Giving Clients (External Users) access to a Workspace


To grant access to External Users (such as a client) to items inside NetDocuments, you will first need to add the users to your NetDocuments Repository. 

You must be a Repository Administrator or a Member Administrator to add a new user.  To add a new user:

1) Go to the "Admin" link at the top right next to "Settings."


2) Go to the second menu option titled "Add and Remove Users and Groups." 

3) Enter the new user's email address in the space at the top. 


If the person is a currently registered NetDocuments user, you will receive a message that the person already exists and it will ask you if you want to add them to your repository. If they have not been registered previously, you will be asked to create an account for them by entering some general information such as the full name of the person and assign the person a login Username.  We recommend that you make the username the full email address of the person. 

4) Make sure you set them as an External User. The person will then be sent a notification by e-mail with the Login Username and a link so they can enter their password and login.

5) Once the new user has been added as an External user they will then need to be added to a User Group in the repository that is designated as an external group.

User Groups simplify the administration of access controls on documents, folders, Sharespaces, and cabinets. Each user can belong to one or more user groups. A user must be a member of at least one group to be given access to a Cabinet. 

If the User Group has not already been created you will need to create a new group.  You can create a new group by clicking Create Group.  To view or to modify a group’s membership, or to delete a group, highlight the group name and click the appropriate button.


6) Now that the user or users have been added to the Repository and are assigned to a User Group, that group will then need to be added to the Cabinet. 

NOTE: In some cases, firms may choose to create a separate cabinet as an extranet to be used solely for external user access. 

Go to the Cabinet Administration page by clicking on the Cabinet name at the bottom of the Repository Admin page:


On the Cabinet Administration page, scroll down to the section called “Cabinet Security”.  You should see the User Group you just created when selecting to "display all groups". 


7) Give the User Group access to the cabinet. Find the group, then click the “Add” button to add them to the Cabinet Membership List.  External groups will automatically be given No Default Access to the Cabinet.  This means they are members of the cabinet but they do not have access to any folders or documents inside yet.  Once that is done, scroll down and click the Submit button. 

NOTE: If you are using workspaces, we highly recommend giving all External User groups 'No Default Access'. If you do not use workspaces, skip to Step #9 and stop there. Steps #8 and #10-12 only apply to workspaces. 

8) Now that the users have access at the Cabinet level, they will need to be given access at the Profile Attribute level so that any new documents added to the Workspace will get the correct access.  To do this you will first need to go to the “Define Profile Attributes” page in the Repository Admin section, highlight your Workspace Attribute (We will use “Matter” for this tutorial but you may be using a different attribute) and click the “Edit” button. 


Click the “Modify Attribute Definition” link at the top-left and make sure that the “Base Security on this Attribute” box is checked and click OK.    

Locate the Matter that you need to restrict and double-click the row.  You will then need to add the access string to the “Matter Access” field. 


The syntax for the Access column is as follows:

[<groupname>|<Access Level>*U:user email address |<Access Level>]    

The Access Level always needs to be in all upper-case.  

Here are some examples of using the access column:





Things to remember when using Profile-based security:

"No Access" Rights - When you give a user or group "No Access" rights for a document or a folder, using the Profile-based security, the No Access will trump any other rights they may have been given.

Absolute Rights - When using Profile-based security as described above, it is "additive" to the cabinet default or whatever the security is currently set to.  You can also use an absolute security model, which will change the current access of the items and replace it with the new absolute security.  For each row in your table where you want to use absolute security, precede it with an exclamation mark as follows:


The exclamation mark will affect the entire entry, not just the entry with the exclamation mark.

In this example, any documents added to this Matter will receive the access specified in the “Matter Access” column.

9) Now that the users have access at the profile level, they will need to be given access to the existing Workspace (or folder) and documents that you want them to have access to.  It is best to start with the workspace first. To do this, open up the Workspace and click "Workspace Options” and then choose "Modify Access". This will show you the current Access List of the Workspace, click Modify Access here to add the new group to this list.  


You will need to select External Groups in the drop-down menu on the left.  Then you will need to click on the new group and click Select.  You can then choose what specific access rights you want them to have; V, VS, VE, VES, or VESA. 

View a list of the various access levels and their rights.

10) The users will now have access to the main Workspace itself and we can move on to give them access to the documents within the Workspace.  To do this you will need to run a search in NetDocuments for all items in that particular Matter or if you are viewing the Workspace in Summary view, switch to List View and all the documents for that Workspace will appear.  When the search results are displayed, click the “Search Result Options” button and click the “Modify Access” option.


11) This option will take you to the Mass Access Change dialog that will allow you to modify the access of all documents (up to 10,000) in the search results. Modify the access as needed (note the “Change Mode” option) and click the OK button. This will run in the background and send you an email when it has completed processing.  


12) You may also need to give the External User access to any folders or Saved Searches on the workspace. Also, if you are using Workspace Filters in your Workspaces, you will need to open each Filter and modify the access of the Filters as well:


Any container (Folder, Filter, Saved Search) created on a Workspace will inherit the ACL of the Workspace, MINUS any External entities so if a new container is created and you need the External user/group to have access to it, you would need to manually change the ACL of that cointainer. 

NOTE: If you are a cabinet administrator, you can search for filters by using the search criteria =11( ndflt ). This will allow you to change the access on a group of filters all at once. Otherwise, they will need to have their access modified individually. 


The External Users should now have access to all items currently in the Workspace and any items added to the Workspace going forward. 

NOTE: You may also want to hide your lookup table from External Users.  This can be done by going to "Admin > Define Profile Attributes", selecting your attribute and clicking Edit.  Then you can click "Modify Attribute Definition" at the top-left and check the box to hide the lookup table from External Users.

Logging In

If an external user is added to a cabinet, when that user logs in...

If they do not have access to any folder or workspace, they will be taken to the cabinet's Home page.

If they have access to only one workspace, they will go directly to that workspace.

If they have access to more than one workspace or more than one cabinet, they will go to their Home Page, just as an Internal User would. Those workspaces will automatically be Favorited for the user, and will be added to their Home Page.