Quick Fields Server Security

Document classes and sessions are stored on the Quick Fields Server, secured by privileges and access rights.

Privileges:

Privileges are broad, overarching permissions granted to users and groups allowing them access to Quick Fields Server features.

• Administrator:Grants unrestricted access to the Quick Fields Server. Only a user with this privilege can grant or revoke this privilege. An administrator can view the full list of users, their privileges, and access rights. There must be one user with this privilege at any time.
• Create Sessions:Grants the ability to add sessions to the Quick Fields Server. You can add a session to the Quick Fields Server by publishing it from Quick Fields or importing it using the Quick Fields Administration Console. This privilege also lets you modify the session's document class priority. Any user that creates a session has full access, by default, to that session (see Access Rights below).
• Delete Sessions:Grants the ability to delete sessions from the Quick Fields Server. You can delete a session from the Quick Fields Server using the Quick Fields Administration Console.
• Create Document Classes:Grants the ability to add document classes to the Quick Fields Server. You can add a document class to the Quick Fields Server by publishing it from Quick Fields or importing it using the Quick Fields Administration Console.
• Delete Document Classes:Grants the ability to delete document classes from the Quick Fields Server. You can delete a document class from the Quick Fields Server using the Quick Fields Administration Console.
• Manage Users/Groups: Grants the ability to add, remove, and modify user and group security on the Quick Fields Server via the Quick Fields Administration console. A user with this privilege can view and modify the full list of users, their privileges, and access rights. This privilege (along with full access rights to the document class) also grants the ability to assign reviewers to document classes in the Quick Fields Administration Console.

Access Rights

Access rights determine what access users and groups have to individual document classes and sessions.

Note: By default, every user is granted the Viewer access right.

• Full: The user or group will be able to see, modify (edit the description, link/unlink, import, and restore versions), and run the session or document class in the Quick Fields Administration Console, Quick Fields, and Quick Fields Scanning. A user is automatically granted full access if they create the session or document class.
• Viewer: The user or group will only be able to view and run the document class in the Quick Fields Administration Console, Quick Fields, and Quick Fields Scanning. In the Quick Fields Administration Console, a Viewer will not be able to edit a description, link or unlink sessions and document classes, restore and import new versions, or see the access rights of other users. They will, however, be able to see their own access rights.
• Denied:The user will not have any access to the session in the Quick Fields Administration Console, Quick Fields, or Quick Fields Scanning.

Security Inheritance and Effective Permissions

A user's rights are the sum of the privileges and access rights granted to the user and to the groups he or she belongs to. For example, if a user has not been granted any privileges, but he or she belongs to at least one group that has been granted some privileges, that user's effective permissions will include those privileges.

A user's individual access rights assigned take precedence. If a user does not have individual access rights assigned, but they are a member of a group, that group's access rights are inherited by that user. If a user is a member of multiple groups with conflicting rights, the most restrictive rights wins, with two exceptions:

• Users with the Administrator privilege are automatically assigned the Full access right and will have full access to all sessions and document classes on the Quick Fields Server.
• Users with the Manage Users/Groups privilege will always be able to see the basic information and access rights for all sessions and document classes on the Quick Fields Server, regardless of any denied access rights. For example, if a user is denied access rights, the user will still be able to see the list of users and basic information because they have the Manage User/Groups privilege.

Users with the Administrator or Manage Users/Groups privileges can view the full list of users and their rights/privileges. Otherwise, a user can only view their own rights/privileges. A user with the Manage Users/Groups privilege cannot modify his or her own privileges or access rights unless that same user also has the Administrator privilege.

Security Examples

Below are some examples that show the interactions between group membership and individual rights and privileges.

• John has been added as a user, but has not been granted any privileges or access rights. Every user is granted Viewer rights by default, so John will have the ability to view and run all sessions and document classes.
• Chris has been granted the Administrator privilege. He has full, unrestricted access to all sessions and document classes. He can also add or modify a user and group's privileges and access rights, including his own. The Administrator privilege also gives him the ability to grant or revoke the Administrator privilege to other users or groups.
• Jenny has been granted the Create Sessions privilege. This gives her the ability to create sessions. Because she is a session creator, she is automatically granted Full access rights to the sessions she creates. She will have Viewer access rights to all other sessions created by others because everyone is granted the Viewer access right by default.
• Bobby has been granted Full access rights for the "Invoices" session and he is also part of the group that has the Manage Users/Groups privilege. He will be able to see, modify, and run the "Invoice"s session. He will have Viewer access to all other sessions besides the "Invoices" session. He inherits the Manage Users/Groups privilege from the group he's in. This lets him see the full list of users and groups and add or modify their privileges and access rights. However, he will not be able to modify his own privileges or rights because he does not have the Administrator privilege.
• Justin is a member of a group that has the Delete Document Classes privilege and a member of another group that has the Delete Sessions privilege. He has been Denied access to the "Applications" document class. Even though he has inherited the Delete Document Classes and Delete Sessions privileges, he will not be able to see or delete the "Applications" document class. He will, however, be able to delete all other document classes and sessions. By default, he will have Viewer access rights to all document classes and sessions except the "Application" document class, since he was explicitly denied access to the "Applications" document class.
• April has been granted the Viewer access right to the "Employee Forms" session. She is also part of a group that has been granted the Full access right to the" Employee Forms" session. Even thought she inherited the Full access right for the session, she was explicitly granted the Viewer access right, therefore, she only has Viewer access rights to the" Employee Forms" session.