Meridian Explorer security is very configurable, flexible, and powerful. It uses some concepts that are similar to Meridian Enterprise vault security and some that you may not be familiar with:
It is important to understand that Meridian Explorer security is not applied to folders like Meridian Enterprise security roles or Windows access control lists. This is because Meridian Explorer relies less on the folder paradigm than Meridian Enterprise or Windows.
All Meridian Explorer security is defined using BlueCielo users and groups that are members of defined roles. The users and groups can be defined in Meridian Enterprise Server or they can be imported from Microsoft Active Directory as described in Importing users and groups from Active Directory.
The effective permissions for a particular user for a specific item are determined by:
User roles
A user role is a set of users or groups based on a functional role relative to the organization, for example, Contributor, Reviewer, and Document Controller. Some example roles and permission levels are predefined but you can edit and delete them and create others to meet your own requirements. A user role is assigned a permission level at a property value level of a property hierarchy, which is explained in the following descriptions. Unlike with permission levels alone, user roles give you another dimension of flexibility to assign security, especially in complex environments or with many users.
Note We recommend that you assign only BlueCielo groups to roles, not individual users. This way, users can be given access to the repository by virtue of their group memberships. Security can then be adjusted in the group memberships instead of in the repository.
Permission levels
A permission level is a set of permissions that can be assigned to a user role at a level of the property hierarchy, for example, Viewer, Manager, and Full Access.
Property hierarchies
A property hierarchy is how security can be assigned based on property values. Separate hierarchies can be defined for documents and for object tags. Each hierarchy can comprise multiple levels. Each level corresponds to one property. In this regard, Meridian Explorer property hierarchies are similar to the Meridian Enterprise Field-Path definition. That is, a document's folder location in the vault depends on its values for the properties that comprise the Field-Path definition. In a Meridian Explorer property hierarchy, a user's effective permissions for an item depend on its values for the properties that comprise the property hierarchy. One difference is that Meridian Explorer property hierarchies have no direct relation to folders, as previously stated. Therefore, they affect any navigation views that also use the same properties. This greatly extends the power of property hierarchies. Another difference is that security can be configured even more granular by assigning different permission levels to user roles for any number of values of the properties that comprise a property hierarchy. This allows you to configure a single security model made up of numerous rules that apply everywhere in the repository regardless of whether the documents, object tags, or property values already exist.
At each level of a hierarchy, you can assign a permission level to one or more user roles. You can also not assign any permission level to a user role, which basically prevents the users in that role from performing the activities that correspond to the permission level . Moreover, each level of a hierarchy can either have its own permission level assignments or it can inherit the assignments of its parent property in the hierarchy.
Global permissions
Global permissions are exceptions to the permission level assignments just described. These permissions do not involve user roles or property hierarchies. They control the same permissions (and an additional one) as property hierarchy assignments but override them. Global permissions can be granted to specific BlueCielo groups. This can be valuable so that some users (for example department managers and system administrators) can manage items in the repository regardless of where a document resides in the repository or its property values (which define the item level security). For that reason, global permissions should be assigned sparingly.
Project permissions
Projects in Meridian Explorer that were imported from Meridian Enterprise do not use a property hierarchy to determine their security. Instead, permission levels are assigned to user roles as the template for all new projects. These assignments apply to the items and to the subfolders within projects. This works similar to assigning roles to folders in Meridian Enterprise.
Following is an example scenario that demonstrates the application of all of the preceding concepts. For the sake of simplicity, this scenario only demonstrates the effective security for documents but it could be extended to include object tags. Likewise, only one group is assigned to each user role but multiple groups could be assigned. And role assignments are only shown for one value at each property level. In a production environment, different role assignments would likely be made for other values. The scenario also does not take into consideration the global permissions that may have been assigned to the groups shown here and that would override the property hierarchy assignments.
In the following figure, blue text indicates items defined in Meridian Explorer. Black text indicates the properties of each item.
Following are the effective rights for several of the users in this scenario:
Working with these concepts to configure repository security is described in the following topics.