Every document in your Vault has its own sharing settings, meaning that the roles a user has can vary by document. These roles, together with each user’s security profile, determine the user’s permissions (allowed actions) on the document. Permissions for a specific role can change depending on the document’s current lifecycle state.
Viewing Sharing Settings
To see which users have access to a document, open the Doc Info page and expand the Sharing Settings section in the fields panel. To see a detailed view, or to see the full list if there are more than ten (10) assignments, click View access details.
Role Permissions
Hover over a role to see the permissions that it grants. This view shows the permissions for the lifecycle state on the version of the document you are currently viewing. An error displays on hover if the role is not available on the document’s lifecycle.
Role permissions may change depending on the lifecycle state of the latest document version. For example, if a role has permissions on version 0.1 of a document, but the document is reclassified to a document type with a new lifecycle state in version 0.3, the role may lose permissions on the document if it is not available on the new lifecycle state. When opening a previous document version, keep in mind that any role permissions on that version may not be applicable if the lifecycle state classification is different from the current version.
If you reclassify to a document type within the same lifecycle, the new document version will retain the roles in the Sharing Settings. However, custom and standard roles added through Sharing Rules may lose access on the new and old document versions. If that happens and the role is still needed, manually assign it in the Sharing Settings to add it back.
Note: Access assigned through Atomic Security is not shown here.
Access Details for a Single User
Some users will have access to a document through multiple role assignments, including group role assignments. Search for a user from the detail page to see all of that user’s assignments for the document.
Access Type
The Access field in the detail page shows whether an assignment occurred through a sharing rule in Dynamic Access Control (DAC) or through “manual assignment.” Manual assignment includes all of the ways that users can default into roles that are not dependent on DAC. For example, a default user for the Editor role set up through document type configuration would show as a manual assignment.
If a user was assigned through a DAC sharing rule, you can click on the link to see the specific rule that was responsible.
How to Assign a User Role
To manually add a user to a role on a document:
- Navigate to the Sharing Settings section on the Doc Info page, or select Sharing Settings from the Actions menu for the document.
- Click the plus (+) or Add.
- In the Add Manual Assignment dialog, select a Role from the dropdown menu.
- Select a User or Group from the list. The permissions available to the selected user or group depend on the role.
Manual assignment respects the Allowed Group setting on the role configuration. If a role without access on the current document lifecycle appears for selection, set the role’s Allowed Group to blank to remove it.
About User Roles
The user roles available for a document, as well as the associated permissions, are configurable and depend on the document’s lifecycle. Some roles are included in Vault or your application by default. Admins can also create custom roles. Security profiles may also override role assignments. Generally, users will need access to an action through their security profiles and through document-level permissions. However, certain administrator permissions assigned to security profiles can bypass document-level permissions. See About Permission Sets.
Users with Multiple Roles
Users with multiple roles on a document have all permissions associated with those roles. For example, if you have the Viewer role and the Editor role, but only the Editor role has access to reclassify the document, you can reclassify the document.
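The following is an added example, not Veeva code and not a Vault API: a simplified Python model of how the rules above combine, for reasoning about why a user can or cannot perform an action on a document. The role matrix, users, groups, action names and the Profile/User classes are all constructed assumptions, and the bypass set is a simplification of "certain administrator permissions."

```python
from dataclasses import dataclass, field

# Constructed matrix: role -> lifecycle state -> permissions the role grants.
# A role with no entry for a state is not available there and grants nothing.
ROLE_MATRIX = {
    "Viewer": {"Draft": {"view"}, "Approved": {"view"}},
    "Editor": {"Draft": {"view", "edit", "reclassify"}},
}

@dataclass
class Profile:
    allowed: set                                # actions the security profile permits
    bypass: set = field(default_factory=set)    # admin actions that skip document checks

@dataclass
class User:
    name: str
    profile: Profile
    groups: set = field(default_factory=set)

def roles_for(user, assignments):
    """Roles held on one document, directly or through a group assignment."""
    principals = {user.name} | user.groups
    return {role for role, principal in assignments if principal in principals}

def document_permissions(roles, state):
    """Union of what every held role grants in the given lifecycle state."""
    perms = set()
    for role in roles:
        perms |= ROLE_MATRIX.get(role, {}).get(state, set())
    return perms

def effective_permissions(user, assignments, state):
    """Document-level permissions limited by the profile, plus any bypass actions."""
    doc = document_permissions(roles_for(user, assignments), state)
    return (doc & user.profile.allowed) | user.profile.bypass

# Constructed sharing settings for one document: (role, user or group).
ASSIGNMENTS = [("Viewer", "alice"), ("Editor", "qa-team"), ("Editor", "bob")]
alice = User("alice", Profile({"view", "edit", "reclassify"}), {"qa-team"})
bob = User("bob", Profile({"view"}))
carol = User("carol", Profile({"view"}, bypass={"view", "edit"}))

if __name__ == "__main__":
    for u in (alice, bob, carol):
        for state in ("Draft", "Approved"):
            print(u.name, state, sorted(effective_permissions(u, ASSIGNMENTS, state)))
```

In this model, bob holds the Editor role but loses all access once the document reaches a state where that role is not available, which is the situation the hover error in Sharing Settings reports.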
Auto-Assignment of Document Owner
Vault automatically assigns the user who created a document to the Owner role. With the Change Owner permission, you can reassign this role on classified and unclassified documents. Admins can also manage which users can be assigned as the new owner.
Each document can only have one Owner at any given time. The Owner role is governed by the auto-assignment upon creation or manual updates using the Change Owner permission. This role is not impacted or controlled by other security functionality such as DAC.
Role Defaulting & Automatic Assignment
Role defaulting can occur in a number of ways:
- For roles that use Dynamic Access Control (DAC), Vault automatically assigns Auto Managed groups to the role. This assignment occurs during document creation, but updates dynamically based on changes to the User Role Setup object record and sharing rules for the role. Users cannot remove these assignments from a document’s sharing settings.
- Admins can configure default users that Vault assigns either during document creation or when a user starts a workflow on the document. Unlike DAC assignments, any user with the correct permission can remove these assignments at any time. If Vault assigns users during document creation, the document owner can also change the assignments before saving. If Vault assigns users during workflow start, the workflow owner can change the default assignments before starting the workflow. Vault does not support role defaulting, whether at creation time or at workflow start, for custom roles.
Role Restriction
Admins can configure a subset of users or groups as allowed users for a specific role. When you attempt to add users to a restricted role, only the allowed users and groups are available. Admins can set up this restriction for roles with and without DAC enabled.
Access for Assigned Tasks
Changes that you make to the Sharing Settings panel do not affect assigned workflow tasks. By editing sharing settings, it’s possible to remove a user’s access to a document and prevent that user from completing tasks. If DAC is enabled for the role, editing document fields can also result in the user losing access and being unable to complete a task.
FAQ
What happens if I’m in more than one document lifecycle role?
When you have more than one role, you have the permissions for all of your roles.
I used to be able to do ___ for this document, but I can’t anymore. Why?
If you are still in the same document lifecycle roles as before (and same groups, if those groups are in roles), those roles’ permissions may have changed. Permissions can change based on the lifecycle state of the document. Your license type, security profile, or associated permission sets may also have changed, although this will result in different access across documents, rather than on a single document. Vault also disables some actions automatically when the document is checked out or in an active workflow.
What permissions do I have?
The roles you have on the document determine your permissions on that document. You can see your roles from Sharing Settings in the Doc Info page. To learn about the permission settings for a specific role and the document’s lifecycle state, contact your Vault administrator.
What permissions do workflow participants have?
All tasks in a workflow are associated with a specific document lifecycle role. The Workflow Owner can assign users to these roles when starting the workflow, by adding participants to an active workflow, or by reassigning tasks. As a workflow participant, you have the permissions available to the roles you’re in.
Who can add content?
Document type settings determine which users can add content of that type. License Type and Security Profile can also prevent some users from adding content.
Can I protect the identities of different users in my Vault?
Yes. You can choose to hide information for external or cross-domain users.
Can I reassign the Owner role on classified and unclassified documents?
Yes, if you have the Change Owner permission, you can manually reassign the Owner role to a different user.