SEC-17a-4 (17 CFR § 240.17a-4 - Records to be preserved by certain exchange members, brokers and dealers.) is a US regulation on records preservation.
The main areas are related to secured storage, retention management, change and deletion prevention, legal hold, and audit trail.
To store record documents, we will use an Amazon S3 bucket with the following parameters:
- Versioning turned on
- Compliance mode turned on
- No default retention in the bucket (or default retention as 0)
- As a granted user, I want to be able to lengthen the expiration date of a document under a retention policy
- As a broker dealer, I want no one, not even an administrator, to be able to shorten the retention period
- As a broker dealer, I want the event "Retention period updated" to be logged in the audit/history including the new expiration date when the retention is updated
The goal is to improve retention management by allowing the retention period only to be lengthened (never shortened), including at storage level.
- Override the retention period at storage media level by updating the expiration date (retain until date) on Amazon S3
- Use the setObjectRetention method (cf. https://docs.aws.amazon.com/AmazonS3/latest/API/Type_API_ObjectLockRetention.html)
- Provide a UI action to lengthen the retention period
- Override retention period to a record:
- History display:
- The expiration date is updated at Amazon S3 level once a user overrides it at Nuxeo level,
- The expiration date defined on S3 is exactly the same as the one on Nuxeo Server,
- I can override the retention policy on a document only if I have the Set retention permission,
- As a user, I can NOT shorten the retention period,
- As an administrator, I can NOT shorten the retention period,
- As a developer, I can NOT shorten the retention period by using Nuxeo API,
- As a developer, I can lengthen the retention period by using Nuxeo API,
- The event "Retention period updated" is displayed, including the new expiration date in the comment, on the history of the document / Audit when I override the retention period
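
The acceptance criteria above can be sketched as a single lengthen-only update routine. This is an added example, not Nuxeo's code: `FakeS3` is a constructed in-memory stand-in exposing the boto3-style `get_object_retention` / `put_object_retention` calls, and the `SetRetention` permission name, the `grants` map and the `audit` list are hypothetical. It assumes the record is already under retention.

```python
class RetentionError(Exception):
    """A retention change was refused."""


class FakeS3:
    """Constructed in-memory stand-in for an Object Lock bucket in compliance
    mode; it exposes the two boto3 S3 client calls used below."""

    def __init__(self):
        self.until = {}  # (bucket, key, version_id) -> retain-until date

    def get_object_retention(self, Bucket, Key, VersionId):
        date = self.until[(Bucket, Key, VersionId)]
        return {"Retention": {"Mode": "COMPLIANCE", "RetainUntilDate": date}}

    def put_object_retention(self, Bucket, Key, VersionId, Retention):
        ref = (Bucket, Key, VersionId)
        if ref in self.until and Retention["RetainUntilDate"] < self.until[ref]:
            raise PermissionError("AccessDenied")  # storage-level refusal
        self.until[ref] = Retention["RetainUntilDate"]


def lengthen_retention(s3, ref, new_until, user, grants, audit):
    """Extend the retain-until date of one object version, never shorten it.

    ref is (bucket, key, version_id). grants (user -> permission names) and
    audit (a list) are hypothetical stand-ins for the ACL check and history.
    """
    bucket, key, version_id = ref
    if "SetRetention" not in grants.get(user, ()):  # hypothetical name
        raise RetentionError(f"{user} lacks the Set retention permission")
    if new_until.tzinfo is None:
        raise RetentionError("the new expiration date must be timezone-aware")
    where = {"Bucket": bucket, "Key": key, "VersionId": version_id}
    current = s3.get_object_retention(**where)["Retention"]["RetainUntilDate"]
    if new_until <= current:  # same rule for every caller, administrators too
        raise RetentionError(
            f"{new_until:%Y-%m-%d} does not extend {current:%Y-%m-%d}")
    s3.put_object_retention(
        **where, Retention={"Mode": "COMPLIANCE", "RetainUntilDate": new_until})
    # Read back so the date recorded in the application is the one S3 holds.
    stored = s3.get_object_retention(**where)["Retention"]["RetainUntilDate"]
    if stored != new_until:
        raise RetentionError("S3 retain-until date differs from the requested one")
    audit.append({"event": "Retention period updated", "user": user,
                  "comment": f"New expiration date: {new_until.isoformat()}"})
    return stored
```

The application-level check gives a clear error before the call; the compliance-mode lock on the bucket remains the control that holds even if the application check is bypassed.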