Blog

Security and User Access Control in Ephesoft 3.1

by | Jun 30, 2014 | Document Capture/Imaging, Ephesoft | 1 comment

 

Overview of Ephesoft Security

With an introduction of Single Sign-On (SSO) and other great new features, such as new Extraction (Fuzzy Key Field, Zone Extraction, Regular Expression Builder) and Classification (Test Classification Tool, Advanced DA Switch, Regex Classification Switch) Features, Application Level Scripting, Email Batch Processing, and RecoStar TIFF Conversion, for the new Ephesoft version 3.1, Ephesoft is now more enterprise-ready than ever before. While working with the Ephesoft SSO and user access control implementations for my client, I had a chance to explore Ephesoft’s adherence to CIA principles – Confidentiality, Integrity, and Availability of information.

Also known as the CIA triad, CIA is a fundamental concept in information security and often used as a guideline for information security policies within an organization. Confidentiality refers to limiting information access and disclosure to authorized users and preventing access by unauthorized users, therefore protecting information from any unauthorized access. Integrity refers to the accuracy and trustworthiness of information and protecting information from unauthorized modification. Finally, Availability refers to a guarantee of access to the information by authorized users.

In this blog, I wanted to concentrate on the “Confidentiality” of Ephesoft. The following are Ephesoft features that ensure confidentiality of the Ephesoft document capture system:

  • SSO through HTTP(S) header request – User-based authentication, which ensures data confidentiality, is controlled at the organization level.
  • Integration with secure MS Active Directory or LDAP – In addition to the user authentication, user authorization can be provided based on roles configured with secure MS Active Directory or LDAP server.
  • Role-based user access control – User access control ensures that only users with valid roles can access different areas of the application and the information of Batch Classes and batch instances that are only intended for right people. Following are examples of role based  user access control:
  1. Security Constraint
  2. Batch Class Access
  3. Batch Instance Access

Ephesoft 3.1 Product Documentation available on the Ephesoft website provides detailed information on the SSO and User Management using MS-AD, LDAP, and Tomcat. Please refer to This Link for more information.

Examples of User Access Control

In addition to the Product Documentation, we can further explore the examples of the role-based user access control here.

Security Constraint

Role-based application access control let you limit access to the Ephesoft User Interfaces and following table shows UI represented as web resource and suggested role type for each resource.

Ephesoft_User_Role_Types

 

If needed, the role types can be more specialized, such as Scan Operator, Review/Validate Operator, etc. The following table shows an example of specialized role and web resources accessed by each role type.

Ephesoft_Specialized_Role_Types

 

Below is an example of the “batch list” security constraint configured in <Ephesoft Installation Path>\Application\WEB-INF\web.xml.

	<security-constraint>
		<web-resource-collection>
			<web-resource-name>batch list</web-resource-name>
			<url-pattern>/ReviewValidate.html</url-pattern>
			<http-method>GET</http-method>
			<http-method>POST</http-method>
		</web-resource-collection>
		<auth-constraint>
			<role-name>ReviewValidate Operator</role-name>
<role-name>Scan Operator</role-name>
		</auth-constraint>
	</security-constraint>

*Please note that for Ephesoft 3.1, if SSO is configured to be in use, the security constraints need to be commented out in web.xml because the security constraint in conjunction with SSO is not fully developed yet. Ephesoft expects to provide the security constraints fully compatible with SSO in the next major patch release.

 

Batch Class Access

Ephesoft made it very simple to apply role based access to Batch Classes and batch instances. You can simply navigate to the Batch Class Configuration section and pick the role you want as shown below.

Ephesoft_Role_Window

 

Each Batch Class can be configured with available user role(s), so only the users that belong to such role(s) can access the Batch Class and batches created based on the Batch Class. This Batch Class user access control can be very useful in providing variable scan processing depending on unique group or departmental usages within a large organization. Ephesoft can be shared by multiple departments within an organization, but each department sees the Batch Class and batch instances that are only relevant to the department.

Batch Instance Access

It is a common practice for multiple groups or departments within an organization to share single Ephesoft system and if processes are different, each department can have a separate Batch Class to handle different scanning needs as explain in the Batch Class Access section. However, maintaining multiple Batch Classes for the same process can be difficult to maintain. If single Batch Class needs to be shared by multiple departments, utilizing the batch instance group feature can provide a customized view of the batch list with dynamic assignment of a user role to each batch instance.

The Batch Instance Group feature, using one the Ephesoft application database tables, batch_instance_group, allows you to assign group name to each batch instance through simple custom scripting. The method below is an example, which was developed based on an example script, ScriptDocumentAssembler_BatchInstanceGrouFeature.java, which is available to download from the Ephesoft Script Guide

//get the batch ID from batch.xml	
	Element root = documentFile.getRootElement();
	Element batchInstanceID = (Element)root.getChild(BATCH_INSTANCE_ID);
	if (batchInstanceID == null) {
		return;
	}
	batchID = batchInstanceID.getValue();
		
	if (batchID != null && batchGroup != null) {
		//Retrieve DB info from dcma-db.properties file
		Properties prop = new Properties();
		String pathHome = System.getenv("DCMA_HOME");
		String pathProp = "WEB-INF/classes/META-INF/dcma-data-access/dcma-db.properties";
		File propFile = new File (pathHome, pathProp);
		InputStream input = null;
		try {
			input = new FileInputStream(propFile);
		} catch (FileNotFoundException e) {
			e.printStackTrace();
		}
		try {
			prop.load(input);
		} catch (IOException e) {
			e.printStackTrace();
	} finally {
	if (input != null) {
	try { input.close(); } catch (IOException e) { }
	}
		}
		
		//get URL, username and password to make DB connection
		String username = (String) prop.get("dataSource.username");
		String password = (String) prop.get("dataSource.password");
		String driverClassName = (String) prop.get("dataSource.driverClassName");
		String databaseName = (String) prop.get("dataSource.databaseName");
		String serverName = (String) prop.get("dataSource.serverName");
		String url = (String) prop.get("dataSource.url");
	
		url = url.replace("${dataSource.serverName}", serverName);
		url = url.replace("${dataSource.databaseName}", databaseName);
			
		//Execute SQL update to assign group name to the batch_instance_groups table
		Connection conn = null;
		Statement stmt = null;
		try {
			Class.forName(driverClassName).newInstance();		
			conn = DriverManager.getConnection(url, username, password);
		
			String sqlInsert = "insert into batch_instance_groups(creation_date, last_modified, batch_instance_id, group_name) VALUES (Now(), Now(), '" + batchID + "', '" + batchGroup + "')";			
			stmt = conn.createStatement();
			stmt.executeUpdate(sqlInsert);
				
		} catch (Exception e) {
			e.printStackTrace();
	} finally {
	if (stmt != null) {
	try { stmt.close(); } catch (SQLException e) { }
	}
	if (conn != null) {
	try { conn.close(); } catch (SQLException e) { }
	}
		}
	} else {
		System.err.println("Cannot assign Batch Instance Group - missing Batch ID and/or User Group.");
	}
}

 

Depending on the batch group assignment logic of your choice, such as scan operator, info on batch cover sheet, document type, metadata extracted from documents, etc., you can dynamically assign different role groups to each batch and provide a specialized access to the batch instances.

As you can see from the examples of the user access control mentioned in this blog, Ephesoft is capable of providing multi-layers of user access control that are easy to apply and configure. Ephesoft not only makes it easy to process your documents, but also put you in full control of user access on your valuable information.

Categories

1 Comment

  1. alex hales

    love your blog I am a writer

    Reply

Submit a Comment

Your email address will not be published. Required fields are marked *