One or Multiple Vaults?

Dear Forum, 

During a conversation with another M-Files user, one feedback I took note of was the comment that companies should never operate just one vault.

Their feeling was also that HR (due to its sensitive data) should also be excluded from the main vault.

My understanding is that the comprehensive security including NACL's means that any sensitive data can be managed effectively if placed in one vault.

My question for others is:

  1. In which scenarios would you operate a second vault / or in what scenarios would multiple vaults be beneficial? (aside from a publishing vault) 
  2. Are there any major risks of operating one main productive vault that we should be aware of?
  3. Is there such a thing as "best practice" when it comes to vault operations and management. 

Thanks in advance for your feedback

  • Great question! This is not a trivial one to answer and depends on many factors.

    Usually a common vault is preferred when: the use case, functionalities, data, integrations etc. are shared by multiple groups of users who co-operate in these use cases but also have separate use cases which utilize the same data.

    Usually a separate vault is preferred when: the use case, functionalities, data, integrations etc. are dedicated to a specific group of users and other users do not share these use cases or use their functionalities or data.

    Usually if content is shared between multiple groups of users it should reside in the same vault for better usability and easier use. If content is only used by a certain group of users (e.g. HR or financial documents) they could reside in their own vault.

    Special cases of separate vaults include: publishing vault for external users (clearly separate internal and external content) and archiving vault (content not in active use). Also one vault can act as a metadata master vault meaning that the metadata structure is replicated from there to all the other vaults. Sometimes vaults with the same structure and content (synchronized using M-Files replication) are located in different areas (e.g. Europe and North America) for improved performance for users in those regions.

    Benefits of a common vault:

    • Simple for end-users to know which vault to use to store and access the content
    • Simple to develop and maintain in the sense that all the changes are done to a single vault

    Potential challenges with a common vault:

    • Might grow to be large content-wise
    • Might be difficult to maintain and develop due to complicated metadata structure, permissions, functionalities etc. needed to support all the use cases
    • Might be difficult to find content
    • Might be difficult to use due to complicated metadata structure etc.
    • Does not scale that well, e.g. vault database is always hosted by a single database server

    Benefits of separate vaults:

    • Can contain only the structure, functionalities, content, users etc. needed for that specific use case
      • Easier to use and maintain
    • Scales better as the vault and the database can be hosted on separate servers
      • Vault can also be located on a server closer to the end-users for improved performance
    • Easier to make sure that potential problems with permission configuration do not expose confidential material to wrong users by accident by restricting vault access

    Potential challenges with separate vaults:

    • Users have to know which vault to use for which use case and where to store and find the necessary content
    • If common metadata structure, integrations, functionalities etc. are needed they have to be implemented and maintained separately for each vault
    • If common master data is needed it has to be integrated or replicated to all the vaults separately
    • If parts of the content is needed by multiple groups of users this might cause a need for a two-way replication between the different vaults

    Hope this helps your thinking!