Developing workspace folder permission policies

When you develop workspace folder permission policies for an HCL Compass environment, the most important considerations are who has authority to set policies for the entire installation, who can set and change permissions on individual folders, and what levels of access to set on different folders for different groups of users.

Workspace folder permissions are controlled by two types of administrators:
  • Security administrators, who set policy and have control over all folder permissions for all groups
  • Public folder administrators, who control folder permissions for groups to which they belong

These administrators can delegate permission control for specified folders for a specified user group by assigning the Change-Permission permission. Users in these groups can set permissions only on subfolders in their accessible folders.

Setting the overall policy: security administrator

The security administrator is responsible for managing folder permissions and setting up access control lists (ACLs) for the environment. The security administrator sets workspace folder permissions directly under the Public Queries folder to correspond to the needs of the user groups that access each folder.

Implementing policy: public folder administrators

The security administrator selects the public folder administrators to manage folder permissions for specified groups. Each public folder administrator might be a member of one or more functional groups. For example, a public folder administrator might be a member of the dev (development) group, as well as the subgroup dev-gui.

Each public folder administrator sets up the folder permissions for their groups. Public folder administrators have access to any folder under the Public Queries folder, but can assign permissions only for groups to which they belong. In this way, public folder administrators take on some work for the security administrator, by managing the folder permissions of their own groups.

Delegated permission setting: the Change-Permission permission

The security administrator or public folder administrator can grant the Change-Permission permission to a specific user group on a specified set of folders. This enables a small set of users to manage their subfolder permission hierarchy. Members of this Change-Permission user group cannot access or set permissions outside of the specific subfolder hierarchy that the security administrator or public folder administrator has established for them.
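The three levels of authority described above can be modeled as an audit check over a list of permission changes. This is an added example, not HCL Compass code or API: the actor names, folder paths, event tuple format and the `may_set` and `audit` helpers are hypothetical. It assumes that delegates act only on strict subfolders of the folder where their group holds Change-Permission and may set permissions there for any group.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath

PUBLIC = PurePosixPath("Public Queries")

@dataclass(frozen=True)
class Actor:
    name: str
    role: str          # "security_admin", "public_folder_admin" or "user"
    groups: frozenset  # groups and subgroups the actor belongs to

def under(folder, root, strict=False):
    """True if folder lies below root, or equals it when strict is False."""
    folder, root = PurePosixPath(folder), PurePosixPath(root)
    return root in folder.parents or (not strict and folder == root)

def may_set(actor, folder, target_group, delegations):
    """delegations maps a group to the folders where it holds Change-Permission."""
    if actor.role == "security_admin":
        return True  # control over all folder permissions for all groups
    if actor.role == "public_folder_admin":
        # Any folder under Public Queries, but only for the admin's own groups.
        return under(folder, PUBLIC) and target_group in actor.groups
    # Delegates: only subfolders of a delegated folder (assumption: strict).
    return any(under(folder, root, strict=True)
               for g in actor.groups for root in delegations.get(g, ()))

def audit(events, actors, delegations):
    """Return the (actor, folder, group) changes the policy does not allow."""
    return [e for e in events
            if not may_set(actors[e[0]], e[1], e[2], delegations)]

# Constructed sample data; nothing here comes from a real installation.
ACTORS = {
    "sam": Actor("sam", "security_admin", frozenset()),
    "pat": Actor("pat", "public_folder_admin", frozenset({"dev", "dev-gui"})),
    "lee": Actor("lee", "user", frozenset({"dev-gui"})),
}
DELEGATIONS = {"dev-gui": ["Public Queries/Dev/GUI"]}
EVENTS = [
    ("sam", "Public Queries/QA", "qa"),                    # allowed
    ("pat", "Public Queries/Dev", "dev"),                  # allowed: own group
    ("pat", "Public Queries/QA", "qa"),                    # flagged: not in qa
    ("lee", "Public Queries/Dev/GUI/Widgets", "dev-gui"),  # allowed: subfolder
    ("lee", "Public Queries/Dev/Core", "dev-gui"),         # flagged: outside
]

if __name__ == "__main__":
    for actor, folder, group in audit(EVENTS, ACTORS, DELEGATIONS):
        print(f"out of policy: {actor} set {group} permissions on {folder}")
```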

Factors to consider when setting folder permissions

When setting up folders and assigning folder permissions, the security administrator and public folder administrators should consider the following factors:
  • Which groups need access to a folder, and what kind of access they need
  • Folder and subfolder permission inheritance
  • Group and subgroup permission inheritance
  • Which folders must be accessible to everyone