This article provides information about the area DocuWare Configuration > Security.
Here, you define the security settings for your DocuWare organization. Every setting has a status of ‘enabled’ or ‘disabled’. If a setting is ‘enabled’, it potentially increases the security of your organization.
Login security
Password Policy
A password policy restricts users from using insecure passwords. Here, you specify the minimum requirements for all users' passwords:
Minimum password length
Required characters
Password validity period
Notification period before password expires
Maximum number of failed logins
Duration for which an account is locked after the maximum number of failed logins
Read the note about the new password policy, which is activated by default for all new DocuWare organizations created from version 7.12 onward. The default password policy does not apply to organizations created before version 7.12.
Session timeout
In case of inactivity, a user can be automatically logged out of DocuWare Client and DocuWare Configuration. If no input is made within a certain time, the user first receives a notification with an appropriate message before being logged out and redirected to the login window.
If the timeout is exceeded, the user is logged out of all DocuWare Client browser windows and out of DocuWare Configuration. Clicking anywhere in a browser tab will cause the timer to count down from the beginning. Automatic DocuWare Client activities such as notifications do not reset the timer. Unsaved changes are discarded when you log out.
This setting applies to all users in the organization.
In DocuWare Forms, automatic logout only takes effect for non-public forms. Public forms do not require a real login and are therefore exempt from the timeout.
Single Sign-On
Single Sign-On (SSO) allows users to access DocuWare using their corporate credentials, so they do not need to remember separate DocuWare usernames and passwords. This functionality simplifies the login experience and can improve security by utilizing the authentication methods of the corporate identity provider, such as two-factor authentication.
To enable Single Sign-On in DocuWare, you must integrate your DocuWare organization with an external identity provider. You need to have access to the identity provider to perform the integration.
DocuWare supports several types of identity providers (see below). Each DocuWare organization can connect to only one external identity provider. Click here for instructions on how to set up the connection to an identity provider.
General SSO Options
Automatically assign existing users at login
With this option enabled, DocuWare automatically links users with their user accounts at the identity provider the first time they log in. It must be enabled for OIDC-compatible identity providers.
Enforce single sign-on authentication for all users
This option determines whether users must exclusively use the external identity provider for authentication or can alternatively use their DocuWare credentials.
When this option is enabled, users are required to log in using the external identity provider exclusively. They cannot use their DocuWare username and password unless they are added to an exclusion list. Administrators can specify excluded users or roles, allowing those specified to bypass the single sign-on requirement and use their DocuWare credentials.
When this option is disabled, users can log in to DocuWare using either their DocuWare username and password or the external identity provider. This provides flexibility for users who may prefer different authentication methods.
Note
Test your single sign-on configuration thoroughly before enforcing it: if single sign-on fails, all users might be locked out. Please consider excluding at least one organization administrator from enforced single sign-on so that they can still access DocuWare if there are problems with single sign-on.
Restrict public access
In DocuWare 7.11 and below, this section was referred to as Guest login. In DocuWare version 7.12, it has been updated to Restrict public access.
Guest login enables everybody with network access to your organization (the 'guest') to enter DocuWare without providing any credentials. The permissions granted to the guest user align with those of the DocuWare user designated as the guest. Depending on these permissions, 'guests' might be able to severely harm your system.
If you turn off Restrict public access, you can set the guest user option, which will appear on the DocuWare login page.
Risk
If you turn off Restrict public access, you make your DocuWare system available to external users who do not verify their identity using a username and password. This introduces a security risk. Please consider carefully whether you want to deactivate this security setting.
File types
File types entered in Restricted file types are blocked for archiving in DocuWare. Enable one of the lists to block the file types included or create a new list. The restrictions apply to all file cabinets of the organization.
The restricted file type lists are also available as an allow list and a blocking list for the full-text configuration.
External connections
Secure external URL locations
This functionality enhances the security of URLs stored as index data within documents. It ensures that URLs are only clickable if they direct to pre-approved, secure locations, thereby mitigating the risk of malicious URLs that may have been embedded prior to the document's storage in DocuWare.
To mark a location as secure, it must be added to this allow list. Add all relevant domains or URLs here, without “https://”. Once a domain is embedded in this allow list, all its associated subdomains and pages are also considered secure by default.
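The following is an added example, not DocuWare's own code: a Python sketch for checking a planned allow list against URLs found in index data before you rely on it. The matching semantics (https only, subdomains matched on a label boundary, path entries covering everything beneath them) and all sample domains are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample allow list, written without "https://" as the page instructs.
ALLOW_LIST = ["example.com", "partner.example.org/docs"]

def parse_entry(entry):
    """Split an allow-list entry into (host, path prefix)."""
    parts = urlsplit("https://" + entry.strip())
    return (parts.hostname or "").lower().rstrip("."), parts.path.rstrip("/")

def is_secure_location(url, allow_list=ALLOW_LIST):
    """True if url falls under an entry (assumed matching semantics)."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False                      # malformed URL: not clickable
    if parts.scheme != "https" or not parts.hostname:
        return False                      # assumption: only https links qualify
    if parts.username or parts.password:
        return False                      # embedded credentials obscure the real host
    host = parts.hostname.lower().rstrip(".")
    for entry in allow_list:
        allowed_host, allowed_path = parse_entry(entry)
        if not allowed_host:
            continue
        # Compare on a DNS label boundary, never with a bare suffix test:
        # "example.com" covers "files.example.com" but not "notexample.com".
        host_ok = host == allowed_host or host.endswith("." + allowed_host)
        # A path entry covers that page and everything beneath it.
        path_ok = (not allowed_path or parts.path.rstrip("/") == allowed_path
                   or parts.path.startswith(allowed_path + "/"))
        if host_ok and path_ok:
            return True
    return False

def blocked(urls, allow_list=ALLOW_LIST):
    """Return the URLs that would stay non-clickable under allow_list."""
    return [u for u in urls if not is_secure_location(u, allow_list)]
```

Because a listed domain also covers all of its subdomains, list the narrowest domain or URL that meets the need; a broad parent domain extends trust to every host beneath it.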