Document Level Security: HP Records Manager / TRIM collections

Background information

Document level Security can be applied to TRIMPush collections. These are collections that are gathered from the TRIM records management system. Applying Document Level Security to TRIM collections will ensure that searchers will only be able to see those results from the TRIM collection that would be able to see if they were to connect to the TRIM system using the standard client software. TRIM uses a configurable mapping from the current Windows user to a TRIM Location that will (in concert with the TRIM records themselves) contain the security information regarding which records particular users can see. TRIM integration will only function on Windows.

Setting up

To set up a TRIM collection with document level security, the following steps must be taken:

• Ensure that the TRIM SDK and client software is installed. (This should have been performed already when configuring the collection).
• Ensure that the web server has a TRIM working directory.

Note that because the search results will be served from the target Push collection (and not the TRIMPush collection that was used for gathering), some TRIM settings must be replicated on the Push collection such as ui.modern.serve.trim_link_prefix, trim.database, etc.

For the same reason all the configuration described below must be applied to the Push collection, not the TRIMPush one.

Configuring security

• Set ui.modern.authentication to true
• Set the security.earlybinding.user-to-key-mapper option to Trim2, to tell Funnelback to query the TRIM server to fetch user credentials at query time.
• Set the security.earlybinding.locks-keys-matcher.name to secTrim2. This will tell the query processor to use a specific plugin to match user keys with TRIM record lock strings, enforcing the TRIM security model (Security levels, Caveats, Locations, Classifications, Record types).
• Set security.earlybinding.user-to-key-mapper.cache-seconds if needed.
• Ensure that the following security lockstring metadata is configured in your collection's metadata mappings. Note that if this was not setup when the gathering took place you need to vacuum the Push collection in order to re-index all the documents with the new mappings. See the Push collections section for more details.
  • Class name: S
  • Class type: document permissions
  • Source name: trim.lockstring

See also

• HP Records Manager / TRIM collections

• Document Level Security
• Windows authentication and trust delegation
• ui.modern.authentication