In the default usage, PDFPop requires a hard-coded OnBase user name and password to log on to OnBase. (As described earlier, there are other mechanisms for validating users.) Each PDFPop User operates under the context of the hard-coded OnBase User and is granted access to all document types, custom queries, product rights, and privileges of the OnBase User. Any operations that are logged normally in OnBase will be recorded in the Transaction Log with the OnBase User's user name.
The Web Server uses a mechanism to avoid random access to documents through this OnBase User. Only documents that were retrieved by PDFPop can be viewed within the context of that PDFPop session. When a user clicks a URL and brings up a list of documents, that user will have access only to the documents that appeared in the hit list. When viewing a document, any attempt to change the document ID will result in a security exception. This mechanism helps to prevent a user from obtaining access to documents the user should not have access to.
Even with the security mechanism in place to prevent random access, a user may modify the PDFPop URL if the user knows the correct format. By modifying the PDFPop URL, the user could access any document types, keyword types, custom queries, etc. that the OnBase User has rights to. You can configure PDFPop to add a checksum to the URL to validate that the URL has not been modified by the user. For more information about using PDFPop with checksums, see enableChecksum under PDFPop Vars.
Since the PDFPop User operates under a specified OnBase User, either through a hard-coded user name and password or some other validation method, it is strongly encouraged that the OnBase User that PDFPop uses have rights to only a limited set of document types and custom queries. This will prevent a user from gaining access to documents that should not be widely available.
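The following added example (not OnBase or PDFPop code) illustrates the two controls described above: restricting a session to the documents in its own hit list, and rejecting a URL whose parameters no longer match its checksum. The parameter names (doctype, keyword, chk), the secret, and the HMAC-SHA256 construction are assumptions for illustration; they do not reproduce the algorithm or names used by enableChecksum.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed secret for the demo; it must exist only on the server side.
SECRET = b"constructed-demo-key"


def _mac(canonical: str) -> str:
    return hmac.new(SECRET, canonical.encode(), hashlib.sha256).hexdigest()


def sign_query(params: dict) -> str:
    """Return the query string with a keyed checksum ('chk', hypothetical name)."""
    canonical = urlencode(sorted(params.items()))
    return f"{canonical}&chk={_mac(canonical)}"


def verify_query(query: str) -> dict:
    """Return the parameters if the checksum matches, else raise PermissionError."""
    pairs = parse_qsl(query, keep_blank_values=True)
    supplied = [v for k, v in pairs if k == "chk"]
    params = [(k, v) for k, v in pairs if k != "chk"]
    # Recompute over every remaining parameter, so added or duplicated keys fail too.
    expected = _mac(urlencode(sorted(params)))
    if len(supplied) != 1 or not hmac.compare_digest(
        supplied[0].encode(), expected.encode()
    ):
        raise PermissionError("URL checksum missing or invalid")
    return dict(params)


class Session:
    """Tracks the document IDs returned to this session's hit lists."""

    def __init__(self):
        self.hit_list = set()

    def record_hits(self, doc_ids):
        self.hit_list.update(doc_ids)

    def open_document(self, doc_id: int) -> int:
        # The shared service account can read more; this session may not.
        if doc_id not in self.hit_list:
            raise PermissionError(f"document {doc_id} is not in this session's hit list")
        return doc_id
```

Neither check replaces limiting the rights of the shared account: a URL that validates still runs with whatever that account is allowed to see.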