To avoid accidental data corruption HyperDoc implements the following mechanism. HyperDoc users need only read access to the HDocConfiguration table in the HyperDoc database. Users do not need any other rights in this table or any rights at all in other HyperDoc tables. HyperDoc logs in to the database using supplied user credentials. After logging in successfully, HyperDoc reads the account name and password of the special HyperDoc system account from the HDocConfiguration table and connects to database again using this account. The HyperDoc system account must have all the rights to all the tables HyperDoc uses, except for those data tables that are intended to be read-only. Since the password of the special HyperDoc system account stored in the HDocConfiguration table is encrypted, this mechanism prevents users from accessing HyperDoc data in any other way than through HyperDoc itself.

During the login to the database using supplied user credentials, HyperDoc checks if the user has the right to read HDocUserRights table. If so, the user is considered to be HyperDoc administrator, i.e. he can execute Logical Devices and Text Macros commands, he can view and assign user permissions with User Permissions command and security class permissions with Security Classes command. Ordinary user can only view his own rights in User Permissions and Security Classes commands. Both commands are available in HyperDoc and in HDAdmin utility.

There are five categories of HyperDoc database users:

1. Super User - the user who creates and configures HyperDoc database. He needs the right to create user accounts, to create tables, to assign database user rights and to read and write from all HyperDoc tables. 2. HyperDoc administrator - the user who assigns HyperDoc user permissions with User Permissions and Security Classes commands. By definition he has the right to read HDocUserRights table. He needs the right to read HDocConfiguration table. HyperDoc administrator can use HyperDoc and perform administrative tasks, like changing access rights, managing logical devices, text macros, etc. 3. HyperDoc system account. This user account needs the right to read all HyperDoc tables and to write to some of them, e.g. HDocParams, HDocDocSetObjects and so on. 4. Ordinary HyperDoc user - by definition he has the right to read HDocConfiguration table. 5. Foreign database user. He is a database user, who does not use HyperDoc. By definition he does not have the right to read HDocConfiguration table. He does not need any access rights to any HyperDoc tables.

Additional administrative utility HyperDoc Administrator (HDAdmin) is provided. Among other purposes, it can be used for HyperDoc system account management. If the password only has been changed, no other administrative tasks are needed, because HDAdmin makes password change known to the underlying database system (Microsoft Access, Microsoft SQL Server or Oracle Server). If the HyperDoc system account name has been changed, administrator must use appropriate administrative tools to make sure that this account exists. HDAdmin on start-up and on each system account change verifies if this account has all necessary rights to all HyperDoc tables. If these rights are not sufficient, it grants them automatically. The HyperDoc system account name and password are reserved for the system use and should be never used by HyperDoc users or administrators.

HyperDoc supports two login modes:

native database accounts mode using database list of logins (described above and used in most cases), proprietary user list mode using list of logins stored in HyperDoc configuration table HDocUsers. This mode allows many HyperDoc users share single database account and is available for ODBC databases only

HyperDoc on start-up, when configured for ODBC database, tries to find HDocCfg.DAT file in the following places:

- the directory where HyperDoc is installed, - the directory pointed by the HyperDocCfg environment variable, - the directory pointed by the HyperDocCfg key in the General section in the HDoc.Ini file.

If HDocCfg.DAT file is not found, then HyperDoc works in old native database accounts mode. Otherwise HyperDoc works in new proprietary user list mode: it connects to database using common login name and password read from the HDocCfg.DAT file. You can control HyperDoc login mode with HyperDoc Administrator utility.

HyperDoc security uses user and group definitions of the underlying DBMS system. It works on two levels: user-level security and document-level security. User-level security defines user or group rights for protected operations for all documents.

Document-level security uses concept of security classes. Each document has a certain security class. Each security class has an access control list defining user and group rights for all documents of this security class. Rights are defined in terms of protected operations (which are almost the same as in user-level security).

