
Access Controls in an ERM System

By Carl Weise posted 09-02-2011 15:46

  

Access Controls are the rules and mechanisms by which an ERM system restricts users' access to records.  The terms ‘Access Control Policy’ and ‘Access Policy’ are often used to refer to access control rules.

Underpinning the concept of restricting access to records by users are the following:

Identification - how we establish the identity of a user.  This is usually a username which will uniquely identify the user to the system.

Authentication - how we establish that the user is who they claim to be, for example by using a secret password known only to the user.

Authorization - the access rights granted to a user.  In the context of an ERM system, a user's authorization will determine what functions are assigned to them and which records they can access once their identity has been authenticated successfully.  This may include what metadata they can see.  Access rights can be assigned to an individual user, to a group of users or by role-based access control.

Techniques or mechanisms involved in the enforcement of Access Control include:

Using encryption, rendering a document unreadable - and therefore unavailable - to all users unless they are in possession of a decryption key.

Using digital signatures to establish a protocol to authenticate the identity of the sender of a message or the signer of a document.  A digital signature can also ensure that the original content of the message or document that has been sent or stored is unchanged.

An audit trail can provide evidence of authenticated users exercising their rights over records.  This information is used to understand the current state of a record and recreate its life history.
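The identification, authentication and authorization steps and the audit trail described above can be seen working together in the following added example, which is not code from the original post or from any ERM product.  The names `User`, `Record`, `read_record` and `AUDIT_TRAIL`, the `user:`/`group:`/`role:` grant format and all sample data are assumptions constructed for illustration.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class User:
    username: str                       # identification: unique name
    salt: bytes
    pw_hash: bytes                      # authentication: stored verifier, never the password
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)

@dataclass
class Record:
    record_id: str
    metadata: dict
    grants: dict                        # principal -> metadata fields that principal may see

AUDIT_TRAIL = []                        # entries are only appended: (user, record, action, outcome)

def make_user(name, password, groups=(), roles=()):
    salt = os.urandom(16)
    return User(name, salt, hash_password(password, salt), set(groups), set(roles))

def authenticate(users, username, password):
    user = users.get(username)
    salt = user.salt if user else b"\x00" * 16   # hash anyway so unknown names cost the same
    candidate = hash_password(password, salt)
    return user if user and hmac.compare_digest(user.pw_hash, candidate) else None

def read_record(users, username, password, record):
    user = authenticate(users, username, password)
    if user is None:
        AUDIT_TRAIL.append((username, record.record_id, "read", "denied: authentication failed"))
        return None
    # Authorization: rights may come from the individual, a group or a role.
    principals = ({f"user:{user.username}"} | {f"group:{g}" for g in user.groups}
                  | {f"role:{r}" for r in user.roles})
    visible = set().union(*(record.grants.get(p, set()) for p in principals))
    outcome = "allowed" if visible else "denied: not authorized"
    AUDIT_TRAIL.append((username, record.record_id, "read", outcome))
    return {k: v for k, v in record.metadata.items() if k in visible} if visible else None

# Constructed sample data (hypothetical users and record, not from the original post)
USERS = {u.username: u for u in (
    make_user("alice", "correct horse", roles={"records_manager"}),
    make_user("bob", "battery staple", groups={"hr"}),
    make_user("carol", "tr0ub4dor"))}
CONTRACT = Record("REC-001",
    {"title": "Employment contract", "retention": "7 years", "salary": "confidential"},
    {"role:records_manager": {"title", "retention", "salary"}, "group:hr": {"title", "retention"}})
```

Failed and denied attempts are logged as well as successful ones, so the trail shows who tried to exercise rights over a record and not only who succeeded.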

How are you using access controls to manage your records?

Which controls have you found successful in your organization?

 



#ERM #ElectronicRecordsManagement #ECM