User roles and accessing the library

A user's role determines the permissions they may have access to in the system. FileHold comes pre-configured with 12 user roles. The roles are organized in a hierarchy with the Limited role being the least powerful and System Administration being the most powerful. Roles are assigned to users when they are members of a FileHold group that is assigned the role.

| Role | Inherits from | Default group |
|---|---|---|
| Limited | None. This is the most basic role. | Limited Users |
| Read Only | Limited | Read Only |
| Document Publisher | Read Only | Document Publishers |
| Document Publisher & Delete | Document Publisher | Document Editors |
| Publisher | Document Publisher | Publishers |
| Publisher & Delete | Document Publisher & Delete | Editors |
| Organizer | Publisher & Delete | Organizers |
| Organizer & Delete | Organizer | Organizers & Delete |
| Cabinet Administration | Publisher & Delete | Cabinet Administrators |
| Library Administration | Cabinet Administration | Library Administrators |
| Senior Library Administration | Organizer & Delete | Senior Library Administrators |
| System Administration | Senior Library Administration | System Administrators |

For each role, FileHold ships with a pre-defined default group that is assigned the role to simplify setup of a new system, testing and demonstration. Though they can be used in a production system, they can also be deleted and replaced with groups that are more relevant to your operation / configuration.

Some permissions associated with a role take immediate effect when the role is assigned. For example, access to the library administration menu items is granted when a user has the library administration or higher role. Other permissions do not take effect until additional assignments are made. For example, a user with the cabinet administrator role will only have the permissions associated with the publisher and delete role until they are assigned as the owner of a cabinet in the library. Once that happens, they will have the full permissions of the cabinet administration role, but only when they are working on folders or documents in that cabinet.

When a permission is granted by virtue of the role simply being assigned to the user, these permissions are said to be inherent to the role. Inherent permissions are always granted according to the highest role a user is assigned. For example, a user with a library administration role has access to all document schemas. This same user might also be assigned to a group with a read only role. The read only role does not grant any automatic access to any document schemas, but this is not important as the inherent permission on the library administrator takes precedence. All permissions for the system administration role are inherent.

The hierarchy of roles is in full effect when the same user is assigned to a cabinet or folder more than once. For example, a user belongs to the Sales group and they also belong to the Management group. Both groups are members of the same Sales territories folder. The sales group is assigned the document publisher role and the management group is assigned the organizer & delete role. The user will have organizer & delete permissions in the Sales territories folder. The role of the sales group will be ignored.

Roles can be arbitrarily reduced by cabinet or folder. When assigning a user or group as a member of a folder, the advanced security option will allow the normal role for that group to be reduced. Using our example above, assume the sales group should only have read only permissions for the sales territories folder. One way to do this would be to create a new group like "Read only sales" and assign the read only role. Then, use this new group for membership in the sales territories folder. However, the amount of management needed can be reduced by simply using the advanced security option and reducing the role of the sales group to read only for this one folder. More information on advanced security is available on the Managing Folder Access page.
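The resolution rules above (highest role wins across groups, per-folder reduction through advanced security, Cabinet Administration applying in full only in owned cabinets) can be modelled for an access review. This is an added example, not FileHold code or its API; the function name, the data structures and the ranking of roles by table order are assumptions.

```python
# Simplified model of the role rules on this page; not FileHold code or its API.
ROLES = [  # assumption: rank follows the row order of the roles table
    "Limited", "Read Only", "Document Publisher", "Document Publisher & Delete",
    "Publisher", "Publisher & Delete", "Organizer", "Organizer & Delete",
    "Cabinet Administration", "Library Administration",
    "Senior Library Administration", "System Administration",
]
RANK = {name: i for i, name in enumerate(ROLES)}
INHERENT_EVERYWHERE = {"Senior Library Administration", "System Administration"}


def effective_role(user_groups, group_roles, folder_members,
                   reductions=None, owns_cabinet=False):
    """Role a user holds on one folder, or None when they have no access.

    user_groups    -- set of groups the user belongs to
    group_roles    -- {group: role assigned to that group}
    folder_members -- set of groups that are members of the folder
    reductions     -- {group: reduced role} set via advanced security on this folder
    owns_cabinet   -- True when the user owns the cabinet containing the folder
    """
    reductions = reductions or {}
    candidates = []
    for group in user_groups:
        role = group_roles[group]
        if role in INHERENT_EVERYWHERE:
            candidates.append(role)  # inherent access, membership not required
            continue
        if group not in folder_members:
            continue
        if group in reductions:
            if RANK[reductions[group]] > RANK[role]:
                raise ValueError(f"{group}: a reduction cannot raise the role")
            role = reductions[group]
        if role == "Cabinet Administration" and not owns_cabinet:
            role = "Publisher & Delete"  # full role applies only in owned cabinets
        candidates.append(role)
    return max(candidates, key=RANK.__getitem__, default=None)


# Constructed sample data based on the Sales territories example above.
GROUP_ROLES = {"Sales": "Document Publisher", "Management": "Organizer & Delete",
               "Records": "Cabinet Administration"}
FOLDER = {"Sales", "Management", "Records"}

if __name__ == "__main__":
    both = effective_role({"Sales", "Management"}, GROUP_ROLES, FOLDER)
    reduced = effective_role({"Sales"}, GROUP_ROLES, FOLDER, {"Sales": "Read Only"})
    print(both, "|", reduced)
```

In this model, reducing the Sales group to Read Only on the folder does not lower a user who is also in Management: the highest remaining role still wins, which is worth checking when a reduction is meant to restrict specific people.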

A user with the system administration role can disable select permissions for certain roles, group by group, in the FileHold Groups area. These reduced permissions are effective wherever the group is assigned.

| Reduced permission | Applicable roles |
|---|---|
| Disable email | All |
| Disable sending Courier transmissions | Document Publisher and higher |
| Disable document download | Document Publisher and lower |
| Disable printing | Document Publisher and lower |
| Disable viewing | Document Publisher and lower |
| Disable ad hoc searches | Senior Library Administration and lower |

Detailed role descriptions

Role Name

Description

Limited

A user assigned to a group with a “limited” role has restricted access to the system. Users can search, view, download and email documents.

There are two user account types that can be assigned to a limited role:

  • Limited Registered user accounts can log into FileHold using a single username and password.
  • Portal Alias user account types are used in conjunction with the Anonymous portal and require no login.

Using limited registered or anonymous portal user account types is a cost-effective way for many people to view documents in the repository but with very limited functionality.

Read Only

The Read Only role and the remaining roles must be assigned to a Full Registered user account. The Read Only role inherits the permissions of the Limited role.

A user with Read Only permissions has access to My FileHold and can adjust their view preferences. This is the minimum role needed to be a participant in a workflow.

Document Publisher

The Document Publisher role has the permissions of Read Only and can also add, check in and check out, and edit documents and metadata. Document publishers can move documents that are owned by them. They cannot delete any documents, including those which they have added to the system.

Document publishers can initiate workflows, participate in workflows, and initiate Courier transmissions.

Document publishers can convert offline documents to electronic documents using the check out and check in process (if the permission setting is enabled).

The Document Publisher role is the most common in use in a typical FileHold system.

Document Publisher + Delete

The Document Publisher plus Delete role can do everything a Document Publisher can do and delete their own electronic documents. They must be the owner of the document in order to delete it. To see the owner of a document, you can look at the version properties in the metadata pane.

Publisher

The Publisher role can do everything a Document Publisher can do plus:

  • Create new folders or rename folders that they own.
  • Assign existing folder groups.
  • Copy or move folders that they have already created.
  • Clone folders and folder groups created by other users and become the owners of the folders.

Publishers cannot delete existing documents, folders or folder groups, including those which they have added. All documents and folders created by the Publisher will be owned by them and they cannot change the ownership.

Publisher + Delete

The Publisher plus Delete role can do everything that a Publisher can do plus delete electronic documents, folders and folder groups owned (created) by them.

Organizer

The Organizer role is for users who are responsible for organizing documents that are scanned or imported into the system or who are assigned to organize documents added by other users. For example, organizers would move the documents generated by scanner operators to their correct folder in the library. Only trusted personnel should be given this role. A user with the Organizer role can:

  • Move any document they have access to, to other places in the library including documents which they do not own. In other words, they can move documents and records that are owned by other users.
  • Move, copy or clone all folders and folder groups regardless of their ownership. When cloning, they become the owners of the folders. When copying and moving, the original ownership of the folders is preserved.
  • Add folders where they will be the owner, and rename folders.
  • Assign existing folder groups.
  • Delete electronic documents that they own.
  • Change document owner regardless of ownership.
  • Export documents.

Organizer + Delete

The Organizer plus Delete role can do everything that Organizers can do plus delete all electronic documents, folders and folder groups regardless of their ownership. Users with this role can only do this within Cabinets, Folders and Schemas that they are a member of.

This role should be used by trusted personnel only.

Cabinet Administration

Cabinet Administrators can only administer the cabinets that they own; they cannot create cabinets for themselves.

When a user with the Cabinet Administration role has permission to a folder in a cabinet they do not own, they have the Publisher and Delete role.

When a user with the Cabinet Administration role owns a Cabinet, they can:

  • Create, edit, and delete drawers, folder groups and folders and manage their properties (i.e. membership structure).
  • Have inherent access to all document schemas. If they do not have permission in a Cabinet or Folder they will not be able to access the documents.
  • Rename folder groups.
  • Move documents between cabinets as long as they are owners of both Cabinets. Use the Organizer role when a user needs to move documents between Cabinets that they do not own.
  • Delete and move electronic records. Electronic records can only be moved in the Cabinet or to another Cabinet they own.
  • Convert electronic documents to electronic records and vice versa (if the permission setting is enabled).
  • Convert electronic documents to offline documents for cabinets (if the permission setting is enabled).
  • Change document owner for documents.
  • Manually move documents to and from the library archive as long as they are the Cabinet owner in the library archive.

Library Administration

Library Administrators can only administer the cabinets that they own. Their permissions are the same as the Cabinet Administration role plus they can:

  • Create cabinets where they are the owner.
  • Access the Library Administrator menus where they can manage metadata fields, schemas, events, set up workflow templates, manage numerous global settings (i.e. viewer permissions, search engine settings, reporting services permissions and more), perform various managerial functions (such as check-in for user, change document owner, recover deleted document etc.) and access many useful reports and usage logs for cabinets that they own.

If a user needs to be able to create cabinets for other users, including cabinet and library administrators, they will need to have at least a Senior Library Administration role.

Senior Library Administration

Senior Library Administrators have the permissions of a library administrator and have inherent access to all parts of the library. Senior Library Administrators can create cabinets to be managed by any Library Administrator or Cabinet Administrator.

System Administrators

System Administrators have inherent access to all parts of the FileHold application. They can perform all of the functions of all other roles. However, the main tasks of the System Administrators are to add users to the system (including assigning the initial password, setting requirements for all new passwords and the ability to self register), assign users to their appropriate groups, enable document control numbers and version control numbers, and manage user accounts, user groups and the system license pool. The System Administrator also has access to various global settings (outbound e-mail, system wide configurations for managing the various document format conversion permissions etc.) as well as user activity reports.

Every system must have at least one user with the system administration role and a guaranteed concurrent session.