At the heart of Venio's security and workflow efficiency is its sophisticated access control system, which governs user permissions through a combination of Project Groups, Global Roles, and Rights/Permissions. This system ensures that users, ranging from system administrators to reviewers and external clients, have precisely the access they need without compromising data integrity or compliance.
In Venio, access is hierarchical and modular:
- Global Roles (Venio Admin Level) provide overarching application permissions that span the entire system.
- Global Groups (Project Group Association) define rights within projects.
- Rights are granular permissions tied to specific actions, such as viewing documents and tagging (project rights) or managing servers (application rights).
These elements are interconnected via association tables, allowing administrators to customize access dynamically. This overview explores each component, their relationships, and how they enable secure, role-based collaboration in Venio.
Project Groups
Project Groups in Venio categorize users based on their primary function within a project. These groups can be modified and defined by admins and serve as the foundation for assigning project-specific permissions. Each group has an ID, name, description, and a flag indicating whether it is a system group (IsSystem=1 for all listed groups, meaning they are built-in and not user-created).
Default Project Groups include:
- Site Admin Group: For top-level administrators managing the entire Venio instance.
- Project Admin Group: Handles administrative tasks within individual projects.
- User Group: General users with standard access.
- Viewer Group: Read-only access for observation or auditing.
- OnDemand Group: For Venio OnDemand clients, supporting ad-hoc access.
- External User Group: External collaborators in OnDemand scenarios.
- Data Uploader Group: Focused on uploading and ingesting data.
- Reviewer Group: Dedicated to document review and tagging.
These groups are linked to rights via the `tbl_pj_ProjectGroupRightAssociation` table, which maps GroupIDs to RightIDs. For example, the Site Admin Group (GroupId 1) has extensive rights, including creating projects (RightId 16), managing tags (RightId 128), and viewing reports (e.g., RightId 106 for Project Settings Report). In contrast, the Reviewer Group (GroupId 8) has more limited rights focused on review tasks, such as viewing documents (RightId 50-53) and applying tags (RightId 44).
This group-based structure allows Venio to enforce project-level segregation of duties, preventing unauthorized actions like data deletion or export.
Global Roles
Global Roles extend beyond individual projects, providing system-wide or cross-project permissions. They are stored in `tbl_pj_GlobalRole` and include attributes like role name, description, associated group (if any), and flags for system roles and project association.
Default Global Roles:
- Venio Admin: Full system control, including server configuration and license management.
- Non Admin: Basic access without administrative privileges.
- Legal Admin: Specialized for legal oversight, with no direct group association.
- OnDemand Client Admin: Manages all OnDemand projects associated with the project.
- OnDemand Client External User: Limited external access.
- Project Admin: Project-specific admin role.
- Reviewer: Focused on review workflows.
- Data Uploader: Data ingestion specialist.
- User: Standard user role.
Global Roles are associated with rights through `tbl_pj_GlobalRoleRightAssociation`. For instance, Venio Admin (GlobalRoleId 1) has broad rights like configuring databases (RightId 1) and creating users (RightId 7). The Reviewer role (GlobalRoleId 10) is more restricted, with rights like opening projects (RightId 17) and changing passwords (RightId 130).
Some roles have the `AssociateProject` flag set to 1 (e.g., OnDemand roles), indicating they are tied to specific projects, while others (e.g., Venio Admin) operate globally.
Rights and Permissions
Rights (or Permissions) are the atomic units of access in Venio, defining specific actions users can perform. Stored in `tbl_pj_RightInfo`, each right has an ID, name, description, module association, and flags for active status, global applicability (IsGlobalRight), and OnDemand relevance (IsVODRight).
There are hundreds of rights, categorized by modules like System Management, Data Management, Analyze, Review, Work Product, Production, and Reports. Examples include:
- CONFIGURE_DATABASE_SERVER: Global right for server setup.
- ALLOW_SEARCH: Project-level search permission.
- ALLOW_TO_APPLY_REDACTION: For applying redactions in reviews.
- ALLOW_TO_VIEW_AI_PII_DETECTION_PANEL: AI-related feature for PII detection.
Rights are flagged as global (e.g., license management) or project-specific (e.g., tagging documents). OnDemand-specific rights (IsVODRight=1) cater to cloud-based workflows.
Associations ensure rights are only granted via groups or roles, promoting least-privilege principles.
Associations and Permissions Flow
Venio's permission model flows from roles and groups to rights:
- Project Group-Right Associations: Define what a group can do within a project. For example, the Project Admin Group can ingest data, export, and manage reviews.
- Global Role-Right Associations: Handle system-level access. The Venio Admin role can backup/restore projects and manage global fields.
A user's effective permissions are the union of their global role rights and project group rights. This hybrid approach supports scalability: global roles for admins, project groups for team members.
For instance:
- A Site Admin has nearly all rights, ideal for system oversight.
- A Reviewer can search, tag, and view documents but not delete or export.
Best Practices and Considerations
- Customization: Consider cloning a Group or Role before modifying it. Admins can modify Right associations but should avoid altering the default groups/roles, so that mistakes can be easily reverted.
- Security: Use flags like IsInternalRole to distinguish internal vs. external access.
- Auditing: Rights for reports (e.g., audit logs, RightId 330) ensure compliance.
- OnDemand Focus: VOD rights support external users without full system exposure.
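The union rule from the permissions flow and the advice to leave default groups untouched can both be checked mechanically. The following is an added example, not Venio code: it models the two association tables as constructed (owner ID, RightId) rows using only the IDs quoted in this article, computes a user's effective rights, and reports drift of a default group against a saved baseline. The function names and the in-place edit scenario are assumptions made for illustration.

```python
# Added example: constructed rows, not an export from a real Venio database.
from collections import defaultdict

# (GroupId, RightId) pairs shaped like tbl_pj_ProjectGroupRightAssociation.
# IDs are the ones quoted in the article; real groups carry many more rights.
BASELINE_GROUP_RIGHTS = [(1, 16), (1, 128), (1, 106),
                         (8, 50), (8, 51), (8, 52), (8, 53), (8, 44)]
# (GlobalRoleId, RightId) pairs shaped like tbl_pj_GlobalRoleRightAssociation.
ROLE_RIGHTS = [(1, 1), (1, 7), (10, 17), (10, 130)]

def index(rows):
    """Turn association rows into {owner_id: {right_id, ...}}."""
    out = defaultdict(set)
    for owner_id, right_id in rows:
        out[owner_id].add(right_id)
    return out

def effective_rights(role_id, group_id, role_rows, group_rows):
    """Effective permissions = global role rights UNION project group rights."""
    return index(role_rows)[role_id] | index(group_rows)[group_id]

def drift(baseline_rows, current_rows):
    """Per-owner RightIds added to or removed from the baseline snapshot."""
    base, cur = index(baseline_rows), index(current_rows)
    report = {}
    for owner in sorted(set(base) | set(cur)):
        added, removed = cur[owner] - base[owner], base[owner] - cur[owner]
        if added or removed:
            report[owner] = {"added": sorted(added), "removed": sorted(removed)}
    return report

# Constructed scenario: the default Reviewer Group (GroupId 8) was edited in
# place, gaining RightId 16 (create projects) and losing RightId 44 (apply tags).
CURRENT_GROUP_RIGHTS = [r for r in BASELINE_GROUP_RIGHTS if r != (8, 44)] + [(8, 16)]

if __name__ == "__main__":
    # Reviewer role (GlobalRoleId 10) combined with Reviewer Group (GroupId 8).
    print(effective_rights(10, 8, ROLE_RIGHTS, BASELINE_GROUP_RIGHTS))
    print(drift(BASELINE_GROUP_RIGHTS, CURRENT_GROUP_RIGHTS))
```

Running the drift check on a schedule against a snapshot taken at install time surfaces in-place edits to built-in groups, which is the situation the cloning advice is meant to avoid.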
In summary, Venio's Roles, Project Groups, Rights, and Permissions create a flexible, secure framework for eDiscovery workflows. By tailoring access, organizations can enhance efficiency while mitigating risks. For implementation details, consult Venio's admin documentation or contact support.