One of the ways access rights can be applied to a document or folder is through the document's container. We call this Access Inheritance because the document's access is inherited from its container. There are different types of "containers" in NetDocuments and access inheritance works differently in each one.
Documents can also have their access determined by the profile values assigned to the document. Learn more about Profile-based Security.
A distinction should be made here between "filing" and "profiling". For example, when using the Move/Copy option, the document is being filed (because a location/container is being specified). If simply changing one or more profile values on a document, then it is being profiled. When uploading a new document, if a destination is selected on the import page, then the document is being filed. If no destination workspace or folder is selected on the upload page, but profile values are applied to the document, then it is being profiled.
In all cases where a document can be filed, the document will also inherit the profile values of the destination container. In cases such as this, both access inheritance and profile-based security may come into play.
A distinction should also be made between Share (S) rights and Administer (A) rights. "S" Share rights are required to add a user to a document's access list, but can only be used to add users up to the current user's access rights, and cannot be used to lower another user's rights. "A" Administer rights are required to remove or lower a user's access rights, or to give another user A rights.
See our Access & Security Guide for more information.
When moving a document to a folder, the destination folder's access will replace the document's existing access list. Generally, users need E rights to Move items, unless the item's access will change as a result of the move, then they need S or A rights to move the item, depending on how the document's access will change.
When moving a folder to another folder, no access changes will be applied. Folder access inheritance only applies to documents, not folders.
Folder Access Inheritance can be turned on/off at the cabinet level. If enabled, whenever a document is filed in a folder, its access rights automatically change to match the access rights of the folder.
Learn more about Folder Access Inheritance.
Generally, when re-profiling a document, it will not move to another folder. But, when documents in workspaces are organized by auto-created folders, then a user can re-profile the document to another auto-created folder and the item will be relocated.
Profiling a folder will not move the folder or change the profiles of the folder's existing contents.
When moving a document or folder to a workspace using the Move/Copy option, the workspace's access will replace the existing document or folder's access list.
This means users will need A rights to Move items to a workspace if the access will change as a result of the Move.
Workspace Filing can be turned on/off at the cabinet level. It is generally enabled when workspaces are enabled for a cabinet. If enabled, when a workspace is selected as a filing destination, the document inherits the workspace's profile values and the internal members of the workspace's ACL, but the document isn't actually filed in a folder.
Generally, if users re-profile a document to another workspace, then they only need E rights.
When re-profiling a document to another workspace, the document will retain its access list if the user does not have rights to change it. If PBS is being applied, the user will need A rights to change the profile in cases where PBS would cause a user's access to be removed or elevated to A rights. The PBS change is allowed if the user has S rights and is just adding users with VES rights or less.
When filing or moving a document to a filter, the document will inherit the filter's full access list, but keep the user with VESA rights (if the user who moved it has A rights). Otherwise, the document retains the original access list but it is moved anyway.
Folders cannot be moved or filed into a filter.
When re-profiling a document to another filter, the document will retain its access list if the user does not have rights to change it. If PBS is being applied, the user will need A rights to change the profile in cases where PBS would cause a user's access to be removed or elevated to A rights. The PBS change is allowed if the user has S rights and is just adding users with VES rights or less.
Because a Saved Search is not a container, users cannot file or move items to a Saved Search, so documents will not inherit any access from a Saved Search.
When re-profiling a document to a Saved Search, no access is applied unless PBS has been configured on a profile value that is applied.
Documents in a ShareSpace all share the same access rights. When documents are moved or filed into a ShareSpace, they inherit the ShareSpace's access list.
Documents cannot be profiled to a ShareSpace.