1. User Security Overview
XDOC allows both internally managed users and externally managed users to access the XDOC software and XDOC projects at the same time.
To understand XDOC security, you must understand the difference between internally and externally managed users, the XDOC project model, and XDOC Security Profiles.
1.1. XDOC Projects Overview
XDOC is a multi-project system with user security and access control defined on a project-by-project basis. User access can be limited to only certain projects, with different Security Profiles and permissions for each project.
A project in XDOC is essentially a Workspace to store certain types of documents. Documents stored in a project can be related to business entities in other 3rd party applications, or just indexed and categorized internally within XDOC.
Each project has its own separate Repository Configuration that defines the types of documents being stored, processing rules, security, electronic delivery to 3rd party systems, and many other configuration settings.
Examples of projects include:
- Loan Documents. Stores documents related to loans in a 3rd party LOS. Document types may include 1003 Loan Applications, Credit Reports, Appraisals, etc.
- Human Resources. Stores documents related to employees in an HR system or LDAP directory. Document types may include W2s, Employee Non-Disclosures, etc.
- Maps and Records. Stores maps, permits, architecture documents, internally indexed by addresses and document type.
1.2. User Security Profile Overview
All access control and permissions in XDOC are defined in XDOC Security Profiles. Administrators can create as many different Security Profiles as needed, based on user responsibilities and access. A Security Profile provides very granular control of permissions and document access based on both static permissions and dynamic permissions derived from document properties and from properties of the related business entity (Container).
Users can be assigned a default Security Profile for each project they have access to, as well as a dynamic Security Profile for each business entity / container that is accessed. The default Security Profile for a given project is re-evaluated at each user logon and can be determined by a combination of internal user settings and, if the user is managed externally, settings passed to XDOC from the External System.
1.3. Internally Managed Users
Internally managed users are created, stored, and authenticated within the user-related tables of the XDOC database. Username and password validation is done against the stored user password in the XDOC database.
1.4. Externally Managed Users Overview
Externally managed users are managed by an External System. The External System can be any type of system, application, or database, including:
- LDAP compliant server, e.g. Active Directory, Lotus Domino, Oracle Directory.
- SQL database, flat file database, or any other database with an ODBC, OLEDB, or ADO interface.
- Web Service or HTTP Service enabled application.
- Any other system via the XDOC User Authentication published interface specification.
Externally managed users do not need to pre-exist in the XDOC database. When an externally managed user is authenticated for the first time against the External System, XDOC automatically adds the user record to the XDOC database and marks the user as External, so that XDOC knows to always validate logon attempts for this user via the External System.
Additionally, each subsequent time the user logs on to XDOC, the user record in the XDOC database is updated with the latest user information passed from the External System including:
- Display Name
- First Name
- Last Name
- Email Address
- External System Security Role(s)
- External System user identifier
- Additional External System data
1.5. Logon Processing Overview
An attempt to log on to XDOC can occur by any of the following methods. Note: XDOC supports all of these methods; each can be enabled or disabled as required by the XDOC Administrator.
User Entered Credentials:
- User entered Username and Password. This is normally done via the XDOC logon web page: the user enters their username and password and submits them for authentication.
- Auto-logon using browser cookie based credential passing. The username and validation tokens are retrieved from the encrypted cookie.
- Auto-logon using IIS / Active Directory Windows Integrated Authentication. The Windows logged-on username and credentials are passed to the website through the Internet Explorer and IIS handshake. This works only in Windows environments.
Secure User Token Passed Credentials:
- Auto-logon via secure credential passing from an External Application that opens XDOC user interface web pages. The username and credentials are passed securely from the External Application via encrypted parameters.
1.5.1. User Entered and Auto-Logon Credential Processing
XDOC performs the following steps when validating user entered credentials or auto-logon supplied credentials:
- Queries the XDOC database to determine if the user already exists.
- If the user exists, determines if the user is internally or externally managed.
- If the user is internally managed:
  - Validates the username and password against the internal XDOC database.
  - Returns the user object information from the internal XDOC database, including last name, first name, email, Security Profiles, etc.
- If the user is externally managed, or does not already exist in the XDOC database:
  - Passes the username and password to the External System for validation.
  - If successful, the External System returns the user object attributes.
- If the External System indicates success and passed back a user object:
  - Adds the user record to the XDOC database if it does not already exist.
  - Updates the user record in the XDOC database with the information returned from the External System.
  - Assigns the appropriate Security Profiles to the user based on the Profile / User Role information contained in the user object returned from the External System, as well as information stored in the XDOC database.
1.5.2. Secure User Token Passed Credential Processing
Secure User Token passed credentials are used by 3rd party applications that wish to open XDOC User Interfaces for users already logged on to their application, without requiring the user to log on to XDOC again.
If XDOC is configured to allow User Token passing from this application, then when XDOC receives the User Token it assumes the user is Trusted and does not re-validate the credentials with the External System. The User Token must therefore contain the same information normally returned from the External System during a User Entered logon. Because nothing is re-validated, any party able to produce a valid User Token for an allowed application can establish an XDOC session with whatever identity and roles the token carries; the token's encryption key and the list of applications allowed to pass tokens must be protected accordingly.
For details on the structure and encryption of the User Token, see the XDOC User Interface Service document (XDOC-Service-UserInterface.pdf).
Assuming that the User Token is valid and allowed, XDOC performs the following steps:
- Adds the user record to the XDOC database if it does not already exist.
- Updates the user record in the XDOC database with the information contained in the User Token.
- Assigns the appropriate Security Profiles to the user based on the Profile / User Role information contained in the User Token, as well as information stored in the XDOC database.
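The two logon paths in 1.5.1 and 1.5.2 share the same final steps (add-or-update the user record, then re-assign Security Profiles), so the model below implements both on one provisioning routine. It is an added example written for this page, not XDOC's own code. Everything concrete in it is assumed: the XDOC database is a dict, internal passwords are stored as salted PBKDF2 hashes (the page only says validation is against the stored password), the External System is a constructed directory with one account, the role-to-profile mapping is an administrator's invention, and the User Token is an HMAC-SHA256 signed JSON payload keyed per trusted application, standing in for the encrypted token described in XDOC-Service-UserInterface.pdf. The points it demonstrates are the ones the text states: an internally managed user is never validated against the External System, an unknown user is provisioned only after the External System says yes, profiles are recomputed at every logon, and a token from an application that is not allowed (or one that has been tampered with) creates no session and no record.

```python
"""Model of the two XDOC logon paths in 1.5.1 and 1.5.2 (added example, not XDOC code)."""
import hashlib
import hmac
import json
import os
from dataclasses import dataclass, field

# Constructed stand-in for the XDOC database user tables (a dict keyed by username).
USERS = {}


@dataclass
class UserRecord:
    username: str
    external: bool                      # True = always validate via the External System
    display_name: str = ""
    email: str = ""
    external_roles: list = field(default_factory=list)
    external_id: str = ""
    salt: bytes = b""                   # internal users only
    pw_hash: str = ""                   # internal users only
    stored_profiles: dict = field(default_factory=dict)  # admin-set, project -> Security Profile
    profiles: dict = field(default_factory=dict)         # effective, re-evaluated at each logon


# Assumption: internal passwords are stored as salted PBKDF2 hashes.
def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def add_internal_user(username, password, stored_profiles):
    salt = os.urandom(16)
    USERS[username] = UserRecord(username, False, salt=salt, pw_hash=_hash_pw(password, salt),
                                 stored_profiles=dict(stored_profiles), profiles=dict(stored_profiles))


# Assumption: the administrator maps External System roles to XDOC Security Profiles per project.
ROLE_TO_PROFILE = {
    "Loan Documents": {"LoanOfficer": "Loan Contributor", "Auditor": "Read Only"},
    "Human Resources": {"HRManager": "HR Full Access"},
}

# Constructed External System (an LDAP-style directory) with one account.
EXTERNAL_DIRECTORY = {
    "jdoe": {"password": "Winter2024!", "display_name": "Jane Doe", "email": "jdoe@example.com",
             "roles": ["LoanOfficer"], "id": "cn=jdoe,ou=staff,dc=example,dc=com"},
}


def external_validate(username, password):
    """Return the External System's user object on success, None on failure."""
    entry = EXTERNAL_DIRECTORY.get(username)
    if entry is None or not hmac.compare_digest(entry["password"].encode(), password.encode()):
        return None
    return {k: v for k, v in entry.items() if k != "password"}


def _profiles_from_roles(roles):
    profiles = {}
    for project, mapping in ROLE_TO_PROFILE.items():
        for role in roles:
            if role in mapping:
                profiles[project] = mapping[role]
    return profiles


def provision_external(username, ext):
    """Add-or-update the user record and re-assign Security Profiles (shared by 1.5.1 and 1.5.2)."""
    rec = USERS.get(username)
    if rec is None:
        rec = USERS[username] = UserRecord(username, True)
    rec.display_name, rec.email = ext["display_name"], ext["email"]
    rec.external_roles, rec.external_id = list(ext["roles"]), ext["id"]
    # Role-derived profiles are recomputed from scratch at each logon; stored per-user
    # settings are layered on top (assumption: stored settings win on conflict).
    rec.profiles = {**_profiles_from_roles(rec.external_roles), **rec.stored_profiles}
    return rec


def logon(username, password):
    """1.5.1: user entered or auto-logon credentials. Returns the user record or None."""
    rec = USERS.get(username)
    if rec is not None and not rec.external:
        # Internal user: validated only against the XDOC database, never sent to the External System.
        if hmac.compare_digest(_hash_pw(password, rec.salt), rec.pw_hash):
            return rec
        return None
    ext = external_validate(username, password)     # externally managed or not-yet-known user
    return None if ext is None else provision_external(username, ext)


# 1.5.2: Secure User Token. Assumption: HMAC-SHA256 over a JSON payload, keyed per trusted
# application; the real token layout and encryption are in XDOC-Service-UserInterface.pdf.
TRUSTED_APPS = {"LOS": b"constructed-shared-secret-for-the-LOS"}   # app id -> shared key


def make_user_token(app_id, key, user_obj):
    payload = json.dumps({"app": app_id, "user": user_obj}, sort_keys=True).encode()
    return payload.hex() + "." + hmac.new(key, payload, hashlib.sha256).hexdigest()


def logon_with_token(token):
    """1.5.2: trusted token from an allowed application. Returns the user record or None."""
    try:
        payload_hex, mac = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
        data = json.loads(payload)
        key = TRUSTED_APPS.get(data["app"])             # is token passing enabled for this app?
        if key is None:
            return None
        if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).hexdigest(), mac):
            return None                                 # tampered, or signed with the wrong key
        user = data["user"]
        # Trusted: no re-validation against the External System, straight to provisioning.
        return provision_external(user["username"], user)
    except (ValueError, KeyError, TypeError):
        return None
```

Running `logon("jdoe", "Winter2024!")` creates an External record for jdoe with the "Loan Contributor" profile on Loan Documents; a second logon after the directory drops the LoanOfficer role would recompute that profile away, which is the re-evaluation at each logon that 1.2 describes. The token path never touches `EXTERNAL_DIRECTORY` at all, which is why the allowed-application list and the shared key are the only things standing between a token and a session.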