User-level rights are a logical sum of rights defined for the user and all groups to which this user belongs. To see the actual user-level rights check the Show Effective Rights box in the User Permissions dialog.

For a user to be able to perform certain protected operation on a given document he/she must have both user-level right for this operation and document-level right for this operation to the document’s security class. When the document has no security class assigned only user-level rights apply to this document. To see the actual document-level rights check the Show Effective Rights box in the Security Class Permissions dialog.

Access rights apply to a document as a whole; there are no specific rights for versions of the document.

The access rights defined in HyperDoc are as follows.

Right

Description

Access documents

Access documents

Modify documents

Modify documents

Delete documents

Delete documents

Add versions

Create new version of the document

Modify versions

Modify existing version of the document

Delete versions

Delete version of the document

Import versions

Import version of the document

Export versions

Export version of the document

Modify links

Modify links from spots

Modify document attributes

Modify attributes of the logical document

Modify object attributes

Modify attributes of business object

Access contents

View contents of the document

Modify contents

Change contents of the document

View external file formats in HIS

Allows working with external documents via HyperDoc Online

View system

View spots on system layers

Modify system

Modify spots on system layers

View foreign

View spots on other users’ layers

Modify foreign

Modify spots on other users’ layers

Enable modification**

Create or modify any spots

View system

View redlining on system layers

Modify system

Modify redlining on system layers

View foreign

View redlining on other users’ layers

Modify foreign

Modify redlining on other users’ layers

** - When a user does not have this right, he cannot create, modify or delete any spots. He cannot switch between Object Overlay and Redlining drawings. He can select vector entities on them both without switching between them. Any vector object he creates is created on the Redlining drawing.

We have implemented type of security classes that can be applied to designated document types.

By using this feature you can control user rights to see and perform various actions against type of documents, no matter where they are located in Database.

Configuration

Activation of this functionality requires database modification:

Using security class

New menu option has been added to Tools menu in HyperDoc - Security Classes for Types.

This option opens Choose Type to Assign a Security Class dialog where you choose document type for which the security class will be created.

Security class dialog of chosen document type dialog will appear.

Click New Class to create new security class for chosen document type.

By default permissions for new security class are blank so click Permissions...button to customize them.

Future managing the security classes for documents types is same as for normal security classes.

Described here is a simple scenario where we want to apply security for three groups of users:

For easier management it is recommended to use separate Security Classes for document types. You can use one SC per type, or for several types that need the same security settings.

  1. Setup user accounts

  2. Setup Security Classes using HyperDoc Tools\Security Classes dialog. Use New Class to create “Security Level A”. It will be used to secure objects of “blue” category

  3. Repeat steps for “Security Level B” that will be used to secure objects of “purple” category .

  4. To apply security class to all objects and documents (sub tree) use Security Class Clone add-in for HyperDoc.

  5. After completing above steps you have secured access to objects and connected documents. Next problem is the fact that Architects and Engineers will have access to all types of documents. To limit this access to specific types, follow instructions in next steps:

  6. DocType1_SC” will be used to define access to DocType1

  7. Repeat this steps for “DocType2_SC” that will be used to define access to DocType2

HyperDoc has been extended with possibility of using proprietary groups with already implemented Proprietary User List mode.

MSSQL users and groups can be also managed using HyperDoc Admin tool and HIS sites described above. But in this case, there are some limitations.

java Here are some of them: fixed database roles couldn't be deleted, public role and dbo user shouldn't be managed using above tools. User used by HyperDoc Internet Server needs to have enough rights for users and groups handling (please refer to Microsoft MSDN to check rights requirements).

To enable using of proprietary groups with proprietary users one has to use “Check and Create Extra Tables” option from HyperDoc Configuration Manager's File menu. Then they would be available after setting Proprietary User List mode in HyperDoc Admin from User list mode menu.

Proprietary groups and users memberships can be managed from within HyperDoc Admin tool or using hisUsers.asp and newly added hisGroups.asp web pages.

loading table of contents...