How do I restrict an Internal User to see only one workspace (Matter)?


To restrict an existing Internal User (User A) such that they can only access one or two workspaces, you'll follow these steps.

NOTE: This assumes an "optimistic" or open security model, where most users have access to most documents. Generally, if an Internal User will be accessing only one or two workspaces, it may be easier to remove the Internal User from the repository, and re-add them as an External User. In the rare case that an Internal User cannot be re-added as an External User, follow the steps below. Steps 1 and 2 may differ depending on your security configuration. Learn more about External Users

1) Login to NetDocuments. Select Hi, <your name here>  and then select Admin from the dropdown menu. Once in the Admin Console select Users and Groups from the menu on the left side of the screen.


2) Create a new group for User A. 

Because User A is an Internal User, you will not be able to use the Internal Users group in the cabinet default list (membership list). So, you will also need to create a new group that has all other Internal Users in it, except User A. You will also need to create a separate user group for User A.

User Groups simplify the administration of access controls on documents, folders, CollapSpaces, and cabinets. Each user can belong to one or more user groups. A user must be a member of at least one group to be given access to a Cabinet. 

If the User Group has not already been created you will need to create a new group. You can create a new group by clicking Create Group. To view or to modify a group’s membership, or to delete a group, highlight the group name and click the appropriate button.


3) Now that User A has been assigned to a User Group, that group will then need to be added to the cabinet. Go to the Cabinet Administration page by clicking on the cabinets button at the bottom of the menu. From the cabinets page, select the cabinet that the group should be added to.


On the Cabinet Administration page, scroll down to the section called Cabinet Security. You should see the User Group you just created in the list. 


First, give the "all others" group access to the cabinet, by clicking on the group name and click the Add button to add them to the Cabinet Membership List. Then remove the Internal Users group from the cabinet membership list. 

Next, add User A's group to the cabinet, but give them No Default Access to the cabinet. This means that User A is a member of the cabinet but they do not have access to any folders or documents inside yet. Once that is done, scroll down and click the Submit button. 

4) Now that the users have access at the cabinet level, they will need to be given access at the Profile Attribute level so that any new documents added to the Workspace will get the correct access.  

To do this you will first need to go to the Profile Attributes page in the Repository Admin section, highlight your Workspace Attribute (We will use “Matter” for this tutorial but you may be using a different attribute) and select the row.


Click the Modify Attribute Definition link at the top-left and make sure that the Base Security on this Attribute box is checked and then click OK.    

Locate the Matter that you need to restrict and double-click the row. You will then need to add the access string to the “Matter Access” field. 


The syntax for the Access column is as follows:

[<groupname>|<Access Level>*U:user email address |<Access Level>]    

The Access Level always needs to be in all upper-case.  

Here are some examples of using the access column:




You will want to add User A to the profile access string with whatever rights they need - VE, VESA, etc.  

5) Now that the users have access at the profile level, they will need to be given access to the existing Workspace, folders, and documents that you want them to have access to.

It is best to start with the workspace first. To do this, open up the Workspace and click "Workspace Options” and then choose "Modify Access." This will show you the current Access List of the Workspace, click Modify Access here to add the new group to this list.  


You will need to select User A (or their user group) from the Internal Groups in the drop-down menu on the left. Then you will need to click on the group and click Select.  You can then choose what specific access rights you want them to have; V, VS, VE, VES, or VESA. 

View a list of the various access levels and their rights.


6) The user will now have access to the main Workspace itself and we can move on to give them access to the documents within the Workspace. 

To do this you will need to run a search in NetDocuments for all items in that particular Matter or if you are viewing the Workspace in Summary view, switch to List View and all the documents for that Workspace will appear. When the search results are displayed, click the Search Result Options button and click the Modify Access option.


7) This option will take you to the Mass Access Change dialog that will allow you to modify the access of all documents (up to 10,000) in the search results.  

Modify the access as needed (note the Change Mode option) and click the OK button. This will run in the background and send you an email when it has completed processing.  


8) You may also need to give the Internal User access to any folders or Saved Searches on the workspace. Also, if you are using Workspace Filters in your Workspaces, you will need to open each Filter and modify the access of the Filters as well:


 Workspace filter options:


User A should now have access to only that workspace(s) that you gave them access to and any items added to the Workspace going forward.  

For further information on this topic, please see the following articles: