Common Security Questions: Difference between revisions
Dgreenwood (talk | contribs) No edit summary |
Revision as of 09:40, 10 July 2025
How is access to files/data stored in a Grooper Repository restricted?
A Grooper Repository is composed of a SQL database and a Windows file store. User access to these resources is managed by your network security team.
- The Grooper app pool identity on the Grooper web server will need access.
- Accounts running Grooper services (such as Activity Processing) will need access.
How is user access to the Grooper application restricted?
The Grooper application is opened in a browser using a URL pointing to the Grooper web server. Users on your network who can access that URL will be able to open the Grooper application. Security can be applied to the web app in two ways:
- (Default) Windows Authentication (Active Directory credentials)
- Microsoft Azure Entra ID OAuth
Application users do not need access to the Grooper database or file store. Only the Grooper app pool identity and Grooper service accounts need access to the database and file store.
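One way to check that rule on the file store side, as an added example that is not part of the Grooper documentation: the script below lists every Allow entry on the file store folder whose identity is not on an allowlist. The path and the two `EXAMPLE\svc-grooper-*` account names are placeholders (assumptions); substitute your own app pool identity and service accounts.

```powershell
# Added example: audit the file store folder's NTFS ACL against an allowlist.
# Every name below is a placeholder (assumption), not a value from the Grooper docs.
param(
    [string]$FileStorePath = '\\FILESERVER\GrooperFileStore',   # placeholder path
    [string[]]$AllowedIdentities = @(
        'EXAMPLE\svc-grooper-apppool',     # placeholder: Grooper app pool identity
        'EXAMPLE\svc-grooper-activity',    # placeholder: Grooper service account
        'NT AUTHORITY\SYSTEM',             # usual administrative entries; trim to policy
        'BUILTIN\Administrators'
    )
)

function Get-UnexpectedFileStoreAccess {
    param([string]$Path, [string[]]$Allowed)

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        # Deny entries only restrict access, so they are not findings.
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $identity = $ace.IdentityReference.Value
        # -notcontains compares case-insensitively, matching Windows account names.
        if ($Allowed -notcontains $identity) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $identity
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = @(Get-UnexpectedFileStoreAccess -Path $FileStorePath -Allowed $AllowedIdentities)

if ($findings.Count -eq 0) {
    Write-Output "No unexpected Allow entries on $FileStorePath"
} else {
    $findings | Sort-Object Identity | Format-Table -AutoSize
    Write-Warning "$($findings.Count) Allow entries fall outside the allowlist."
}
```

This reads only the NTFS ACL on the folder itself; share permissions, child items with broken inheritance, and group membership behind an allowed or flagged identity need to be reviewed separately.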
How is user access to a Grooper Repository restricted?
Use Permission Sets to restrict which users in your domain can access a Grooper Repository. Permission Sets allow users to determine access using Active Directory users and groups. Access to the entire Grooper Repository can be blocked. Access to individual pages (Design, Batches, Tasks, etc.) can be blocked as well.
Restricting access to a Grooper Repository using Permission Sets is the best way to ensure only appropriate users can view Batch content.
How is access to different Batches or Review steps managed?
Review Queues filter what work is presented to a user in the Batches and Tasks page. Active Directory users and groups are assigned to a Review Queue. The Review Queue is then assigned to a Batch Process or Review step. Assigning the Review Queue to the Batch Process will filter out what Batches are available in the Batches page. Assigning the Review Queue to the Review step will filter out what Review tasks are available in the Tasks page.
Be aware, Review Queues are a work filtering mechanism, not a true security principle. They do act as a "soft security" measure by filtering out what work is available. However, if you want to completely lock down a user's ability to view a document, the most secure way to do so is to remove their access to the Grooper Repository in its Permission Sets.
Is Grooper SOC compliant?
Yes. Grooper is SOC 2 compliant and undergoes a third-party SOC audit annually.
My organization does not want to use Grooper's large language model (LLM) based features. How do I prevent users from using LLMs in Grooper?
LLM connectivity is allowed in Grooper by adding an LLM Connector. If you do not want to use LLM features, do not add an LLM Connector to the Grooper Repository.