From time to time, you may be required to hide a workspace from an Internal User (usually for the purposes of an ethical wall) but the user may still need access to most other workspaces.
This can be done for one user and one workspace, one user and several workspaces, or several users and several workspaces. The steps below can be repeated for any number of users and workspaces.
To restrict an Internal User's access to a workspace:
1) First, the user's access will need to be removed at the Profile Attribute level so that any new documents added to the Workspace (or profiled to the Matter) will get the correct access.
To do this you will need to go to the “Define Profile Attributes” page in the Repository Administration section.
Highlight your Workspace Attribute (we will use “Matter” for this tutorial but you may be using a different attribute).
Click the “Edit” button:
Click the “Modify Attribute Definition” link at the top-left.
Make sure that the “Base Security on this Attribute” box is checked, then click OK.
In your Matter table, locate the Matter that you need to restrict and double-click the row. You will then need to add the profile-based security string to the “Matter Access” field:
The syntax for the Access column is as follows:
[<groupname>|<Access Level>*U:user email address |<Access Level>]
The Access Level always needs to be in all upper-case.
To remove a user's access, use N for No Access:
Here are some examples of using the access column:
Things to remember when using Profile-based security:
"No Access" Rights - When you give a user or group "No Access" rights for a document or a folder, using the Profile-based security, the No Access will override any other rights they may have been given.
Absolute Rights - When using Profile-based security as described above, it is "additive" to the cabinet default or whatever the security is currently set to. You can also use an absolute security model, which will change the current access of the items and replace it with the new absolute security. For each row in your table where you want to use absolute security, precede it with an exclamation mark as follows: !Finance|VES*Legal|V*U:firstname.lastname@example.org|VES. The exclamation mark will affect the entire entry, not just the entry with the exclamation mark.
Once you have added the Access information to the “Edit Matter” dialog, click “Save” to save your changes and close the dialog.
From now on any documents added to this Matter will receive the access specified in the “Matter Access” column.
2) Now that the user's access has been removed at the profile level, they will need to be removed from the existing Workspace.
To do this, open up the Workspace and click "Workspace Options” and then choose "Modify Access." This will show you the current Access List of the Workspace, click Modify Access here to change the access list.
You will need to select the User and/or any User Group they are in from the drop-down menu on the left. Move the user or user group to the right, and select No Access. This will override any access the user has to that workspace.
NOTE: You do not simply want to remove the user from the list, because they may have access to workspace through another group, such as the Internal Users group.
3) The user will now no longer have access to the main Workspace itself but we must remove their access to the documents within the Workspace.
To do this you will need to run a search in NetDocuments for all items in that particular Matter or if you are viewing the Workspace in Summary view, switch to List View and all the documents for that Workspace will appear. When the search results are displayed, click the “Search Result Options” button and click the “Modify Access” option.
4) This option will take you to the Mass Access Change dialog that will allow you to modify the access of all documents (up to 10,000) in the search results.
Modify the access in the same manner as above (note the “Change Mode” option) and click the OK button. This will run in the background and send you an email when it has completed processing.
5) You may also need to remove their access to any folders or Saved Searches on the workspace. Also, if you are using Workspace Filters in your workspaces, you will need to open each filter and modify the access of the filters as well:
NOTE: If you are a cabinet administrator, you can search for filters by using the search criteria =11(ndflt). This will allow you to change the access on a group of filters all at once. Otherwise, they will need to have their access modified individually.
The Internal User should now have No Access to all items currently in the Workspace and any items added to the Workspace going forward.
For further information on this topic, please see the following articles: