You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/documentation.markdown
+188Lines changed: 188 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1325,6 +1325,194 @@ it to anyone you wish. Other options in the Shares popup are:
1325
1325
All of your shares can be viewed and edited by selecting the My Shares
1326
1326
option in the menu under your username.
1327
1327
1328
+
## Security
1329
+
1330
+
### Overview
1331
+
1332
+
This section explains how Curate manages Role-Based Access Control (RBAC) and how it integrates with SSO providers. Specifically, it addresses the requirements for managing access to sensitive documents, such as those intended exclusively for specific teams.
1333
+
1334
+
### Understanding Role-Based Access in Curate
1335
+
1336
+
Curate implements a robust RBAC system that determines which users can access specific workspaces, folders, and files. The system uses several key concepts:
1337
+
1338
+
#### Key Concepts
1339
+
1340
+
1.**Roles**: Container for a set of permissions that define what actions a user can perform in the system
1341
+
2.**Access Control Lists (ACLs)**: Sets of permissions attached to roles that grant access to specific areas
1342
+
3.**Groups**: Hierarchical organisation of users that can inherit roles
1343
+
4.**Security Policies**: Dynamic rules that can grant or restrict access based on context (time, location, etc.)
1344
+
1345
+
#### How Roles Work in Curate
1346
+
1347
+
- Each user in Curate can be assigned one or more roles
1348
+
- Roles determine what folders and files a user can see and what actions they can perform
1349
+
- Permissions can be applied at the workspace level (by Penwern) or at specific folder/file levels (which can be managed within your organisation)
1350
+
- When multiple permissions apply, they follow specific merging rules:
1351
+
- Deny by Default: If no access is explicitly granted, access is denied
1352
+
- Explicit Denial Wins: If a "Deny" permission exists at any level, it overrides any "Allow" permissions
1353
+
1354
+
#### Role Management Process
1355
+
1356
+
#### Current Setup
1357
+
1358
+
In your Curate implementation, role management is handled by Penwern (as the system administrators). End users and local administrators do not have direct access to role creation in the system.
1359
+
1360
+
#### Role Creation Process
1361
+
1362
+
When you need to create specialised roles:
1363
+
1364
+
1.**Request a Role**: Contact Penwern support to request creation of a new role
1365
+
2.**Define Access Permissions**: Specify which workspaces or folders this role should have apply to
1366
+
3.**Specify Security Policies**: If needed, define any specific conditions for access (time restrictions, IP limitations, etc.)
1367
+
1368
+
Penwern will create the role in the Curate system according to these specifications.
1369
+
1370
+
### Integration with SSO Providers
1371
+
1372
+
To manage which users are assigned to specific roles, you'll use a combination of group management in your SSO provider and role mapping in Curate.
1373
+
1374
+
#### Setting Up Access for Specific Documents
1375
+
1376
+
##### Step 1: Create a Security Group in Your SSO Provider
1377
+
1378
+
1. In your SSO providers admin centre, create a security group (e.g., "Executive Team")
1379
+
2. Add the appropriate users to this security group
1380
+
3. Make note of the Group ID or name for reference
1381
+
1382
+
###### Step 2: Create Your Folder Structure
1383
+
1384
+
1. Your team should create any folders that require specific role based access controls or security policies
1385
+
2. You have complete freedom to organise your folder structure as needed
1386
+
3. The permissions will be automatically applied based on the role assignments
1387
+
4. If you request a role that restricts access to a certain folder, only users who are members of the mapped security group will have access to it
1388
+
1389
+
##### Step 3: Request Role-Group Mapping
1390
+
1391
+
1. Contact Penwern support with:
1392
+
1393
+
- The name of the security group you created
1394
+
- The specific access requirements (which workspaces, folders or files that should be accessible)
1395
+
- Any special conditions (e.g., "only accessible during business hours")
1396
+
1397
+
2. Penwern will:
1398
+
- Create a corresponding role in Curate
1399
+
- Map the security group to this Curate role
1400
+
- Apply appropriate ACLs and security policies to the requested resources
1401
+
1402
+
### Managing Changes
1403
+
1404
+
#### Adding Users to the Executive Team
1405
+
1406
+
1. Simply add the user to the appropriate security group in your SSO provider
1407
+
