Interactions Between Permissions

No operation within the Laserfiche web or Windows client is controlled by a single security mechanism. The security mechanisms are designed to overlap so that any attempted operation may require the appropriate rights in several security mechanisms. The sections below describe how the various permissions interact.

Privileges and Access Rights

Some privileges allow administrative users to bypass access rights checking. The specific access rights that are bypassed by a particular privilege depend on the purpose of the privilege.

Example: The Manage Fields and Templates privilege allows a user to modify fields and templates, regardless of whether they have been granted individual field or template access rights. The Manage Entry Access privilege allows a user to open every folder and browse every entry in the repository in order to assign entry access rights. This privilege bypasses the Browse and Access Control entry access rights. Since this privilege allows a user to see the contents of folders, Manage Entry Access also bypasses the Read entry access right on folders.

Since some privileges grant the user considerable access to the repository, you should be careful when applying privileges.

Access Rights and Feature Rights

Feature rights control whether a user has access to certain commands in Laserfiche client applications, whereas access rights control whether a user can modify an entry in a particular way. A user must have both the appropriate feature right to perform an action and the appropriate access right to modify the document in a particular way. Without both, the user will not be able to perform the action.

Example: A user with the Append Data or Modify Contents entry access right can generate text for a document via OCR. However, removing the Process feature right disables the OCR option in the Action menu. Without this feature right, the user is unable to access the OCR option in the user interface.

Be aware that feature rights do not actually secure an entry. Feature rights are not enforced by the Laserfiche Server; they only disable specific user interface functions in the Laserfiche Windows client or the web client.

Entry, Template, and Volume Access Rights

Certain actions may be governed by more than one type of access right. If this is the case, the user must have all relevant access rights in order to complete the action.

Example: The Read entry access right allows a user to open a document. The Read volume access right allows a user to view the pages in a document associated with that volume. The Read field access right allows a user to see a field value. If a user is granted the Read entry access right on a document, but is denied the Read volume access right and Read field access rights, that user will be able to open the document in the document viewer but will be unable to view its pages or see its field values. Similarly, a user granted the Read field access right, but denied the Read volume access right, will be unable to see the document's pages, but will be able to open it to view metadata. The user needs all three types of access rights to open the document and view its pages and fields.

Take note of access rights descriptions that overlap with other descriptions.

Security Tags and Other Security Mechanisms

Documents with security tags can only be seen or acted on by users that have been assigned all of the security tags assigned to the document. This security check occurs before all other security mechanisms. Users not assigned a tag associated with a document will be unable to see the existence of that document, regardless of what other rights or privileges the user might have. For example, if a document is assigned two security tags, a user who is assigned only one of the security tags will be unable to access it.

Note that security tags can be assigned to all trustees. A user can inherit security tags that are assigned to groups of which the user is a member. In the previous example, if that user belonged to a group that was assigned the other security tag, the user would be able to access the document.
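
The check order described under "Entry, Template, and Volume Access Rights" and "Security Tags and Other Security Mechanisms" can be modeled as follows. This is an added example, not Laserfiche code or its API: the names Trustee and visible_parts are hypothetical, access rights are reduced to one flag per type, and the sample users and tags are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Trustee:                      # hypothetical model of a user or group
    name: str
    tags: set = field(default_factory=set)      # tags assigned directly
    groups: list = field(default_factory=list)  # groups this trustee belongs to

    def effective_tags(self, _seen=None):
        """Own tags plus tags inherited from groups (cycle-safe)."""
        seen = set() if _seen is None else _seen
        if self.name in seen:
            return set()
        seen.add(self.name)
        tags = set(self.tags)
        for group in self.groups:
            tags |= group.effective_tags(seen)
        return tags

def visible_parts(user, doc_tags, read_rights):
    """Model the layered check for one document.

    doc_tags: security tags on the document.
    read_rights: subset of {"entry", "volume", "field"} the user holds for it
    (simplification: one flag per access-right type).
    Returns None if the document is hidden, else the set of visible parts.
    """
    # 1. Security tags are checked first: the user needs every tag.
    if not set(doc_tags) <= user.effective_tags():
        return None
    # 2. Assumption of this model: without Read entry nothing can be opened.
    if "entry" not in read_rights:
        return set()
    parts = {"open"}
    if "volume" in read_rights:
        parts.add("pages")
    if "field" in read_rights:
        parts.add("fields")
    return parts

# Constructed sample data: a document carrying two tags, a user holding one.
legal = Trustee("Legal", tags={"Legal"})
alice = Trustee("alice", tags={"HR"})
doc_tags = {"HR", "Legal"}
before = visible_parts(alice, doc_tags, {"entry", "volume", "field"})
alice.groups.append(legal)          # the second tag is now inherited
after_entry_only = visible_parts(alice, doc_tags, {"entry"})
after_all = visible_parts(alice, doc_tags, {"entry", "volume", "field"})
```

With only one of the two tags the result is None even though all three Read rights are held; once the missing tag is inherited from the group, the result depends on which Read rights are present.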