When designing your solution, determine which users declare and classify records and which users have rights to search, retrieve, and view declared records. You must import them (from IBM Content Manager, for example) into IBM Records Manager and assign appropriate rights before they can perform any records management tasks. Host users can also perform IBM Records Manager administrative tasks as long as they are granted the proper rights.
Note: IBM Records Manager can be configured to work with the following products:
– IBM Document Manager
– IBM CommonStore for Lotus Domino
– IBM CommonStore for Exchange Server
– IBM Content Manager
Because all these products store their documents in the IBM Content Manager system when they work with IBM Records Manager, the content repository of the host application in this case is IBM Content Manager, which means that host users are IBM Content Manager users.
Special users: Operating system users
There are special users that are necessary for the IBM Records Manager system to operate behind the scenes from a technical perspective. We include their information here. You might want to revisit this section before and during your system installation and configuration.
IBM Records Manager needs an operating system (Windows) user account to manage its database. This user ID can be the same as the system administrator user ID for the content repository or a different one. When IBM Content Manager is used as the content repository system, this user ID is icmadmin by default. This ID should be imported from IBM Content Manager.
IBM Records Manager is an application, and it is also an engine that, when configured with an application, enables the application to provide records management functions. IBM Content Manager Records Enabler is a software component that provides the integration needed for an IBM Content Manager content repository system to be configured with IBM Records Manager to provide this records management capability. IBM Content Manager Records Enabler requires an operating system (Windows) user account. Usually, this user ID is CMREID, and it has to be able to communicate with IBM Content Manager, which means this user ID should also be an IBM Content Manager user ID.
In an environment where the connection factory (required to access a connection instance) is used, the system requires a Windows user ID to authenticate with the connection instance. Usually, this user ID is called IRMWAS.
None of these special operating system users have, or require, any user function within IBM Records Manager. Nevertheless, it is important to understand what these user IDs are for proper system installation, maintenance, and troubleshooting.
Notes: Always remember to include the user accounts in the host application that perform specific services and tasks behind the scenes. For example, for an IBM Document Manager system, you must include the user ID that is used by Document Manager Designer to log on to the libraries (DDMService) and the user IDs that are used by the life cycle services and automation services if these services are set up to perform records declaration automatically.
4.2.2 Local and host groups
Users who require the same access rights, perform similar tasks, or have the same job responsibilities can be grouped together into a user group. As with users, there are two types of user groups: local groups and host groups.
Local groups
The grouping of users can be done in many ways. Groups that are created in IBM Records Manager and are only known within IBM Records Manager are called local groups. Local groups can include local users and host users.
Special groups: Public and Administrators
There are two special local groups:
Public
After IBM Records Manager is installed, a special local group, Public, is created by default. It contains all users defined in or imported into IBM Records Manager, both local users and host users. This group cannot be deleted.
Administrators
After IBM Records Manager is installed, a special local group, Administrators, is created by default. It has all the function access rights assigned (which we discuss later). This group cannot be deleted, nor can its assigned rights be modified.
Host groups
User groups from the host environment can be imported into IBM Records Manager. These groups are called host groups. Host groups can only contain host users. Importing host groups into IBM Records Manager does not automatically import the host users within those groups into the system. We recommend importing all the host users first, before importing the host groups.