Workspace Security Manager


Table of Contents


Workspace Security Manager (WSM) simplifies security management by creating policies that contain users and groups with assigned permissions, and controls for locking the permissions to create walls, and for sharing confidential data.

To access the Workspace Security Manager page, go to Admin Console > Security Center.
Note: If Workspace Security Manager is not able to be clicked on, you are not yet a member of an appropriate WSM Enabled security group which are applied per cabinet. See the steps below for creating that or speak to your repository administrator.

To access WSM with user rights:

  1. On the Home page, select the Hi, <username> dropdown menu, and then select Admin.


  1. Select WSMRepositoryThree Repository.
  2. Select Manage WSM Policies.


WSM policies are created, managed, and applied at the Cabinet level. A policy can be applied to many workspaces within a cabinet but a workspace and its contents may only have a single policy applied to them.

When a WSM policy is applied, the permissions in the policy are published to all containers and content items within the workspaces to which the policy is applied.

Note: If the workspace contains tens of thousands of objects, this will take some time to complete.

If the control has been set to lock these permissions to create a wall, then these permissions cannot be canceled by other NetDocuments governance mechanisms. In that case, they must be managed by editing the permissions granted by the policy.

Understanding WSM security:

  • WSM policies apply permissions by overwriting existing permissions (removing and replacing), including permissions put in place by:
    • Folder inheritance
    • Filing to workspace or folder
    • Link to Author
    • Profile-based Security
  • WSM includes an inheritance mechanism, if you move or copy a content item to a Workspace that is governed by a WSM policy, the content item will inherit the permissions put in place by the policy
  • If a Wall control is set in the policy, and locking the permissions is applied by the policy, then no other NetDocuments method can change the Access Control List on items in the Workspaces to which the policy is applied
  • The permissions applied by a WSM policy will override those applied by the user via NetDocuments client software:
    • ndOffice Save as Private — the user will receive a warning message and if the document is saved into a workspace where a WSM policy is applied, then the permissions from the policy are applied to the document
    • ndMail Save as Recipient — the user will receive a warning message and if the email is saved into a workspace where a WSM policy is applied, then the permissions from the policy are applied to the document

WSM Policy Manager Groups

The ability to create, edit, and manage WSM policies can be delegated to those who best suit that role. This can be achieved by creating a single Group for the WSM Policy Managers or by creating a different Policy Manager group per cabinet. The ability to manage WSM policies is one of the options available when creating a group:


When you add a user to the group for which the WSM Policy management is enabled, the user account is automatically modified to give them the Membership Admin capability to apply new permissions:


WSM Admin Page

The WSM Admin page has two tabs: the Policies tab and the Workspaces tab.

The Policies tab is used for creating, editing, and managing policies.

The Workspaces tab is used for finding and applying an existing policy to one or more workspaces. Before you start work with either tab, use the drop-down menu in the upper-right corner to select a cabinet.


To enable more cabinets in the drop-down menu:

  1. Go to the Navigation pane, and then select Cabinets.
  2. Select any cabinet you want to enable.
  3. In the Cabinet Security section, select the All groups option, and then select Add next to the needed group.
  1. Specify the access level, and then select Apply.


5. Go to the bottom of the page, and save your changes.


Now, you can see this cabinet on the Workspace Security Manager page.

The Policies Tab

On the Policies tab, you can see a scrollable list of the existing policies with applied workspaces.

Using the search box, you can find any policy.


Create a Policy

To create a new WSM policy, select the Create Policy button, and a corresponding window appears.


Details Tab

  • Policy Name: Give your policy a suitable unique descriptive name
  • Description: Provide a description to help other WSM policy managers understand the potential for applying this policy to the workspaces
  • Settings:
      • Toggle the Send an effective rights report by email option if you wish to receive an email with the effective rights report, detailing the permissions, and controls set by this policy
      • Toggle the Allow need to know collaboration via CollabSpaces option on if you wish to add CollabSpaces to the Workspaces where this policy is applied. Leave toggle off if you do not want to allow need to know sharing via CollabSpaces.
      • Toggle the Set the policy as a Wall option to lock the permissions and prevent them from being changed by Profile-Based Security or other permission inheritance methods.

