By Kyle Knebel
April 2022 Consultants Corner
What is this mysterious “Everyone” group? Every repository comes with the “Everyone” group, but did you know this group can help every Laserfiche Administrator manage everything from repository access rights to security features?
In this month’s Consultants’ Corner, we’ll provide some insight on what you can do with the “Everyone” group and show you some powerful and dynamic settings that can help you form a properly functioning repository.
What is the “Everyone” group and what does it do?
If you are a Laserfiche Administrator and have glanced at the Administration console, you’ve probably seen this item under Users and Groups (shown in the image below). The “Everyone” group is a permanent feature that cannot be deleted and is built into every Laserfiche repository. However, the “Everyone” group is unique to each repository and can be customized to best suit your company’s needs.
How does the “Everyone” group work?
As the name suggests, every user added to your Laserfiche system is automatically added to this group. That includes Laserfiche trustees (users), Windows Active Directory (AD) trustees, and LDAP trustees (though few people use anything other than Windows AD accounts these days).
Note: LDAP is the communication protocol used over networks to query for information and user credentials in Active Directory, Lotus Notes, Novell eDirectory, Linux, Unix, and other “directory services.” Laserfiche focuses on Windows AD support, hence the “Windows Account” node, but they also support other non-AD directories via the “LDAP Management” node.
The “Everyone” group does not behave like other groups you might have created. One handy feature of this group is the ability to set overall basic security for all users who would be accessing the repository. For example, if you set the authentication setting to Trust: allow access (shown in the image below), any Windows user or LDAP user account would be able to log in. On the other hand, if it is set to Deny: deny access (shown in the image below), then no Windows users can log in to the repository even if they were added under the Windows Accounts node and granted the Trust access.
Now, let’s take a look at the Rights tab on the “Everyone Properties” page (seen in the image below). Here you can assign fundamental feature rights or administrative privileges to all users instead of giving rights individually. However, you can still assign more specific rights and privileges to individual users and groups. In those cases, the rights set in the “Everyone” group will combine with the rights assigned at the user or group level to give the effective and specific rights you are looking to provide.
Another function the “Everyone” group provides is the Auditing settings (see image below) for those who have the Laserfiche Audit Trail module. When Audit Trail is licensed, the system can immediately begin tracking events happening in the repository. Any selected events in the “Everyone” group will be tracked for any user using the repository. As a side note, individual users or groups can be set with more specific audit settings if needed.
The “Everyone” group: security and inheritance to folders.
When first installed, the Laserfiche repository is bare-bones and unsecured. This basic setup is by design since you haven’t created a folder structure, metadata, or created users and groups. As a Laserfiche Administrator, your first job is to secure the repository. A folder structure is usually built out using the Windows or Web Client during the initial implementation phase. However, in many organizations, it may be easier to give all users the ability to create and navigate to all folders that are needed in the repository during the design and build phase.
The “Everyone” group is assigned certain limited rights (like Browse and Read) at the root level of the repository, and these rights are inherited by all new folders you create. You may need to grant, modify, or remove some of these starting rights to fit your security model. In many cases, it is more advisable to remove the “Everyone” group from the top level and start using specific groups instead.
Note: If you do remove the “Everyone” group from the Access Rights on the root level or any folder, you cannot add it back into your Access Rights list.
What is that Bypass Browse privilege and what does it do?
Laserfiche includes two privileges in the “Everyone” group that allow users to bypass specific security settings. The most important one is the Bypass Browse privilege. This privilege offers significant performance benefits and is granted to the “Everyone” group by default in a new repository.
The Bypass Browse privilege gives a user the ability to see the existence of all entries in the repository, regardless of the user’s Browse rights. This privilege can enhance your repository’s performance since Laserfiche does not need to calculate rights for each entry in each folder. It does not allow users to see the contents of a folder if they do not have the Read right on the folder.
Note: The Browse entry access right is not sufficient to open a folder or a document. The Read entry access right is also required. Attempting to open a folder to which a user has been granted the Browse right, but not the Read right, will cause that folder to appear empty. Attempting to open a document to which a user has been granted the Browse right, but not the Read right, will generate an error message.
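The Browse, Read, and Bypass Browse rules described above can be expressed as a small model for reasoning about what a given user will see. This is an added example, not Laserfiche code or its API: the trustee, folder, and file names are constructed, each entry carries its own already-resolved rights, and only allow-style grants are modeled.

```python
from dataclasses import dataclass, field

@dataclass
class Entry:
    name: str
    acl: dict = field(default_factory=dict)      # trustee -> set of entry access rights
    children: list = field(default_factory=list)

def effective_privileges(user_privs, everyone_privs):
    """Privileges set on "Everyone" combine with those set on the user or group."""
    return set(user_privs) | set(everyone_privs)

def rights_on(entry, trustees):
    """Union of the entry access rights granted to any of the user's trustees."""
    return set().union(*(entry.acl.get(t, set()) for t in trustees))

def list_folder(folder, trustees, privs):
    """Names the user sees when opening a folder."""
    if "Read" not in rights_on(folder, trustees):
        return []                                # no Read: the folder appears empty
    bypass = "Bypass Browse" in privs
    return [c.name for c in folder.children
            if bypass or "Browse" in rights_on(c, trustees)]

def open_document(doc, trustees):
    """Opening a document needs Read; Browse alone produces an error."""
    if "Read" not in rights_on(doc, trustees):
        raise PermissionError(f"cannot open {doc.name}: Read right missing")
    return doc.name

# Constructed sample repository (all names are made up for this example).
EVERYONE_RW = {"Everyone": {"Browse", "Read"}}
nda = Entry("Acme-NDA.pdf", {"Legal": {"Browse", "Read"}})
memo = Entry("Memo.pdf", dict(EVERYONE_RW))
hr = Entry("HR", {"HR Staff": {"Browse", "Read"}},
           [Entry("Salaries.xlsx", {"HR Staff": {"Browse", "Read"}})])
root = Entry("Root", dict(EVERYONE_RW), [hr, memo, nda])

ALICE = ["Everyone", "alice"]                    # trustees that apply to one user

def compare_views():
    """Root listing for ALICE with and without Bypass Browse on "Everyone"."""
    with_bypass = effective_privileges(set(), {"Bypass Browse"})
    without = effective_privileges(set(), set())
    return list_folder(root, ALICE, with_bypass), list_folder(root, ALICE, without)
```

In this model, Bypass Browse exposes the names "HR" and "Acme-NDA.pdf" to a user who can neither open that folder's contents nor open that document, which is the trade-off to weigh against the performance benefit when entry names themselves are sensitive.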
As you can see, the “Everyone” group has quite a few powerful and dynamic settings that can significantly impact your repository access and security. Use the “Everyone” group with some of these concepts in mind and you’ll be rewarded with a smoothly functioning repository.
Please do not hesitate to reach out to our CDI team or comment below if you have any follow-up questions!