Document Actions
1.
Where to Install Local Solutions of the OpenEngagement DMS and Controlling Access to It
Up one level
Security Concerns
Depending where the site is hosted, anyone with a web browser can reach the site, and view it as an anonymous user. However, without a username and password, such visitors will not be able to view anything other than public pages. No content in the DMS will be visible to users not logged it, but some content in the KMS may be. That is, firms may select to make some content in the KMS visible to the world.
Without a Go-Between, visitors to the site will not be able to download any Working Papers client files. Allowing persons access to the OpenEngagement CMS through a web browser will not compromise the security of the content of the site, assuming no content is set Public in error. However, allowing persons access to the computer on which it is installed will compromise the security of the site.
For whichever computer the OpenEngagement DMS is installed on, you should assume that the any persons who have access to that computer, also have full access to the CMS. Anyone with access to the computer can start and stop the OpenEngagement CMS, add scripts to it or modify its source (given access to someone with knowledge of the python programming language, which is not an obscure language), install third party Plone products, etc. Given that most firms will wish to keep the OpenEngagement CMS very secure and free from tampering by tightly controlling access to it, and will also wish to ensure the OpenEngagement CMS is reliably running virtually all the time, this may be a serious concern. People with access to the computer on which the OpenEngagement CMS is installed will also be able to copy the OpenEngagement CMS database. With sufficient knowledge of Python, they could extract any information in the database. Also, users with access to the computer could install other applications, which could compromise the performance of the OpenEngagement DMS. That is, persons with access to the computer may also unintentionally affect the performance or reliability of the DMS.
Firms selecting the Local Solution option should, in most cases, severely restrict access to the computer on which the OpenEngagement DMS is installed. With the hosted solution, this is not an issue, as there is no access to the server by any firm member, and the only access to the OpenEngagement DMS is through a web browser, the Quick Upload, or the Go-Between.
Other Concerns Related to the Installation Location of the DMS
The OpenEngagement CMS can create a site that is public (internet/extranet) or private (intranet). There is no difference in the OpenEngagement CMS or how it is installed in these two cases. The difference is where it is installed, and how the firm controls access to it. A firm does, though, need to register the domain if they wish to make it an internet site. Note, if you do not register with any search engines, the site can still be found, and your site may receive some unwanted traffic.
Generally, the OpenEngagement CMS should be installed once per firm, but can be installed multiple times. If you install multiple times, you should ensure that different content is strictly kept within only one instance; if you wish to keep the same content in multiple locations, it is quite easy to run into versioning issues (not knowing which version is the most recent, most accurate etc.)
Installing the Go-Between
The Go-Between must be installed on whichever computers have Working Papers and where users will use Working Papers as an interface to the OpenEngagement DMS. There is an installer for the Go-Between, which is run for both Local and Hosted Solutions. There are no security issues related to the installation of the Go-Between.