Administration

Device Management

After a user has set up the STP.Documents.OnPremise Mobile DESK on their phone, the law firm administrator must explicitly allow this device. As long as a device has not been explicitly allowed, its access to STP.Documents.OnPremise will be blocked early by the agent. An allowed device can, of course, be deactivated or permanently removed at any time. This ensures that the law firm always has full control over which devices and users have access via the cloud. Device management can be performed by the administrator in the agent or directly in the app. In the app, the administrator can also set up email notifications for new device registrations.

Users can see their own registered devices in the app settings and can remove them themselves. They can also see which device and secret key are being used and how the current secret key is stored. If the current secret key is stored in the STP.SecretService, it can be deactivated or removed via the link to the STP.SecretService. If the current secret key is stored in the browser, it can also be removed here. If the secret key is stored in the password manager, it cannot be managed here. This is only possible in the device’s password manager.

Audit Trail

The law firm administrator can use a special interface in the agent to track, in emergencies, which documents were transferred via the cloud to which device and user, at what time, and from which IP. The audit trail is hidden by default and can be viewed if needed. The audit trail is stored in the agent’s database. Access logs are kept for 6 months.

{
    ...
    "AuditTrail": true,
    ...
}

Permissions

Users of the STP.Documents.OnPremise Mobile DESK can be assigned roles via user groups in the Cloud UserManagement, allowing law firm administrators to control which functions are available to which users. Since groups are managed per tenant, they must first be created if they do not already exist. Each group is also based on a corresponding role, which can simply be added to the new group. The most important groups are described below:

Documents.Agents

Members of this group are authorized to connect as agents to the cloud, receive requests from the apps, and send their responses back to the cloud. This group is intended exclusively for the technical user of the on-premise agent.

Documents.Administrators

Members of this group can administer the DMS Mobile DESK. They can access device management, activate new devices, and deactivate or remove old devices. They can also access the audit trail.

Documents.Users

Members of this group can use the DMS Mobile DESK to access documents from the on-premise system via the cloud. This includes search, favorites, and files. Whether a user is authorized to actually see a file or document is controlled by the object rights within STP.Documents.OnPremise. Therefore, a user must not only be assigned to this cloud group but also linked to an on-premise user. This link is established by assigning the user to the CloudAccess group in the on-premise UserManagement.

Documents.Downloaders

Members of this group can not only view documents in the app but also export them from the app. This means downloading to the phone or sharing/forwarding as original, PDF, and PDF/A. Whether documents may be exported from the app is usually specified in the law firm’s internal data protection policies.

Documents.Uploaders

Members of this group can upload new documents to STP.Documents.OnPremise via the app. They can also upload new versions to existing documents. This is necessary, for example, for editing.

Documents.Deleters

Members of this group can mark documents for deletion via the API in STP.Documents.OnPremise or remove this marking.

Documents.Offliners

Members of this group can save documents for offline mode on the phone.

Documents.Task

Members of this group can view, complete, and create tasks.

Documents.Task.Viewers

Members of this group can view tasks.

Documents.Task.Completors

Members of this group can complete tasks.

Documents.Task.Creators

Members of this group can assign tasks to all DMS users. This function should be reserved for law firm staff.

Documents.KMSAccessors

Members of this group can view KMS information for the selected file. This also requires installation of the ‘STP.Kms.Cloud On-premise-Agent’. KMS information is not transmitted via the end-to-end encrypted tunnel of the STP.Documents On-premise-Agent.

Documents.WZAccessors

Members of this group can view winsolvenz information for the selected file, regardless of whether they are authorized for the file in winsolvenz. The winsolvenz integration must be activated for this.

Documents.Coauthors

Members of this group can join active co-authoring sessions. Co-authoring uses OneDrive for Business in the law firm’s Microsoft 365 tenant, so the document is stored on Microsoft’s servers during editing. System requirements, privacy notice, and installation instructions can be found here.

Documents.Signers

Members of this group can digitally sign documents.

Documents2.NotificationCredentialsUsers

Members of this group can set up notifications.
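
Several group descriptions above state constraints that can be checked in a periodic membership review: Documents.Agents is only for the agent's technical user, Documents.Users needs an on-premise CloudAccess link, and Documents.Task.Creators should be reserved for law firm staff. The following Python code is an added example, not part of the STP product or its documentation; the input layout, the account names and the function review_memberships are assumptions made for illustration.

```python
# Added example: review cloud group membership against the constraints
# stated in the group descriptions. All account names and the input
# layout are constructed; this is not an STP export format or API.

AGENT_GROUP = "Documents.Agents"
USER_GROUP = "Documents.Users"
TASK_CREATOR_GROUP = "Documents.Task.Creators"
EXPORT_GROUP = "Documents.Downloaders"


def review_memberships(cloud_groups, onprem_cloud_access, agent_account, staff):
    """Return a sorted list of (account, group, finding) tuples.

    cloud_groups:        dict of cloud group name -> set of account names
    onprem_cloud_access: set of accounts in the on-premise CloudAccess group
    agent_account:       the technical user of the on-premise agent
    staff:               set of accounts that belong to law firm staff
    """
    findings = []
    # Documents.Agents is intended exclusively for the agent's technical user.
    for account in cloud_groups.get(AGENT_GROUP, set()) - {agent_account}:
        findings.append((account, AGENT_GROUP, "not the agent's technical user"))
    # Documents.Users only works with a link to an on-premise user (CloudAccess).
    for account in cloud_groups.get(USER_GROUP, set()) - onprem_cloud_access:
        findings.append((account, USER_GROUP, "no on-premise CloudAccess link"))
    # Task creation should be reserved for law firm staff.
    for account in cloud_groups.get(TASK_CREATOR_GROUP, set()) - staff:
        findings.append((account, TASK_CREATOR_GROUP, "not law firm staff"))
    # Export rights are a data protection policy decision: list for sign-off.
    for account in cloud_groups.get(EXPORT_GROUP, set()):
        findings.append((account, EXPORT_GROUP, "export allowed, confirm against policy"))
    return sorted(findings)


# Constructed sample data.
SAMPLE_GROUPS = {
    "Documents.Agents": {"svc-agent", "a.meier"},
    "Documents.Users": {"a.meier", "b.schulz", "client.ext"},
    "Documents.Task.Creators": {"b.schulz", "client.ext"},
    "Documents.Downloaders": {"b.schulz"},
}
SAMPLE_CLOUD_ACCESS = {"a.meier", "b.schulz"}
SAMPLE_STAFF = {"a.meier", "b.schulz"}

if __name__ == "__main__":
    for row in review_memberships(SAMPLE_GROUPS, SAMPLE_CLOUD_ACCESS, "svc-agent", SAMPLE_STAFF):
        print(" | ".join(row))
```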