Tagged: Connections

IBM Connections Folders #2: Ownership of files and folders

This blog is follow up in a series of blogs on Folders in IBM Connections. For full understanding I would recommend reviewing #1: Community Folders first

Ownership is quite important in IBM Connection when it comes to data. Why? Well because ownership isn’t always straight forward and sometimes data shouldn’t be public.

Obvious! Why would you even need to say that?

Well… The premises of any social platform like IBM Connections is to share. That means that in theory the thinking is that every file you put into your social platform should be ‘public’ (e.g. findable and accessible to all). Reality of course is that this is not always the case. Even in a very ‘open’ organization certain files will still require protection and limited access. This is one of the reasons why users in IBM Connections can specify “Sharing” settings on files they upload as well as folders and communities they create, restricting access to only specific groups or users. The basic idea is though, and this is something you feel very clearly when working with IBM Connections, that everything is open, unless.

Storage

How you can limit access is partly determined by where the files are stored. Looking specifically at files you can say that IBM Connections allows for two* main storage points:

  1. By uploading it into a users personal Files section
  2. By uploading it into a community

In the first case, uploading a file into personal files, the file will always remain in the ownership of the user. The standard security level setting for personal files is ‘Private’, meaning no one can access apart from the owner. The owner can however decide to make a file ‘Public’ (accessible to all)  or grant specific Editor or Reader access to specific users, groups or communities. Ownership and full control will always remain with the original user though.

A file stored directly into the community however is different. Ownership of these files lies not with the user that uploaded it into the community but with the community. All users of that community from then on have equal rights to that document. This means that if the user uploads a file into a restricted community and is subsequently removed as a member of that community, the file remains in the community and is no longer accessible to the user that originally uploaded it.

A similar structure applies to folders. Folders created in a users personal files section will always remain in the ownership of that user. Folders created as Community folders and/or CCM folders however will always be property of the community, not the creating user. This also implies the biggest restriction which is that a folder created within a community or CCM Library can never be shared across communities while Folders created as personal folders can be shared with more then one community, group or user.

CCM folders have one added element to keep in mind which is that they allow for imposing additional access restrictions on folders by limiting edit access to specific subgroups of community users. You can for instance use this to restrict that only a few of the community users are allowed to edit the information in a CCM folder. Read access however will always be there to all community members though and the user creating the folder as well as the community owners cannot be revoked as owner of that folder unless they are removed from the community.

Shared folders versus Tags?

Which brings me to another peculiarity of shared folders…. A folder in the traditional sense as people know them from for instance their file drive is a place, a physical location to store a file. Meaning a file can only reside in one folder at the time. Shared folders however are different as a file can be added to more then one Shared folder. So in a way shared folders aren’t really ‘folders’ at all, they are collection sets and almost act the same as tags. After all a tag is nothing else then a categorization and several files having the same tag can be seen as a collection as well. The difference between a shared folder and a tag in IBM Connections is though, that you can control access and Share a shared folder and you can’t do that with a tag.

Folder_11So keep in mind that a Shared folder is significantly different from a community or CCM folder as those are more aligned to the standard concept of folders while Shared Folders in a way hold the middle between a Tag and a folder.

Shared folders & security

So… why would you create folders within communities if personal (Shared) folders give you more options to share across communities & user groups and allow you to have information in them that is also shared in other folders? Well because there are some risks with having shared folders. For one, users don’t always realize the implications of putting a file in a folder shared by someone else.

No problem if the community (and therefore the data in it) is public anyway but what if you have a Restricted community that has a shared folder which is also shared with another Community? A user might think that because he is adding a file to a folder within the Restricted community that therefore the file itself is also only shared within that community. Unknowingly though he might be sharing that file with other users & communities. Only if he actively opens the sharing tab will he see that it is also shared with other communities and therefore visible to not only the users of the (restricted) community he thought he was adding it to, but any other communities/users that folder was shared with as well.

Example of a folder with the ‘Sharing’ tab opened to show this folder was shared with two communities

In theory the user who originally created the folder and shared it with the community could even be removed from that community while his shared folder would remain shared and visible within the community. Which means that any files added to that folder by any other community member after the user was removed from the community would effectively still be accessible to the user (creator of the folder). Using Shared folders in Restricted communities is therefore something I would strongly discourage to prevent confusion. In these situations Community folders and/or CCM folders should definitely be the first line of choice. Shared folders should only be used to share public info where it is no problem that it is visible across several public communities

———————————————-

Next up I will go into how you can work with the different types of folders and what differences and similarities are between them. I hope to publish this tomorrow.

 * Files can also be uploaded in other places like Activities and blogs but from a standpoint of file management I am leaving these out for now

 

IBM Connections Folders #1: Community Folders

Last week CR4 for IBM Connections 4.5 came out. An intermediate update that had a few new options for file management in IBM Connections. One of which was the ability to add Communities folders. Until now the standard option to get a folder in a community Files section was to create one in your personal files and share that with the community. Control and ownership would however remain with the user, not the community. This has now been extended with the option to create a folder specifically in a Community itself. It does however pose some questions as now there are two (or three – depending on if your organization has implemented CCM) types of folders a user can use within a community. And all have their own specific features and quirks so time to do a little comparison!

