Introduction
With Records365 connecting data, records and content from multiple sources and making it visible in a single user-friendly dashboard it is paramount that security is respected across all of these surfaces.
The security controls for content managed by Records365 is applied as a transparent layer between it and the source application where the content originated, allowing your business to benefit from a consistent end user experience when transitioning between applications thus ensuring a total in-place records management solution.
Who can access records within Records365
Security is applied at the role level in Records365, currently there are three primary User Roles available
- Application Administrator – security trimming does not apply to users assigned this role. This allows the group to have total visibility for triaging and managing the entire records corpus.
- Record Manager – security trimming also does not apply to users assigned this role. From a security perspective, users assigned this role will have the same experience as those assigned the Application Administrator role.
- Record Visitor – this is the most common role and gives general users access to Records365. At a minimum users can access the Browse and Search pages within the product. Items displayed in the Browse and Search pages will be subject to security trimming, such that only items that the user has access to will be displayed. Further users performing Disposal Approvals will be assigned this role, and so items are trimmed accordingly.
We acknowledge that not all Record Visitor users are created equal, and so through the use of Security Profiles a user can be elevated to perform additional operations like managing freezes, performing physical record scanning and the like. To make the most informed decision when performing these higher privileged operations it is important that all items are displayed, so in these areas items are not security trimmed. Not all users require this level of access, so we suggest that these operations be delegated through the use of multiple security profiles.
How it works
With item level security trimming being a transparent layer between the source application and Records365, items are only visible in Records365 when you have access to the content in the source application.
For SharePoint Online based records that would mean any of the below is true;
- In SharePoint Online the content has been shared with you or a group you are a member of, see the Microsoft article Share SharePoint files or folders
- In SharePoint Online you have been given access directly by user or group to the content, see the Microsoft article Customize permissions for a SharePoint list or library
- In SharePoint Online the content is inheriting permissions from a higher level object (Folder, List, Site) that you have access to, see the Microsoft article Permission Inheritance in SharePoint
For physical records created and managed by the Record365 Physical Records module,
- the content belongs to a physical profile that has an Azure Active Directory (AAD) group assigned that you belong to.
- the content belongs to a physical profile that does NOT have the Security Trimmed toggle enabled
For more information on physical record security see the Security Trimming page within the Physical Records section.
Elevating a users access
Role required
To elevate a users access you need to be assigned to either the Application Administrator or Records Manager role in Records365.
For users who require a higher level of control for managing all electronic and/or physical content in the Browse and Search pages, they will need to be assigned a security profile that has one or both of the following Permissions in the Access Control section
- View Electronic Records
- View Physical Records
Viewing the security information
With the Browse and Search pages filtering results such that users only see items that they have access, it is also important to understand to see who has access to the record. This gives end-users total insight as to who can access the record and its related content.
To view the security information for a record;
- Items can be accessed from many pages within Records365, one example is from the Browse page.
- Click the Security tab. Below shows an example of a physical record folder that can be accessed by users in the Finance, Accounting and Finance Admin groups. Given that physical assets are currently secured at the physical profile level, the Inheritance Source states the name of the physical profile where the access is defined, in this case the profile is called Finance Folders.
Below shows an example of a electronic record related to a SharePoint Online document that can be accessed by Joe Smith, and users in the Fairbanks Staff AAD group. The inheritance source in this is case is SharePoint Online.
A few things to remember when using the security features of Records365.
- Any content deleted/removed from the content source prior to enabling the security trimming features of Records365 will not carry the appropriate security information. This means that content will only be available for viewing/editing by those users assigned either the role of Application Administrator or Record Manager.
- Security changes in the associated content source are synchronized with Records365 on a scheduled basis, these changes will not be reflected instantly but should be available within 24 hours.
The security trimming for SharePoint Online feature is available on request. To find out more about the feature, please contact support to have the feature enabled.