Security (Access) Features in NetDocuments


There are many ways to configure access rights in NetDocuments. We offer a variety of security features or methods, which are described below. A user's access to a particular document or folder will depend on which combination of features are applied.

Refer to our Security Made Simple document for more information.

Basic Levels of Access

View: A user can View the contents of a document, folder, Saved Search, ShareSpace, etc. either in the application or with the Viewer. The user cannot Edit the document or the Profile. A user who only has View rights to a folder cannot place items into that folder. An External User who has View only rights to a document cannot make a Copy of a document, or Email a copy of a document from NetDocuments (the external user can use the Email Link option to send a link to others who have access to the document unless the Cabinet flag to not allow this has been set by the Cabinet Administrator).

Edit: A user can modify the contents of documents in a Cabinet or ShareSpace. A user can create or modify versions of a document. A user can edit a document's profile including renaming the document or item. A user has to have Edit AND Share to view the History of a ShareSpace. A user can add new documents (but not subfolders) into a folder.

Share: A user can share a document in a Cabinet with other users of the Cabinet. This means that with Share rights you can add other users but cannot remove existing users' access and you cannot give any user more rights than you have. A user can share a ShareSpace with other users (inside or outside of the cabinet). A user has to have Edit and Share rights to a folder to create a subfolder. An External user with Edit and Share rights can see the History of a document. An External User who does NOT have S rights, cannot see the Access List.

Administer: A user can delete a document or a ShareSpace. A user can delete a version of a document. A user can force the check in of a document. A user can remove other users from the Access List of a document or a ShareSpace, change the rights of users already in the Access List and add people to the Access List with full rights (VESA). A user can rename a folder.

No Access: A user cannot see a document or ShareSpace, or folder, etc. when their name is listed as "No Access" in the access list. So one user may see several documents in a folder while another user may see only one or no documents in a specific folder depending on the rights.

No Access Means NO ACCESS

When "No Access" (N) is applied to a user or group, the document is completely invisible to the user(s). Suppose you want to grant rights to a document or ShareSpace™ to the Sales user group. However, there is a new sales associate named Jim Bob who should not be included in the shared list. What is the quickest way to do this?  First add the Sales group to the access list. Next, select Jim Bob from the list of users. Add him to the access list and change his rights to No Access. What you have done is included the Sales group, which originally defined Jim Bob with access, but then added him separately and granted him, individually, No Access. This is called Negative Security.

NOTE: A user will have VESA access to all documents they import, in addition to the cabinet default access. However, if Folder Inheritance is turned on, the document will inherit the access of the folder it is placed in. 

Rights are Cumulative

If you are a member of a User Group that has V rights in a Cabinet, and you are a member of another User Group that has VES rights in the same Cabinet, your actual default access to the Cabinet is VES.  Now suppose that, as a member of the "Sales" user group, Frank has VS rights to the Marketing Cabinet. In addition, as a member of the "Design Committee" user group, he has VE rights to the same Cabinet. Though VE rights are "higher" than VS, Frank does not lose his Share rights to the Marketing Cabinet. Instead, his VE rights are added to his VS rights, giving Frank VES rights to the Marketing Cabinet.

NOTE: There is an exception to the cumulative rights concept. When a user's access level has been set to "No Access" by a document's, the user's default rights as a user group member do not apply to that document. 

Cabinet Default Access

A Cabinet Administrator can define the default level of access that documents receive when they are imported. Also called the Cabinet Membership List, this includes at least one Internal User Group, and could include one or more External user groups.

NOTE: All External groups MUST have "No Default Access" on the cabinet level. External groups are given access on the folder, workspace, and document level. 


Folder Inheritance

A Cabinet Administrator can set documents to inherit the access of the folder they are filed into. In this case, the folder's access will overwrite the cabinet's default level of access. 

Profile-Based Security

A Repository Administrator can restrict access based on a particular profile attribute. This can only be used if you have custom profile attributes enabled for your cabinet. For example, a user group can have its access limited for a specific set of clients, or document types. Learn more about Profile-based Security

Using Auto-Created Containers on Workspaces (Filters, Saved Searches, or Folders)

For your workspaces, the Cabinet Administrator can choose from three types of containers to organize your documents: 

  1. With Filters (marked by a blue icon), access behaves more similar to that of a search than that of a folder. Folder inheritance will not apply to filters.
  2. With Saved Searches (marked by a red icon), items receive the access of the workspace they are filed in. It can also be common for profile-based security to be a factor, because a search can reach across containers. For example, a user may have View-only rights to any documents of a particular document type, but can still have full access to all other documents that display in that search.
  3. With Folders (marked by a yellow icon), one must consider folder inheritance as well as profile-based security. 

Depending on which container is involved, access rights may vary. A Cabinet setting is also available that when a workspace is selected as a filing location, the document inherits the workspace's profile values, and the internal members of the workspace's access list.

Saved Search (or Filter) Security Basics

When you save a search criteria as a Saved Search, the same rights that can be applied to a document can be applied to the Saved Search. A Saved Search's access list deals with the ability to view, edit, and delete, etc. the Saved Search – not necessarily the documents that may appear in that search. You may always manually modify the access list and restrict its access further if you choose.  

The same concepts apply to a workspace – having access to a workspace means you can view or edit the workspace itself – not the documents that may appear under a workspace.  

E-mail Management Service (EMS)

With EMS Folders, emails imported to NetDocuments will receive the Cabinet Default access with the creator of the document listed with VESA rights.

With EMS Profiler, a user has the option of choosing between Standard and Private access when importing emails. 'Standard' will give the Cabinet Default access as well as VESA access for the creator. 'Private' access will give only the creator VESA access.

'Standard' will be overridden by any profile-based security that is enabled. 

Emailing to a Folder Email Address

Documents forwarded from an Email system to a folder email address will inherit both the profile values and the security of that folder. The security will default to the folder security regardless of whether the option is set at the Cabinet level for documents to inherit the Access of the folder.