Document Access

The document access is the means by which access is granted to users for using documents in IFS Document Management. The primary use of it is to control the access to the files connected to the documents but it also controls for example edit access to some of the attributes on the document record itself.

Access Levels

There are three different access levels for a document revision, from the "lowest" to the "highest" access. They are:

• View Access – Enables a person or group to view or print a document file. Operations like Send by E-mail andCopy File To are granted through this access level.
• Edit Access – Adding to what view access alreay allows, edit access gives a person or group the rights to edit and check in a document file and change the document attributes. Someone with edit access can also completely delete the document file (but not the complete document revision).
• Admin Access – Gives a person or group the administrator access rights. This includes edit access as well as the rights to change the status of documents, delete document revisions, add approval steps, and change the access rights for other persons and groups.

The operations allowed for each access level are listed below.

Possible Operations/Access	View	Edit	Administrator
View	X	X	X
Edit		X	X
Check In		X	X
Print	X	X	X
Undo Check Out		X	X
Status Changes			X
Create New Revision		X	X
Create New Sheet		X	X
Delete Document File		X	X
Delete Document			X
Set As Template	X	X	X
Document Distribution	X	X	X
Define Approval Routing			X
Define Document Access			X

Access is defined per document revision for persons, groups and objects and each access line can be enabled and disabled when necessary. The ability to disable access lines is convenient during the development of the document, before it is released. In this way, the access template can include persons that has no access during the preliminary stage, by having the Enabled option cleared. When the document is later released the disabled access lines can be enabled, opening up the access to a wider audience.

The value asterisk (*) in the Person ID field will give access to the revision to all persons not otherwise given access through a person ID, group ID or an object.

Access to Document's General Information

General access to a document can be divided into two groups:

• Access to a document - settings described in the Access Levels section above.
• Access to information that a document exists - the ability to see the document and its general information (visible in, e.g., the Document Revision window).

Restricted Access

If other persons should not be aware that a document exists in the system, it can be protected via the Restricted Access option. If this option is enabled, it will hide the document from everyone who does not have at least View Access to that particular document revision.

This property is set in the document title. Any user with administrator access to any document revision of a given document title should be able to change the Restricted Access option.

Priority of Defined Access, Per Source of Access

The highest priority is given to person access, over the group access and object access. For example, if a person ID is defined and given view access and the same person belongs to a group which has edit access, he or she will only get view access.

Since person access has the highest priority, you can also use this when denying someone access. If you want to make sure that someone does not get access to a document revision you can add a person access record for that person and then clear the View Access, Edit Access and Admin Access options, but make sure that the record is enabled. Even if this person gets access to the document revision through a group or object, the person access record will have the highest priority and the result will be that the person will not have access to the document revision.

The group access and object access are equal in priority. If a user gets access from groups and objects, then the user receives the maximum access level of them all. For example, if user gets view access from a group and edit access from an object, he or she will get edit access to the document. Also, if user gets edit access from a group and view access from an object, then he or she will still get edit access.

When the person ID is given as *, the lowest priority is given to the persons represented by it, which is all persons that has not got access granted through a person ID, group or object.

Object Controlled Access

Description

Object controlled access is a concept where another business object can affect the access on a certain document. The functionality is generic in the way that, in theory (please read on below for details), any kind of business object in the system can be configured to control the document access, as long as there is a database method that can be called on the object's main API that is developed for the purpose of returning the access level for the connected document. IFS Cloud comes with some predefined configuration if certain components are installed, for projects, invoicing and the B2B contracting workflow. To let other objects control the access, a small customization has to be done for each type of object, such that there is a method that can be called to get the access. The rest can be done through configuration.

How it works

The concept works like this: when the necessary configuration is in place, and when a document is connected to a certain kind of object, a new access line will be added to the document's access definition. If the user making the connection is an administrator of the connected document, the initial access level on the new access line will be given by the configuration in Document Basic/Default Object Access Levels. If the user is not an administrator of the document, then no access will be given through the new access line that is added (all Enable optiona are cleared). An administrator of the document can later update these levels on the document itself, making the access higher or lower or clearing it completely. The document might have other access definition lines however, that grants access to persons or groups of persons.

When an object that controls the document access is disconnected from the document, the object access line will be removed from the document's access definition. This will also happen if the object type's possibility to control the access is disabled or removed from Document Basic/Object Types for Access Control.

This means that object access lines cannot be manually added to or deleted from the Document Revision/Access/Definition tab. They are inserted and deleted automatically by the system. They can however be updated in the sense that the access levels themselves, on each access line, can be modified by an administrator of the document.

Actual access given from an object

The maximum available document access derived from the object, for a certain document, will be set from the Definition tab. This means that, regardless of what level the object tries to grant the document, from the defined API method, the access level set on the access line on the document will set the maximum limit. For example, if the access granted from the object side is Admin, but the object access line on the document only has View selected, the resulting access from that line will never be higher than View. If the object access line on the document is instead set to grant Admin access, the object can grant this too, if needed. However, if the object does not grant as high access as the access line defines, the user will only get as high access as the object grants. This way, the document administrator always have control over the access, since he can control the access definition.