Ok, first of all… Folders in a social environment like IBM Connections don’t necessarily work the same as folders we are used to in for instance a file system. I’m not comparing them to that and I think neither should you. However…. as they are called folders and look like folders and in many ways act like those folders in an ordinary file system, users will think they are…  So it is important to understand what these folders in IBM Connections do exactly and how they function and to explain that to the user. It could make a big difference in keeping vital information safe and secure.

Folders in Communities

What type of folders do we have in IBM Connections Communities?

1). Shared Folders: In the personal files section of IBM Connections users have always had the option to create (Shared) folders. These can be used to organize files and can also be shared with either everyone (public) or with selective people/communities. If shared with a community the folder will show up in the folders tab of the Files section for that community. Files placed in the folder are visible to all users in the community as well as any other user or community that folder was shared with. Depending on the access given to the community by the original folder owner community members can also edit and even delete files in that folder.

2). CCM is a add-on feature that can be installed with IBM Connections to allow for (limited) document management features within Communities – including folders. The big difference to Shared & Community folders is that folders within CCM allow for nesting (subfolders, e.g. folders within folders) and for selectively limiting access to files for community members within folders and even the sub folder levels. In contrast: Community & Shared folders only have one access level which applies to the whole community they are shared with. Meaning that all community members are either reader, contributor or owner whereas a CCM Folder allows you to specify that for instance only a subset of community members can edit files in that folder and all others can only read. There is one restriction: Community members can never be denied access to a CCM folder. They will always have at least Reader access.

3). Community folders is the new kid on the block. This feature came out with version 4.5 CR4 and allows users to create folders directly in the Community Files. Why is this important? Well because ownership of that folder now solely lies with the community. A community folder can never be shared outside the community and someone who leaves the community (if it is a restricted community) will no longer have access to the folder or community files in it. Community folders also allow you to selectively “Follow” a folder. A great option if you want to be informed of updates to a specific folder but not to other community events.

Example of a folders section in the community files showing both a community as well as shared folder:
 shared and community folders
Example of a CCM folder containing both several files as well as a subfolder:
CCM folder

———————————————-

So… Now we know what we have it is time to look at some important things to keep in mind while using folders. In the next few days I will go into this in a few follow up blogs. First up is how Ownership is arranged in the different types of folders, so keep tuned

 

Shared folders – potential security issue

IBM Connections allows users to share personal folders with groups, communities and users. An ideal option to share sets of documents/files with multiple target audiences at the same time. There are however some caveats. Especially in situations where Shared Folders are used to share potentially sensitive information with Restricted (secured) communities. If your organization uses Shared Folders I would strongly advise looking at the below example to get an idea of the potential risks so you can assess if this is something that could cause problems in your organization:

An example:

User A creates a Shared Folder in his personal IBM Connections Files and places some files in it.

Folder_1

He then shares this folder with a community called “Demo Community” of which he is a member and which has restricted access. The folder is now visible and accessible in the Demo community to all community members:

folder_2

Both User A as well as the community members can see the folder is shared with the community in the “Sharing” tab of the folder itself:

Folder_3

The Community admin then decides that User A should no longer be allowed access to the information in the community and revokes his access. User A cannot longer open the community.

As the Test folder was a personal folder that he shared with the Demo community though, User A is still able to access the folder from his personal Files&Folders section. If he looks at the  “Sharing” tab of the folder there is no mention of the Demo Community anymore, it looks as if it is a private folder:

Folder_5

In reality though, the folder is still shared with the Demo Community and both visible and accessible to the members of that community. If they look at the “Sharing” tab of the Test Folder, “Demo Community” ís shown:

Folder_10Effectively this means that they can still access, edit, delete and add files in the folder from within the community:

Folder_9

When they do, User A can see and access these newly added files in his folder but it must be very confusing for him to see users that are not listed in his Sharing settings perform actions on files in his folder:

Folder_8

So what’s the problem?

a). User A doesn’t see the name of the “Demo Community” as an entity with which this folder is shared after he was taken out of the community, so he has no way of knowing it is still accessible to the community members.

b). Because he can’t see that it is still shared with the restricted community, he can’t remove the sharing option either. Effectively this means he has no control over the folder access anymore apart from deleting the whole folder.

c). Even though he is no longer part of the Demo Community, his folder is. Users in that community (which is restricted) would have a reasonable expectation that the  information they share within that community is limited only to members of that community. In reality though any files they place in this folder will be visible to User A (no longer a member of the community) and any other communities, groups or users he chooses to share the folder with.

 ————————————–

I understand that the above situation is extreme and not likely to happen very often but it is important to be aware of this.  There are other options that can be used instead of Shared Folders like CCM folders and the new Community folders (released in CR4 of IBM Connections 4.5). These are not owned by a user but by the community and would therefore not impose the same security flaw. I will be publishing another blog on the differences between Shared, Community and CCM folders over the next few days for those interested.

IBM Connections 4.5 and Connections Content Manager available

As announced the IBM Connections 4.5 release and the Connections Content Manager add-on were made available for download today through the appropriate channels. The following sites give information on features, links to relevant content and pricing:

Enjoy!