Media Object and Security

gigi

VIP Member
Two questions:

1) In your opinion, which is the best way to store Media Object files if I want to manage a security policy on them?
2) How can I manage user access to Media Objects (read/write or read only)?

Thanks Gigi
 
There is a table where you can direct where to put/find media objects, I think by system. Then use NT security to secure the paths. PeopleSoft has accepted a position paper, through Quest, on creating a better way to secure Media Objects.
 
Gigi, in order to answer that question, we need to know how clients access the system (i.e., web server, Citrix, full client, etc.). The reason we need to know this information is because of how user permissions hit the media object repository from different types of clients.
 
Users access the system with Terminal Server 2003 and web. The architecture is not in a domain, it is in a group (so I have some problems setting permissions).
Gigi
 
Another Question:

Why, if I attach (via link) a Word or Excel file through the web interface, is the document attached with garbage characters and not as a Word or Excel document?
Thanks Gigi
 
Very interesting question. I had the same question when I was trying to create a view security group. This is what PeopleSoft Support says: "If user has access to the application that has media objects row exit then they can modify the media object (You can not apply row exit security to media objects). There is no way to directly apply security to media objects".
Here are 2 workarounds:
1. Identify applications where the user can access media objects and make sure that the user cannot access these applications.
2. Provide view level access at the database level and link the OneWorld user with the view user at the database level. In this way, the user cannot modify anything in the application (including media objects). I implemented the second solution.

Hope this helps.
 
Gigi, there is also a caveat when using a web client.

When media objects are accessed from a web client, the WebSphere service logon profile is actually used to access the media objects from the web servers. This means that the media objects can't be secured by the user or group profile in JDE if using a web browser. The permissions for web access need to be based on the WebSphere service logon profile since everyone using a web browser will be using the same permissions for accessing media objects. If I'm wrong on this... someone PLEASE let me know.

Sometimes this situation is not evident because the web servers cache media objects in a folder structure on the web server that emulates the true media object folder structure on the deployment server (or wherever you really store the media objects). Then at a later time the cached objects are finally flushed and changes are either applied if permissions are met or not applied if permissions are not met. This "flushing" in our case can take anywhere from 10 minutes to 30 minutes... but it is rarely an immediate thing.

In the end, we reached the conclusion that media objects could not be used to store confidential material. The closest we could come to any security was to make the media objects "read only" for JDE purposes and perform all "write" operations outside of JDE.

Hopefully, someone else will come up with better results for media object implementation in regards to web access.
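
An added example, not part of the original thread and not PeopleSoft/JDE code: a PowerShell audit that lists which identities hold write-type NTFS rights under a media object folder, to check the "read only for JDE" setup described above. The share path and service account name are placeholders (assumptions), since the thread names neither.

```powershell
# Added example: list identities that can change files under a media object folder.
# Both defaults are placeholders (assumptions); the thread names no path or account.
param(
    [string]$MediaRoot      = '\\DEPLOYSRV\MediaObjects',  # placeholder share
    [string]$ServiceAccount = 'WEBSRV\svc_websphere'       # placeholder web service logon
)

# Specific rights that allow altering or removing an attachment or its ACL.
$writeMask = [int][System.Security.AccessControl.FileSystemRights](
    'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, ' +
    'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')
# ACEs may also carry generic bits: GENERIC_ALL (0x10000000), GENERIC_WRITE (0x40000000).
$genericMask = 0x50000000

function Get-MediaObjectWriters {
    param([Parameter(Mandatory)][string]$Path)
    # Check the root folder and every subfolder beneath it.
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse)
    foreach ($folder in $folders) {
        foreach ($ace in (Get-Acl -LiteralPath $folder.FullName).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $raw = [int]$ace.FileSystemRights
            if (($raw -band $writeMask) -or ($raw -band $genericMask)) {
                [pscustomobject]@{
                    Folder    = $folder.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

$writers = @(Get-MediaObjectWriters -Path $MediaRoot)
$writers | Sort-Object Folder, Identity | Format-Table -AutoSize

# Group membership is not expanded: write access granted through a group such as
# Everyone or Users is reported under the group name, so review those rows as well.
$svc = @($writers | Where-Object { $_.Identity -eq $ServiceAccount })
if ($svc.Count -gt 0) {
    Write-Warning "$ServiceAccount can modify media objects in $($svc.Count) folder(s)."
} else {
    Write-Output "No direct write ACE for $ServiceAccount under $MediaRoot."
}
```

The script reads NTFS ACLs only; share-level permissions on the media object share are a separate layer and need their own check.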
 
We are facing the same problem at the moment. We are installing a JAS web server and planning to use it by the end of January.
But now we noticed the security "flaw" on Media Objects. Through Citrix connection, our HR department could set some nice security to prevent people from seeing confidential information, but after reading this post I'm starting to think that this will not be possible using a web server?

Or did someone find a workable solution for restricting access to confidential media objects through a web server?