Layer 1 - Global
The discussion around vault security is always interesting. I say that vault security is layered. Let me explain why I use that analogy. The security model within vault is administered in several places, and each part of the security model works with the other parts to produce the resulting set of permissions for a given situation. When I say ‘a given situation’, I mean that a user’s permissions may differ depending on the point in time, or the location, at which they are evaluated. Let’s begin to look at the security model, starting at a high level and moving down to the lowest levels.
At the highest level, a user is assigned a role through their account. This can be assigned directly to that account, or it can be ‘inherited’ by the account being a member of a group that has the assignment(s). I use the possible plural here because it is not unusual for more than one role to be assigned to that account or group, but I will clarify the right and wrong ways to do this later in this post. Below is an image of the roles available within Vault Professional. Vault Workgroup will not have the roles for Change Order, Custom Object, and Item. Vault Basic will not have those and will not have Document Manager roles.
Let’s talk about the use of multiple roles. These roles can be partially grouped, based on the privileges they provide. For example, the roles of document consumer, document editor level 1, and document editor level 2 should be considered a group, with document consumer having the fewest privileges and editor level 2 having the most. Document consumer is for the read-only users. They can’t edit anything, only view and print files. I refer to this role as ‘Search, View, and Print’. The editor level 1 role can edit files, but can’t move them, whereas level 2 can move files and folders around (with some possible other restrictions applying). I won’t go into all the individual details, but the other groups I use are Change Order Levels 1 and 2 as a group, Custom Object Consumer and levels 1 and 2 as another group, Document Manager levels 1 and 2, and lastly Item Reviewer with Item Editor levels 1 and 2.
Each of these groups offers a particular set of privileges, and an account or group should not need more than one role from any one of them. If you assign Document Editor levels 1 and 2, you have essentially assigned Document Editor level 2, since it has all the privileges from level 1 plus extras. The other unique role is that of Administrator. It includes all privileges, so it is unnecessary to assign any other role in addition to Administrator. So, a little homework for those of you that have vault implementations in place: go through your users and groups, looking for those duplicate roles, and remove the lower ones that aren’t giving you any value.
I will also offer another suggestion to better manage this level of security. If at all possible, only assign roles to groups and put the users in those groups. A user account can be a member of more than one group, which benefits us later in things like the lifecycle security, but if we can confine the role assignments to groups only, it becomes much simpler to manage. I would rather modify 5 groups’ role assignments versus 50 users’ assignments.
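To make the homework above concrete, here is an added example (not code from the original post, and not an Autodesk Vault API) that audits a role export for the two problems just described: redundant roles within one privilege family (or anything beside Administrator), and roles assigned directly to users instead of to groups. The export format, the role names and the sample users and groups are all constructed assumptions; the role names follow the wording of this post, not Vault's exact display strings, so adjust `ROLE_FAMILIES` to match your own export.

```python
"""Audit Vault role assignments for redundant roles and direct user assignments."""
from typing import Dict, Iterable, List, Set

# Role families ordered from fewest to most privileges. The names follow the
# post's wording and are assumptions, not Vault's authoritative display names.
ROLE_FAMILIES: Dict[str, List[str]] = {
    "Document": ["Document Consumer", "Document Editor Level 1", "Document Editor Level 2"],
    "Document Manager": ["Document Manager Level 1", "Document Manager Level 2"],
    "Change Order": ["Change Order Level 1", "Change Order Level 2"],
    "Custom Object": ["Custom Object Consumer", "Custom Object Editor Level 1",
                      "Custom Object Editor Level 2"],
    "Item": ["Item Reviewer", "Item Editor Level 1", "Item Editor Level 2"],
}
ADMINISTRATOR = "Administrator"


def redundant_roles(roles: Iterable[str]) -> Set[str]:
    """Return the roles in `roles` that add no privileges.

    Administrator covers everything, so every other role beside it is redundant.
    Within a family only the highest assigned level counts; the lower ones are redundant.
    """
    assigned = set(roles)
    if ADMINISTRATOR in assigned:
        return assigned - {ADMINISTRATOR}
    redundant: Set[str] = set()
    for ladder in ROLE_FAMILIES.values():
        present = [r for r in ladder if r in assigned]  # ordered low -> high
        redundant.update(present[:-1])                  # keep only the top one
    return redundant


def effective_roles(user: dict, groups: Dict[str, List[str]]) -> Set[str]:
    """Direct roles plus roles inherited from every group the user belongs to."""
    roles = set(user.get("roles", []))
    for g in user.get("groups", []):
        roles.update(groups.get(g, []))
    return roles


def audit(users: Dict[str, dict], groups: Dict[str, List[str]]) -> List[dict]:
    """Produce one finding per redundant role and per role assigned directly to a user."""
    findings: List[dict] = []
    for name, roles in groups.items():
        for r in sorted(redundant_roles(roles)):
            findings.append({"principal": name, "kind": "group", "issue": "redundant_role", "role": r})
    for name, user in users.items():
        # Roles belong on groups, not on users: every direct assignment is flagged.
        for r in sorted(user.get("roles", [])):
            findings.append({"principal": name, "kind": "user", "issue": "direct_assignment", "role": r})
        # Redundancy is judged on the effective set (direct plus inherited).
        for r in sorted(redundant_roles(effective_roles(user, groups))):
            findings.append({"principal": name, "kind": "user", "issue": "redundant_role", "role": r})
    return findings


# Constructed sample export for demonstration; not data from any real vault.
SAMPLE_GROUPS = {
    "Engineers": ["Document Editor Level 1", "Document Editor Level 2", "Item Editor Level 1"],
    "Viewers": ["Document Consumer"],
    "VaultAdmins": ["Administrator", "Document Manager Level 2"],
}
SAMPLE_USERS = {
    "alice": {"roles": [], "groups": ["Engineers"]},
    "bob": {"roles": ["Document Consumer"], "groups": ["Engineers"]},
    "carol": {"roles": [], "groups": ["Viewers"]},
}

if __name__ == "__main__":
    for f in audit(SAMPLE_USERS, SAMPLE_GROUPS):
        print(f"{f['kind']:5} {f['principal']:12} {f['issue']:18} {f['role']}")
```

Running it against the sample flags the lower Document Editor level on the Engineers group, the Document Manager role sitting beside Administrator, bob's direct Document Consumer assignment, and the read-only roles that his group membership already exceeds; carol, with a single role inherited from one group, produces no findings.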
In my next article, I will look at the second layer, the lifecycles within Vault.