Employees are often involved in a wide range of processes. In order to carry out their tasks, they need authorization to use a wide variety of resources, e.g., document and IT functions.
However, in order to achieve the security goal of "confidentiality", restrictions are also necessary. Certain restrictions make sure that only authorized personnel have the right to do certain things, and maintain transparency for everyone. Documents and data may only be viewed or modified by authorized users.
The following measures in DocuWare make it possible to implement such complex scenarios:
Control document access via permissions.
DocuWare as a high-security system offers additional security through restrictions on the assignment of permissions. Only selected employees can access high security file cabinets. This prevents particularly sensitive areas in DocuWare from being accessed by mistake, for example via incorrect group and role assignments.
Sensitive documents are protected from unauthorized access even at the administrator level thanks to standard 256-bit encryption.
Customers of locally installed DocuWare systems (on-premises) please note:
Certain data relevant to DocuWare cannot be protected with DocuWare permissions or other security measures. This includes the index data for the documents and the extracted full text that is stored in the respective databases.
To learn how to protect this information, please refer to the DocuWare On-Premises - System Architecture white paper in the Security and External Access chapter.
Permissions
The rights concept distinguishes between functional rights, file cabinet rights and object rights, which allow you to precisely control the scope of action of each user.
Functional rights are permissions to certain program functionalities. This includes, for example, the right to create a stamp or a document tray.
File cabinet rights refer to a file cabinet and the documents stored in it, such as storing and searching a document, editing index entries or exporting documents or a file cabinet to the file directory. Different file cabinet rights can be assigned for different file cabinets.
Object rights: For a number of other objects, users and roles can be granted "usage" and "admin" rights. With the usage right, the object can be used; the admin right includes the right to edit the object or the corresponding configuration.
The various permissions are combined into profiles and assigned to individual employees or groups of employees.
Read more about how you can control the scope of action and document access with authorizations in the Basics article Permission concept.
DocuWare as a High Security System
To use DocuWare On-Premises as a high security system, the high security level must be activated once for the entire DocuWare system (DocuWare Administration > System). If you are using DocuWare Cloud, the high security level is enabled by default.
Both in DocuWare Cloud and in DocuWare On-Premises as a high security system, an organization administrator can assign the high security property to certain users (DocuWare Configuration > User Administration) and file cabinets (DocuWare Configuration > File Cabinets).
Only a high security user can access a high security file cabinet.
There are some more differences from a system without a high-security level:
If a file cabinet is set to high security, it is no longer possible to assign file cabinet profiles to roles for these file cabinets, since file cabinet profiles must be assigned directly to users. These users must have the "high security" property. This prevents access to especially sensitive areas being granted by accident through uncontrolled group and role assignments.
If the high security property is assigned to a user, the user password may be changed only by the high security user. The organization administrator may reset the password for this user but will not be able to change it.
A high security user cannot log on using a trusted login, since with trusted login security is not ensured by DocuWare.
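The rules above, written out as a small access model. This is an added example, not DocuWare code or a DocuWare API; all class and function names and the sample users and file cabinets are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    high_security: bool = False
    roles: set = field(default_factory=set)

@dataclass
class Cabinet:
    name: str
    high_security: bool = False
    user_profiles: set = field(default_factory=set)  # names with a directly assigned profile
    role_profiles: set = field(default_factory=set)  # roles with an assigned profile

def assign_to_role(cabinet, role):
    # High security cabinets accept direct user assignments only.
    if cabinet.high_security:
        raise ValueError(f"{cabinet.name}: profiles cannot be assigned to roles")
    cabinet.role_profiles.add(role)

def assign_to_user(cabinet, user):
    # Directly assigned users of a high security cabinet need the property.
    if cabinet.high_security and not user.high_security:
        raise ValueError(f"{user.name} lacks the high security property")
    cabinet.user_profiles.add(user.name)

def can_log_on(user, trusted_login):
    # Trusted login is not available to high security users.
    return not (user.high_security and trusted_login)

def can_access(user, cabinet, trusted_login=False):
    if not can_log_on(user, trusted_login):
        return False
    if user.name in cabinet.user_profiles:
        return not cabinet.high_security or user.high_security
    if cabinet.high_security:
        return False  # role membership never grants access here
    return bool(user.roles & cabinet.role_profiles)

def demo():
    # Constructed sample data (assumption, not from a real system)
    alice = User("alice", high_security=True, roles={"HR"})
    bob = User("bob", roles={"HR"})
    payroll = Cabinet("Payroll", high_security=True)
    invoices = Cabinet("Invoices")
    assign_to_user(payroll, alice)
    assign_to_role(invoices, "HR")
    return alice, bob, payroll, invoices
```

In this model, sharing the "HR" role with alice gives bob access to the normal file cabinet only, and alice loses access as soon as the session comes from a trusted login.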
Encrypt Documents
To ensure that not even an administrator can read sensitive documents, DocuWare offers encrypted storage of documents. With this option you can also reliably prevent access to documents in the file system.
The key is 256 bits long by default.
Please note specifically for DocuWare On-Premises:
Encrypted file cabinets can only be accessed by authorized users. The document keys are decrypted using an asymmetric procedure with a key stored in the database. Since the documents cannot be decrypted without the key in the database, if you are using encrypted storage you should make sure that regular backups are made of the DocuWare system tables, so that the key tables in particular can be restored if the database is lost.
Fulltext information is not encrypted by DocuWare. The index data in the database is also not encrypted. If the index data contains highly sensitive information, you should consult the options offered by the database provider.
DWX files are not encrypted. In DWX files, metadata about the document can be saved in addition to being stored in the storage location of the file cabinet.