06-24-2012 05:57 PM
I am trying to find some documentation to explain how or if Sharepoint honours TRIM Access controls and security levels/caveats on files and documents exposed via the Sharepoint 2010 TRIM 7 integration.
I found the TRIM7.21_SPIntegrationConfiguration.pdf which doesn't mention it! and the TRIM7.21_SPIntegrationInstall.pdf which doesn't mention it but TRIM7.21_SPIntegrationDevelopersGuide.pdf and TRIM7.21_SPIntegrationUserManual.pdf are both 5 pages of gumph that tell you to go to the web site for the latest manuals - where you get another 5 pages of gumph... bum.
06-24-2012 06:47 PM - edited 06-24-2012 07:17 PM
EDIT: Getting SP team to clarify in more detail. :)
NOT A HP EMPLOYEE
06-24-2012 07:33 PM
Thanks grundy - obviously it's a major design issue for TRIM sites that are as **bleep** about access controls as we are. oops! did I really say that :-)
06-24-2012 07:39 PM
The SP devs are going to clarify all this exactly.
However, the basic rule is, if someone 'exposes' an item, it would be like a staff member pulling out a document and pinning it to a board in the break room.
Anyone with access to that room will see the document!
Will wait and get something formal together and we'll have a meeting internally soon so everyone's on the same page.
NOT A HP EMPLOYEE
06-25-2012 02:53 PM
I can imagine if a document is extracted (like an email) it is no longer under TRIM's control, but the Sharepoint integration talks about documents being "Managed" in TRIM - surely that means the document is stored and secured in TRIM and sharepoint is essentially just the Client - if not why is the setup so complex requiring TRIM workgroup server install on the Sharepoint Server and no end of moving parts with special service accounts and default record types etc?
06-25-2012 05:46 PM
Whilst the team are clarifying the security stuff, can they also comment on the Audit Logs,
is everything logged under the credentials of the person extracting the document, or is it logged as the service account? Does this apply to all flavors of integration in sharepoint?
06-25-2012 05:51 PM
Really good point Rich - we were discussing that yesterday too and I forgot to ask. Without those things I don't see much future for "integration" - except there might be a sales opportunity for those of us that can code!!!!
06-25-2012 06:20 PM
Just to follow up, everything I stated originally was correct, except that EDIT permissions are still completely controlled by TRIM.
So to cover the basics again:
- Any live access to TRIM, either via a federated search, finding records to expose etc, editing/check-out and check-in is all security controlled by TRIM, since all these actions directly interact with TRIM.
- If you 'Expose' an item into Sharepoint, then the TRIM security no longer applies and Sharepoint security takes over. This is the same as if someone emailed it, printed it, copied it to a network drive etc, TRIM is no longer directly involved in 'VIEWING' the item.
The integration is always evolving and open to enhancement requests.
The developers are actually very keen for this level of feedback, so if you have any ideas on how you think it could be improved (pending limitations of the Sharepoint/TRIM platform), then please log them with the support team. :)
As for Audit logs, I haven't checked personally, but I can look at this in our test environments next time I'm using them.
For now, the product management team and SP integration devs are working on a formal write-up of the security/access questions above, since you're not the only ones asking this question.
NOT A HP EMPLOYEE
06-25-2012 06:43 PM
There are multiple ways to use the TRIM sharepoint integration. Here are two:
1) Exposing records via container is as Grundy described - any records (already in TRIM) that the "trim privileged" account can access can be exposed. Once they are exposed, the only security control you have is within the Sharepoint user management. This is very dangerous, and not well understood by HP salespeople!
Another point to note on this is that when records are exposed in this way, they actually are copied into sharepoint, and can be accessed without using the TRIM backend. This is both good and bad.
2) "Managing" records takes content that already exists in Sharepoint (or is being created / collaborated within Sharepoint) and saves it into TRIM. The security of the record is typically based on the TRIM container that it is being stored into. The TRIM user mapping carries through for this content.
Happy to be corrected on any of this! I don't want to spread incorrect information.
There seems to be a general lack of good documentation on the integration, and for some reason, a large part of the useful documentation in the 7.1 releases has been removed from the 7.2 releases. (??)
06-25-2012 06:59 PM
Another thing: if you're a site that allows view meta-data but denies view document... Disable expose! Otherwise users can see the meta-data in a search result and then expose it wherever they like.