Alfresco Governance Services - What to Consider when Implementing AGS
By Steve Stott – Principal Architect, Content Management Solutions
In my recent ClearPerspectives blog on the basics of Alfresco Governance Services (AGS), I gave an overview of the solution. Today, I’ll go further and describe what should be considered when planning an AGS implementation. ClearCadence recognizes that a successful implementation requires a broad understanding of the concepts of Governance and Records Management, the overall architectural approach taken with AGS, and the nitty-gritty technical implementation described in system documentation. The aim of this blog is to help Architects and Implementers join these dots and see the whole picture.
Effectively, the only technical prerequisite for implementing AGS is to have a functioning installation of Alfresco Content Services (ACS). AGS is a module that is deployed into ACS to extend it. This is achieved in the same way as deployment of any other ACS module.
There are additional modules and add-ins to further enhance ACS and AGS. These are mentioned later in this article and are optional.
Record Keeping Basics and AGS
Going into the detail of the various, different approaches to effective record keeping here would make this the length of your standard textbook. So, we’ll focus on the main and common concepts and describe how they relate to AGS functionality.
You may consider that simply using an ECM system to store content in logical folders is good enough. This is actually a pretty good first step; however, as you’ll see, there’s more to Records Management and Governance than simply filing things away.
File Plan - Indexing and Categorization
The term “File Plan” is recognized by Record Managers but may be new to you. It simply means the structure and rules for your records filings. Setting up a “File Plan” involves defining how records will be stored. Liken it to a physical file storage system where you specify which file cabinet, drawer and folder particular records get filed to so they can be more easily located.
In AGS, you set up Records Management (RM) sites that can either be a Standard RM site, which is usually appropriate for most organizations, or a DoD 5015.2 RM site, which has additional controls and constraints related to the well-defined DoD 5015.2 standards. The next step in AGS is to define Categories that would be the equivalent to the top level of your organizational structure – maybe department, function, line of business, division, etc. – and then divide those up into smaller sub-sections, further Categories of Folders, to enable a set of records to have its own retention and review schedules.
A note about content outside of ACS
When considering your organization’s File Plan, you don’t need to limit yourself to the content stored in ACS. AGS has the capability to manage physical records too. When declaring a record, just tell AGS that it’s “non-electronic” and provide information on where the paper, microfiche etc. is stored.
But wait, there’s more… Alfresco’s Federation Services extend ACS, and AGS, to allow control of content held in a range of content management solutions, file systems, and storage solutions. So yes, you can bring your in-place SharePoint, Box, IBM FileNet etc. content into your central governance solution. More on this later.
So, you now know where your records are stored and how they’re organized, but are they safe? Who has the keys to the cabinets? Can they be tampered with or destroyed either deliberately or by accident?
AGS takes security very seriously. Think of it as a doorman at that exclusive club, airport security, and the operatives at a Vegas casino: if you’re not on the list you can’t come in, if you’re up to no good you’ll be spotted, and if you think you’re walking out with that pile of cash, think again. That may be a pretty dramatic description, but it would be fair to say that AGS has the capabilities to implement the level of security appropriate to whatever records you’re keeping. Your task is to define that permissions and access structure.
AGS has a set of built-in security classifications and allows for an unlimited number of custom security groups to be configured, containing an unlimited number of security marks, to fit an organization’s needs.
Take the example below. Records under this security classification would be marked as Secret, which would be applicable to a particular user role or accessible to a business function. These classifications and security marks can be combined so that a user must not only be part of a specific department but also hold a specific role AND have clearance to see Secret records.
The best advice I can give is to keep it simple. Start from the position of need-to-know. It’s usually easier to grant access than to revoke it, especially if your permissions model is based on groups or roles.
Knowing which of your records to keep, and for how long, is essential to ensuring legal and regulatory compliance. This decision may also be based on organizational best practices or usefulness of information over time.
While the most basic retention policy might be “keep forever”, it’s more likely you’ll have a range of policies such as “keep for 6 months from date of submission” and “keep for 10 years from date of expiration.” A lot of organizations may have even more complex arrangements.
As always, the key is to keep retention policies as simple as possible. Where appropriate, follow established standards. In fact, you will almost certainly have statutory obligations to keep certain records.
Decide when the clock starts ticking for retention – this can often be overlooked. Is this from date created, when declared as a record, signature date, last review, when superseded, when expired or cancelled? Which is appropriate will vary. AGS can handle all these.
Some records may be one-and-done, needing no review in their lifetime. A good example is a job application. It is valid when submitted and wouldn’t need to be updated at any point. Other records require periodic review, such as company handbooks, safety protocols, service agreements, etc. These review periods and events can be configured in AGS. Take time to define these in advance. The action to be taken on review can also be configured – consider what a particular review would consist of, who would be notified and how, what happens to retention, disposition, etc.
