Library and document security
Accessing documents in the document management system has several layers of security. The following table describes these levels.
|Library object||Security controlled by||Contains documents|
|Library||Basic access to FileHold||No|
|Library Archive||Basic access to FileHold and the existence of archived documents||No|
|Folder group||Cabinet membership and folder assignment||No|
|Folder||Folder membership or inherited cabinet membership||Yes|
|Document||Containing folder and document schema assignment||n/a|
Access to documents are controlled by:
- Permissions at the cabinet and folder level. If a user is not a member of the cabinet and folder, they do not see or have access to them. Membership in a folder is constrained by the members in the cabinet where the folder is located. A folder does not need to contain the same members as the cabinet, but you cannot add a member to a folder if it is not already a member of a cabinet. A system administrator can manage the users and groups that are added as members to the cabinets and folders.
- Membership of the document schema. If a user is not a member of the schema, they cannot access nor search for documents belonging to the schema. A library administrator or higher role manages the users and groups that have access to schemas.
A common document access problem is when a user has access to a folder, but they are not a member of a schema. A user's permissions for the entire system can been seen with the Effective Permissions report.
Who can manage cabinet and folder security?
Cabinet security can be managed by a user or group with a senior library administration or system administration role, or a cabinet administration or library administration role if they are also the cabinet owner. Users and or groups with a role lower than senior library administrator do not see a cabinet or any of its contents if they are not an owner or member of the cabinet.
Folder security can be managed by a a user or group with a Publisher role or higher and is also the owner of the folder. If a user or group is not an owner or member of the folder they do not see the folder or any documents in the folder when they log into the system.
Who can manage schema security?
Schema security is managed by a user or group with a library administration or higher role. Users with a cabinet administration role or higher are inherently members of all schemas.
For other users and groups, if they are not a member of the schema they cannot see, add, search or use links to documents with that schema.
See User Roles and Accessing the Library for more information on group roles.
Group members, effective permissions, and advanced security options at the cabinet and folder levels
In the Security tab of cabinet and folder properties, permissions can be viewed or modified. The Current Members list displays all users and groups who have access to the cabinet or folder and their respective roles. To view the users who belong to a particular group, click Group Members. Click on a group name in the All Groups / Users list to view the users who belong to the group. This function can be used to determine if the appropriate users and groups have access to the folder or cabinet.
To determine what role a user has at cabinet or folder level, click Effective Permissions. In the Effective Permissions list, all users with access to the library level and their respective role is displayed. Users with a role of "Inherent" means that the user inherently has access to the cabinet or folder, such as a senior library administrator, system administrator, cabinet owner, or folder owner. Users with an "Inherent" role cannot be restricted from accessing this level of the library.
Groups or users can be given a lower role then set at the group level. For example, a folder owner may want to restrict a particular a group of users from adding documents so may lower their document publisher rights to read-only. Advanced security does not allow an illogical assignment. For example, a library administrator who is not the owner, can not be assigned a cabinet administrator role or organizer role. For cabinet or folder owners, the advance security cannot be set. To modify permissions of a group or user, click Advanced Security Options. Select a group or user from the Current Members list and then select the lower role to apply. To reset a user or group permissions to their original role, click Restore.
If permissions have been lowered, a red dot appears on the folder where this has been configured. A red dot next to a folder icon has special meaning as follows:
- The user has read-only access to the folder
- The user has reduced permissions at those folder levels. For example, a user belongs to a group with an organizer and delete role and a group with a document publisher role. If only the group with the lower permissions has access to the folder, then the red dots appear. The red dot does not affect their abilities as document publishers in those folders.
- The group permissions have been modified using the Advanced Security options.
Rules about FileHold security
- The library is visible to all users regardless of type or group.
- All users that are given access to a cabinet see all of the drawers and folder groups inside that cabinet.
- Users are only able to see folders where they are members or owners.
- Users only see documents inside a folder where they are members of the assigned document schema for the current visible document version.
- Access to the library archives follows the same logic as the main library.