The Folder security section
This topic describes what Folder security profiles are and how to manage them in the Folder security section of the System Administration area.
By default, users of a Board Platform can access all the Capsule folders on that Platform. However, there are cases where a company may have different applications made of various Capsules on the same Platform, such as a financial planning application and a sales operations application. In addition, there may be administration Capsules for both applications as well. Therefore, access to these Capsules should be controlled according to the role of each user, especially for administrative roles. In this scenario, you can place the Capsules of the various applications inside different Capsule folders, and then create Folder security profiles to allow users access only to certain Capsule folders. Finally, assign these Folder security profiles to the desired user Roles in the Roles section to grant users associated with those Roles access to different Capsule folders.
Folder security profiles represent the third security layer of Board's Four Security Layers model.
To access the Folder security section, access the System Administration area of the desired Platform and click on the Folder security tile. You will be taken to the Folder security page.
In the Folder security page you can see all existing Folder security profiles and their main information: the table is sortable and searchable using the interactive header fields. You can also show or hide columns to your liking, by clicking the Column chooser button in the upper right corner of the table.
The table contains the following information:
- Name. This column displays the name of each Folder security profile.
- Rules count. This column displays the number of Folder security rules that have been configured for each Folder security profile.
Creating a Folder security profile
To create a Folder security profile, proceed as follows:
- From the Folder security section of the desired Platform, click on “+FOLDER PROFILE” in the upper left corner to bring up the Folder security profile configuration panel
- Enter the name of the Folder security profile in the "Name" field
- Add the Capsule folders that users can access. Click on the name of a Capsule folder in the list displayed under the "RULES" menu to highlight it and press on "ADD FOLDER" to create a security rule for it. A table will then be displayed below with the newly created rule in it. Repeat this step for each desired Capsule folder.
Only Capsule folders displayed in the table can be accessed by users associated with the corresponding Folder security profile.
Hover over a Capsule folder inside the table to highlight it and click on the "X" icon that appears to the right of the highlighted row to remove it from the table.
- Configure the Access level for each Capsule folder. You can configure the access level for each Capsule folder contained in the table to further specify the type of actions a user can perform in the Capsules he or she can access.
The available options are the following:
- Play only. This option allows users associated with this Folder security profile to access a Capsule folder and its content in Play mode only: this means that users cannot edit the Capsules inside of the Capsule folder and cannot switch to Design mode
- Read only. This option allows users associated with this Folder security profile to access a Capsule folder and its content in Read mode only: this means that users cannot edit the Capsules inside the Capsule folder, but they can switch to Design mode. However, they cannot save any changes
- Read/Write. This option grants users complete access to a Capsule folder and its content: this means that they can create and edit Capsules inside that Capsule folder
- (Optional) Enable the "Inheritance" option for the desired folders. If enabled, the access level defined for the Capsule folder will be applied to all its sub-folders. For example, if a Capsule folder named "Parent" contains a Capsule folder named "Child" and you create a Folder security profile that allows access to the "Parent" Capsule folder with the "Inheritance" option disabled, the user will be able to access only the "Parent" folder and not the "Child" folder.
If you create a security rule that allows a user access to a subfolder, but there's no security rule that allows that user access to the parent folder, the user will be able to access the parent folder in "Play only" mode by default.
Managing and assigning Folder security profiles
To edit a Folder security profile, select it and modify the desired options explained in the steps above.
To delete one or more Folder security profiles, select the desired ones and then click on the "DELETE" button above the table.
To associate one or more Folder security profiles with a user Role, proceed as follows:
- Click on the "Enable Folder Profile" toggle to enable the Folder security feature
If this option is disabled, Folder security profiles cannot be associated with users and therefore will not be applied.
- In the System Administration area, go to the Roles section and select the Role you want to assign a Folder security profile to
- Check the corresponding checkboxes to enable the desired Folder security profiles under the "FOLDER PROFILE" menu
In the case of a Role associated with multiple Folder security profiles that have overlapping security rules (i.e. different access levels for the same Capsule folder), the rules with higher privileges will take precedence over the others.
Folder security profiles with overlapping security rules
Board allows you to assign multiple Folder security profiles to a single Role. In this case, a user associated with that Role is able to access every Capsule folder that is referenced in at least one security rule of the Folder security profiles assigned to that Role. Where several of these security rules apply to the same Capsule folder, Board considers the one with the highest access level.
The access level hierarchy, from highest to lowest, is the following:
- Read/Write (highest privileges)
- Read only
- Play only (lowest privileges)
For example, you can create two Capsule folders named "HR Admin" and "HR Local" with additional subfolders in them. Then you can create two Folder security profiles named "Developer" and "Standard Local" and create the following security rules:
- Developer. This Folder security profile can access both the "HR Admin" and "HR Local" Capsule folders with the "Read/Write" access level. In addition, you can enable the "Inheritance" option on both security rules, which gives the user "Read/Write" access to all the subfolders of the two Capsule folders
- Standard Local. This Folder security profile can only access a specific subfolder of the "HR Local" Capsule folder named "HR Italy" with the "Play only" access level.
At this point, you can assign both Folder security profiles to a Role named "Admin", and then assign only the "Standard Local" Folder security profile to a Role named "Standard", as shown in the two images below:
In this case, Board applies the security rules of the Folder security profiles for both Roles in the following way:
- Users associated with the "Standard" Role are able to access only the "HR Local" Capsule folder and its "HR Italy" subfolder, with "Play only" access level
- Users associated with the "Admin" Role are able to access the "HR Admin" and "HR Local" Capsule folders with "Read/Write" access level. They can also access the subfolders of those Capsule folders (including the "HR Italy" subfolder) with the same "Read/Write" access level since the "Inheritance" option is enabled in the security rules of the "Developer" Folder security profile.
Therefore, in the case of the users associated with the "Admin" role, Board applies all security rules in both Folder security profiles, and in the case where security rules overlap, those with the highest access level take precedence over the others.
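The resolution rules described on this page (Inheritance, the "Play only" default on the parent of an allowed subfolder, and highest-level-wins across overlapping profiles) can be modelled to audit what a Role effectively receives before assigning profiles. The following is an added example, not Board's own code: the "/"-separated folder paths, the "HR France" folder and the treatment of every ancestor like the direct parent are assumptions made for the model.

```python
from dataclasses import dataclass

# Access levels ranked as in the page's hierarchy (higher number = more privilege).
LEVELS = {"Play only": 1, "Read only": 2, "Read/Write": 3}

@dataclass(frozen=True)
class Rule:
    folder: str               # "/"-separated path (notation assumed for this model)
    level: str
    inheritance: bool = False

def is_ancestor(parent: str, child: str) -> bool:
    return child.startswith(parent + "/")

def rule_grant(rule: Rule, folder: str):
    """Access level one rule grants on `folder`, or None if it grants nothing."""
    if rule.folder == folder:
        return rule.level
    if rule.inheritance and is_ancestor(rule.folder, folder):
        return rule.level     # Inheritance: the level applies to sub-folders
    if is_ancestor(folder, rule.folder):
        return "Play only"    # parent of an allowed subfolder: Play only by default
    return None

def effective_access(profiles, folder):
    """Highest level granted by any rule of any profile assigned to a Role."""
    grants = [g for p in profiles for r in p if (g := rule_grant(r, folder))]
    return max(grants, key=LEVELS.__getitem__, default=None)

# Profiles and Roles from the page's example.
DEVELOPER = [Rule("HR Admin", "Read/Write", True),
             Rule("HR Local", "Read/Write", True)]
STANDARD_LOCAL = [Rule("HR Local/HR Italy", "Play only")]
ROLES = {"Admin": [DEVELOPER, STANDARD_LOCAL], "Standard": [STANDARD_LOCAL]}

def audit(roles, folders):
    """Map (role, folder) -> effective access level (None means no access)."""
    return {(role, f): effective_access(profiles, f)
            for role, profiles in roles.items() for f in folders}

if __name__ == "__main__":
    # "HR France" is a constructed sibling folder, not part of the page's example.
    folders = ["HR Admin", "HR Local", "HR Local/HR Italy", "HR Local/HR France"]
    for (role, f), level in audit(ROLES, folders).items():
        print(f"{role:9} {f:20} {level or 'no access'}")
```

Running the audit over every Role before enabling a new profile shows where an overlapping rule silently raises a folder to "Read/Write".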