Options
  • State Suggested Answer
  • Locked Locked
  • Replies 4 replies
  • Answers 2 answers
  • Subscribers 8 subscribers
  • Views 680 views
  • Users 0 members are here
Related
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Limit administrator's access to certain files

Žan Stožinič

Hello,

so several of the higher ups at our company(mostly HR) are having problems lately with administrators having access to sensitive documents like wage information and other personal information about employees. Is there anything I can do about this? I was thinking it would ease their mind if I set up the notifications so it notifies them when the document is accessed, but it only gives the option for a check-out. Anyone else had problems like this before, what was your solution?

Thanks

  • 0

    As you mentioned, administrators can access all the documents. One solutions I have witnessed is to limit the access is to protect the documents with passwords. At least Microsoft Office offers this possibility.

  • 0 in reply to Heidi Immonen-Isomäki

    Other things to consider:

    • If the administrators are also normal users in these vaults (creating/accessing documents etc.), they should have separate user accounts for admin operations and normal use. They should only log into the vaults with the admin accounts when some administrative work needs to be done. This would already limit the exposure to sensitive documents in their daily work.
    • File downloads are logged to the vault event log, so there could be an auditing process in place to notice any inappropriate file accesses
      • For added security, the logs could be exported to a secure location that the M-Files administrators cannot access directly (so malicious administrators cannot cover their tracks by deleting log events).
    • If M-Files is self-hosted, make sure you have enabled encryption of data at rest so server administrators cannot access the file data from the file system: Best Practices for Data Security and High Availability in M-Files (Encryption is enabled by default on M-Files Cloud.)
    • Instead of password-protecting the files, using Azure Information Protection might be an option. More information in section 10 here: M-Files and Microsoft Office 365
  • 0 in reply to Joonas Linkola

    I went with the password protect option - it worked fine although we found out that I could still access the documents from History. I also created another "normal user" account for myself, and since there is only me and my mentor as administrators there isn't that much to worry about. The event log idea is a good one, could maybe create a script that then filters this event log to show only the sensitive HR documents, since the event log logs even the preview window.

  • 0 in reply to Heidi Immonen-Isomäki

    We also came to that conclusion and are using this for the moment, only issue I found was that I could still access previous versions from History





              

© M-Files Corporation 2024 | Privacy Policy