Access Tab

On the Access tab, use the search box to find individual users and groups and add them to your policy. You can use filtering to narrow the search to users, or groups, internal or external.


Note: In accordance with good practice the default is to search for groups, and the User box is clear by default.

If you wish to add individual users to a policy, use the filters and select the User checkbox to include individual users in your search.

To change user rights, select a check box next to a user name, select Rights and choose the option from the drop-down list.

To apply the same access to each member, select the Selected Users and Groups checkbox, and then select Rights and choose the option from the drop-down list.


When you add users and groups, you can assign permissions to them using the standard VESA security model. This includes the No Access permission which is used if creating exclusionary Walls (applying Set the policy as a Wall option that locks permissions).

Edit an Existing Policy

Select the existing policy, and the information pane for the policy will appear. The information pane has 3 tabs: Details, Access, and History that allow you to examine the controls set in the policy, the permissions assigned, and the history of changes made to that policy.

Select the Edit button to change the data on the Details or Access tabs.

On the Access tab, you can add or remove a user or group, and change rights.


When you are in the edit mode for the existing policy, the APPLIED tab appears. This allows you to check which workspaces this policy has been applied to before making any changes to the controls and permissions:


Select the Save button after making your changes. Before saving, you may use the Cancel button at any point to discard any changes.

On the History tab, you can see all the changes made to the policy. That tab provides the ability to download a .csv file of the history for audit or other governance purposes:


To delete one or more policies, select the Delete button, which is used in conjunction with the multi-select check boxes.

When you want to delete a policy, you will receive a notification, where you can download the history.


The Workspaces Tab

As WSM is applied at the Cabinet level, when you select the Cabinet to work with, the Workspaces tab will be configured to search by the organizing attribute or attribute pairs (parent-child) used within that Cabinet.

If you do not have any workspaces, the following message appears.


Use the search box to find the workspaces with applied attributes.

Select the Begin with option or Contain option to enter either the beginning or the containing value of the name.


Workspaces that meet the search criteria appear in a scrollable list on the main part of the page. If the workspace already has a WSM Policy applied, you can see it in the list.

You can also sort any column in ascending or descending order by selecting an arrow next to the column name.


To assign a workspace to a policy, select one or more check boxes next to the workspace name, and then, on the right side of the page, select the Manage Policies link:


After you select the Manage Policy link, the assignment pane will appear from the right side of the page:


The assignment pane provides a scrollable list of existing WSM policies that can be applied to this workspace. The search box allows you to search for a policy. If you cannot find an existing policy you wish to apply, select the Create Policy button to create a new policy. See Create a Policy.

When you hover over a row with WSM policies, the row will be highlighted and an Apply link will appear so that you can immediately apply the appropriate existing policy to this workspace.


Select the policy name to view the details of the policy before applying it to the workspace.

If control settings and assigned permissions of this policy are appropriate, select the Apply button to apply it to the workspace, or select the Cancel button to return to the previous page.

After you have applied the policy, you can see the changes:

  • on the Workspaces tab


  • on the Policies tab


  • on the Applied tab, when you are editing the policy


If you apply the same policy to multiple workspaces, on the Policies tab, the number will indicate that there are more workspaces applied, for example (+2).


If you want to delete a policy from the workspace, you do not necessarily need to apply a new policy:

  1. You can just go to the Applied tab
  2. Select Remove
  3. Select Save


Now, the connection between the workspace and policy is removed.

Note: When a policy is removed from a workspace, or a policy is deleted, the permissions assigned via the policy remain in place until they are changed by another mechanism.

Bulk Application of a Policy to Many Workspaces

To apply WSM policies to many workspaces at a time, it is possible to upload a list of workspaces in CSV format with WSM policy identifiers.

The .csv file will use the format of the workspace Parent, workspace Child (if appropriate), and Policy name:


To Bulk Apply Policies:

  1. On the right side of the page, select Bulk Apply Policies.
  2. Select the .csv file, and you will get the message Bulk policies apply operation successfully queued for X cabinet.
  3. You will receive an email confirming that the bulk policies apply operation was completed.

For more information, see this file.