This article provides an overview of the RecordPoint permissions model and covers:
- Using the out of the box Standard RecordPoint Security Groups
- Setting up custom groups to manage physical records
- Setting permissions to functions in RecordPoint such as the ability to create records, run disposals, generate reports etc. using both Standard RecordPoint Security Groups and Custom Groups
- Providing access to electronic records in RecordPoint (both metadata and archived content)
This guide is relevant for both RecordPoint on premises software and the Records365 service.
Roles and Groups
Standard RecordPoint Groups
For the RecordPoint site, four user groups are created as part of deployment. These groups are ranked in order, with the lowest level of access granted to Record Visitor. A full description and the default permissions for each group can be viewed through the UI under each user group.
- Record Administrator: Access to all functions in RecordPoint and full control of stored record data in the storage layer.
Record Administrator is a high-level role in the Records Management Unit that manages the day-to-day running of RecordPoint to maintain its integrity, reliability and usability. The Record Administrator has access to all functions in RecordPoint and supports troubleshooting of the system and its processes within the guidance of internal policy and procedures. The Record Administrator performs technical and functional activities and would be the interface between the technical IT Unit and the Record Management Unit. Major tasks in this role would be to resolve high-level enquiries, produce reports, monitor and control permissions, and perform diagnostics on the system to maintain its integrity and reliability.
- Record Manager: Access to all functions in RecordPoint relating to the management of record keeping processes excluding permissions to modify Classifications or apply Disposal Actions to records.
The Record Manager is the principal owner of the processes, policies and strategies of the Record Management Unit. The role focuses on how RecordPoint meets compliance and business objectives in the management of records for the organisation. In RecordPoint, the role should have wide permissions for management tasks, excluding deleting records, updating permissions, and updating or deleting classifications.
- Record Coordinator: Limited access to functions in RecordPoint relating to the updating of non-electronic records to the system, preparation of records for retention purposes and general viewing.
The Record Coordinator role typically involves the processing and retrieval of records both electronic and non-electronic. This role supports the Record Manager in the preparation of records for retention purposes and updating processing of content requests.
- Record Visitor: Limited access to view record metadata, audit data, record binary, version history and contents of a record aggregation.
Record Visitors are typically auditors or examiners of records who evaluate how and what is processed in a record keeping function. Generally, these users only require access to examine the system and records without being able to manipulate data.
RecordPoint also supports the use of custom groups to meet particular needs such as to define access to physical content types to manage security around physical records.
Limitations of Custom Groups
Please be aware of the following limitations when using Custom Groups.
- Custom Groups cannot be used to provide access to electronic records. Standard Groups should be used for this purpose.
- A SharePoint limitation means that custom groups cannot be added to other SharePoint groups.
Use of Active Directory Groups rather than individual users
In all cases we recommend the use of Active Directory Groups rather than placing individual users in either the standard or custom groups within RecordPoint.
Use of AD Groups minimizes the need to Update Permissions, as new permissions do not need to be synchronized with the storage layer permissions within RecordPoint.
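The following added example (not part of the original article or of RecordPoint) shows one way to check this recommendation on an on-premises SharePoint farm by listing which members of the RecordPoint groups are individual accounts rather than directory groups. The site URL and the SharePoint group names are assumptions and must be replaced with the values from your deployment.

```powershell
# Added example: audit RecordPoint SharePoint groups for individually added users.
# Assumptions: on-premises SharePoint, run on a farm server by an account with
# access to the site; $SiteUrl and $GroupNames are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SiteUrl    = 'https://recordpoint.example.test'              # placeholder URL
$GroupNames = @('Record Administrator', 'Record Manager',
                'Record Coordinator', 'Record Visitor')       # assumed group names; add custom groups here

function Get-RecordGroupMembers {
    param(
        [Parameter(Mandatory = $true)] [string]   $Url,
        [Parameter(Mandatory = $true)] [string[]] $Groups
    )
    $web = Get-SPWeb -Identity $Url -ErrorAction Stop
    try {
        foreach ($name in $Groups) {
            $group = $web.SiteGroups | Where-Object { $_.Name -eq $name }
            if (-not $group) {
                Write-Warning "Group '$name' not found in $Url"
                continue
            }
            foreach ($member in $group.Users) {
                # IsDomainGroup is true when the member is a directory security
                # group rather than a single account.
                $type = if ($member.IsDomainGroup) { 'DirectoryGroup' } else { 'IndividualUser' }
                New-Object PSObject -Property @{
                    Group      = $group.Name
                    Member     = $member.Name
                    LoginName  = $member.LoginName
                    MemberType = $type
                }
            }
        }
    }
    finally {
        $web.Dispose()   # release the SPWeb object
    }
}

$members = @(Get-RecordGroupMembers -Url $SiteUrl -Groups $GroupNames)
$members | Sort-Object Group, MemberType |
    Format-Table Group, MemberType, Member, LoginName -AutoSize

$direct = @($members | Where-Object { $_.MemberType -eq 'IndividualUser' })
if ($direct.Count -gt 0) {
    Write-Warning "$($direct.Count) individual account(s) found; consider moving them into AD groups."
}
```

The script only reads group membership; it does not change permissions or trigger Update Permissions.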
Adding Users and Groups to Standard RecordPoint Groups
In most cases using the Standard RecordPoint Security Group will be sufficient where:
- Only electronic records are being managed; or
- Where there are no security requirements around physical records
RecordPoint supports the adding of users and groups to the above RecordPoint user groups. This includes the following types of users and groups:
- Active Directory (AD) groups
- ADFS Claims groups
- SharePoint users (not recommended; see Synchronising User and Group Permissions)
Security is enabled by default in the RecordPoint Site.
- Navigate to Management and select Settings
- Under Users and Permissions, click Security Settings
- Select the records role to configure security settings for
By default, the Record Administrator group has access to all settings and full control of stored record data.
- Update the required settings for this user group, then select the check box under description 'To allow the group access to all records in RecordPoint'. This provides access to the records store so the user can perform actions as per allocated permissions
- Click Submit to save
- On the Security configuration page, click Update Permissions to synchronise RecordPoint Users to all content sites
Providing access to electronic records
To provide access to electronic records:
- Add the relevant users or AD Group(s) to the RecordPoint Standard Group.
- Ensure that Record Access is ticked as this will push down permissions to view records onto the records held in the storage layer.
- Click Update Permissions which is at the bottom of the Security settings page.
Setting up a custom group
Custom groups are used where there is a requirement to manage physical records and to apply selective access to these records. They can also be used to provide, for example, IT Sysadmin staff with access to RecordPoint functions without any access to the records themselves.
To set up a Custom Group:
- Create a SharePoint group in the RecordPoint site collection using Site Settings → People and Groups
- Add relevant users or, preferably, Active Directory Groups
- Go to ‘Security Settings’ and click on the newly created Custom Group
- Select the relevant permissions from the list e.g.
- The above configuration would give access to common IT related system admin tasks with no access to records tasks nor to view records in the system.
- To grant access to physical content types associate the group with the relevant content type(s)