External users in IBM Connections are easy to spot
One of the main reasons for using tools like IBM Connections is that you can share information with a lot of people at the same time, without having to use email. This means that the information is open for everybody who has access to it. This instead of being hidden in someone’s inbox, upon which you have to ask them to forward you a message, a file, a task and so on via an email.
This works very well internally in your organization. It does not help you minimizing email contact with your customers, business partners, suppliers and other people outside your organization. In turn, this often forces you to use email instead of Connections also inside your organization since projects with external partners mostly also involves several internal people.
In IBM Connections 5.0 you can get around this by inviting external users into communities on your IBM Connections server. If you do this, you can share information also with external people, without having to resort to email. Garbriella Davis from The Turtle Partnership gave a very good presentation of this during the ISBG meeting in Larvik.
The first thing on any administrator’s mind is security. What is it that an external user can and cannot do? An external user cannot:
- See public content
- Create communities
- Follow people or add them to their network
- Search for users
- See anything under Recommended
- See the menu selection Profiles
- See @-mentions
- See already existing tags (but can add new ones)
An external user can:
- Only access the community he is invited to
- Use, edit and share files in the community
- Post and reply in forums inside the community
- Comment and like content inside the community
- Only share files directly with the community, or with users inside the community if he knows the exact email address
Only selected people can create external users and communities for such users. It’s not open for anyone to do this. There are also other issues that must be addressed:
- How should external users be registered
- Who should be given the rights to do this
- What sort of password policy should you enforce
- Where should the users be registered
- It’s recommended that you use a separate LDAP-server or a separate branch
- You should turn off Anonymous user access on all IBM Connections applications
- Make sure reader is not set to Everyone on any IBM Connections applications
- Turn off public caching in LotusConnections-config.xml (you should do this anyway!)
You can also set up self registration. This means that you can create a community for external users and then send out invitations to join it. When the external user clicks on the link in the invitation, he’s asked to register. Domino is very good for self registration and there are Xpages based solutions for this.
Other security information:
- All communities with external users are clearly marked with a huge yellow sign
- If you share a file with a community with external users via the web version of Connections, you are given a warning
- If you share a file with a community with external users via one of the plugins you are not given a warning. This means that one should have well established routines around this
- A community with external users can be converted into an internal community where no external users have access.
- You cannot take an existing internal community and convert it to an external community, not even if the community is a former external community that was converted to an internal one
Sharing information with external people does have its pitfalls, but I think these pitfalls are far outweighed by all the benefits.