2. The SSO integration will automatically grant the user the corresponding role and access permissions in Curate
1408
+
1409
+
#### Removing Users
1410
+
1411
+
1. Remove the user from the security group in your SSO provider
1412
+
2. The user will no longer have access to the restricted content in Curate
1413
+
1414
+
#### Modifying Access Permissions
1415
+
1416
+
If you need to change what the role can access:
1417
+
1418
+
1. Contact Penwern support with your requested changes
1419
+
2. Specify which resources need modified permissions
1420
+
3. Penwern will update the role permissions accordingly
1421
+
4. Your team can then create, modify, or reorganise folders as needed
1422
+
1423
+
### Access Control Features
1424
+
1425
+
Curate offers several powerful access control features that can be implemented:
1426
+
1427
+
#### Basic Permissions
1428
+
1429
+
-**Read**: Allows viewing files and folders
1430
+
-**Write**: Allows modifying, uploading, and deleting files
1431
+
-**Deny**: Explicitly prevents access regardless of other permissions
1432
+
1433
+
#### Advanced Security Policies
1434
+
1435
+
Security policies can add dynamic conditions to access rights:
1436
+
1437
+
**Time-Based Access**
1438
+
1439
+
- Example: Allow access only during business hours
1440
+
1441
+
**Location-Based Access**
1442
+
1443
+
- Example: Restrict access to specific IP ranges
1444
+
1445
+
**File-Type Restrictions**
1446
+
1447
+
- Example: Prevent specific file types from being downloaded
1448
+
1449
+
**Granular Action Control**
1450
+
1451
+
- Deny Delete: Users can modify but not delete files
1452
+
- Deny Download: Users can see files exist but cannot view contents
1453
+
- Deny Upload: Users can read but not modify content
1454
+
1455
+
### Practical Examples
1456
+
1457
+
#### Example 1: Executive Board Papers
1458
+
1459
+
- Create an "Executive Board" security group containing all executive members
1460
+
- Create and organise any folder structure needed for executive resources
1461
+
- Request a corresponding role in Curate with access to the appropriate resources
1462
+
- Only members of the Executive Board group will see these folders
1463
+
1464
+
#### Example 2: Department-Sensitive Documents
1465
+
1466
+
- Create department-specific security groups (e.g., "Finance Leadership")
1467
+
- Your departments can create their own folder structures within their accessible workspaces
1468
+
- Request a map to corresponding roles in Curate with your security requirements
1469
+
- Each department will only see the folders in the workspaces their role has access to
1470
+
1471
+
### Best Practices
1472
+
1473
+
**Group Management**
1474
+
1475
+
- Keep Entra groups updated with current team members
1476
+
1477
+
**Folder Organization**
1478
+
1479
+
- Use consistent naming conventions for roles and folders
1480
+
- Maintain a clear folder hierarchy that reflects your organisational structure
1481
+
1482
+
**Regular Reviews**
1483
+
1484
+
- Periodically review membership of sensitive groups
1485
+
- Conduct access audits to ensure permissions remain appropriate
1486
+
1487
+
### Summary
1488
+
1489
+
- Create security groups in your SSO provider to organise users with similar access needs
1490
+
- Penwern will create corresponding roles in Curate and map them to your groups
1491
+
- Users will automatically receive appropriate access based on their group membership
1492
+
- Special conditions can be applied to further restrict access when needed
1493
+
1494
+
### Support
1495
+
1496
+
For any assistance with role creation, mapping, or other access control concerns, please contact Penwern support.
1497
+
1498
+
### Frequently Asked Questions
1499
+
1500
+
#### Q: How quickly are permission changes reflected in the system?
1501
+
1502
+
**A:** When you add or remove a user from a security group in your SSO provider, the changes typically take effect during their next login to Curate. For urgent changes, contact Penwern support.
1503
+
1504
+
#### Q: What happens if a user belongs to multiple groups with conflicting permissions?
1505
+
1506
+
**A:** If the user belongs to one group that grants access and another that denies it, the deny permission always takes precedence.
1507
+
1508
+
#### Q: How can we audit who has accessed sensitive files?
1509
+
1510
+
**A:** Curate maintains detailed audit logs of all file access. Contact Penwern support to request access reports for specific files or folders.
1511
+
1512
+
#### Q: Can we create custom roles for our specific needs?
1513
+
1514
+
**A:** Yes, Penwern can create custom roles with precise permission sets tailored to your organizational requirements.
0 commit comments