Security on the ICMS is accomplished by a combination of two fields which are carried in the information for a document, your Accounts and your Security Groups.
When you add a document you are given two ways to limit access to it. There is a required field - Security Group - and an optional field labeled Secure To. The security on the document is the intersection of the two settings. That is, imagine that Security Group specifies one group of people and Secure To specifies another. If you specify both on a document then only those people who are in both the Security Group and Secure To you specified will be able to access the document.
Security Group is required for all documents. We have made our best effort at giving the security groups meaningful names - knowing acronyms like APS, ANL, DOE and CNM should be all that is required of system users. You will only see values in the Secure To and Security Group dropdowns which you have access to.
List of Security Groups
The following Security Groups are relevant to nearly all ICMS users:
- World - This security group is for all content intended for viewing outside of Argonne. This group is intended for Internet content. World will be used only by users contributing content that is published to the Internet.
- ANL - This security group is for content intended for anyone who has access to the Argonne network, including Argonne employees. This group will be used for Argonne Intranet content. ICMS Guest Users (including Argonne employees) will be able to view documents in this group. Documents previously in the Public group will be migrated to the ANL group.
- APSCNM – This security group will be used for both documents and drawings to be shared with both APS and CNM. This will be the target group for all Models and Drawings checked in from Intralink; links to these drawings will require the user to sign into ICMS in order to view them. Argonne Guests will not have access to this security group.
- APS - This security group will continue to be used for all content that is intended to be viewed solely by APS personnel.
Most documents contributed by APS staff use the APS group.
A number of other Security Groups exist, but are designed to be used by smaller subsets of ICMS users.
Here is the list of Security Groups as it appears on the content check in form:
Note: The list of Security Groups you have access to may not include all the items specified in this screen shot.
The 'Secure To' dropdown list specifies the Account you have specified for this document. This allows you a way to specify who can read a document as well as which groups of users can edit it.
Accounts that you have access to are specified near the top of your 'My Profile' screen.
Secure To Is Hierarchical
There is some nuance involved with the Secure To field due to its hierarchical properties. For example, if you set a document to:
this means any APS person can read the document, but only people with Read Write access to APSShare/ALD can edit it. This behavior is why all APS people are granted read access to APSShare by default.
Same goes for PublicShare/*, but documents secured to those accounts are also readable/editable by CNM people.
Specifying Security For a Document
When specifying access to a document you are adding or modifying it is your task to balance the conflicting goals. On the one hand you will wish to limit access to only those people which need to see or change this document - there is clearly a lot of intellectual property, administrative and other documents which should not be exposed to the population at large. On the other hand this is a centralized repository of documents for all users and staff of the APS and as such it's important for users to be able to find documents which relate to them. We ask you to exercise your best judgement, if you have any questions feel free to open up a help desk ticket or email us at firstname.lastname@example.org.
Securing Documents to Be Viewable by APS Users Only
If you have a document that has been migrated from the Public security group to the ANL security group and do not want it viewable outside of APS, you will need to open the Content Information page for the document, select the Update option in the Actions box, change the security group to either APSCNM or APS, and submit the update.
Guest Users and What They are Permitted to See in ICMS
Most documents contributed to ICMS use the APS security group. In order to access these documents, a user must have an ICMS User ID and Password. However, from the ICMS Log In page a Guest User can search ICMS without logging in; this is a Guest—or non-authenticated—User.
Guest Users are permitted to view any document in the Public and World security groups. If you want to contribute a document that can be viewed by anyone in the Argonne Network, you should choose the Public security group.
Viewable by APS Users Only
Group=APS, Account=APSShare (or APSShare/*anything*)
- No ICMS Login required to see
- Everyone can read
- IT users can modify
- Only APS staff who can log in can see
- Only Controls can modify
- Only Power Systems staff can see
- Only Power Systems staff can modify