Document Access

The document access is the means by which access is granted to users for using documents in IFS Document Management. The primary use of it is to control the access to the files connected to the documents but it also controls for example edit access to some of the attributes on the document record itself.

Access Levels

There are three different access levels for a document revision, from the "lowest" to the "highest" access. They are:

The operations allowed for each access level are listed below.

Possible Operations/Access View Edit Administrator
View X X X
Edit   X X
Check In   X X
Print X X X
Undo Check Out   X X
Status Changes     X
Create New Revision   X X
Create New Sheet   X X
Delete Document File   X X
Delete Document     X
Set As Template X X X
Document Distribution X X X
Define Approval Routing     X
Define Document Access     X

Access is defined per document revision for persons, groups and objects and each access line can be enabled and disabled when necessary. The ability to disable access lines is convenient during the development of the document, before it is released. In this way, the access template can include persons that has no access during the preliminary stage, by having the Enabled option cleared. When the document is later released the disabled access lines can be enabled, opening up the access to a wider audience.

The value asterisk (*) in the Person ID field will give access to the revision to all persons not otherwise given access through a person ID, group ID or an object.

Access to Document's General Information

General access to a document can be divided into two groups:

Restricted Access

If other persons should not be aware that a document exists in the system, it can be protected via the Restricted Access option. If this option is enabled, it will hide the document from everyone who does not have at least View Access to that particular document revision.

This property is set in the document title. Any user with administrator access to any document revision of a given document title should be able to change the Restricted Access option.

Priority of Defined Access, Per Source of Access

The highest priority is given to person access, over the group access and object access. For example, if a person ID is defined and given view access and the same person belongs to a group which has edit access, he or she will only get view access.

Since person access has the highest priority, you can also use this when denying someone access. If you want to make sure that someone does not get access to a document revision you can add a person access record for that person and then clear the View Access, Edit Access and Admin Access options, but make sure that the record is enabled. Even if this person gets access to the document revision through a group or object, the person access record will have the highest priority and the result will be that the person will not have access to the document revision.

The group access and object access are equal in priority. If a user gets access from groups and objects, then the user receives the maximum access level of them all. For example, if user gets view access from a group and edit access from an object, he or she will get edit access to the document. Also, if user gets edit access from a group and view access from an object, then he or she will still get edit access.

When the person ID is given as *, the lowest priority is given to the persons represented by it, which is all persons that has not got access granted through a person ID, group or object.

Object Controlled Access


Object controlled access is a concept where another business object can affect the access on a certain document. The functionality is generic in the way that, in theory (please read on below for details), any kind of business object in the system can be configured to control the document access, as long as there is a database method that can be called on the object's main API that is developed for the purpose of returning the access level for the connected document. IFS Cloud comes with some predefined configuration if certain components are installed, for projects, invoicing and the B2B contracting workflow. To let other objects control the access, a small customization has to be done for each type of object, such that there is a method that can be called to get the access. The rest can be done through configuration.

How it works

The concept works like this: when the necessary configuration is in place, and when a document is connected to a certain kind of object, a new access line will be added to the document's access definition. If the user making the connection is an administrator of the connected document, the initial access level on the new access line will be given by the configuration in Document Basic/Default Object Access Levels. If the user is not an administrator of the document, then no access will be given through the new access line that is added (all Enable optiona are cleared). An administrator of the document can later update these levels on the document itself, making the access higher or lower or clearing it completely. The document might have other access definition lines however, that grants access to persons or groups of persons.

When an object that controls the document access is disconnected from the document, the object access line will be removed from the document's access definition. This will also happen if the object type's possibility to control the access is disabled or removed from Document Basic/Object Types for Access Control.

This means that object access lines cannot be manually added to or deleted from the Document Revision/Access/Definition tab. They are inserted and deleted automatically by the system. They can however be updated in the sense that the access levels themselves, on each access line, can be modified by an administrator of the document.

Actual access given from an object

The maximum available document access derived from the object, for a certain document, will be set from the Definition tab. This means that, regardless of what level the object tries to grant the document, from the defined API method, the access level set on the access line on the document will set the maximum limit. For example, if the access granted from the object side is Admin, but the object access line on the document only has View selected, the resulting access from that line will never be higher than View. If the object access line on the document is instead set to grant Admin access, the object can grant this too, if needed. However, if the object does not grant as high access as the access line defines, the user will only get as high access as the object grants. This way, the document administrator always have control over the access, since he can control the access definition.

The following table shows the actual, resulting access for the user, given the access that the object grants (via the API method defined in basic data) and the access defined on the access line itself:

  View Access (from Object) Edit Access (from Object) Admin Access (from Object)
View Access (from access line) View Access View Access View Access
Edit Access (from access line) View Access Edit Access Edit Access
Admin Access (from access line) View Access Edit Access Admin Access

Access granted through more than one object

If a person only receives his or her access through two different objects, then he or she will get the maximum defined access from those objects. For example, if the person has view access through one object and administrator access through the other, the person will receive administrator access to the document.

Standard Object Types Available for Access Control

When installing IFS Document Management, if certain components are available, they will be able to control document access. Here is a list of the objects that can control the access in the standard installation (more can be created through a customization):

Note: Access through these predefined objects can be disabled and enabled but it is not recommended. You should not edit the API or method on these lines since that will result in unsupported behavior.

Enable/Disable Access Lines

The enabled setting makes it possible to prepare a document by adding access lines and enabling them when releasing the document. When releasing more than one document at once, access can be kept on each document as it is, all enabled lines can be disabled, or you can choose to edit access.

Roles and Access Rights

When working with documents, users are given roles which determine their document access levels. Some of those roles are described below.

Access for Creating Documents

Access to create documents of a certain class can be granted to a person by creating records in the Persons and Groups tab in the Document Class Management form. By default, if there are no records in this form, all persons can create documents of that class. As soon as there are records in this form, the person needs to have a record defined or needs to be part of one of the groups defined.

If a certain person is not granted access for a particular class, the class will not be displayed in the list of values of the Document Class field in the Create Document Assistant, Create Documents assistant and Attachment panel's Create New Document assistant. If the document class is manually entered, an error will be displayed mentioning that the person does not have access to create a document of that class.

All the other forms other than the mentioned ones will list all the document classes (including the ones that the user does not have access to) in order to support the search functionality.