Document Access Control

This article describes the purpose of Document Access Control

Documents added to tasks in Straatos are stored in Blob Storage. By default, Azure Blob Storage is used. However, in regions where Azure Blob Storage is unavailable, documents are stored on a File Server.

Security & Encryption

Documents are encrypted at the application level.
In Azure Blob Storage, they receive additional encryption at the infrastructure level for enhanced security.

Accessing Documents

Within Straatos: Documents are primarily accessed via Straatos Workflow Steps or through the Straatos MyHome page. Secure access is automatically managed by Straatos in these cases.

External Access:
- When documents need to be:
  - Exported to a backend system.
  - Submitted to external tasks for processing.

The API interface must be used to allow access. This can be configured using:
- Time-limited access.
- Authentication-based access.

By implementing controlled access mechanisms, Straatos ensures document security while enabling integration with external systems.

Access to Documents (Webservice Key)

Using a Webservice Key is the preferred method for server-to-server communication, ensuring that the key remains secure and not exposed.

Steps to Access a Document via Webservice Key

Retrieve the Document URL:

Use the GetDocumentInfo API call to obtain the document’s URL.

Authenticate with the Webservice Key:

Include the Webservice Key (found in the Organisation Configuration) when accessing the document URL.

Example URL from GetDocumentInfo:

https://effektif-connector-cpro.cumuluspro.net/ConnectorService.svc/json/AsyncStorage/e27d78eb-b0c1-49f2-91bf-dff0f92d5c55.pdf

Example URL with Webservice Key to Access Externally:

https://effektif-connector-cpro.cumuluspro.net/ConnectorService.svc/json/AsyncStorage/09551add-e6ed-47f7-87ec-d388ff94f7f5.pdf?w=4ac45ee9-3581-400e-b6a8-7578dd1e3c0d

Access to Documents (User Session ID)

Using a User Session ID is recommended when displaying a document in a browser window.

Important Notes:

The Session ID is regenerated each time a user logs in.
Session IDs have a limited lifespan and expire after a period of inactivity.
If a user saves the document link, it will no longer be accessible once the Session ID expires.

This approach ensures secure, session-based access while preventing unauthorized use of expired links.

Example of URL with Session ID added:

https://effektif-connector-cpro.cumuluspro.net/ConnectorService.svc/json/AsyncStorage/09551add-e6ed-47f7-87ec-d388ff94f7f5.pdf?s=4ac45ee9-3581-400e-b6a8-7578dd1e3c0d

Access to Documents (Time-Based)

Some APIs or integrations may not support additional parameters and require direct access to the document URL. In such cases, access can be granted using a time-based restriction.

Configuring Time-Based Access

The time-based access restriction can be configured in the UI.
By default, this restriction is set to "Never", meaning unrestricted access is not enabled.
The access time is calculated from the moment the document is created in the workflow.

This method ensures controlled access while accommodating APIs that cannot handle additional authentication parameters.

The options Custom allows the definition of the number of Minutes until the access is expired.

Access to Documents (Limit on Number of Times)

Some APIs or integrations may not support additional parameters and require direct access to the document URL. In such cases, access can be restricted based on the number of times a document can be accessed.

How It Works

A document can be configured to be accessed a limited number of times.
For example, if access is granted only once, the document becomes unavailable after it has been accessed a single time.

Availability

This option is only configurable via Script and is not available in the UI.

This method provides an additional layer of control over document access, ensuring security while integrating with external systems.

Setting Access via Script

Document access restrictions for "Time-Based Access" and "Limit on Number of Times" can be configured via script.

Use Case Example

If a backend system needs access to store a document, the script can grant one-time access in a workflow step just before the export.
This ensures that the document URL is only exposed for a limited time or number of accesses, enhancing security.

Using this approach helps control document accessibility while integrating with external systems.

Last updated 1 month ago

hashtagSecurity & Encryption

hashtagAccessing Documents

hashtagAccess to Documents (Webservice Key)

hashtagSteps to Access a Document via Webservice Key

hashtagAccess to Documents (User Session ID)

hashtagAccess to Documents (Time-Based)

hashtagConfiguring Time-Based Access

hashtagAccess to Documents (Limit on Number of Times)

hashtagHow It Works

hashtagAvailability

hashtagSetting Access via Script

hashtagUse Case Example