Web Security: Administering

Administering Web Security


Web Client is a production platform linked to the data and functionality provided through Imaging and
Process. Administrative tasks, including security, are managed in the Windows client.
The use of Web Client is dependent only on access to the system's published IP address and a valid login
configured through the MS Windows security protocol. This protocol centers on Group assignments and the
accesses allowed as a member of a group. Web Client compiles these accesses and activities and organizes
the use of one or more custom tools to model the functionality of the Galleries supporting similar activity in the
Windows client application.
To ensure the intended scope of production may be supported by Web Client, the following steps are
recommended:
• Confer with supervisor to ensure security Group assignments are current and appropriate
• Evaluate any restraints on access to Saved Searches
• Review enabled Schema allowances
• Ensure that any Process activity is associated with an active database.

Web Client operates independently of the Windows client tools or Galleries.


Accessing this command link at the top of the initial page's primary navigation panel opens the first of many
work pages. This page is divided into three lists of available activities: Find, Process and Store. These lists are
custom to the user: the work allowed under Find, Process and Store corresponds to a similar scope of work
allowed in the Windows client. Any other user associated with different groups and having different accesses
and permissions has different Find, Process and Store lists displayed through Web Client.
There are three areas in the Security tool within the Windows client that interact with the Web Client:
• Saved Searches
• Schemas
• Process.

Saved Searches - This is enabled through Web Client when access is allowed to one or more Saved
Searches. Saved Searches are created only in the Windows client with the Search Builder tool. The activity
associated with a Saved Search includes the five permissions, below. Modify, Delete and Fax Search are
administrative and have no bearing on Web Client functionality.
Saved Search Functionality
Saved Searches | No Access | Execute | Modify | Delete | Fax Search
Search1

Search2

X
X

Administrative tasks are not functional in Web Client.
Security Assumptions - In the above example, a user would have access to execute Search 1 but not be able
to execute Search 2. When No Access is assigned to a Saved Search, all other permissions applied to that
search are overridden.
Schemas - Grants access to database tables.

mk:@MSITStore:c:\Program%20Files\Stellent\IBPM\ibpm.chm::/CLIENT/Csecadma.htm

6/20/2007


Schema selections have a variety of permissions granted to a user regarding access to the data. Like the
permissions enabled with Saved Searches, not all of the Schema permissions apply to Web Client. The table
below shows each Schema permission and identifies which domains it influences: the Windows client (WC)
and/or Web Client (WEB).

Table Permissions
WC = Windows Client
WEB = Web Client

Schema Permissions
can be enabled

Schema Permission | WC | WEB
No Access
Delete*
    *Deletions can only be by the page through Web
Print/Fax**
    **Print/Fax can only be to PC based Fax software
Lock
Doc Annotation
Local Access***
    ***Local Access is managed through viewer
Lock Override
Create
Annotate
Annotation Admin.
Stamp Admin.
Black Redaction
White Redaction
Launch

Span Docs
Modify
View
Ad-Hoc Search
Saved Search Creation
Associate
Declare
Disable Sticky
Disable Text
Read Only Sticky
Read Only Text
Annotation Security

The Replicate Security feature, which is not actually a part of the schema permissions table, is not available via
the Web.
Process - This is the third and last non-administrative arena for permissions. In Web Client, these accesses
and permissions are considered a part of Process.
The user must have access to one or more databases to enable any Process related functionality. These
accesses and permissions may not be administered from Web Client, are exclusive to the Windows client and
generally require administrator access. The IBPM administrator should review access and permissions
carefully because of their secondary impact on Web Client functionality. The best view of these procedures and
resources can be seen under the Process tab on the Security tool.
If Web Client Process functionality is enabled the user must:
• Have access to an appropriate database
• Have access to database profiles, queues and processes.


The Windows client includes an additional series of options that administer tool preferences. These
preferences can affect the functionality of Web Client or custom applications created using the SDK. You can
configure the amount of time that User Connection Manager (UCON) will wait before returning a license to the
free state. To change the 30-minute default for the Web Client, it is necessary to change the Windows Client
setting to the new desired timeout.
There are three types of Web Service Client use cases that need to be considered when talking about Web
session timeouts. They are:
• Web Client only
• Web Service only
• Web Client and Web Service combinations

When using the Web Client only, the session timeout setting on the Microsoft Internet Information Server (IIS)
should be set to the same timeout (or close to the same timeout) as the UCON timeout setting.
The Web Client uses session state. Part of the data required for the Web Client to properly function is kept in
the IIS Session State. This means that when the IIS Session expires the Web Client will require a new login.
Because of this dependence on the IIS Session the shorter of the two timeouts (IIS Session timeout and UCON
timeout) will be the timeout used by the Web Client.
Closing the Web Client without logging out orphans a license for the remainder of the timeout period. Users
should be encouraged to exit the application by logging out, which frees the license.
When using the Web Service only, the IIS Session timeout does not apply. The Web Services do not use IIS
Session State. This means that the UCON timeout setting applies to the Web Service calls regardless of the
IIS Session timeout if only Web Services are used.
When using a combination of the Web Client and Web Services in an integrated solution, keep in mind that as
soon as the Web Client is used, the IBPM License is tied to the IIS Session. Use of the Web Client includes
the use of the URL Toolkit. In this use case the IIS Web Client session end will cause a logout of the license.
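
The timeout rules above can be modelled to see how many licenses a given pair of settings keeps tied up when users close the browser instead of logging out. This is an added example, not code from the product: the function names and the session records are constructed, the timeout is assumed to run from the last activity, and the combined use case is assumed to follow the same shorter-of-the-two rule as the Web Client.

```python
from datetime import datetime, timedelta

WEB_CLIENT, WEB_SERVICE, COMBINED = "web_client", "web_service", "combined"

def effective_timeout(use_case, ucon_min, iis_min):
    """Idle minutes before the license returns to the free state."""
    if use_case == WEB_SERVICE:
        return ucon_min                  # Web Services keep no IIS session state
    return min(ucon_min, iis_min)        # Web Client in play: the shorter timeout wins

def license_release(session, ucon_min, iis_min):
    """Return (time the license is freed, minutes it sat orphaned)."""
    if session["logout"] is not None:    # explicit logout frees the license at once
        return session["logout"], 0
    idle = effective_timeout(session["use_case"], ucon_min, iis_min)
    return session["last_activity"] + timedelta(minutes=idle), idle

def peak_licenses(sessions, ucon_min, iis_min):
    """Highest number of licenses held at the same moment."""
    events = []
    for s in sessions:
        release, _ = license_release(s, ucon_min, iis_min)
        events += [(s["login"], 1), (release, -1)]
    held = peak = 0
    for _, delta in sorted(events):      # on a tie the release (-1) sorts first
        held += delta
        peak = max(peak, held)
    return peak

T0 = datetime(2024, 1, 1, 9, 0)          # constructed sample data, not real logs

def _s(use_case, login, last, logged_out):
    at = lambda m: T0 + timedelta(minutes=m)
    return {"use_case": use_case, "login": at(login), "last_activity": at(last),
            "logout": at(last) if logged_out else None}

SESSIONS = [
    _s(WEB_CLIENT, 0, 10, True),         # logs out properly
    _s(WEB_CLIENT, 5, 15, False),        # closes the browser: license orphaned
    _s(WEB_SERVICE, 20, 25, False),      # service caller never logs out
    _s(WEB_CLIENT, 40, 50, True),
]

if __name__ == "__main__":
    for iis in (20, 30):
        print(f"UCON=30 IIS={iis}: peak licenses = {peak_licenses(SESSIONS, 30, iis)}")
```

With the sample sessions, raising the IIS session timeout from 20 to 30 minutes keeps the orphaned Web Client license held long enough to overlap two later logins, which raises the peak license count.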