The following table shows the actual, resulting access for the user, given the access that the object grants (via the API method defined in basic data) and the access defined on the access line itself:

	View Access (from Object)	Edit Access (from Object)	Admin Access (from Object)
View Access (from access line)	View Access	View Access	View Access
Edit Access (from access line)	View Access	Edit Access	Edit Access
Admin Access (from access line)	View Access	Edit Access	Admin Access

Access granted through more than one object

If a person only receives his or her access through two different objects, then he or she will get the maximum defined access from those objects. For example, if the person has view access through one object and administrator access through the other, the person will receive administrator access to the document.

Standard Object Types Available for Access Control

When installing IFS Document Management, if certain components are available, they will be able to control document access. Here is a list of the objects that can control the access in the standard installation (more can be created through a customization):

• Projects (object types Project, SubProject and Activity) - To control document access through the project a document is connected to, for the members of the project. To define what access each member/team should be granted, for each level in the project, go to Project Info / Project Access / Access Definition
• Work Orders (object type WorkOrder) - Used in the B2B Contracting workflow, where a contractor must be able to access documents connected to a work order he is working on.
• Quotations (object types QuotationLineNopartOrd and QuotationLinePartOrd) - Used in the B2B Contracting workflow. During the quotation phase the contractor can view, add or remove documents.
• Invoices (object types IncomingInvoice and ManSuppInvoice) - The access to the invoice document file connected to the actual invoice in IFS Finance is controlled by the invoice object. The access to the invoice document is based on who has access to the invoice in Finance but also includes rules that can grant a manager access to his employees invoices.
• Human Resources - when setting up document access, if you attach a document to an LU under HR Access Protection, then a record will be automatically generated for the object connection. The record will grant access to users who have proper organizational access. As a result, a person can see only documents of employees to whom they have access.
  The object connection line is generated if a document is attached through a selected set of Logical Units listed below:
  • Organization - Company Person, DisciplinaryAndGrievance, DiscGrievAction, DiscGrievParticipants, EmpAdditionalPay, EmpEmployedTime, EmpJobAssign, EmployeeSalary
  • Career and succession planning - EmpCareerCounseling, EmpCareerPath, EmpCareerPlan, EmpCareerPotentiality, EmpDevelopmentPlan, EmployeeObjective, EmployeeActivity, Emp Performance Appraisal
  • Training and development - CounselingPlan, EducationScholarship, JobRotation, SpecialAssignment, TrainingDevelopment
  • Training Administration - EmpTrainingHistory
  • Time and attendance - Absence plan, Absence request, Absence registration
  •  Strategic HR base - EmpStrength, EmpAreaOfInterest, EmpWeakness, Employee competency
  •  Travel Expense - TravelRequestOption, TravelOptionDetail, ExpenseHeader
  •  Schedules and rules - WorkSchedAssign
  •  Employee Payment - Emp Payment Trans
  •  Benefit - Employee Benefit Plan

Note: Access through these predefined objects can be disabled and enabled but it is not recommended. You should not edit the API or method on these lines since that will result in unsupported behavior.

Enable/Disable Access Lines

The enabled setting makes it possible to prepare a document by adding access lines and enabling them when releasing the document. When releasing more than one document at once, access can be kept on each document as it is, all enabled lines can be disabled, or you can choose to edit access.

Roles and Access Rights

When working with documents, users are given roles which determine their document access levels. Some of those roles are described below.

• Document Management Administrator – The document management administrator will always have administrator access to all documents. This access level is a system privilege that can be granted to users. The document management administrator can check in/check out any document and also unreserve any document checked out by any user.
• Document Responsible Person – The document responsible person will always have administrator access to the revision. There can only be one responsible person at a time. The document revision creator is automatically set as the responsible person, but this value can be changed afterwards.
• Document Revision Creator – This is the person who creates the revision. This value is automatically set by the system, together with the date created. These values cannot be changed. The document revision creator will automatically be set as the document responsible person as well. It is possible to remove all access rights from the document revision creator.

Access for Creating Documents

Access to create documents of a certain class can be granted to a person by creating records in the Persons and Groups tab in the Document Class Management form. By default, if there are no records in this form, all persons can create documents of that class. As soon as there are records in this form, the person needs to have a record defined or needs to be part of one of the groups defined.

If a certain person is not granted access for a particular class, the class will not be displayed in the list of values of the Document Class field in the Create Document Assistant, Create Documents assistant and Attachment panel's Create New Document assistant. If the document class is manually entered, an error will be displayed mentioning that the person does not have access to create a document of that class.

All the other forms other than the mentioned ones will list all the document classes (including the ones that the user does not have access to) in order to support the search functionality.

Pages

Default Object Access Levels
Document Access Template
Document Details
Document Overview
Document Revision
Document Revisions
My Documents In Progress
Object Types for Access Control

Activity Diagrams

Set Document Access