The rights described in the previous chapter can be conveniently assigned to users with profiles, roles and groups - especially in companies with many employees.
Groups (as sets of users) and roles (as sets of rights) are different ways of looking at one and the same thing. From one perspective, the employees are the starting point. From the other, the starting point is the workflows and functions in the DocuWare system.
Profiles and Roles
Profiles and roles enable you to assign sets of rights in "containers," instead of a lot of individual rights. The assignment of rights to profiles and roles has two advantages:
First, detailed sets of rights can be assigned at the touch of a button to as many users as required, without the administrator having to customize the rights structure manually for each user.
Second, sets of rights also exist without users, so when an employee leaves the company, their successor can be effortlessly assigned the same rights, regardless of how specific the rights assignment is.
Profiles
Functional rights can be combined into functional profiles, and file cabinet rights into file cabinet profiles. Both can be assigned to individual users and roles.
File cabinet rights are always combined into profiles, meaning that they cannot be assigned directly to individual users. Only file cabinet profiles can be assigned to users or roles.
As with functional rights, file cabinet profiles are additive. If several profiles of a file cabinet are assigned to a user, this user receives the combined rights of all these profiles. This procedure is explained in more detail in section Interaction of Rights and Permissions.
Roles
Roles are sets of several profiles. A role can include both profiles with functional rights and profiles with file cabinet rights. Roles can be assigned to groups and to individual users.
Predefined Roles and Profiles
For a quick start with DocuWare, predefined roles with predefined profiles are available after a system installation. This means that administrative tasks are also subject to the authorization concept. These predefined roles can be assigned to different users or user groups.
System Administrator
The system administrator manages the system with regard to the hardware and the basic components which are generally needed. The system administrator can be defined so that he or she cannot access individual organizational data, and specifically cannot intervene in the details of the user administration. However, only he/she can assign the "System Administrator" role to other users. This cannot be done within the organization's user administration. It is only possible in the system section of DocuWare Administration.
After DocuWare has been installed, he/she assumes the role of organization administrator for all organizations simultaneously. As each new organization is created, the system administrator initially automatically assumes the role of organization administrator. This can then be assigned to another person.
Tasks of a system administrator
Provision and maintenance of hardware, operating system and databases
Installation of the DocuWare Server Modules
Configuration of system-wide settings for servers, connections for databases and file directories, storage systems and user directories
Insight into auditing at system level
Organization Administrator
A DocuWare system can include one or more organizations, each with its own organization administrator. The organization administrator manages the rights, users and user groups of their organization. The role does not include access rights to file cabinets and their administration.
This role does not require any detailed technical knowledge of the IT environment. The organization administrator can also assign the role to other users or remove it from them. In particular, the role can even be removed from a system administrator.
Tasks of an organization administrator
Assignment of the licenses
Creation of users and groups
Configuration of clients, viewer and document trays, stamps and signatures, select lists
Insight into auditing at organization level
Default File Cabinet Rights
After DocuWare has been installed, four file cabinet profiles are predefined that can be assigned to users and groups:
Owner
Edit
Read
Delete
In addition, you can create your own user-defined profiles in the file cabinet settings.
Details on the file cabinet rights
Users and Groups
DocuWare users can be combined into different groups. A user can be a member of more than one group.
User
As a rule, one user is created for each staff member who needs to work with DocuWare. Users receive a range of rights through the assignment of individual rights or sets of rights in the form of profiles and roles. Users can belong to groups.
Groups
Groups are sets of users. It is a good idea to combine users into groups which need to use the same program functionalities and be assigned the same file cabinet rights. Individual users receive these rights through their membership of the group, to which the appropriate role has been assigned.
Inherited Rights and Explicit Rights
When assigning rights to users, DocuWare distinguishes between inherited rights and explicit rights.
Inherited Right
Rights that a user has received through membership of a group or through a role or a profile are called inherited rights.
Explicit Right
Rights which a user receives directly (and not via a role, profile, or group) are explicit rights. Only functional rights can be assigned as explicit rights.
Rights are always additive; in other words, the total of all a DocuWare user's assigned rights constitutes this user's activity scope.
Interaction of Rights and Permissions
If a user is a member of several groups, he or she has all the rights that are available through assignment to these groups and their roles. If several roles or profiles are assigned to a user, this user has all the rights that have been assigned to these roles or profiles.
Examples:
A user has received his set of rights via a role. If you now assign this user an additional role that has fewer rights, it does not change anything for that user, since rights are additive. In order to restrict his rights, you would have to remove the original role from him. The same applies to groups.
A user is a member of two groups and has received his set of rights via the roles of these groups. If you now remove the membership of one group from him, he does not automatically lose all the rights that are assigned to him via the roles of this group, but only those that are not assigned via the other group.
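The two examples above can be checked mechanically during an access review. The following is an added sketch, not DocuWare code or a DocuWare API: it models the additive resolution described in this chapter and reports through which paths each right is granted. All profile, role, group and right names, and the "func:" prefix used to mark functional rights, are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample data; all names are hypothetical, not DocuWare identifiers.
# Convention assumed here: functional rights carry the prefix "func:".
PROFILES = {
    "fc_invoices_read": {"invoices:read"},
    "fc_invoices_edit": {"invoices:read", "invoices:edit"},
    "fn_stamps": {"func:use_stamps"},
}
ROLES = {"Accounting": ["fc_invoices_edit", "fn_stamps"], "Auditor": ["fc_invoices_read"]}
GROUP_ROLES = {"accounting_team": ["Accounting"], "audit_team": ["Auditor"]}
ALICE = {"groups": ["accounting_team", "audit_team"], "explicit": ["func:change_password"]}


def effective_rights(user):
    """Return {right: sorted grant paths} for one user.

    Rights are additive: the result is the union of explicit rights,
    directly assigned profiles and roles, and roles inherited from groups.
    """
    grants = defaultdict(set)
    for right in user.get("explicit", []):
        # Only functional rights can be assigned explicitly.
        if not right.startswith("func:"):
            raise ValueError(f"only functional rights can be explicit: {right}")
        grants[right].add("explicit")
    for profile in user.get("profiles", []):
        for right in PROFILES[profile]:
            grants[right].add(f"profile:{profile}")
    role_sources = [(r, f"role:{r}") for r in user.get("roles", [])]
    for group in user.get("groups", []):
        role_sources += [(r, f"group:{group}/role:{r}") for r in GROUP_ROLES[group]]
    for role, path in role_sources:
        for profile in ROLES[role]:
            for right in PROFILES[profile]:
                grants[right].add(f"{path}/profile:{profile}")
    return {right: sorted(paths) for right, paths in grants.items()}


def lost_on_removal(user, kind, name):
    """Rights that actually disappear when one group, role or profile is removed."""
    remaining = [n for n in user.get(kind, []) if n != name]
    after = effective_rights(dict(user, **{kind: remaining}))
    return sorted(set(effective_rights(user)) - set(after))


if __name__ == "__main__":
    for right, paths in sorted(effective_rights(ALICE).items()):
        print(right, "<-", ", ".join(paths))
    print("lost without audit_team:", lost_on_removal(ALICE, "groups", "audit_team"))
```

A right listed with more than one grant path survives the removal of any single one of them, which is why a restriction has to be verified against the resulting effective rights rather than against the assignment that was removed.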
The scope a user has in a file cabinet results from the file cabinet rights and access to the dialogs.
Example:
Two users have a result list which provides the Download a PDF with annotations button in its toolbar. One user has the Export file cabinet right and can make use of this option. The other has not been given this right. For this user, the Download a PDF with annotations button is greyed out and cannot be used.
The settings for the individual file cabinet fields and assigned file cabinet rights overlap in some areas. It is therefore possible to make special rights available to designated users, while "normal" user rights are controlled by means of field settings.
Example:
A file cabinet field has been specified as a Fixed value in the Store dialog, and a user has the right to modify index entries. This user is authorized to change the fixed field entry in the store dialog and/or in the index dialog of the result list.
Summary: a user's file cabinet rights always override the field rights. Using a combination of both schemes should therefore be done with care.
Restricting Document Access Using Index Data
You can use index value profiles to assign rights according to index entries within a file cabinet. The limitation of document access via index data is particularly useful when documents with sensitive content are combined in a file cabinet.
Example:
The documents of the employees are stored in a personnel file cabinet. The employee name is available as an index entry. Human Resources employees have access to all documents, while individual employees only have access to documents that are stored with their names in the index data.