Roles

The meaning of roles differs between version 5.1.x (and below) and 6.x. Up to version 5.1.x, users in SeedDMS have one of the predefined roles Administrator, User or Guest. Administrators have unlimited access to all functions, documents and folders. Users are restricted by access rights and will only be able to use those functions which affect their own data; they cannot do any administrative tasks. Guests will never have more than read access on documents and folders and cannot use any of the functions except for viewing documents and folders and changing the user interface language. Keep in mind that a user of type user or guest may be allowed by their role to view a document or folder, but the access rights of that particular document may still disallow access.

Guest logins have a password, just like any other account, but it is also possible to specify a guest login which can be used to log in without a password (see `Authentication`_). A guest login is only possible if explicitly allowed in the configuration. The login page will then contain a link Login as guest, which logs in the configured guest user without asking for a password. You can even allow automatic login if any other page of SeedDMS is accessed while no user is currently logged in. Turn this on by checking Enable auto login for guest in the configuration.

Since version 6 of SeedDMS the list of roles can be extended by self-defined roles. The definition of a role has also changed. What was called a role in SeedDMS 5 is now a role type. Any role in SeedDMS 6 must have a role type. There is a list of predefined roles comprising exactly the meaning of roles in SeedDMS 5. Hence, there is a role Admin with role type Admin, a role User with role type User and a role Guest with role type Guest. So far this does not differ from SeedDMS 5, except that roles and their types are separated from each other, but roles have additional parameters to restrict access on document level and in terms of functionality of the user interface. The full power of roles is available when advanced access rights are enabled. In that case most functions can be either allowed for users or disallowed for admins, something which was hardcoded before SeedDMS 6 and still is if advanced access control is disabled. Nevertheless, access restrictions based on roles and regular access rights on documents and folders are different concepts and should not be confused. One cannot replace the other. Also think twice before turning on advanced access rights. It requires a considerable amount of additional configuration to set it up properly. In particular, do not turn it on in a production system, because your regular users will lose most of the functionality until you re-enable it (see Restrict functionality). The following sections will discuss access restrictions based on roles.

Restrict access on documents

Though roles mainly restrict functionality, there is one aspect of roles which restricts access on documents. By default each user of a certain role may access any document version, whatever status it has; this is something which not even access rights on documents can control. This can be changed by excluding access on document versions by setting one or more statuses for each role.

Configuring a role in the role manager

A document status can be independent of the document version or be derived from the latest document version. Setting a status that comprises the whole document (like obsoleted or expired) will make those documents invisible for users of that role. All other statuses, related to the document version, will only hide that particular version. This may have a different outcome. Documents with just one version will disappear completely. Documents with several versions will still be visible if at least one version is visible. Let's assume a user does not have access on document versions still in the review or approval process. If a document has two versions, a version 1 which was already released and a version 2 which is currently in approval, then this user will see version 1 as the latest document version. Other users belonging to a role without that restriction will see version 2 as the latest document version. Of course, all this only applies if access to the document is allowed by access rights in the first place.
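The resolution rule described above, written out as an added example. This is not SeedDMS code and the status names (released, in_approval, obsolete, ...) are assumed labels for the simulation, not the project's own constants. It shows the three outcomes the text names: a hidden version falls back to the previous one, a single hidden version hides the whole document, and a document-level status hides the document regardless of its versions. Access rights are checked first, because a role can never grant what the access rights deny.

```python
# Added example (not SeedDMS code): simulate how per-role status exclusions
# change which document versions a user sees.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass
class Version:
    number: int
    status: str                      # version-level status (assumed label)


@dataclass
class Document:
    name: str
    versions: List[Version]          # ordered by version number
    status: Optional[str] = None     # document-level status, or None


@dataclass
class Role:
    name: str
    excluded_statuses: FrozenSet[str] = frozenset()   # statuses this role may not see


def visible_versions(doc: Document, role: Role, access_right: bool = True) -> List[Version]:
    """Versions of `doc` that a member of `role` is allowed to see.

    1. Regular access rights are evaluated first; if they deny access,
       the role cannot re-grant it.
    2. A document-level status in the role's exclusion set hides the
       whole document, whatever its versions are.
    3. A version-level status in the exclusion set hides only that version.
    """
    if not access_right:
        return []
    if doc.status is not None and doc.status in role.excluded_statuses:
        return []
    return [v for v in doc.versions if v.status not in role.excluded_statuses]


def latest_visible_version(doc: Document, role: Role, access_right: bool = True) -> Optional[int]:
    """The version number this role sees as 'latest', or None if nothing is visible."""
    visible = visible_versions(doc, role, access_right)
    return max(v.number for v in visible) if visible else None


def document_visible(doc: Document, role: Role, access_right: bool = True) -> bool:
    """A document stays visible as long as at least one version is visible."""
    return bool(visible_versions(doc, role, access_right))


# Constructed sample data for the scenario in the text.
RESTRICTED = Role("no-unreleased", frozenset({"in_review", "in_approval"}))
UNRESTRICTED = Role("everything")
NO_OBSOLETE = Role("no-obsolete", frozenset({"obsolete"}))

CONTRACT = Document("contract", [Version(1, "released"), Version(2, "in_approval")])
MEMO = Document("memo", [Version(1, "in_review")])
ARCHIVED = Document("archived", [Version(1, "released")], status="obsolete")

if __name__ == "__main__":
    for role in (RESTRICTED, UNRESTRICTED):
        print(role.name, "sees contract version", latest_visible_version(CONTRACT, role))
        print(role.name, "sees memo:", document_visible(MEMO, role))
    print(NO_OBSOLETE.name, "sees archived:", document_visible(ARCHIVED, NO_OBSOLETE))
```

Run it directly to print which version each role sees; the restricted role gets version 1 of the contract and does not see the single-version memo at all, while the unrestricted role gets version 2 and sees both.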

Restrict functionality

Roles can also restrict the functionality of the user interface if advanced access control is turned on in the configuration. Once it is turned on, the Access control entry in the User/Group management menu of the admin tools will show a list of roles and a tree-like structure containing all privileges of a role. Be aware that advanced access control may lead to considerably more configuration work, as regular users have very limited functionality by default.

Privileges are separated into two groups.

Controllers

These are functions which actually perform an action, like modifying a folder, downloading a file, or removing a user.

Views

These are functions which display something, like a list of users, a form, or a chart.

Certain operations may have sub privileges, which is a more fine-grained way of allowing access. A prominent example is Controllers->Download, which has various sub privileges to restrict the download of versions, attachments, log files, etc. A privilege can either be left at the default, explicitly allowed, or explicitly denied.

If no access controls have been defined for a certain role, the role type decides which access restrictions apply by default. Admins will have unlimited access, but users and guests will have no access at all. That imposes the need to allow lots of operations for users in order to reproduce the behaviour of a system without advanced access control. At the time of writing not all operations can be controlled this way.

Setting up a new role raises two major questions:

  • Is this rather an admin or a regular user?

  • What is the user allowed to do?

For answering the first question it is not enough to look at the functionality the new user shall be able to use. A user with role type user can be given access to all operations, even those usually done by admins. Conversely, a user with role type admin can be restricted in terms of allowed operations to be more like a user. But this does not affect access on documents. Document and folder access is unlimited for admins and limited for users. Hence, whether a user is an admin or a regular user should depend on the preferred access rights on documents and folders.
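The privilege resolution described in Restrict functionality (default, allow, deny; role type decides when nothing is set) and the two directions of adjustment just mentioned (a user granted admin-like operations, an admin denied some), as an added example. This is a model written for this page, not SeedDMS code: the privilege paths such as Controllers/Download/LogFile mirror the tree the text describes but are assumed names, and the rule that a sub privilege left at the default inherits its parent's explicit setting is an assumption of this model, not something the page states.

```python
# Added example (not SeedDMS code): a model of advanced-access-control
# privilege resolution by role type, explicit setting, and sub privilege.
from enum import Enum
from typing import Dict, Iterable, List, Optional


class RoleType(Enum):
    ADMIN = "admin"
    USER = "user"
    GUEST = "guest"


class Setting(Enum):
    DEFAULT = "default"   # nothing configured, role type decides
    ALLOW = "allow"
    DENY = "deny"


class Role:
    def __init__(self, name: str, role_type: RoleType,
                 privileges: Optional[Dict[str, Setting]] = None) -> None:
        self.name = name
        self.role_type = role_type
        # Privilege paths are assumed names, e.g. "Controllers/Download/LogFile".
        self.privileges: Dict[str, Setting] = dict(privileges or {})


def is_allowed(role: Role, privilege: str) -> bool:
    """Resolve one privilege for a role.

    An explicit ALLOW or DENY on the exact path wins. Otherwise walk up to the
    parent privilege (assumption of this model: a sub privilege left at the
    default inherits its parent's explicit setting). If nothing along the path
    is set, the role type decides: admins get everything, users and guests
    get nothing, exactly as the text describes for roles with no access
    controls defined.
    """
    parts = privilege.split("/")
    while parts:
        setting = role.privileges.get("/".join(parts), Setting.DEFAULT)
        if setting is Setting.ALLOW:
            return True
        if setting is Setting.DENY:
            return False
        parts.pop()   # move up to the parent privilege
    return role.role_type is RoleType.ADMIN


def missing_privileges(role: Role, needed: Iterable[str]) -> List[str]:
    """Operations from `needed` the role cannot perform; handy to see how much
    has to be allowed explicitly for a plain user once advanced access
    control is on."""
    return sorted(p for p in needed if not is_allowed(role, p))


# Constructed sample roles and operations.
EVERYDAY_OPERATIONS = [
    "Views/ViewDocument",
    "Controllers/Download/Version",
    "Controllers/Download/Attachment",
    "Controllers/Download/LogFile",
    "Controllers/RemoveUser",
]

PLAIN_USER = Role("fresh user", RoleType.USER)               # nothing configured yet
CONFIGURED_USER = Role("reader", RoleType.USER, {
    "Views/ViewDocument": Setting.ALLOW,
    "Controllers/Download": Setting.ALLOW,                   # covers sub privileges ...
    "Controllers/Download/LogFile": Setting.DENY,            # ... except this one
})
RESTRICTED_ADMIN = Role("junior admin", RoleType.ADMIN, {
    "Controllers/RemoveUser": Setting.DENY,                  # admin, but not this
})

if __name__ == "__main__":
    for role in (PLAIN_USER, CONFIGURED_USER, RESTRICTED_ADMIN):
        print(f"{role.name}: missing {missing_privileges(role, EVERYDAY_OPERATIONS)}")
```

The fresh user is missing every operation, which is the configuration burden the text warns about; the configured user can download versions and attachments but not log files; the restricted admin keeps everything except removing users. None of this changes what the roles may see on the document level, which is what the paragraph above says the role type should be chosen for.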