How do I restrict an Internal User to see only one workspace (Matter)?



To restrict an existing Internal User (User A) such that they can only access one or two workspaces, you'll follow these steps.

NOTE: Generally, if an Internal User will be accessing only one or two workspaces, it may be easier to remove the Internal User from the repository, and re-add them as an External User. In the rare case that an Internal User cannot be re-added as an External User, follow the steps below. Steps 1 and 2 may differ depending on your security configuration. Learn more about External Users

1) Go to the Admin link at the top right and then click the second menu option titled "Add and Remove Users and Groups." 


2) Create a new group for User A. 

Because User A is an Internal User, you will not be able to use the Internal Users group in the cabinet default list (membership list). So, you will need to create a new group that has all other Internal Users in it, except User A. You will also need to create a separate user group for User A.

User Groups simplify the administration of access controls on documents, folders, Sharespaces, and cabinets. Each user can belong to one or more user groups. A user must be a member of at least one group to be given access to a Cabinet. 

If the User Group has not already been created you will need to create a new group. You can create a new group by entering the name and clicking Create Group. To view or to modify a group’s membership, or to delete a group, highlight the group name and click the appropriate button.


3) Now that User A has been assigned to a User Group, that group will then need to be added to the Cabinet. Go to the Cabinet Admin page by clicking on the Cabinet name at the bottom of the Repository Admin page:


On the Cabinet Administration page, scroll down to the section called “Cabinet Security.” You should see the User Group you just created in the list on the left. 


First, give the "all others" group access to the cabinet, by clicking on the group name and click the “Add” button to add them to the Cabinet Membership List. Then remove the Internal Users group from the cabinet membership list. 

Next, add User A's group to the cabinet, but give them No Default Access to the cabinet. This means that User A is a member of the cabinet but they do not have access to any folders or documents inside yet. Once that is done, scroll down and click the Submit button. 

4) Now that the users have access at the Cabinet level, they will need to be given access at the Profile Attribute level so that any new documents added to the Workspace will get the correct access.  

To do this you will first need to go to the “Define Profile Attributes” page in the Repository Admin section, highlight your Workspace Attribute (We will use “Matter” for this tutorial but you may be using a different attribute) and click the “Edit” button. 


Click the “Modify Attribute Definition” link at the top-left and make sure that the “Base Security on this Attribute” box is checked and then click OK.    

Locate the Matter that you need to restrict and double-click the row. You will then need to add the access string to the “Matter Access” field. 


The syntax for the Access column is as follows:

[<groupname>|<Access Level>*U:user email address |<Access Level>]    

The Access Level always needs to be in all upper-case.  

Here are some examples of using the access column:




You will want to add User A to the profile access string with whatever rights they need - VE, VESA, etc.  

5) Now that the users have access at the profile level, they will need to be given access to the existing Workspace, folders, and documents that you want them to have access to.

It is best to start with the workspace first. To do this, open up the Workspace and click "Workspace Options” and then choose "Modify Access." This will show you the current Access List of the Workspace, click Modify Access here to add the new group to this list.  


You will need to select User A (or their user group) from the Internal Groups in the drop-down menu on the left. Then you will need to click on the group and click Select.  You can then choose what specific access rights you want them to have; V, VS, VE, VES, or VESA. 

Here is a list of the various access levels and their rights:


A user can:

View the contents of a document, folder, Saved Search, discussion, workspace, etc. in a cabinet or ShareSpace either in the application or with the Viewer.

A user cannot:

Edit a document or its Profile.

Place items into a folder that they have only V rights to. 

Make a Copy of a document, or Email a copy of a document from NetDocuments (the external user can use the Email Link option to send a link to others who have access to the document unless the Cabinet flag to not allow this has been set by the Cabinet Administrator).


A user can:

Modify the contents of documents in a cabinet or ShareSpace.

Create or modify versions of a document.

Edit a document's profile.

Rename a document.

View the History of a document.

Add new documents (not subfolders) into a folder.


A user can:

Share a document in a Cabinet with other users of the cabinet. This means that with Share rights you can add other users but cannot remove existing users' access and you cannot give any user more rights than you have.

Share a ShareSpace with other users (inside or outside of the cabinet). This means that with Share rights you can add other users but cannot remove existing users' access and you cannot give any user more rights than you have.

A user has to have Edit AND Share to view the History of a ShareSpace.

A user has to have Edit and Share rights to a folder to create a subfolder in that folder.

See the Access Lists.


A user can:

Delete a document or a ShareSpace.

Delete a version of a document.

Force the check in a document.

Remove other users from the Access List of a document or a ShareSpace, change the rights of users already in the Access List and add people to the Access List with full rights (VESA).

Rename a folder.

6) The user will now have access to the main Workspace itself and we can move on to give them access to the documents within the Workspace. 

To do this you will need to run a search in NetDocuments for all items in that particular Matter or if you are viewing the Workspace in Summary view, switch to List View and all the documents for that Workspace will appear. When the search results are displayed, click the “Search Result Options” button and click the “Modify Access” option.


7) This option will take you to the Mass Access Change dialog that will allow you to modify the access of all documents (up to 10,000) in the search results.  

Modify the access as needed (note the “Change Mode” option) and click the OK button. This will run in the background and send you an email when it has completed processing.  


8) You may also need to give the Internal User access to any folders or Saved Searches on the workspace. Also, if you are using Workspace Filters in your Workspaces, you will need to open each Filter and modify the access of the Filters as well:




User A should now have access to only that workspace(s) that you gave them access to and any items added to the Workspace going forward.  

For further information on this topic, please see the following articles:

Back to Top

Was this article helpful?
0 out of 0 found this helpful


Have more questions? Submit a request
Powered by Zendesk