workspace administration (high) Flashcards
Security and Permissions
how can you use the instance setting Relativity.Authentication WindowsAuthIpRange to define an IP address for users to log in?
this setting is used to define the valid range for the Relativity instance; the default defines all IP addresses as valid
how do trusted IP ranges work to define IP addresses for users to log in?
specifies a valid IP address or addresses for each user, which could be an individual address, a range of addresses, or combination of either
what are 2 ways that an IP address range could be set for Relativity users?
WindowsAuthIpRange and Trusted IP range
can WindowsAuthIpRange and Trusted IP range be used to stop users from logging in if they access Relativity from the same server where it is installed?
No, you must disable non-admin user remote access to the server
what instance settings can you use to define integrated authentication behavior? (2)
UseWindowsAuthentication and WindowsAuthIpRange instance settings
If UseWindowsAuthentication is False, then:
integrated authentication can’t be used. Relativity ignores the WindowsAuthIpRange value.
if UseWindowsAuthentication is True and WindowsAuthIpRange isn’t set:
then integrated authentication will always be used regardless of IP address
If UseWindowsAuthentication is True and WindowsAuthIpRange is an IP address or address range:
then Integrated Authentication is used when the computer’s IP address falls within the WindowsAuthIpRange value.
what kind of server do you need to send email authentification?
SMTP server
what instance settings are needed to define the emails addresses and body text for authentification? (3)
- AuthenticationEmailFrom - sets the email address that appears in the From field of email messages that contain authentication information for users.
- EmailFrom - sets the email address populated in the “From” field when sending email notifications.
- ForgotPasswordRequestEmailFrom - sets the value in the From field for the forgotten password request email message.
what is relativity not certified to work with any version of?
RSA Authentication Agent for Web for Internet Information Services
how many agents must you add for each web server in your relativity environment?
one
what must you do before you configure RSA authentication in Relativity?
you must copy the RSA configuration files to your Relativity web server
a user can have multiple login methods, but only one from what categories?
only one from among password, RSA, and active directory
the invitation workflow works applies to which methods? (3)
password only,
password 2-factor, and
password outside trusted IP
how long is the invitation email for the password only option valid for?
one week
what instance setting can be used to increase the default invitation link expiration period?
InvitationLinkLifetimeInMin
how does the password 2-factor option work?
requires a passcode in addition to a password; The system emails a passcode to the user during logon, and it’s different each time.
how long is the link in the email for the password 2-factor option valid for?
5 minutes, and only the most recently-sent email can be used. The link expiration time is not configurable.
how does the password outside trusted IP option work?
requires a passcode only if the user logs in outside of a specified IP range. If the log on is inside the trusted range, then only a password is required.
how are passwords reset in Relativity?
by sending the user an email with a reset link
how long is the link within the email for password reset valid for?
15 min, and only the most recently sent email can be used
what instance setting can you use to increase the default reset link expiration period?
PasswordResetEmailExpirationInMinutes
can system admins set or see passwords?
no, by default
in order to manually set a password, what instance setting must be configured?
AdminsCanSetPasswords instance setting, set to true
how does the active directory method work?
uses Windows Active Directory to authenticate the user
how does integrated authentication work?
uses Windows supported authentication protocols, such as Kerberos, to automatically log in users
what 2 instance settings must be configured in order to use integrated authentification?
- UseWindowsAuthentication - must be set to True to use Integrated Authentication
- WindowsAuthIpRange - set this to the IP address or addresses for a trusted range of computers
how does client certificate authentication work?
uses a smart card assigned to a user
how does RSA authentication work?
requires a user to have an RSA SecurID token that is registered with your RSA Authentication provider
why does implementing client domains require an additional license from Relativity?
Each client domain license is unique, and client domains can have different terms encoded on their license keys. The license for a client domain is unrelated to any other license for Relativity (e.g., number of seats).
what cannot be activated for Client objects that have existing workspaces associated with them?
Client domains functionality
what is the purpose of the client domain feature?
an easier way to securely isolate users, workspaces, groups, resource pools, and matters by client
what is the root object of a client domain?
the client object in the administrative workspace
if you enable client domains a client, you can no longer do the following:
- cannot disable it on that client later,
- cannot edit the name of the client
- cannot delete the client
what can a user group that is not part of the system admin group (named: client domain admins) do?
perform common administrative tasks within their own client domain with limited visability into the Relativity environment as a whole
what does enabling client domains on a client involve?
generating a client domain request and then applying an activation key
by enabling a client domain, you ensure that:
any content or other Relativity components associated with this client are visible only to a select group of users
what must you do before client domains can be enabled on a client?
you must create all the objects you want to include within the client domain child objects of the client
what instance setting must you configure to view and edit client domain settings?
ClientDomainFeatureAvailable to true
what group should not be assigned as the workspace administrator group for a given workspace that is part of a Client Domain?
the everyone - (client’s name) group that is created after client domains are enabled
what is created automatically after client domains are enabled?
- a new Everyone - [Client’s Name] group
- a unique copy of all resource pools associated with any workspaces under the client domain
- a client domain admin group that permits its members to perform admin operations within the client domain
- The Billing statistics - case rollup and Billing statistics - users reports include columns called Client Domain Name and Client Domain Artifact ID
what overrides client domain isolation after enabling of client domain?
permissions assigned to groups
enabling client domains does NOT change:
previously configured item level security settings applied to any objects within the client domain.
what happens if you try to use an activation key for client domains on a different client?
error message; you must select the client that you originally used to generate the request key
what are client domain admins?
essentially workspace admins for workspaces within the client domain; any limitations are based on the permissions you set for the user group in Relativity that the client domain admin belongs to
can client domain admins perform tasks that are exclusive to Relativity System Administrators?
No
what will happen if you use the Relativity User Import Application to import a Client Domain Admin?
the application adds that new user to the Everyone group by default, which will then break the Client Domain security in your Relativity instance
if you grant workspace admins within the client domain permission to edit security settings for groups within the client domain, then:
they can’t edit permissions on groups outside of the client domain
how do you make a client domain admin?
a system admin must add them to the client domain admin group
what happens If you assign admin permissions to a user group by copying permissions from system admins?
you must unset and reset the View Workspace permission to allow the user group to edit the workspace
what 5 categories are relativity workspace permissions divided into?
object security tab visibility browsers mass operations admin operations
what does the object security tab list?
all workspace objects with their related item-level permissions
some object permissions require what other permissions?
corresponding tab visibility or browser permission
what overrides object-level security permissions?
item-level security
what permission only appears if Audit is installed and configured?
export (mass operations)
If a user has view access or greater to the History tab, but doesn’t have permission to View All Audits, then:
the user can’t view the history tab
where can you edit workspace permissions?
using the Workspace Security dialog accessible from the Workspace Details tab
what must you have in order to add and remove groups?
you must have the Edit Security permission set for the Workspace object and the Add and Delete permissions set for the Groups object (instance level security)
if you are in a workspace admin group, what do you need in order to add a group to a workspace?
you must have the instance-level Edit permission to the Group object
what can you do with instance security?
you can apply permissions to system admin groups to limit or grant access to particular system admin objects
what do you need to be if you want to edit client and matter for a workspace?
a system admin
If you grant tab visibility on a tab to a group that doesn’t have view permissions on that object, then:
users within that group are unable to view the tab
Users will have access to the Workspaces tab even without the:
View Admin Repository permission
where can you find the group permissions report?
in the instance details tab, clicking group permissions report
what are the un-editable admin permission settings for the everyone group? (8)
- View User - visibility of user.
- View View - visibility of views.
- View Choice - visibility of choice.
- View Group - visibility of groups.
- View, Edit,and Add Error - visibility, edit rights, and add rights to errors.
- View Relativity Script - visibility of Relativity script.
- View Server - visibility of servers.
- View Tab Type - visibility of tab type
system admins are the only users who can access: (6)
- library applications views
- library application detail
- relativity scrippt library view
- new script page
- edit script page
- run script page
who is the only user able to grant other users membership into the system admins group?
a system admin
should you use tab visibility as a sole method of preventing security permissions?
no
what does the preview security feature allow a system admin to do?
interact with Relativity as if they are logged in as a specific user or a member of a specific group, allowing them to easily verify that the correct permissions are applied without logging in to Relativity under a different account
If you perform a job while previewing a user’s security settings, then:
the audited action is credited to your username and not to the user whose security you were previewing when you started the job
does the preview security feature allow the system admin to monitor the actions of a user in real time?
No, it only stimulates what the user would see
what happens if you wanted to preview security on a member of the system admins group?
the preview security button is unavailable, and the favorites menu is disabled during preview security sessions
when might you involve a wait time when altering security permissions from overwrite inherited security to inherit security and vice versa?
if it is affecting 50,000 records or more