What happens when a record reaches the end of its usefulness or you are no longer required to keep it? The term "Disposition" means, quite simply, how to dispose of a record. Imagine the potential headache of keeping every piece of information for all time. On top of the vast storage needed, consider locating the correct record when required. Searching for the needle in the right haystack in several fields full of haystacks is a problem to avoid. Disposition may mean destroying records; it may also mean archiving (which in turn may initiate a whole new record lifecycle for the archived content). In a DoD Records Management site, destruction means that the content in the storage system is not just deleted at the filesystem level, but its location is overwritten 7 times – a recognized standard for obliteration of digital data.
Retention and disposition are often considered to be opposites – you retain until you dispose. More correctly, and the way AGS defines things, retention determines how long you should keep a record. Disposition defines what should happen at the end of that retention period.
The concept of a “Hold” is very important in record keeping. A “Legal Hold” may be placed on records that could be needed during a legal process. Holds may also be placed on records involved in audits, requests for information or at any time when it’s vital to ensure that appropriate records don’t go through updates or disposition. In AGS, it’s very straightforward to apply a hold to an individual record, active content, a category or folder. Holds can be applied in-bulk to sets of search results – very useful when you need to place a hold on any and all related records spread across your File Plan. Removing a hold is similarly straightforward.
It’s also important to identify what are known as “Vital Records”. These may be things like Company Registration documents, disaster recovery procedures etc. Identifying them allows them to be handled appropriately and will drive decisions around retention, review, accessibility and disposition. Any record in AGS can be marked as vital.
Audit and Reporting
This is another area that may well be defined by statutory or compliance requirements. If so, then that makes some of the decision making a little more straightforward.
While I would always advise that auditing and operational reporting be largely defined prior to implementation of any system (as it often influences the design), in the case of AGS you can be reassured that, since this is a Governance application with Records Management at its heart, the audit capabilities are comprehensive and should require little in the way of additional configuration or extension.
At any point a complete or targeted audit of the organization’s records can be run. All activity on a record results in the detailed collection of data on content updates, metadata changes, reads, downloads, system actions, and more. In fact, the system can be configured to save any actions as a report, and this report can itself be declared as a record and managed accordingly. The capability is there for you to be confident that if it happened, it can be recorded and reported on.
Automation and Process
If you have a department that already uploads content to ACS, tags it with metadata, and handles its reviews and retention, then AGS will definitely make that department’s work more efficient and accurate. New and existing content can be easily declared as a record to then take advantage of all the features AGS has to offer. Further, with the automation that’s available both out of the box in ACS and as provided by AGS, there is no part of the record lifecycle that can’t be automated. When you mix in Alfresco Process Services (APS) – the business process automation solution – the scope is there to automate entire business functions from start to finish. Very powerful stuff.
Where well-defined, semi-manual business processes and records management lifecycles are already established, your implementation plans should take advantage of that groundwork. With those lifecycles and processes in place, it should be relatively easy to identify where automation would have the biggest impact and include that in your planning.
Integration and Extension
We have talked a lot about planning your file, security, and retention plans, but we can enhance those even more by utilizing the tools provided by the Alfresco Digital Business Platform (ADBP). “Start simple”, I said, and I stand by that, but in your planning don’t ignore the Digital Business automation capabilities available to you. Here are a few options to consider when looking into initial implementations or as part of a digital transformation roadmap:
Get visibility and control over your content stored outside of ACS. Connectors exist for many popular content and data management systems such as SharePoint, Salesforce, Google Drive, IBM FileNet and more. Manage all your records in-place.
A feature of ACS that allows users’ local content to be automatically managed in the repository – which means it can then fall under the Governance of AGS.
Leveraging Amazon’s AI capabilities adds another level to Governance. Consider, for example, bulk operations at scale to identify records containing Personally Identifiable Information (PII) or tag records with metadata based on complex analysis of content.
Alfresco's Application Development Framework
Continually updated, this toolset allows for the development of rich custom applications leveraging the power of ACS, AGS and APS, such as ClearCadence's ClearView for the Alfresco Digital Business Platform.
Alfresco SDK 5
Newly announced, this software development kit lays the groundwork for even more extension to the ADBP.
Whether your organization already has well-defined, efficient processes or you’re setting these up from scratch, AGS provides the capabilities and functionality you need to move to digital Governance. The key to successfully setting up a Governance and Records Management application is to start with a well-defined Records Keeping process. If you currently identify all, or most, of the above, that will greatly streamline the implementation of a system like AGS.
Of course, there’s far more depth to AGS functionality than can be covered in one short article. My intention here has been to reassure you and demystify the basic concepts related to an implementation. AGS conforms to standard Governance and Records Management practices. It uses common terminology and recognized events. Above all, it’s logical and intuitive in its design.
Steve Stott is a Principal Architect at ClearCadence, with a primary focus on designing and delivering effective content-based solutions for Fortune 1000 clients.
ClearCadence has a long track record of assisting customers with analyzing, planning, designing, and implementing solutions.