General Policy Settings

To set up general security policy, use the General Policy tab in the Policies Editor section on the navigation panel.

General policy includes: administrator role separation, default settings, access protocol volume threshold values, identifier format for repository objects, limiting document loading to repository, object version control on update.

NOTE. When roles of information security administrator and application administrator are separated, the Policies Editor tab is available only for information security administrator.

The Information Security Administrator group of parameters contains information on separation of information security administrator (ISA) and application administrator (AA) roles. If role-splitting mode is not activated, click the Activate button to enable it; if this mode is activated, click the Deactivate button to deactivate it.

Click the Activate button to activate this mode. To deactivate the mode, click the Deactivate button.

For details about administration role separation, see the Administrator Role Separation section.

The Deny Access to Repository Objects to Users who have the "Changing Security Label and Access Control List for Any Object" privilege determines whether all users holding the same privilege as ISA are allowed to open repository objects. If the checkbox is selected, the fact that the user holds the Read and Write Permission for All Objects privilege is ignored, and the attempt to open a repository object brings up a message that the user has insufficient permissions to execute this operation. This checkbox is enabled only when administrator role distribution is not active.

The ISA can Apply User Permissions at DBMS Level checkbox determines whether the ISA is allowed to update users. When the checkbox is deselected, users can be updated only by application administrator; when the checkbox is selected, users can be updated by both administrators.

When roles are separated, the application administrator can access only the following security manager sections: Access Protocol and Users, however, the application administrator is not allowed to disconnect a connected user or change user password. The ISA has access to all sections, but he cannot create and update users in the Users section (if the ISA can Apply User Permissions at DBMS Level checkbox is deselected) and delete users.

If the security policy file contains any unsaved changes on the moment of ISA activation or deactivation, the system requests to apply these changes. Answering Yes saves changes in security policy and starts the process of ISA activation or deactivation.

Root Folder. Select one of the repository folders in the drop-down list of objects. The specified folder is used as the root folder of repository if logging by the user, who is not an administrator or ISA.
The root folder is not specified by default and a user has an access to an entire repository.

NOTE. To access to repository objects, the user must have the corresponding permissions.

Startup Object. Select repository startup object in the drop-down list of objects. This object opens automatically at login. An object available as read-only for the current user can be used as a startup object.
To have the entire repository (not an startup object) opened when logging into the system, hold down the SHIFT key while pressing the OK button in the login dialog box.

NOTE. A user startup object can be selected in addition to repository startup object. In this case during start a user startup object has a higher priority than repository startup object. Startup is not available in the web application.

When threshold values are reached, warning messages are shown to system administrator.

To set threshold values, select the Threshold Values of Access Protocol Size checkbox and enter required values of the first and second threshold values. The first threshold value must be less than the second one.

Each time a user holding the Clear Access Protocol privilege logs into the security manager, the system checks if the access protocol size has reached threshold value. If the threshold value is reached, the user is prompted to clear the access protocol. Answering Yes starts access protocol clearing.

The Identifier Format section is used to set a pattern, according to which objects' identifiers are to be formed. When a template is selected, a specified prefix or suffix is added by default to identifiers when objects are created.

A template may consist of the constant (prefix, suffix) and variable parts. Constant part is optional and consists of Latin characters and numbers. Variable part is obligatory; use the asterisk character * to specify variable part. For example: ADMIN_*. The asterisk * will be replaced with default identifier; this part can be altered.

When specifying format a string is checked for invalid data (lack of asterisk, Russian language, numbers used as the first characters, and so on). Invalid format is not saved when the policy is applied; it is not used on creating objects' identifiers.

This option is necessary to avoid identifier matching on updating repository objects. If different prefixes are set for different repositories, identifiers do not overlap during an update. This option additionally protects application system from incorrect update.

The Allowed Document Formats in Repository section is used to limit allowed formats of documents for loading and opening in repository. Enter file extensions, for example, XML, XLS, PDF to the List of Formats box. If allowed formats are set in the box, a message about security policy violation is displayed on an attempt to load or open the document that does not correspond with specified formats. By default, documents of any format can be loaded and opened.

Object version control on update enables the user to set a custom repository identifier that will be contained in the current object version. Version number with specified repository identifier is tracked for each repository object. On editing and saving an object, version number increases by one, repository identifier is replaced with the repository identifier specified in object version control on update, if it was changed.

NOTE. Object version control on update is available only in the desktop application.

Object versions are checked on update installation:

If repository identifiers for object versions in update file and in target repository do not match, a warning about the ability to abort the process or continue is displayed.
If identifiers match, version numbers are checked. For updated objects, the update file version must be earlier than the target repository version.
If versions of dependent objects, on which updated objects depend, in update file and in target repository do not match, a warning about ability to abort the process or continue is displayed. Versions of dependent objects are saved if they are created in update file.

To control object versions:

Select the Object Version Control on Update checkbox.
Set repository identifiers in the This Repository Identifier box.

The object properties take into account the specified repository identifier and version number in the Current Version box, for example, DEV: 15.

NOTE. If repository identifier is not specified, it is considered as empty.

NOTE. If section parameters have been changed, an attempt to go to another section of the security manager or to close it displays a request to apply changed settings.