Research on Yueku Enterprise Network Disk’s Document Management in Group Organizations

Large organizations (more than 1,000 people) are usually composed of multiple relatively independent subordinate organizational units, each with its own responsibilities and goals. This article discusses how document management can be implemented for such large organizations.

1. Organization

1.1 Organizational Definition
A large organization consists of four organizational levels: headquarters, subordinate units, departments, and personnel:

The headquarters is the top-level unit of a large organization, such as a group company or a university. There is only one headquarters in the Yueku system. The headquarters contains multiple levels of subordinate units, and the subordinate units in turn contain multiple departments, forming a tree-shaped organizational structure. The headquarters itself is also a special subordinate unit and follows the rules that apply to subordinate units.

Subordinate units are a logical type of organization, usually used to establish a relatively independent scope of personnel management with its own organizational structure and its own file-access security boundary; examples are group subsidiaries, university colleges and group hospital branches. A subordinate unit can contain multiple sub-units or departments, and can sit under the headquarters or under another subordinate unit, but not under a department.

A department is a branch within an organization. It can sit directly under the headquarters, under a subordinate unit, or under another department.

Personnel are individuals affiliated with an organization. A person can be directly affiliated with the headquarters, or affiliated with multiple departments or units at the same time.

[Figure: example of a simplified organizational tree structure]

1.2 Organizational relationships

Headquarters relations

The headquarters can have 0 or more subordinate units; each subordinate unit has exactly one headquarters.
The headquarters can have 0 or more departments; each department has exactly one headquarters.
The headquarters can have 0 or more personnel; each person must belong to exactly 1 headquarters.

Subordinate unit relations

A subordinate unit can have 0 or more sub-units; each sub-unit has exactly one parent unit.
A subordinate unit can have 0 or more departments; each department has exactly one parent unit.
A subordinate unit can have 0 or more personnel; a person can belong to 0 or more units.

Department relations

A department can have 0 or more sub-departments; each sub-department has exactly one parent department.
A department can have 0 or more personnel; a person can belong to 0 or more departments.

Personnel relations

Personnel can be directly subordinate to the headquarters, a subordinate unit, or a department.
A person must be affiliated with exactly one headquarters, but can be affiliated with multiple subordinate units or departments at the same time.
[Figure: ER diagram of the relationships between the organizational levels, with entities RootOrganization (headquarters), SubOrganization (subordinate unit), Department (department) and Personnel (personnel)]

2. Role

2.1 Role Definition
The scope of access control in an enterprise depends on the role an employee plays. A role contains the duties, responsibilities and qualifications defined by the enterprise. For example, the roles in the Yueku system include file administrator, personnel administrator, operation and maintenance administrator, and so on. Each role has a different access scope according to the responsibilities it carries.

For example, the unit personnel manager role is used to manage personnel within the unit and has personnel-related permissions such as creating, editing, and deleting personnel/departments.

Only personnel can hold roles in an organization, and a person can hold multiple roles at the same time.

2.2 Role Level
Roles are divided by privilege level into administrator roles, unit supervisor roles, department supervisor roles and ordinary roles. An administrator can only create new roles at a lower level than their own role, and when assigning roles to others, the assigned role's permissions must be smaller than those of the administrator's own role. This prevents malicious privilege escalation through role assignment.
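The level rule above, together with the segregation-of-duties point that only personnel-management roles administer roles, as an added illustration in Python (this is not Yueku's code; the role names and the numeric levels are constructed here for the example, and level 1 roles are assumed to be provisioned at system setup rather than assigned):

```python
from dataclasses import dataclass, field

# Role levels as the article defines them: 1 = administrator, 2 = unit supervisor,
# 3 = department supervisor, 4 = ordinary. A smaller number means more privilege.
# Role names are constructed for illustration, not Yueku's own identifiers.
ROLE_LEVELS = {
    "file_administrator": 1,
    "personnel_administrator": 1,
    "ops_administrator": 1,
    "unit_file_manager": 2,
    "unit_personnel_manager": 2,
    "department_file_manager": 3,
    "ordinary_employee": 4,
}

# Only personnel-management roles manage roles (segregation of duties):
# file and operations administrators never grant roles, whatever their level.
ROLE_MANAGERS = {"personnel_administrator", "unit_personnel_manager"}


@dataclass
class Person:
    name: str
    roles: set = field(default_factory=set)  # a person may hold several roles


def highest_level(person: Person) -> int:
    """Most privileged level the person holds (smallest number); 4 if no roles."""
    return min((ROLE_LEVELS[r] for r in person.roles), default=4)


def can_create_role(creator: Person, new_level: int) -> bool:
    """A new custom role must sit strictly below the creator's own level."""
    if not creator.roles & ROLE_MANAGERS:
        return False
    return 1 <= new_level <= 4 and new_level > highest_level(creator)


def can_assign(assigner: Person, role: str) -> bool:
    """The assigned role's level must be strictly lower than the assigner's.
    Level 1 roles therefore cannot be granted here (assumed set up at install)."""
    if role not in ROLE_LEVELS or not assigner.roles & ROLE_MANAGERS:
        return False
    return ROLE_LEVELS[role] > highest_level(assigner)


def assign_role(assigner: Person, target: Person, role: str) -> bool:
    """Grant `role` to `target` if the level rule allows it; report success."""
    if not can_assign(assigner, role):
        return False
    target.roles.add(role)
    return True
```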

The default roles created by the system are listed below; levels 1 to 3 are management roles and level 4 is the ordinary role:

Level 1 Administrator Role

The file administrator can manage all files in the system and view all units, departments and personnel in the system.

The personnel administrator can manage all subordinate units in the system, together with their departments and personnel, and can manage unit roles and public roles. It holds the highest authority for personnel management, but only personnel authority: it has no permission to manage files.

Operation and maintenance administrators are responsible for operating and maintaining the system and have no personnel and file management rights.

Level 2 Unit Supervisor Role

The unit file manager can manage all files in the unit and view all departments and personnel in the current unit.

The unit personnel manager, located in a subordinate unit, can view and manage all departments and personnel in the current unit and manage the current unit's roles, but has no permission to manage files.

Level 3 Department Supervisor Role

The department file manager can manage all files in the department and view all departments and personnel in the current unit.

Level 4 Ordinary Role

Ordinary employees can operate on files within the scope of their authorization. By default, they can only access organizations within their own unit; after authorization, they can access other units and organizations.

2.3 Segregation of Duties
Segregation of duties is a strategy that ensures no single person holds all the permissions needed to complete a malicious act. The most common example is initiating a payment and authorizing a payment in financial work: no one person should hold both permissions at the same time. In file management, take an FTP server as an example. The responsibility of the operation and maintenance staff is system operation and maintenance, yet they can step outside that responsibility and directly view all corporate files on the FTP server, which should be the responsibility of file management. Unclear responsibilities for operation and maintenance staff increase the risk of corporate document leakage.

Management roles are divided by responsibility into functional management and document (business) management. Personnel management and operation and maintenance management belong to functional management: the personnel management role is only responsible for managing organizations and personnel, and the operation and maintenance management role is only responsible for system operation and maintenance work. Functional management roles take no part in managing file access rights. The document management role is responsible only for document (business) management within the organization and takes no part in the organization's functional management.
3. Permissions
3.1 Unit isolation
A subordinate unit is a relatively independent organization with a unit-wide security boundary. Units are isolated from each other in operations such as organizational access, file access and role configuration, and have no access to each other by default.

For example, in a group hospital, if Shibei Branch and Laoshan Branch are defined as subordinate units, by default, personnel from Shibei Branch will not be able to access the files of Laoshan Branch, and they will not be able to see the organizational structure of Laoshan Branch. Custom roles created and set in Shibei Branch are not visible in Laoshan Branch.
3.2 Unit collaboration
Establishing collaborative relationships between isolated units is a common application scenario in enterprises.

A single person can be granted access to another unit's organization or files through configuration and authorization. For example, adding Xiao Ming, a user from the Shibei Branch, to the West Coast Branch achieves cross-unit access: Xiao Ming can then access the West Coast Branch's organizational structure and the files authorized to him there.

An independent unit can also configure visible units to achieve organizational interoperability between two units. Once the organizations are interconnected, each can access the other's files on the basis of authorization.
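The isolation and collaboration rules of sections 3.1 and 3.2, as an added Python illustration (not Yueku's code): units are closed by default, a person may be a member of several units, a visible-unit setting opens organizational access, and file access still requires a per-file grant. The direction of the visible-unit setting (viewer side) and the branch and file names are assumptions for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Unit:
    name: str
    members: set = field(default_factory=set)        # personnel affiliated here
    visible_units: set = field(default_factory=set)  # units this unit may see into


@dataclass
class File:
    path: str
    owner_unit: str
    authorized: set = field(default_factory=set)     # people granted access


class Disk:
    """Units are isolated by default; access is opened only by membership,
    visible-unit settings and per-file authorization (constructed model)."""

    def __init__(self, *unit_names: str):
        self.units = {n: Unit(n) for n in unit_names}

    def units_of(self, person: str) -> set:
        return {n for n, u in self.units.items() if person in u.members}

    def add_member(self, person: str, unit: str) -> None:
        # Cross-unit access for one person: affiliate them with a second unit.
        self.units[unit].members.add(person)

    def make_visible(self, viewer_unit: str, target_unit: str) -> None:
        # Unit-level collaboration: viewer_unit may see target_unit's organization.
        self.units[viewer_unit].visible_units.add(target_unit)

    def can_see_org(self, person: str, unit: str) -> bool:
        """Organizational structure is visible to members, or via a visible-unit link."""
        if unit not in self.units:
            return False
        if person in self.units[unit].members:
            return True
        return any(unit in self.units[u].visible_units for u in self.units_of(person))

    def can_access_file(self, person: str, f: File) -> bool:
        """A file grant only takes effect once the unit boundary is open."""
        return self.can_see_org(person, f.owner_unit) and person in f.authorized
```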

Appendix
Common large organizational forms (each shown as a diagram in the original post):

University
Group Company
Group Hospital

Origin blog.csdn.net/Yuku226/article/details/132212307