[Feature Request]: Confidentiality
Describe the feature you'd like
Provide functionality for confidentiality. Confidentiality does not necessarily control access to a certain document, but it could.
It would be helpful so that confidentiality levels can be defined and associated with a color. This would be clearly indicated on the page then.
An addition could be to limit certain confidentiality to certain roles.
Describe the benefits this feature would bring to BookStack users
Achieve ISO 27001 compliancy.
Additional context
No response
Thanks for the request @MaartenUreel.
We already have the permission system, which is already complex in nature, in addition to tags. I'm not really sure what this would achieve, upon those features, to be worthwhile building a system which sounds like it would have overlapping functionality.
You have specified "Achieve ISO 27001 compliancy" as the benefit. I'm not sure whether this is being achieved from a platform point of view, or whether it's helping the companies of users achieve compliance. Either way, I think I'd need some details in regards to the exact standards/requirements that need to be met and whether that's valuable to existing users. I'd imagine not since I have not received much previous request for any specific features to achieve 27001 compliance.
Essentially what I'm looking for is what Office365 for instance offers: https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels?view=o365-worldwide
We are storing a lot of information on BookStack, but it's hard to indicate to a user what the sensitivity of a document is.
I wrote ISO27001 compliance as my argument, but that is based on my personal needs at this point; but having sensitivity labels is just a generic feature available in a lot of documentation or document management systems.
Most compliancy rules require quite a few things you already have in store, such as audit log & revisions.
Adding this would make BookStack even more suitable for these use cases.
Okay, thanks for explaining. I guess I still don't really understand what it would offer upon tags, while introducing a significant secondary feature to support.
There are a few missing functionalities to tags to make that work:
- the allowed values should be limited / configurable for that tag
- color coding (but we have the other discussion about that)
- tag policy that requires specifying a value for that tag, so that every document is tagged properly
The existing access control features are enough for ISO 27001 compliance, if your content is set up so they can apply on a gradual enough level. An explicit confidentiality level would certainly help to make it more visible and easier to understand by auditors, however.