Enhanced permission control in Practice

Who can do what with enhanced permission control in cattaDoc and how to enable it

With enhanced permission control enabled (see how to do it below), every object in cattaDoc has its own access rights, or permissions, defined by the object's Access Control List (ACL). What does this mean in practice?

 

Who can create new objects and what happens

All users in the author or system administrator categories in basic access control can create new objects.

When you create a new object, the following permission-related data are defined by default:

  • Owner = The creator
  • Group = The creator's primary group
  • Group permissions = Author
  • Permissions for others = Reader

You can change these settings afterwards by clicking the Access button in the object's book display, see below. Every change in permissions is timestamped, and the initials of the user making the change are also recorded for tracking purposes.

 

Who can read which objects

The following criteria define whether a given user can read an existing object, including whether the object is displayed in search results and in object relations:

  1. The user is a System administrator (basic access control) - or
  2. Only basic access control enabled and the user is at least Reader - or
  3. Enhanced permission control enabled and the user is the object owner - or
  4. Enhanced permission control enabled and the user is at least Reader and is assigned to a group with at least reader permissions for the object - or
  5. Enhanced permission control enabled and the user is at least Reader and other groups have at least reader permissions for the object

 

Who can write which objects, i.e. update information and relations

The following criteria define whether a given user can update an existing object, including changing the object's relations to other objects:

  1. The user is a System administrator (basic access control) - or
  2. Only basic access control enabled and the user is an Author - or
  3. Enhanced permission control enabled and the user is the object owner - or
  4. Enhanced permission control enabled and the user is an Author and is assigned to a group with at least author permissions for the object - or
  5. Enhanced permission control enabled and the user is an Author and other groups have at least author permissions for the object

 

Who can change object permissions

The following criteria define whether a given user can change an object's permissions / access rights. Enhanced permission control must be enabled, and at least one of the following criteria must be met:

  1. The user is a System administrator (basic access control) - or
  2. The user is the object owner - or
  3. The user is assigned to a group with system administration permissions for the object - or
  4. Other groups have system administration permissions for the object

Permissions for a single object can be changed in the Edit [object] Permissions screen, accessible from the object's book screen by clicking the button with the user icon. Here you can see an example from a document:

[Screen dump: Edit Document Permissions screen]
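
The read, write and change-permission criteria above, together with the defaults for new objects, written out as a decision function. This is an added example, not cattaDoc's own code: the class and function names are hypothetical, levels 1 (Reader) and 2 (Author) are the values this page gives for CDOACL and CDGACL, and levels 0 (no access) and 3 (system administration) are assumed.

```python
from dataclasses import dataclass

# Levels: 1 (Reader) and 2 (Author) match the page's CDOACL/CDGACL defaults;
# 0 (no access) and 3 (system administration) are assumed values.
NONE, READER, AUTHOR, SYSADMIN = 0, 1, 2, 3

@dataclass
class User:
    name: str
    category: int        # basic access control category
    groups: frozenset    # assigned permission groups
    primary_group: str

@dataclass
class Obj:
    owner: str
    group: str
    group_perm: int = AUTHOR   # default "Group permissions = Author"
    other_perm: int = READER   # default "Permissions for others = Reader"

def create(user):
    """New object with the defaults listed on the page."""
    if user.category < AUTHOR:
        raise PermissionError("only authors and system administrators create objects")
    return Obj(owner=user.name, group=user.primary_group)

def _acl_level(user, obj):
    """Highest level the ACL grants via group membership or 'others'."""
    via_group = obj.group_perm if obj.group in user.groups else NONE
    return max(via_group, obj.other_perm)

def _allowed(user, obj, enhanced, needed):
    if user.category == SYSADMIN:      # rule 1: system administrator
        return True
    if not enhanced:                   # rule 2: basic access control only
        return user.category >= needed
    if user.name == obj.owner:         # rule 3: object owner
        return True
    # rules 4 and 5: basic category AND the ACL must both reach the level
    return user.category >= needed and _acl_level(user, obj) >= needed

def can_read(user, obj, enhanced=True):
    return _allowed(user, obj, enhanced, READER)

def can_write(user, obj, enhanced=True):
    return _allowed(user, obj, enhanced, AUTHOR)

def can_change_permissions(user, obj, enhanced=True):
    return enhanced and (user.category == SYSADMIN or user.name == obj.owner
                         or _acl_level(user, obj) >= SYSADMIN)
```

Read literally, the last criterion means that giving "others" system administration permissions lets every user rewrite the object's ACL, so that setting deserves a check when reviewing permissions.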

 

Permission groups

At installation, cattaDoc only contains one permission group: Everyone.

System administrators can create new groups by selecting Permission Groups in the System administration menu under User Administration. Here you can also inactivate groups.

 

Assigning users to groups

There is a special input element in the user administration form in System administration: Assign permission groups to user XYZ. It has two parts:

  1. Assign user to available permission groups
  2. Select primary permission group

Only assigned groups can be selected as the primary group, i.e. you have to save the group assignments before defining the primary group.

 

How to enable enhanced permission control

Enhanced permission control is not enabled by default when you install cattaDoc. You will have to enable it yourself.

You can enable enhanced permission control in System administration --> System constants under Configuration. Simply set "Use cattaDoc enhanced permission control" to Yes.

At the same time, consider whether the default values of the following constants suit your needs:

  • CDGACL, which defines the default enhanced permission control permissions for the own group (it is '2' for author permissions)
  • CDOACL, which defines the default enhanced permission control permissions for others, i.e. not the own group (it is '1' for Reader permissions)

If not, change them.

With enhanced permission control enabled, the security cookie values are encrypted, so they are more difficult to tamper with. The key used for encryption is defined in the constant CDENCKEY, also in System constants. Change it!

 




 
Revised: 2015-12-15