Attributes
Attribute: Value

Identifying Attributes
Name: accessRights
Label: Access Rights
Defined by: Government of Canada Records Management Metadata Standard - accessRights
Element URI: [To be actioned by Treasury Board of Canada, Secretariat before publication]

Definitional Attributes
Definition: Permissions assigned to a record or file that govern or restrict access to or actions taken on a record or file.
Purpose:
To facilitate or restrict access to records or files based on operational requirements and/or a need to know basis.
To facilitate the management of access to records or files: includes alerting individuals to restrictions on access.
To facilitate compliance with legal, security and other requirements.
Rationale
"The integrity of a record refers to its being complete and unaltered. It is necessary that a record be protected against unauthorized alteration." ISO International Standard 15489-1, s. 7.2.4
"The regulatory environment, in which the organization operates, establishes broad principles on access rights, conditions or restrictions that should be incorporated into the operation of records systems…Records may contain personal, commercial or operationally sensitive information. In some cases, access to the records, or information about them, should not be permitted….Ensuring appropriate access controls are done by assigning access status to both records and individuals." ISO International Standard 15489-1, s. 9.7
"Managing the access process involves ensuring that:
a) records are categorized according to their access status at a particular time,
b) records are only released to those who are authorized to see them,
c) encrypted records can be read as and when required and authorized,
d) records processes and transactions are only undertaken by those authorized to perform them, and
e) parts of the organization with responsibility for particular business functions specify access permissions to records relating to their area of responsibility." ISO International Standard 15489-1, s. 9.7
"Control measures such as access monitoring, user verification, authorized destruction and security should be implemented to prevent unauthorized access, destruction, alteration or removal of records." ISO International Standard 15489-1, s. 8.2.3
"Key elements of security metadata, such as basic access rights or restrictions, should be identified and applied at the point of record creation and capture in order to facilitate a record's ongoing preservation and management." ISO Technical Specification 23081-1, s. 9.2.4.1
"Access to records should only be restricted when there is a business need or when the law requires it. Security metadata should be monitored and updated to ensure the ongoing applicability of all identified restrictions…Security metadata need to be maintained and kept current throughout a record's existence." ISO Technical Specification 23081-1, s. 9.2.4.2
Value Domain: Enumerated strings of text representing permissions.
Datatype Name: String
Constraint: Applicable at record level and file level.
Obligation: Mandatory at record level; mandatory at file level.

Relational Attributes
Encoding Scheme: Institution-specific scheme
References: -
Linkages: Agent Individual Identifier; Agent Individual Name; Event Type; Security Clearance; Sensitivity; Supplemental Markings

Conditions of Application - Record
Format: Text, based on encoding scheme.
Modifiable:
Pre Record Declared Locked: Yes, by Creator/Trustee.
Post Record Declared Locked: Yes, by authorized official only.
Occurrence: Not repeatable

Conditions of Application - File
Format: Text, based on encoding scheme.
Modifiable: Yes, by authorized official only.
Occurrence: Not repeatable

Comments and Guidance
a) Explanation of Definition/Usage
This element controls, at both the record level and file level, the access privileges granted to a record or file. Each institution requires business rules to determine who can apply these rights. At the record level, it is often the Creator or Trustee.
This element should not be used as a security control element, since access privileges to a record or file are given to individuals without concern for that person's security clearance level. The EDRMS will manage security control by matching the individual's security clearance level with the record's sensitivity level.
b) Best Practices
Recommended best practice is to select a value from an institution-specific scheme.
The value of this element may be modified after the record is locked in order to grant access rights to new individuals; the same applies to access rights to a file. In both cases, only an authorized official may modify the values.
c) Obligation
This element is mandatory in order to properly secure the record or file against unauthorized access.
d) Default Values/Auto-populate
This element will be defaulted to the lowest level of restriction. The Creator or Trustee will have the right to apply restrictions as required.
e) Linkages
This element is linked to the elements Agent Individual Identifier and Agent Individual Name in order to ensure proper authorization to perform an action on a record or file. It is also linked to the element Security Clearance, which oversees the security of all individuals; the element Sensitivity, which establishes the security of the record or file; and the element Supplemental Markings, which specifies special handling instructions for the record or file. It is the relationship among these elements that controls the overall level of access to a record or file and establishes who may perform an action on a record or file.
Access Rights is also linked to the element Event Type in cases where a change to the access permissions of the record or file must be noted in the management and event history log.
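The sketch below is an added illustration, not part of the standard or of any EDRMS product: it models how an accessRights grant combines with the Security Clearance and Sensitivity check, and how the pre-lock and post-lock modification rules and the Event Type log entry described above could be enforced for a record. The class and function names, the numeric clearance ranks, the permission strings and the "Access rights modified" event value are all assumptions, since the standard leaves the encoding scheme to each institution.

```python
from dataclasses import dataclass, field

@dataclass
class Agent:
    identifier: str                 # Agent Individual Identifier
    clearance: int                  # Security Clearance (hypothetical numeric rank)
    authorized_official: bool = False

@dataclass
class Record:
    creator_or_trustee: str         # identifier of the Creator/Trustee
    sensitivity: int                # Sensitivity (same hypothetical ranking)
    locked: bool = False            # True once the record is declared locked
    access_rights: dict = field(default_factory=dict)  # agent id -> set of permissions
    event_log: list = field(default_factory=list)      # management and event history

def may_perform(agent: Agent, record: Record, action: str) -> bool:
    """An action needs both an accessRights grant and sufficient clearance."""
    granted = action in record.access_rights.get(agent.identifier, set())
    cleared = agent.clearance >= record.sensitivity
    return granted and cleared

def set_access_rights(actor: Agent, record: Record, target_id: str, permissions: set) -> bool:
    """Pre-lock the Creator/Trustee may modify; post-lock only an authorized official."""
    if record.locked:
        allowed = actor.authorized_official
    else:
        allowed = actor.identifier == record.creator_or_trustee
    if not allowed:
        return False
    record.access_rights[target_id] = set(permissions)
    # "Access rights modified" is a constructed Event Type value.
    record.event_log.append({"eventType": "Access rights modified",
                             "agent": actor.identifier, "target": target_id,
                             "permissions": sorted(permissions)})
    return True

if __name__ == "__main__":
    # Constructed sample data.
    alice = Agent("alice", clearance=2)
    bob = Agent("bob", clearance=1)
    rec = Record(creator_or_trustee="alice", sensitivity=2)
    set_access_rights(alice, rec, "bob", {"read"})
    print(may_perform(bob, rec, "read"))   # grant exists, but clearance is below sensitivity
```

The separate `granted` and `cleared` checks reflect the guidance that accessRights alone is not a security control: a grant never overrides the clearance-to-sensitivity match.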
f) Examples