We have created several Cabinets and we need to secure them with ACLs (i.e. project cabinets for access with project team only). So I have set a role to that Cabinet which leads to the point that the team users can only see their cabinets they habe been assigned for: perfect!
BUT: documents that are “inside” the Cabinet are still accessible via document search or “All Documents”. What have I missed to configure? Ob course no one of Cabinet A should be able to find documents of Cabinet B.
Additionally the same would be true for tags. An invoive tagged with “Top Secret” should be not accessible for everyone. So if ACLs are set for several dimendions (Cabinets, Types, Tags,…) and the user meets all requirements, then of course He can access the file.
I guess I did not find the correct way of setting this up.
You need to set the access control at the document or document type level.
Setting the access control of the cabinet or tag does not affect if users can access the documents. The document access is not dictated or modified by the access of the location in which they are located (cabinet, index, smart links) or tagged (tags). This is the paradigm used in file systems where a file can only be in one directory. This does not work well with complex systems where a single object (a document in this case) can be found in many places.
Thanks for this post, I understand this approach. So what would be a best practice to automate setting ACLs dependent on certein locations? Does it need to create workflows which trigger ACL assignment when adding/removing tags/cabinets or is there a better way?
To not create a workflow for each document type/tag/cabinet combination, is there a more generic option for the action (i.e. when document assigned to cabinet then add/inherit ACL from cabinet)?
Yes, workflows are the correct approach. There are workflows actions to grant or remove access control to roles when a state is activated or deactivated. Workflows are the core of the automation because they allow a single generic way to do so instead of adding automation intelligence to each document container type.
The advantage of using workflows is that they more closely match what happens at the organization level. Instead of being a technical configuration, they map your business processes inside Mayan.
A problem with having containers trigger changes in access control is the high probability for conflicts. A cabinet addition grants a permission that conflicts with the same permission being removed by a tag. In this case which trigger has higher priority?
If you map your processes to a workflow, their permission grants are independent of document containers and will continue to work even if these document container apps are remove or disabled, or if new ones are added in the future.
I have a case where it looks difficult - at least for me - to deal with workflow when speaking about permissions.
The example is a sales department with several salesmen. Each one need to have access to the documents relating to his own customers (for example in a regional area), but not to the documents relating to his colleagues’ customers, whereas the head of the department needs access to all documents.
In this case, the documents in question are in a way in the same state in a workflow (as far as I understand the workflow). For example an approved order. But the person who has to deal with it is different from one customer to the other.
How would you handle this quite common study case within Mayan ?
In order to set permissions on documents according to the cabinets they are located in I created the following workflow. Is this the intended way to go? It seems a bit complicated to handle it this way. Is there a more generic way?
The idea:
in the workflow I created a state for every cabinet (Project 1, …)
for each state I created two actions
on entry for assigning the role permission to view documents
on exit for deleting the role permission to view documents
for each state I have two transitions: one from unassigned to cabinet and the way back
automatic trigger for “enter cabinet”
automatic trigger for “leave cabinet”
for each transition I entered a condition to select only the right ones like so: {{ workflow_instance.document.cabinets.filter(label='Projekt1') }}
Note: this is not tested yet since I’m sot sure about the condition above and if this is the correct attempt at all. Is there any better solution to “inherit” permissions from cabinets?