CM for Multiplatforms 8.2.0.20
Solaris 8

Hi all,

After having contacted IBM on my issue, they have directed me here as
they can't help me.

Issue:

I need to be able to create a READ ONLY client user that doesn't have the
privilege to use the SHOW/HIDE button in the Windows Client. As an example,
I work for a county level government and as all our data is public
information, Joe Public can come in and ask for it. There are some obvious
issues such as SSN's on employee records OR account numbers for the various
bank accounts the county has. We obviously can use annotation to hide those sorts of sensitive things but I can't figure out (and IBM says it's not
possible) how to keep a READ ONLY client user from using the SHOW/HIDE
button so as not to expose that information. Any help would be greatly
appreciated.


THX

Ted H. Smith, Jr.
Information Services Department
Platte County, Missouri
tel: 816-858-1944
fax: 816-858-3390
teds@co.platte.mo.us

What is CM? Is this data kept in DB2 tables? If so, just use views.

Hi urqel,

CM is Content Manager, which I would say is the middleware I use to (amongst other things) set up users for our document imaging solution. Most of these users (employees) have full privileges insofar add/update/delete. My problem is that I have to create a user that ONLY has read privileges with even more limitations. The Windows Client is the front end on our solution that allows one to pull documents up once they've been scanned and indexed. The Windows Client has a SHOW/HIDE button that allows a user to either see/not see the annotations (stamps,circles,squares,sticky notes.......we use the square to block SSN). Since our data is in the public domain, we have to provide reasonable access to it in this case via the Windows Client. Senisitive information like SSN's etc. can NOT be made public for obvious reasons. All these privileges or privilege sets are controlled via CM and I'm at a dead end insofar as what to do. My last resort will be to have our IBM rep. make a request to the developers to make a change in the form of a future fixpack.


Ted

Urqel.........I didn't answer your entire question. Yes the data is kept in DB2.

Ted_smith,
You will have to create userid and grant read-only privilege (through ACL) for that user. All you can do through CM system Administration Client.
Read CM system Administration guide on controlling user access.

Kuckoo,

The Administration Client has privileges and privilege sets, none of which include the ability to turn off the show/hide. I've mixed and matched every privilege in CM and no success yet.

It looks like, you are right. How about eClient, Can you use eClient instead of Windows Client for read-only user, eclient is more flexible. Also, If you can customize windows Client then you may able to disable show-hide button, ask IBM on that.

Just Curious, can you create ACL that has only read-only priviledge on document and no access to annotation?

If I understood correctly, your requirement is that you want user to have read only access to documents (with annotation that hides sensitive data) but don't want them to HIDE annotations correct?

How about hiding sensitive data with other method like stamps? I think show/hide button is only for annotation.

Kuckoo,

I tried going the way of the ACL and that ends up hiding the annotations thereby rendering them useless. Unfortunately, stamps ARE part of annotations..........arrrgh!! I tried E-Client but no luck there either. Not only can a user access them (annotations) in E-client, but they can move them around. I'm not sure how I would go about customizing the Windows Client as I don't have access to that code. I'll keep digging around for a solution before I call up by IBM rep.. I appreciate your help on the issue none the less.

THX

Ted

This can be possible through eClient. You are assigning more privileges (more than read-only) to users. Try following

(1) Create new user group "grp1"
(2) Create new user "user1" and assign it to "grp1"
(3) Create new privilege set, lets say "ronlyset"
- Grant only connect,query and read privileges to ronlyset
(i.e. Read basepart,read annotation,read notelog etc.)
(4) on ACL, link "user1" or "grp1" with privilege set "ronlyset"
(5) Login to eClient/pclient with "user1" and test

You might have to test with differnet combination of privilege sets at step (3) until your scenario solved.

I'll give it a shot(s) and let you know what happens......

THX