Time based security access privileges

creya
Fresh Boarder
Posts: 12
Joined: Thu Jun 16, 2016 9:16 am

Time based security access privileges

Post by creya » Thu Jul 14, 2016 8:13 am

What would be a good way to design access to a document for a certain duration only?

e.g. give access on a file or folder to a user or role, then have the system automatically remove the given access privilege in, say, 7 days...

I am thinking about designing an interface that gives the privilege then at same time adds a cron job which reverses the privilege after a set number of days. But, with so many files/folders, there would be tons of cron jobs which could adversely impact performance. Also, in case the user changes the privileges again, it would be very messy to change the existing cron jobs related to the same file or folder.

Did anyone try something similar? Any ideas? Thank you all.

jllort
Moderator
Posts: 9119
Joined: Fri Dec 21, 2007 11:23 am
Location: Sineu - ( Illes Balears ) - Spain

Re: Time based security access privileges

Post by jllort » Fri Jul 15, 2016 7:12 am

First of all, some preliminary considerations should be made:
Does it affect the whole repository or only some folders and documents in it?
Secondly, does it affect all users or only a small group?

As for the crontab job, only one crontab job should be needed, probably used in combination with the activity log (registering security changes).

creya
Fresh Boarder
Posts: 12
Joined: Thu Jun 16, 2016 9:16 am

Re: Time based security access privileges

Post by creya » Fri Jul 15, 2016 10:22 am

Thanks Josep... Let me provide some more details:

Suppose we have 100,000 folders where each contains the medical files of one patient. These folders will not be accessible to anyone, except admin.

When a patient comes to the hospital, a few doctors and a few nurses will need access to his files for a few days. So, the administrator will give access to say 5 people to access them by adding their user (or can be done by role), and then access should be revoked later on.

To manually revoke access each time would be too much work. A better solution is to give access to a folder for a specific amount of days, at the end of which access should be revoked automatically.

About 2% to 3% of all folders should be available for viewing (accessible to doctors and nurses) on any day, i.e. 2000 to 3000 folders.

What would be a good strategy to handle this scenario?

jllort
Moderator
Posts: 9119
Joined: Fri Dec 21, 2007 11:23 am
Location: Sineu - ( Illes Balears ) - Spain

Re: Time based security access privileges

Post by jllort » Tue Jul 19, 2016 11:24 am

In your scenario I would create an extra table with columns (folder_uuid, date_to_revoke, granted_user, granted_role) -> take it as an initial approach.

With a crontab task, you can schedule daily the permissions you must remove, based on the table log you have created.

Create a minimal application (JSP or application.war connected to OpenKM with sdk4j, or a .NET application; see our SDKs at docs.openkm.com) logged in as administrator. From there, modify grants and also add the changes to the extra table. This application should:
-- search for a specific folder (patient); when found:
-- apply security changes and log them into the extra table

I hope you can use it as a starting point. It is really not a very complex feature. I also suggest making daily reports of added and removed grants and always keeping control of possible errors during the process. The most important thing is controlling errors.
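
The design discussed in this thread (one expiry table, one scheduled job, error control and a daily report), as an added sketch that is not part of the original posts and is not OpenKM code. It assumes a SQLite table with the columns named above plus an extra `last_error` column, and `revoke` is a hypothetical callback standing in for the real SDK revoke call.

```python
import sqlite3
from datetime import timedelta

SCHEMA = """CREATE TABLE IF NOT EXISTS temp_grant (
    folder_uuid    TEXT NOT NULL,
    granted_user   TEXT NOT NULL DEFAULT '',
    granted_role   TEXT NOT NULL DEFAULT '',
    date_to_revoke TEXT NOT NULL,   -- ISO 8601 timestamp
    last_error     TEXT,            -- assumption: extra column so failures stay visible
    PRIMARY KEY (folder_uuid, granted_user, granted_role))"""

def record_grant(db, folder_uuid, days, now, user="", role=""):
    """Log a grant; re-granting the same principal only moves the expiry date."""
    expires = (now + timedelta(days=days)).isoformat()
    db.execute(
        "INSERT OR REPLACE INTO temp_grant"
        " (folder_uuid, granted_user, granted_role, date_to_revoke)"
        " VALUES (?, ?, ?, ?)", (folder_uuid, user, role, expires))
    db.commit()

def sweep(db, revoke, now):
    """The single scheduled job: revoke every expired grant and return a report."""
    report = {"revoked": [], "failed": []}
    due = db.execute(
        "SELECT folder_uuid, granted_user, granted_role FROM temp_grant"
        " WHERE date_to_revoke <= ?", (now.isoformat(),)).fetchall()
    for key in due:
        try:
            revoke(*key)  # hypothetical wrapper around the real revoke call
        except Exception as exc:
            # Keep the row so the next run retries it, and record why it failed.
            db.execute("UPDATE temp_grant SET last_error = ? WHERE folder_uuid = ?"
                       " AND granted_user = ? AND granted_role = ?", (str(exc), *key))
            report["failed"].append(key)
        else:
            db.execute("DELETE FROM temp_grant WHERE folder_uuid = ?"
                       " AND granted_user = ? AND granted_role = ?", key)
            report["revoked"].append(key)
        db.commit()
    return report

if __name__ == "__main__":  # constructed sample data
    from datetime import datetime
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    t0 = datetime(2016, 7, 14)
    record_grant(db, "uuid-patient-1", 7, t0, user="dr_a")
    print(sweep(db, lambda folder, user, role: None, t0 + timedelta(days=8)))
```

A failed revocation leaves access in place, so the `failed` list of each run is the part of the report that needs follow-up.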
