
Time based security access privileges

Posted: Thu Jul 14, 2016 8:13 am
by creya
What would be a good way to design access to a document for a certain duration only?

e.g. give access on a file or folder to a user or role, then have the system automatically remove the given access privilege in, say, 7 days...

I am thinking about designing an interface that gives the privilege and at the same time adds a cron job which reverses the privilege after a set number of days. But with so many files/folders, there would be tons of cron jobs, which could adversely impact performance. Also, in case the user changes the privileges again, it would be very messy to change the existing cron jobs related to the same file or folder.

Did anyone try something similar? Any ideas? Thank you all.

Re: Time based security access privileges

Posted: Fri Jul 15, 2016 7:12 am
by jllort
First of all, we should make some preliminary considerations:
Does it affect the whole repository or only some folders and documents in it?
Secondly, does it affect all users or only a small group?

And about the crontab job, only one crontab job should be needed, probably used in combination with the activity log (registering security changes).

Re: Time based security access privileges

Posted: Fri Jul 15, 2016 10:22 am
by creya
Thanks Josep... Let me provide some more details:

Suppose we have 100,000 folders where each contains the medical files of one patient. These folders will not be accessible to anyone except admin.

When a patient comes to the hospital, a few doctors and a few nurses will need access to his files for a few days. So, the administrator will give access to say 5 people to access them by adding their user (or can be done by role), and then access should be revoked later on.

To manually revoke access each time would be too much work. A better solution is to give access to a folder for a specific amount of days, at the end of which access should be revoked automatically.

About 2% to 3% of all folders should be available for viewing (accessible to dr. and nurses) on any day, i.e. 2000 to 3000 folders.

What would be a good strategy to handle this scenario?

Re: Time based security access privileges

Posted: Tue Jul 19, 2016 11:24 am
by jllort
In your scenario I will create an extra table with columns (folder_uuid, date_to_revoke, granted_user, granted_role) -> take it as an initial approach.

With a crontab task, you can schedule daily the permissions you must remove, based on the table log you have created.

Create a minimal application (a JSP or application.war connected to OpenKM with sdk4j, or a .NET application; see our SDKs at docs.openkm.com) logged in as administrator. From there, modify grants and also add the changes to the extra table. This application should:
-- search for a specific folder ( patient ), when found:
-- apply security changes and log into the extra table

I hope you can use it as a starting point. It is really not a very complex feature. I also suggest making daily reports of added and removed grants and always keeping control of possible errors during the process. The most important thing is controlling errors.
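
The single-job design described in the post above, sketched as an added example (not part of the original thread and not OpenKM code). The table name `timed_grant`, the `revoked_on` and `last_error` columns, and the `revoke` callback are assumptions; the callback stands in for whatever repository call removes the permission.

```python
import sqlite3
from datetime import date

# Constructed schema: the four columns from the post plus two bookkeeping columns.
SCHEMA = """CREATE TABLE IF NOT EXISTS timed_grant (
    folder_uuid    TEXT NOT NULL,
    date_to_revoke TEXT NOT NULL,   -- ISO date, so text comparison sorts correctly
    granted_user   TEXT,
    granted_role   TEXT,
    revoked_on     TEXT,            -- NULL while the grant is still active
    last_error     TEXT)"""

def add_grant(db, folder_uuid, date_to_revoke, user=None, role=None):
    """Record a grant. Re-granting the same principal replaces the pending
    expiry, so changing a privilege never leaves a stale schedule behind."""
    db.execute("DELETE FROM timed_grant WHERE folder_uuid = ? AND granted_user IS ?"
               " AND granted_role IS ? AND revoked_on IS NULL", (folder_uuid, user, role))
    db.execute("INSERT INTO timed_grant (folder_uuid, date_to_revoke, granted_user,"
               " granted_role) VALUES (?, ?, ?, ?)",
               (folder_uuid, date_to_revoke.isoformat(), user, role))
    db.commit()

def sweep(db, today, revoke):
    """The single daily job. `revoke(folder_uuid, user, role)` is a hypothetical
    callback standing in for the repository call that removes the permission."""
    report = {"revoked": [], "failed": []}
    due = db.execute("SELECT rowid, folder_uuid, granted_user, granted_role"
                     " FROM timed_grant WHERE revoked_on IS NULL"
                     " AND date_to_revoke <= ? ORDER BY rowid", (today.isoformat(),)).fetchall()
    for rowid, folder, user, role in due:
        try:
            revoke(folder, user, role)
        except Exception as exc:
            # Leave the row active so the next run retries; record why it failed.
            db.execute("UPDATE timed_grant SET last_error = ? WHERE rowid = ?", (str(exc), rowid))
            report["failed"].append((folder, user or role, str(exc)))
        else:
            db.execute("UPDATE timed_grant SET revoked_on = ?, last_error = NULL"
                       " WHERE rowid = ?", (today.isoformat(), rowid))
            report["revoked"].append((folder, user or role))
    db.commit()
    return report

if __name__ == "__main__":
    db = sqlite3.connect(":memory:")   # constructed sample data
    db.execute(SCHEMA)
    add_grant(db, "uuid-patient-1", date(2016, 7, 21), user="dr_smith")
    print(sweep(db, date(2016, 7, 22), lambda f, u, r: None))
```

The returned report is the material for the daily report of removed grants, and a grant that fails to revoke stays in the `failed` list on every run until it succeeds.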

Re: Time based security access privileges

Posted: Wed Nov 11, 2020 9:06 pm
by az123
Hi creya,

Has this scenario been implemented?

because I need

Re: Time based security access privileges

Posted: Sun Nov 15, 2020 7:24 am
by jllort
These scenarios are always customizations because a standard solution will never fit the requirements.

Re: Time based security access privileges

Posted: Sun Nov 15, 2020 12:40 pm
by az123
what solution

Re: Time based security access privileges

Posted: Sat Nov 21, 2020 6:47 pm
by jllort
When I talk about a "standard solution" I mean that no solution will fit your needs; that's why we have not implemented any approach, because in the end nobody would use it, and something that exactly fits your requirements should be implemented.

I suggest investigating:
* https://docs.openkm.com/kcenter/view/ok ... ontab.html
* https://docs.openkm.com/kcenter/view/ok ... ption.html
* https://docs.openkm.com/kcenter/view/ok ... #grantUser
* https://docs.openkm.com/kcenter/view/ok ... executeSQL