Chapter 10 - Security
- 1 SECURITY
- 1.1 Security Set Up
- 1.2 Windows Active Directory Integration
halFILE provides multi-level security that includes:
- Restricting users from accessing selected image databases
- Restricting users to certain actions such as scan, index, archive, search
- Password control
- System Administrator identification
Security Set Up
To set up security, select Configure-Security and click the Enable Security sub-menu in the Administrator. This places a check mark on the sub-menu and tells the system that system security is enabled. If you click this sub-menu when it is checked, the security system is disabled and the check mark is removed.
Immediately after enabling security, you must define at least one user with System Administrator privileges. This will prevent you from being locked out of the system.
Security is based around users. When security is enabled, a user must provide a user id and a password to gain access to the system. Once the user is in the system, the databases that can be accessed and the features that can be performed depend on that user's profile.
At least one user must be set up as a 'System Administrator'. The System Administrator is the only person who can turn security on/off and define user profiles. When passwords are entered, the data is replaced with asterisks on the screen to prevent others from viewing a user's personal password. This is also true when the System Administrator defines user passwords. Therefore, if a user forgets his/her password and the System Administrator does not have a record of the password, the System Administrator would have to remove the user from the system, then re-add the user to set up a new password.
If you are locked out of the system because you do not know a password, call Technical Support.
To set up users and designate restrictions and privileges, select Configure-Security-User Profiles. This displays a screen similar to the following.
Adding a new user
- Click the add button to display the User Parameter screen.
- All the databases are listed (see the sample screen below) with no access to any database. The first column named Access gives a user rights to use a database.
- For each database that you give the user access to, check the privilege boxes to allow the user to perform an activity (scan, search, index etc.).
- When a database row is clicked, the "extended settings" box in the lower left is updated to show additional security settings for this user and database. This is used to enable/disable menu selections in the system such as deleting documents and performing image annotations.
Deleting a user
To remove a user, highlight the user and select File-Delete.
Editing an existing user set up
- Double-click the user id, or highlight the user and press the edit button to view the User Parameters as shown below. This shows all the databases that the user can access as well as the privileges allowed for each database.
- Set up the user privileges as described under ‘Adding a new user’ above.
Windows Active Directory Integration
Windows Active Directory is a powerful tool for maintaining network users across multiple servers and domains. halFILE and e.halFILE can be configured to integrate with Windows Active Directory. This lets you set up Windows Active Directory Groups containing users that have similar security properties in halFILE. Then in halFILE, you do not need to set up each individual user, only the groups that match the Windows Active Directory Groups. When you add a user to a Windows Active Directory group, that user automatically inherits the privileges of that group when going into halFILE. Furthermore, no login to halFILE is required. The user is automatically logged in under the network user id.
Why use Active Directory Integration?
- Administer users from one place, Windows Active Directory.
- No halFILE security setup is required when a new employee who needs to use halFILE is hired. Set up the person's network user id, put the user in the appropriate Active Directory Groups and he/she should be able to get into halFILE with the correct security.
- Easy to remove users when employee turnover occurs. If an employee leaves, you delete the employee from Windows Active Directory and he/she no longer has access to halFILE.
- Quickly change halFILE roles for users. If a user is promoted to a new job requiring different halFILE privileges, then move the user from one Active Directory Group to another and those privileges automatically flow over to halFILE security.
Before you start
Before you enable the Active Directory Integration feature in halFILE, you should spend some time planning your groups. These groups will be used to assign User Privileges (Configure-Security-User Profiles), Custom Search Settings (File-Database Custom Search button) and User Features (Extended Settings behind the database privileges in Configure-Security-User Profiles).
halFILE Active Directory Integration Set Up Procedure
- Set up a Windows Active Directory Group for each type of User that you would have in halFILE. For example, if you have Search only users, Search and Index users and Admin users, you would set up 3 Active Directory Groups as follows:
  - HFAD_User_Search – for users with Search only privileges.
  - HFAD_User_Index – for users with Search and Index privileges.
  - HFAD_User_Admin – for users with Admin privileges.
- Add the Network users into the appropriate HFAD_User group(s).
- Set up a Windows Active Directory Group for each type of Custom Search you require. For example, if you have a Custom Search for Public users and a second Custom Search profile for Employees, then you would set up the Active Directory Groups as follows:
  - HFAD_Search_Public – for the Public users Custom Search.
  - HFAD_Search_Employee – for the Employees Custom Search.
- Add the Network users into the appropriate HFAD_Search group(s).
- Change halFILE to use Active Directory Integration. In the Administrator, this is under Tools-Options / Security/Versions tab. Check the "Use Active Directory Integration" box. Note: You must check the "Use halFILE Integrated Security" box to enable this check box.
- Set up a single User and Custom Search in halFILE for each Windows Active Directory Group, using the same name as the Windows Active Directory Group. So using the above examples, set up users named HFAD_User_Search, HFAD_User_Index and HFAD_User_Admin. Set up all the features as needed including Extended Settings and Group/Document Level Security. Then, set up Custom Search Profiles named HFAD_Search_Public and HFAD_Search_Employee.
- Now, when a user goes into halFILE, they are automatically assigned their Network user id. halFILE looks up the user id in the Windows Active Directory Groups to determine which groups the user belongs to. Then, the user's profile for halFILE security is created for the user.
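Because Active Directory group membership now decides which halFILE privileges a user receives, the membership of these groups is worth reviewing regularly. The PowerShell below is an added example, not part of halFILE or its documentation; it assumes the ActiveDirectory module (RSAT) is installed and that your groups use the HFAD_ prefix from the examples above.

```powershell
# Added example: review who receives halFILE privileges through AD groups.
# Assumptions: ActiveDirectory module available; groups are named HFAD_*.
Import-Module ActiveDirectory

$prefix = 'HFAD_'

# Each matching group corresponds to a halFILE user or Custom Search profile
# of the same name.
$groups = Get-ADGroup -Filter "Name -like '$prefix*'"

$rows = foreach ($g in $groups) {
    # -Recursive also lists members that arrive through nested groups.
    # Whether halFILE honours nested membership is not stated in this chapter;
    # they are reported here so they can be reviewed either way.
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName
            [pscustomobject]@{
                ADGroup = $g.Name
                User    = $u.SamAccountName
                Enabled = $u.Enabled
            }
        }
}

'--- Membership of all halFILE groups ---'
$rows | Sort-Object ADGroup, User | Format-Table -AutoSize

'--- Members of the Admin group (review each one) ---'
$rows | Where-Object { $_.ADGroup -eq "${prefix}User_Admin" } |
    Format-Table -AutoSize

'--- Disabled accounts still listed in a halFILE group ---'
$rows | Where-Object { -not $_.Enabled } | Format-Table -AutoSize

'--- Users in more than one HFAD_User_* group ---'
$rows | Where-Object { $_.ADGroup -like "${prefix}User_*" } |
    Group-Object User |
    Where-Object { $_.Count -gt 1 } |
    Select-Object Name,
        @{ n = 'Groups'; e = { ($_.Group.ADGroup | Sort-Object) -join ', ' } } |
    Format-Table -AutoSize
```

How halFILE combines privileges for a user who belongs to several HFAD_User groups is not described in this chapter, so the last report is a list to check by hand rather than a finding in itself.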
halFILE Active Directory Integration
Once the setup is complete, you should run HFWAD32.EXE to log in to halFILE using Windows Active Directory Integration. This program determines what groups the user belongs to and sets up the halFILE security privileges accordingly. Then it continues on to the halFILE Manager (halfile.exe).
e.halFILE Active Directory Integration
e.halFILE uses the same security setup as halFILE. However, there are some special set up requirements in Microsoft Internet Information Services (IIS) that need to be configured as follows:
- Create a folder under the ehalfile folder named Login and copy hflogin.asp, hflogin.dll and halweb.ini into this folder. You will need to register hflogin.dll.
- Create a virtual directory called "login" in your website and set Directory Security to disable Anonymous Access and enable Integrated Windows Authentication behind the Directory Security tab.
- Change the login button or link on your website to go to …/login/hflogin.asp. This will ask the user to login to Windows and perform the halFILE Active Directory authentication before proceeding with the next web page.
Active Directory Integration - Behind the Scenes
New tables in the HFWParams database are used to store the above information including:
- ADUsers
- ADUserFeatures
- ADCustomSearch
When a user logs in, halFILE queries Windows Active Directory to determine which Active Directory Groups he/she belongs to and dynamically builds the security system for that user in halFILE according to the settings for matching group names set up in halFILE.