Entry Access Rights

Access rights determine what documents and folders a user can see and open, and what actions they can perform on those documents and folders. Because access rights apply to documents and folders, they are configured in your repository itself, not in Repository Administration or Account Administration.

Access rights allow you to set granular security that may differ in different parts of your repository. For example, you might want to allow Sally to freely create, modify, and delete documents in her own folder, and to view and modify documents in her department's folder (but not to create or delete them), but you might not want to allow her to even see the folder for another department. You can do this using access rights.

When you configure an access right, you will specify three things:

Access rights can be configured by any user with the Manage Entry Access privilege. See Privileges for more information.

Free Training: Entry Access and Scope eLearning course in Aspire.

Planning Access Rights

Before you begin setting access rights, it is a good idea to make a plan for them. Determine what you want users and groups to be able to do in your repository, and where. It is also a good idea to design your repository so that documents that should have similar security settings are grouped together. This allows you to quickly and easily set security on folders, rather than needing to set security document by document, which is both tedious and prone to errors.

In general, it is a good idea to work from more general to more specific. Begin by setting rights on folders high in the folder tree, allowing inheritance to propagate those rights down, and begin by granting rights to groups. You can then fine-tune with subfolders and individual users as necessary.

Setting Access Rights on a Document or Folder

  1. Select the document or folder on which you want to configure access rights in the folder browser, or open it in the document viewer. (It is strongly recommended that you set rights on folders rather than documents wherever possible.)
  2. Click the More button (The More button, three vertical dots.) and point to Advanced, then select Show Security. The Access Rights dialog box will open.
  3. In the Access Rights tab, you can view security that has already been set for this document or folder. Rights that were inherited from higher in the folder tree will list what folder the right was set on, or will list Not inherited if the right was set at this level. (If you only want to view rights set at this level, clear the Inherit rights from parent option at the bottom of the dialog box.)
  4. Either select an existing trustee that is listed as Not inherited, or type a trustee name in the Select another trustee option and click Add. (Inherited rights must be modified at the level at which they were set.)
  5. In the Scope Selection option, select the scope for this right. Scopes range from This folder, subfolders, and documents, which will affect all the documents and folders under this one, to This entry only, which will only affect the specified entry. You can use scope to determine how much of the folder tree this right will apply to.
  6. Select the rights you want to grant or deny to this trustee. Allow grants the right and Deny denies it. If neither Allow or Deny is selected, the trustee will not be granted the rights to perform the specified action, but can inherit the right from higher in the folder tree. An explicit Allow or Deny, on the other hand, takes precedence over rights inherited from higher in the folder tree.

    Note: If more than one right applies to a user on the same level--for instance, if they belong to one group that has been set to Allow and another set to Deny--rights will be calculated in this way: Deny takes precedence over Allow, and Allow takes precedence over no rights configured. However, if the conflict is between rights set explicitly on an entry and rights inherited from higher in the folder tree, the explicitly-configured rights will take precedence.

  7. Click Save to save your new access right configuration.

Viewing Effective Rights

The Effective Rights tab of the Access Rights dialog box provides a simple interface for determining what actions a particular user can perform on the selected entry. It takes into account all rights, both explicitly set and inherited. By default, the Effective Rights tab will display your effective rights, but you can type another user name in the Select another trustee option to view effective rights for another user or group.

List of Access Rights

Each operation on a document or folder has a set of required entry access rights. If the user attempting the action does not have the necessary rights, the user is denied permission to perform the operation.

The following is a list of entry access rights: