Thursday, February 22, 2007

Are you in control of your Stellent Systems?

A few days ago I've got a call from my old time client. He was reading SANS' Top-20 Internet Security Attack Targets and was wondering if his Stellent installation might be vulnerable. He had all the latest patches at that time but something kept him thinking of his Stellent installation after hours.

We did an audit on his instance and found that even though the system was completely up to date with security patches, most of his contributors were in fact super admins! They couldn't find a better way to let contributors access the site continent they needed to access - there were simply too many security groups and accounts to deal with!

In my years as Stellent architect I've seen many capable sysadmins badly misconfiguring their security system. Is there anything wrong with Stellent security? Ten years of its succeess in multiple industries tells us otherwise. Stellent is simply very different when it comes to security. Here is why.

In my other post I've explained the limitations of a hierarchical folder structure which grows unwieldy over time making it difficult to find documents. Stellent overcomes this by providing a single metadata-driven content repository. This strategy is very effective for managing content but it takes away conventional files and folders where all of us are so used to set permissions! So where do we set permissions now? Just the content items themselves. There is no permission inheritance. Once the content checked in - its group and account values are set. Unlike Windows where you can specify who can do what with a file, in Stellent you specify what content group it belongs to and then you specify who can do what with your content groups.

Another major confusion point is the actual naming convention. What Stellent calls "Group" and "Account" is not always what the rest of the world calls them. Unfortunately, there is only a few simple words in English that can describe a group of content so Stellent calls it "Group". Windows users are trained that a "Group" is a group of users and "Account" is a user security record... Once again, a "Group" in Stellent is a Group of Content or "Content Group". An "Account" is another grouping of content or "Content Account". Try these names in your next security discussion and see confusion subside!

What if your system is already implemented? Is it too late to change content security? Do you have to manually update content group and account of every content item? Fortunately, in most the answer to those questions is no. Existing systems can have their security updated in just a few days. If your system is vulnerable - it can be fixed.