Document access is the means by which users are granted access to documents in IFS Document Management. Its primary use is to control access to the files connected to the documents, but it also controls, for example, edit access to some of the attributes on the document record itself.
There are three different access levels for a document revision, from the "lowest" to the "highest" access. They are:
The operations allowed for each access level are listed below.
|Undo Check Out||X||X|
|Create New Revision||X||X|
|Create New Sheet||X||X|
|Delete Document File||X||X|
|Set As Template||X||X||X|
|Define Approval Routing||X|
|Define Document Access||X|
Access is defined per document revision for persons, groups and objects, and each access line can be enabled and disabled when necessary. The ability to disable access lines is convenient during the development of the document, before it is released. In this way, the access template can include persons who have no access during the preliminary stage, by having the Enabled option cleared. When the document is later released, the disabled access lines can be enabled, opening up the access to a wider audience.
The value asterisk (*) in the Person ID field will give access to the revision to all persons not otherwise given access through a person ID, group ID or an object.
General access to a document can be divided into two groups:
If other persons should not be aware that a document exists in the system, it can be protected via the Restricted Access option. If this option is enabled, it will hide the document from everyone who does not have at least View Access to that particular document revision.
This property is set in the document title. Any user with administrator access to any document revision of a given document title should be able to change the Restricted Access option.
The highest priority is given to person access, over the group access and object access. For example, if a person ID is defined and given view access and the same person belongs to a group which has edit access, he or she will only get view access.
Since person access has the highest priority, you can also use this when denying someone access. If you want to make sure that someone does not get access to a document revision you can add a person access record for that person and then clear the View Access, Edit Access and Admin Access options, but make sure that the record is enabled. Even if this person gets access to the document revision through a group or object, the person access record will have the highest priority and the result will be that the person will not have access to the document revision.
The group access and object access are equal in priority. If a user gets access from groups and objects, then the user receives the maximum access level of them all. For example, if a user gets view access from a group and edit access from an object, he or she will get edit access to the document. Also, if a user gets edit access from a group and view access from an object, then he or she will still get edit access.
When the person ID is given as *, the lowest priority is given to the persons represented by it, which is all persons who have not been granted access through a person ID, group or object.
Object controlled access is a concept where another business object can affect the access on a certain document. The functionality is generic in the way that, in theory (please read on below for details), any kind of business object in the system can be configured to control the document access, as long as there is a database method that can be called on the object's main API that is developed for the purpose of returning the access level for the connected document. IFS Cloud comes with some predefined configuration if certain components are installed, for projects, invoicing and the B2B contracting workflow. To let other objects control the access, a small customization has to be done for each type of object, such that there is a method that can be called to get the access. The rest can be done through configuration.
The concept works like this: when the necessary configuration is in place, and when a document is connected to a certain kind of object, a new access line will be added to the document's access definition. If the user making the connection is an administrator of the connected document, the initial access level on the new access line will be given by the configuration in Document Basic/Default Object Access Levels. If the user is not an administrator of the document, then no access will be given through the new access line that is added (all Enable options are cleared). An administrator of the document can later update these levels on the document itself, making the access higher or lower or clearing it completely. The document might, however, have other access definition lines that grant access to persons or groups of persons.
When an object that controls the document access is disconnected from the document, the object access line will be removed from the document's access definition. This will also happen if the object type's possibility to control the access is disabled or removed from Document Basic/Object Types for Access Control.
This means that object access lines cannot be manually added to or deleted from the Document Revision/Access/Definition tab. They are inserted and deleted automatically by the system. They can however be updated in the sense that the access levels themselves, on each access line, can be modified by an administrator of the document.
The maximum available document access derived from the object, for a certain document, will be set from the Definition tab. This means that, regardless of what level the object tries to grant the document, from the defined API method, the access level set on the access line on the document will set the maximum limit. For example, if the access granted from the object side is Admin, but the object access line on the document only has View selected, the resulting access from that line will never be higher than View. If the object access line on the document is instead set to grant Admin access, the object can grant this too, if needed. However, if the object does not grant as high access as the access line defines, the user will only get as high access as the object grants. This way, the document administrator always has control over the access, since he or she can control the access definition.
The following table shows the actual, resulting access for the user, given the access that the object grants (via the API method defined in basic data) and the access defined on the access line itself:
| ||View Access (from Object)||Edit Access (from Object)||Admin Access (from Object)|
|View Access (from access line)||View Access||View Access||View Access|
|Edit Access (from access line)||View Access||Edit Access||Edit Access|
|Admin Access (from access line)||View Access||Edit Access||Admin Access|
If a person only receives his or her access through two different objects, then he or she will get the maximum defined access from those objects. For example, if the person has view access through one object and administrator access through the other, the person will receive administrator access to the document.
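The priority rules and the object access cap described above can be expressed as one resolution function. This is an added illustrative model, not IFS code: the names `Level`, `Line`, `effective_access` and the sample IDs are hypothetical, each access line is reduced to its highest selected option, disabled lines are assumed to be ignored, and an enabled person line is assumed to take precedence over the * line.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    NONE = 0
    VIEW = 1
    EDIT = 2
    ADMIN = 3

@dataclass
class Line:
    kind: str             # "person", "group" or "object"
    key: str              # person ID ("*" = everyone else), group ID or object key
    level: Level          # highest option selected on the line (modelling assumption)
    enabled: bool = True

def effective_access(person, groups, object_grants, lines):
    # object_grants: {object key: Level the object's API method returns for this person}
    active = [l for l in lines if l.enabled]   # assumption: disabled lines are ignored
    # 1. An enabled person line wins outright, even with every option cleared.
    for l in active:
        if l.kind == "person" and l.key == person:
            return l.level
    # 2. Groups and objects have equal priority, so take the maximum. An object
    #    line yields the lower of its own level and what the object grants.
    granted = Level.NONE
    for l in active:
        if l.kind == "group" and l.key in groups:
            granted = max(granted, l.level)
        elif l.kind == "object" and l.key in object_grants:
            granted = max(granted, min(l.level, object_grants[l.key]))
    if granted > Level.NONE:
        return granted
    # 3. The "*" person line is the fallback for everyone not covered above.
    for l in active:
        if l.kind == "person" and l.key == "*":
            return l.level
    return Level.NONE

# Constructed access definition for one document revision (not real data).
LINES = [
    Line("person", "ALICE", Level.VIEW),
    Line("person", "MALLORY", Level.NONE),           # enabled, all options cleared: deny
    Line("group", "ENGINEERING", Level.EDIT),
    Line("object", "PROJECT-1", Level.VIEW),
    Line("object", "INVOICE-7", Level.ADMIN),
    Line("person", "*", Level.VIEW, enabled=False),  # to be enabled at release
]
```

Running a resolver like this over an exported access definition is a quick way to review who ends up with Admin access before the disabled lines are enabled at release.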
When installing IFS Document Management, if certain components are available, they will be able to control document access. Here is a list of the objects that can control the access in the standard installation (more can be created through a customization):
Note: Access through these predefined objects can be disabled and enabled but it is not recommended. You should not edit the API or method on these lines since that will result in unsupported behavior.
The enabled setting makes it possible to prepare a document by adding access lines and enabling them when releasing the document. When releasing more than one document at once, access can be kept on each document as it is, all enabled lines can be disabled, or you can choose to edit access.
When working with documents, users are given roles which determine their document access levels. Some of those roles are described below.
Access to create documents of a certain class can be granted to a person by creating records in the Persons and Groups tab in the Document Class Management form. By default, if there are no records in this form, all persons can create documents of that class. As soon as there are records in this form, the person needs to have a record defined or needs to be part of one of the groups defined.
If a certain person is not granted access for a particular class, the class will not be displayed in the list of values of the Document Class field in the Create Document Assistant, Create Documents assistant and Attachment panel's Create New Document assistant. If the document class is manually entered, an error will be displayed mentioning that the person does not have access to create a document of that class.
All forms other than the ones mentioned above will list all the document classes (including the ones that the user does not have access to) in order to support the search functionality.