I need help in setting what I want to achieve the right way in Mayan. I addressed this topic already, but not at the right place I guess because it was as answer to another related topic.
The example is a sales department with several salesmen. Each one need to have access to the documents relating to his own customers (for example in a regional area), but not to the documents relating to his colleagues’ customers, whereas the head of the department needs access to all documents.
In this case, the documents in question are in a way in the same state in a workflow (as far as I understand the workflow). For example an approved order. But the person who has to deal with it is different from one customer to the other.
Another similar topic would be the HR documents. Each HR manager is in charged of a group of employees. He needs access to the documents relating to employees he is in charged of, but not documents relating to other employees. The documents per se are of the same types, and even I guess in the same states when dealing with workflows.
How would you handle these typical study cases within Mayan ?
Ideally, access would be granted to a role with a specific metadata value, or label. However, this way seems not possible in Mayan.
I’m evaluating whether to deploy Mayan EDMS for the accounting department of the nonprofit organization I’m working in as an IT guy. They serve about 40 accounting areas, called “mandant”, each of which represents either a branch of our organization or an external customer. Each document, e.g. an incoming invoice, belongs to exactly one mandant, the number of which would become a mandatory metadata field. In a few instances, the mandant of a document can change, e.g. if it had been misidentified during upload, or sent to the wrong email address.
What is a good approach to restrict access of each document to only those accountants who are permitted to see (or find by searching) the documents of this mandant, e.g. by being member of this mandant’s group?
In a file system, or with cabinets capable of inheriting ACLs, this would be easy: create a folder/cabinet for each mandant, restrict access to the corresponding group/role and then move the document into the corresponding folder/cabinet.
But with ACLs only being effective when set on documents, each document needs to be assigned the ACL individually.
I’m sure we are not the only user of Mayan EDMS with this kind of requirement. Is there a good practice to achieve data privacy scaling well to like 40 groups? A high initial setup effort is acceptable, but later additions of a new mandant should need changes in only a few places (e.g. add a group, add users to the group, add a role, add one case with a few lines of code in one central switch statement). If the logic needs slight adjustments (e.g. adding or removing a permission), this should be done in one single place of code/configuration and not require changes in 40 places.
Is there a scriptable action to set ACL “allow document read of this document” to group “mandantNNNN” where NNNN is a variable? This may involve coding the action instead of selecting it in the admin UI. Where can I find documentation of the available commands and where/how to apply them?