Role Required To Manage Physical record security you need to be assigned to the Application Administrator or the Records Manager role.
Securing physical records is a key requirement for most organizations that have a decentralized approach to their records management practice. It allows physical content to be segregated such that departments within an organization only see their relevant content; in addition, it prevents other departments from inadvertently accessing private content.
A typical example of this may be that HR department has it own types of artefacts, which carry specific metadata appropriate to their business unit. These artefacts will also need to be secured in a consistent manner, such that only the HR department can access it. Through the creation of a HR specific physical profile, the metadata and security can be managed and visualized from a unified view.
For scenarios where you have content that should be made available to all your Records365 users, Records365 still gives you the flexibility to desable trimming and make content globally available.
Enabling Security Trimming
Records365, through the use of physical profiles, allows organizations to create metadata templates to enforce consistency on how different physical asset types are managed. See Physical Profiles for more information on creating and editing physical profiles.
Leveraging this approach, access can also be trimmed at the physical profile level, allowing all associated content to inherit the access controls applied to the physical profile.
- Create or Edit an existing physical profile, see here for more information on managing physical profiles
- Once the profile pane has opened, there is a Security section, whereby you can control who can access to this profile.
- To enable security trimming on a physical profile click the Security Trimmed slider into the enabled position. By default, security is disabled for a physical profile, this means all registered users can access ALL physical assets related to this profile.
- With security enabled, Azure Active Directory groups can then be added to the profile, using the + Add Group button. Entering at least 3 characters will search for groups in your associated directory by name or email address starting with those characters. Records365 supports AAD groups of type Office, Security and Distribution to restrict access. Records365 only supports AAD groups to secure content.
- To remove a Group from a Profile, click the icon next to that group.
- Click ‘Save’. Saving will update all of the items related to this physical profile with the appropriate security information. Once complete they will only be accessible by the appropriate groups and their members.
Physical profiles by default have security disabled, when a physical profile has security disabled all Records365 users can access the related physical assets.
Once a physical profile has had security trimming enabled, disabling it will prevent the profile from having security enabled in the future. Please be aware of this behavior before proceeding with disabling security for a physical profile.
- Edit an existing physical profile, see Physical Profiles for more information on managing physical profiles
- Once the profile pane has opened, the Security section defines who can access this profile and all of its related content.
- To disable security trimming on a physical profile move the Security Trimmed slider into the disabled position.
- Click ‘Save’. Saving will update all of the items related to this physical profile with the appropriate security information. Once complete all of the related content will be accessible to all registered users of Records365.
This process can take some time depending on the number of physical assets using the physical profile.
Records, Folders and Boxes Inheriting Security
Security access for physical records, folders and boxes is defined at the physical profile level. This means security for a record, folder or box is assigned when a particular physical profile is selected. All changes made to security at the physical profile level will then be propagated down to all of the related content.
Security trimming in the various pages in Records365 only applies to Record Visitor roles. Record Managers and Record Administrators will continue to have access to all content in Records365.
- Create or Edit an existing physical item see Physical Records for more information on managing physical records
- Once the New or Edit pane has opened, the Security section articulates the permissions for the physical item being created. All users in the listed AAD groups can access this item.
- By adding a large number of groups to a physical profile a performance degradation may be experience when searching for items. So, it is important to plan out Records365 security in coordination with Azure Active Directory management to get the right balance of groups and access controls.
- A physical profile can only have security enabled once, so please confirm before disabling security for a profile.
- With security trimming applying to physical records please be aware that trimming will also be applied to electronic content such that record visitors will not be able to access any of the electronic content from Records365.
- Security information for users is cached for 30 mins, so changes may not be reflected instantly.