An introduction to access control in Documaster
Documaster's access control is based on groups: a user must belong to an access group in Documaster in order to gain access.
An access group in Documaster either has global rights that give access to all sections (typically for administrators), or limited access (access to some sections). If a group has limited access, the starting point is no access, until you explicitly grant access.
If Documaster is configured to use Azure AD as the identity provider, you can link access groups in Azure to access groups in Documaster (see description below).
Full vs limited access
Each access group in Documaster has settings for "Service permissions" and "Global permissions".
If Global Permissions is set to "Full Access", the users of this group can see all sections and classifications.
If access should be restricted to only certain sections or tags, the Global Permissions should be set to "User".
Service Permissions should be set to "User" unless the group is dedicated to administrators.
Note: When creating new access groups, it can sometimes take a while before the documents are ready for users of those groups. Documents are "indexed" for each access group. When there are many documents in Documaster, the indexing of files might take some time to complete.
Use case: Limit user access to selected sections
Access to documents is limited to certain sections.
Goal
We want to limit access so that certain people only have access to view and upload documents in a certain section.
Step 1
Navigate to Access Control under Settings.
You need to be an administrator to view and use this functionality.
Step 2
Click Add new access group.
Fill in an appropriate name and description.
For the Claim, you need to create an access group (or use an existing one) in Azure or the Documaster identity provider. Copy and paste the identifier for this group into the Claim field.
Any user you add to this access group in Azure or Documaster IDP will be granted access via this tag in Documaster.
Step 3
Once the access group is added, click on the Service Permissions.
Select User and click OK.
This will allow users to upload documents and modify the color statuses on entries.
The Global Permissions should be left as User.
Step 4
Move on to the tab Sections and locate the section you want the user group to be able to access.
Select Add permissions.
Step 5
Select Custom and then CC, DC, RC, RO, UC and then hit OK.
These settings will allow the users to view the section and to view, upload and modify documents.
At this step users will be able to see the section, but not the classifications for that section. Access to view the classifications must be explicitly set up (see next steps).
Note: In order to make the Outlook Add-in work, UCSF must be set.
Step 6
In order to make the classifications in the section visible to users, access must be explicitly granted for each classification.
Move on to the tab Classifications and Tags.
In this example, the section Delivery Projects includes the classifications Projects, Topic and Discipline.
First, locate the classification Projects and click Add permissions.
Step 7
Set the permissions to Read Only and hit OK.
Now users will be able to view the classification.
If you want users to be able to add new tags to the classification, select Can Edit.
Repeat this step for all the classifications in the section.
Use case: Limit user access to selected tags
Access to documents is limited to certain tags.
Goal
We want to limit access so that certain people only have access to view and upload documents when the tag “Ericsson” is present.
We assume the tag Ericsson is already present.
Step 1
Navigate to Access Control under Settings.
You need to be an administrator to view and use this functionality.
Step 2
Click Add new access group.
Fill in an appropriate name and description.
For the Claim, you need to create an access group (or use an existing one) in Azure or the Documaster identity provider. Copy and paste the identifier for this group into the Claim field.
Any user you add to this access group in Azure or Documaster IDP will be granted access via this tag in Documaster.
Step 3
Once the access group is added, click on the Service Permissions.
Select External User and click OK.
The Global Permissions should be left as User.
Step 4
Move on to the tab Sections and locate the section you want the user group to be able to access.
Select Add permissions.
Step 5
Select Custom and then CC, DC, RO, UC and then hit OK.
These settings will allow the users to view the section and to upload and modify documents, provided the Shared with Ericsson tag is present, which we’ll get to shortly.
Note: In order to make the Outlook Add-in work, UCSF must be set.
Step 6
Move on to the tab Classifications & Tags.
Locate the Shared with classification and click on Add permissions.
Step 7
Set the permissions to Read Only and hit OK.
Now users will be able to view the classification.
Step 8
Now click on the expand icon to the left of the Shared with classification.
Select Use this classification for access control.
Then, locate the tag Ericsson and select Add permissions.
Step 9
Set the permissions to Can Read Entries.
This will allow users to view entries in our section provided the tag Ericsson is present.
Users will have permission to view, upload and modify documents because of the settings we applied in step 5.
Step 10
We will now make sure that the users can view the rest of the classifications in this section.
First, locate the Projects classification and click Add permissions.
Step 11
Select the access group (in our case Shared with – Ericsson) and select Read Only and hit OK.
Repeat this step for the classifications Topic and Discipline.