Security Considerations - DocPop - OnBase Foundation 22.1

Platform: OnBase
Product: DocPop
Release: Foundation 22.1
License: Standard, Essential, Premier

In the default usage, DocPop requires a hard-coded OnBase user name and password to log on to OnBase. (As described earlier, there are other mechanisms for validating users.) Each DocPop User operates under the context of the hard-coded OnBase User and is granted access to all document types, custom queries, product rights, and privileges of that OnBase User. Any operations that OnBase normally logs are recorded in the Transaction Log under the OnBase User's user name.

The Web Server uses a mechanism to avoid random access to documents through this OnBase User. Only documents that were retrieved by DocPop can be viewed within the context of that DocPop session. When a user clicks a URL and brings up a list of documents, that user has access only to the documents that appeared in the hit list. When viewing a document, any attempt to change the document ID results in a security exception. This mechanism helps to prevent a user from obtaining access to documents the user should not have access to.

Even with the security mechanism in place to prevent random access, a user who knows the correct format may modify the DocPop URL. By modifying the URL, the user could access any document types, keyword types, custom queries, etc. that the OnBase User has rights to. You can configure DocPop to add a checksum to the URL to validate that the URL has not been modified by the user. For more information about using DocPop with checksums, see enableChecksum under DocPop Vars.
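
The idea behind a URL checksum, shown as an added example (not OnBase code, and not the algorithm DocPop uses): the application that generates the link appends a keyed MAC over the path and query string, and the server rejects any URL whose MAC does not verify. The URL, the parameter names (doctype, account, sig) and the key below are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed values for illustration; not OnBase parameter names or keys.
SECRET_KEY = b"example-shared-key-change-me"
SIG_PARAM = "sig"


def _mac(path, params):
    # Bind the path and the exact parameter order and values, so a signature
    # cannot be reused on another page or with edited or reordered values.
    canonical = path + "?" + urlencode(params)
    return hmac.new(SECRET_KEY, canonical.encode(), hashlib.sha256).hexdigest()


def sign_url(url):
    """Run by the application that generates the link."""
    parts = urlsplit(url)
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k != SIG_PARAM]
    params.append((SIG_PARAM, _mac(parts.path, params)))
    return urlunsplit(parts._replace(query=urlencode(params)))


def verify_url(url):
    """Run by the server before it honours any query parameter."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    sigs = [v for k, v in params if k == SIG_PARAM]
    if len(sigs) != 1:  # missing or duplicated signature: reject
        return False
    unsigned = [(k, v) for k, v in params if k != SIG_PARAM]
    expected = _mac(parts.path, unsigned)
    # Compare as bytes in constant time; str input with non-ASCII would raise.
    return hmac.compare_digest(sigs[0].encode(), expected.encode())


if __name__ == "__main__":
    link = sign_url("https://docs.example.test/viewer?doctype=101&account=12345")
    print(verify_url(link))                                         # untouched
    print(verify_url(link.replace("doctype=101", "doctype=102")))   # edited
```

A check of this kind only detects modification of the link; it does not narrow what the underlying account is allowed to retrieve.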

Since the DocPop User operates under a specified OnBase User, either through a hard-coded user name and password or some other validation method, it is strongly encouraged that the OnBase User that DocPop uses have only a limited set of document types and custom queries. This prevents a user from gaining access to documents that should not be widely available.

It is important to note that the user will have access to the right-click menu options available from the viewer and the Document Search Results list. The user should be limited to a minimal set of Product Rights and Privileges in OnBase Configuration. This limits the risk of unwanted actions such as sending a document to Workflow, re-indexing the document, etc.