Consultant's Corner: Best Practices for System Administrators
Welcome to the November Consultant’s Corner. For this month’s issue, we sat down with Kyle Knebel, from Cities Digital, to discuss best practices for Laserfiche Security, Back-Up, and Volumes, and to address a variety of questions regarding configuration and setup.
Below, Kyle provides further insight into methods for user and group management, which can save you time, help you gain solution confidence, and make you even more efficient throughout your workday.
Laserfiche offers three authentication options. Can you describe these methods?
Kyle outlines the following three available authentication methods:
Laserfiche Password – Allows a “Repository Named User” to log in to a repository on the Laserfiche Server, having authenticated directly with the repository.
Windows Domain Authentication – Allows a “Repository Named User” (Avante) or a “Directory Named User” (RIO) to log in to one or more repositories, having already authenticated to the Windows Domain Controller using their Windows account credentials.
LDAP Directory Authentication – Allows a “Repository Named User” (Avante) or a “Directory Named User” (RIO) to log in to one or more repositories, having already authenticated with their Lightweight Directory Access Protocol (LDAP) account.
Which of the methods above would you recommend?
An LDAP service is used to provide a place to store usernames and passwords, allowing applications and services to validate users against the list of stored users. Novell eDirectory, OpenLDAP, or OpenDJ are some examples.
The best practice, according to Kyle, “is to use Windows Domain authentication where available. If users are connecting to Laserfiche from outside the corporate network via Laserfiche Web Access (the Web Client), we recommend creating a Laserfiche User with an optional Windows Domain link. In this way, the user can log in with either a Laserfiche Password when outside the office, or use Windows Authentication when at the office.”
When creating user and group accounts are there recommended best practices for setting permissions?
Kyle shares that the recommended best practice “is to use Groups to set Feature Rights and Privileges, then add users to the groups. The User will inherit the rights assigned to the group.”
He explains the difference between feature rights & assigned privileges:
“Feature Rights are those functions that a user can do while logged into a Laserfiche client. For example, can the user Scan, Import, Search, Email (export), Move, Delete, etc.”
“Assigned Privileges are administrative level functions that allow a user to create new Users and Groups, create Fields and templates, enable and set Recycle Bin options, and set other administrative level options.”
He also says that “for most users, they will only need Feature Rights to be assigned. Laserfiche Administrators will probably need most, if not all, Privileges. Power users may get a mix of both. And Records Managers will need the ‘Records Management’ privilege.”
How do you set up users and groups so that maintenance is manageable?
The best method, according to Kyle, “for ease of maintenance, is to create groups, even if there is only one user in that group. Groups are often based on a role or department, and make managing users’ rights and entry access very easy, compared to managing security only by users. Administrators can easily assign entry access on a folder for that Group. If the user leaves the organization, a new user can be added to the Group via the Administration Console and they immediately gain access to the folder. Group access saves the effort of having to set new user security on all the folders to which that user had access.”
Are there benefits to applying security to documents and folders vs. users and groups?
Kyle says, “We can, and do, apply entry access security to folders and documents by assigning users or groups to an entry. Again, the best practice is to use Groups. Functional user rights come from the user’s Feature rights, like Scan or Search. Alternately, users gain folder or document Entry access either by group membership or giving the user’s account explicit rights to the entry. The best practice is to assign one or more groups to a folder and use ‘inheritance’ to provide security to the documents and folders below that folder level. However, Laserfiche is very flexible in its security methods to allow for virtually any security model you desire.”
What are effective permissions and is it possible for users to inherit security from groups?
Kyle explains, “Laserfiche security is very ‘conservative’; it will only allow a user the minimum rights set on the entry. When a user is a member of a group, and a Laserfiche entry (folder or document) is configured to allow access to that group, the user gains access, as well. In fact, in the Administration console, users can be added to a group and inherit the Feature Rights and Administrative privileges of that group. Also, effective permissions at the entry level are calculated by Laserfiche, according to the settings assigned.”
He shares how several entry access rights can be assigned, as shown in the steps below:
Add the desired Trustee (User or Group)
Set their desired “Scope” (level of access from this entry)
Assign the user’s access rights
If desired, reset security by undoing the “inheritance” checkbox and set new access rights at this level, to prevent inheriting rights from a parent folder, as well.
What are some common considerations for template or field security?
Field and template security can be valuable to users. Kyle discusses some common considerations for each:
Consider Field security when you need to handle the following three situations:
Allow users read-only views of field values, no matter what.
Allow users to create a new entry and assign field values at the time of creation, but read-only after that point.
Allow users to view and edit field values at any time.
Consider Template security when you want to:
Provide Full access to read, assign and modify templates on entries
Allow read-only access to a template
Hide a template completely from users or groups
Why should administrators consider limiting volume size?
“A volume is just Laserfiche’s term for the location of stored images and files.” Mike Richardson, Cities Digital’s Director of Support, shares “that limiting the volume size allows an administrator to break up the volume locations so that a single logical volume can have its sub volumes stored in different path locations instead of having one large ever-growing volume that must be maintained in its entirety. If the volumes outgrow the capacity of one location, you can update the path of the logical volume so that it will roll over to a new location without having to move any of the other fixed volumes. The default size of a logical volume is set to 20 GB in size but can be changed to any size that might be deemed necessary for compliance to a standard. An example of such compliance would be a requirement to maintain the volumes on a write once read many (WORM) media which have a maximum capacity of 4.7 GB (a DVD). You can set the rollover size to be 3.5 GB so that they can be placed onto the WORM media.”
What is a volume rollover, and would you recommend implementing it?
Kyle explains, “You can set the maximum folder size for a volume, such that a new folder is created for more document storage once the preceding volume reaches its pre-defined size limit, termed a ‘Logical Volume.’ Alternately, volumes can also be on a roll-over schedule. We recommend using rollover volumes because smaller volumes are easier to move to portable media for archive purposes. It also makes them easier to back-up.”
A system back-up is critical. How do you choose the frequency and method of back-ups?
Mike shares that “the Laserfiche architecture is based on two data points working in tandem to create one coherent system. The database (SQL) contains all of the metadata, file pointers and other information about the documents within the system and the volumes contain the actual files themselves. Backing up the Laserfiche system requires that you back up both SQL and the volumes at approximately the same time to keep them in synchronization.”
“At the very least,” Kyle says, “we recommend performing a daily differential or incremental backup and a weekly full backup. The idea is to perform a backup as often as your Laserfiche data is added, updated, or deleted. For example, if you are making nightly incremental backups, can your organization afford to either lose all of today’s data or spend another day re-scanning everything? If yes, then this backup plan is sufficient. If not, we suggest a backup be performed more than once a day.”
Maintaining a secure repository can be achieved when administrators can effectively manage Laserfiche authentication, templates, fields, users and groups. Also, following recommended best practices for volume control and backup methods can be beneficial to ensuring a compliant solution.
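The backup guidance above (SQL and volumes backed up at approximately the same time, a daily differential or incremental, a weekly full) can be checked against a backup catalog. The following is an added example, not code from Laserfiche or Cities Digital; the catalog format, the 30-minute skew tolerance, the 24-hour loss window and the function names are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample catalog: (component, kind, completion time).
# This format is an assumption, not the output of any Laserfiche or SQL tool.
CATALOG = [
    ("sql",     "full",         "2024-11-03 01:00"),
    ("volumes", "full",         "2024-11-03 01:20"),
    ("sql",     "differential", "2024-11-04 01:00"),
    ("volumes", "differential", "2024-11-04 01:15"),
    ("sql",     "differential", "2024-11-05 01:00"),
    ("volumes", "differential", "2024-11-05 09:30"),  # ran hours after the database backup
    ("sql",     "differential", "2024-11-06 01:00"),  # no volume backup that night
]

def parse(catalog):
    return sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M"), comp, kind)
                  for comp, kind, ts in catalog)

def restore_points(catalog, max_skew=timedelta(minutes=30)):
    """Pair each SQL backup with the nearest volume backup of the same kind
    taken within max_skew (assumed tolerance). Only such pairs keep the
    database's file pointers and the stored files in step."""
    rows = parse(catalog)
    vols = [(t, k) for t, c, k in rows if c == "volumes"]
    points, orphans = [], []
    for t, comp, kind in rows:
        if comp != "sql":
            continue
        near = [vt for vt, vk in vols if vk == kind and abs(vt - t) <= max_skew]
        if near:
            closest = min(near, key=lambda vt: abs(vt - t))
            points.append((max(t, closest), kind))  # usable once both halves exist
        else:
            orphans.append(t)
    return points, orphans

def audit(catalog, now, max_loss=timedelta(hours=24), full_every=timedelta(days=7)):
    """Return findings: unsynchronized backups, stale restore point, missing weekly full."""
    points, orphans = restore_points(catalog)
    findings = [f"SQL backup {t:%Y-%m-%d %H:%M} has no matching volume backup"
                for t in orphans]
    last = max((t for t, _ in points), default=None)
    if last is None or now - last > max_loss:
        findings.append("newest consistent restore point is older than the tolerated loss window")
    fulls = [t for t, k in points if k == "full"]
    if not fulls or now - max(fulls) > full_every:
        findings.append("no consistent full backup within the last week")
    return findings
```

Run against the sample catalog with a current time of 2024-11-06 08:00, `audit` reports two SQL backups with no synchronized volume backup and a newest consistent restore point more than a day old, even though a backup job ran every night.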
If you have any questions regarding these Laserfiche System Administration best practices, be sure to contact the Cities Digital support team for further assistance.