Entry Access Rights

Access rights determine what documents and folders a user can see and open, and what actions they can perform on those documents and folders. Because access rights apply to documents and folders, they are configured in your repository itself, not in Repository Administration or Account Administration.

Access rights allow you to set granular security that may differ in different parts of your repository. For example, you might want to allow Sally to freely create, modify, and delete documents in her own folder, and to view and modify documents in her department's folder (but not to create or delete them), but you might not want to allow her to even see the folder for another department. You can do this using access rights.

When you configure an access right, you will specify three things:

• Who: Which user or group you are granting or denying a particular right or set of rights.
• What: The right or set of rights that you are granting or denying.
• Where: The scope of the rights: what documents and folders will be affected.

Access rights can be configured by any user with the Manage Entry Access privilege. See Privileges for more information.

Planning Access Rights

Before you begin setting access rights, it is a good idea to make a plan for them. Determine what you want users and groups to be able to do in your repository, and where. It is also a good idea to design your repository so that documents that should have similar security settings are grouped together. This allows you to quickly and easily set security on folders, rather than needing to set security document by document, which is both tedious and prone to errors.

In general, it is a good idea to work from more general to more specific. Begin by setting rights on folders high in the folder tree, allowing inheritance to propagate those rights down, and begin by granting rights to groups. You can then fine-tune with subfolders and individual users as necessary.

Setting Access Rights on a Document or Folder

1. Select the document or folder on which you want to configure access rights in the folder browser, or open it in the document viewer. (It is strongly recommended that you set rights on folders rather than documents wherever possible.)
2. Click the More button () and point to Advanced, then select Show Security. The Access Rights dialog box will open.
3. In the Access Rights tab, you can view security that has already been set for this document or folder. Rights that were inherited from higher in the folder tree will list what folder the right was set on, or will list Not inherited if the right was set at this level. (If you only want to view rights set at this level, clear the Inherit rights from parent option at the bottom of the dialog box.)
4. Either select an existing trustee that is listed as Not inherited, or type a trustee name in the Select another trustee option and click Add. (Inherited rights must be modified at the level at which they were set.)
5. In the Scope Selection option, select the scope for this right. Scopes range from This folder, subfolders, and documents, which will affect all the documents and folders under this one, to This entry only, which will only affect the specified entry. You can use scope to determine how much of the folder tree this right will apply to.
6. Select the rights you want to grant or deny to this trustee. Allow grants the right and Deny denies it. If neither Allow or Deny is selected, the trustee will not be granted the rights to perform the specified action, but can inherit the right from higher in the folder tree. An explicit Allow or Deny, on the other hand, takes precedence over rights inherited from higher in the folder tree.

   Note: If more than one right applies to a user on the same level--for instance, if they belong to one group that has been set to Allow and another set to Deny--rights will be calculated in this way: Deny takes precedence over Allow, and Allow takes precedence over no rights configured. However, if the conflict is between rights set explicitly on an entry and rights inherited from higher in the folder tree, the explicitly-configured rights will take precedence.

7. Click Save to save your new access right configuration.

Viewing Effective Rights

The Effective Rights tab of the Access Rights dialog box provides a simple interface for determining what actions a particular user can perform on the selected entry. It takes into account all rights, both explicitly set and inherited. By default, the Effective Rights tab will display your effective rights, but you can type another user name in the Select another trustee option to view effective rights for another user or group.

List of Access Rights

Each operation on a document or folder has a set of required entry access rights. If the user attempting the action does not have the necessary rights, the user is denied permission to perform the operation.

The following is a list of entry access rights:

• Browse: The ability to see if a document, folder, or shortcut exists.

Note: The Browse entry access right is not sufficient to open a folder or a document. The Read entry access right is also required.

• Read: The ability to see the contents of a folder or document.
• Modify Contents: The ability to modify the contents of a document, including adding, removing, or modifying pages, making changes to an electronic document, or generating text from a document. Implicitly grants the Read right.
• Append Data: The ability to add pages to a document or move existing pages into a document. If a document has not already been assigned text, this right grants the ability to generate the text of a document via OCR. It does not grant the ability to reorder or remove pages. Implicitly grants the Read right.
• Delete Entry: The ability to delete a document or folder. When deleting a folder, you must also have the necessary rights to delete all entries that reside in the folder. This right does not allow you to delete pages or text from a document.
• Rename: The ability to rename a document or folder.
• Delete Document Pages: The ability to delete pages from a document. Implicitly grants the Read right.
• Annotate: The ability to add, modify, and remove annotations (not including redactions) on a document. Adding and modifying redactions requires both this right and the See Through Redactions right. Implicitly grants the Read right.
• See Through Redactions: The ability to see through redactions and choose whether to export documents with redactions removed or intact. Implicitly grants the Read right. (By default, users connecting through Laserfiche WebLink will not be able to see through redactions even if they have been granted this right.)
• Write Metadata: The ability to manage the metadata assigned to an entry once it has been created, allowing a user to assign a template and field data to a document, as well as the ability to modify or delete document links and document versions and add or remove tags from documents and folders. (A user does not need this right to set metadata on an entry at the time it is created.) Implicitly grants the Read right.
• Create Documents: The ability to create documents or shortcuts.
• Create Folders: The ability to create folders.
• Read Entry Security: The ability to see the rights assigned to an entry. Note that users do not need this right to see their own effective rights.
• Write Entry Security: The ability to assign access rights on an entry. Implicitly grants the Read entry security right.
• Set Last Review Date: The ability to set, unset, or modify the review date on a vital record.
• Close/Reopen Folder : The ability to close and reopen record folders, and file new records into closed record folders.
• Add/Remove Hold: The ability to add or remove holds on entries.
• Set Event Time: The ability to set, unset, or modify the event date on a record folder. Set, unset, or modify the alternate retention event date.