Permissions and access control in cattaDoc
From the beginning in version 1, cattaDoc had basic access control. Version 2 added enhanced permission control to cattaDoc as an option. From cattaDoc version 6.0 only enhanced permission and access control is included.
Every object in cattaDoc has its own access rights defined by the object´s Access Control List, or ACL. You can define that a certain group of users have author rights to a document, while others only have reader rights or cannot even see it. And this is not limited to documents: It also includes projects, organisations and contact persons.
Access control in cattaDoc is based on on the Unix/Linux security scheme where each object belongs to one group so that you can define access rights for users belonging to this group combined with another set of access rights for all others. The access rights are:
- No access - cannot even see the object
- Reader - read-only
- Author - read/write
- Permissions - read/write/change permissions
These permissions can be defined for own group and for others, i.e. for all other groups. One typical scenario is where own group has author access and others have reader access.
In addition, all objects have an owner, by default the object creator. The owner can change permissions for the object.
Users belong to one or more groups. For access rights, all the groups are equal. One of the groups, however, are defined as the user's primary group. Objects created by the user inherits by default the user's primary group. This can, however, be changed afterwards.
From the outset cattaDoc users are divided into 3 categories:
- Readers: They are users limited to reading objects in cattaDoc. They cannot change anything. Neither can they create new objects like documents.
- Authors: These users have read & write permissions in cattaDoc: They can read and change objects, including create new documents, projects, organisations and contact persons.
- System administrators: They are "root" users in cattaDoc - they can do anything, including changing and creating new master data as well as change and create new users in cattaDoc. They have access to System Administration (in the Search screen menu).
These categories define a user's basic permissions.
However, the specific permissions for users in the Readers and Authors categories are limited by an object's access control list. If a user in the Authors category only have read access to a given object, he or she cannot change this object (ie cannot write it). Similarly, if an Authors user have No access to an object, she or he cannot see the object. It will not even be included in searches.
System administrators have read/write/change permissions to all objects in cattaDoc, irrespective of the object's access permissions.
All users in the author or system administrator categories can create new objects.
When you create a new object, the following permission-related data are defined by default:
- Owner = The creator
- Group = The creator´s primary group
- Group permissions = Author
- Permissions for others = Reader
You can change these things afterwards by clicking on the Access button in the object´s book display, ref. below. Every change in permissions are timestamped and the Initials of the one doing it is also recorded for tracking purposes.
A system administrator can change the standard behavior for the last two default permissions:
- CDGACL defining the default value for permission control permissions for own group (it is '2' for author permissions) and
- CDOACL defining the default value for permission control permissions for others - not own group - (it is '1' for Reader permissions)
Do consider if the default values for the constants suit your needs. If not, change them.
The following criteria defines if a given user can read an existing object, including the object being displayed in search results and in object relations:
- The user is a System administrator - or
- The user is the object owner - or
- The user is in the Readers or Authors category and is assigned to a group with at least reader permissions for the object - or
- The user is in the Readers or Authors category and other groups have at least reader permissions for the object
The following criteria defines if a given user can update an existing object, including change the object´s relations to other objects:
- The user is a System administrator - or
- The user is the object owner - or
- The user is an Author and is assigned to group with at least author permissions for the object - or
- The user is an Author and other groups have at least author permissions for the object
The following criteria defines if a given user can change an object´s permissions / access rights:
- The user is a System administrator - or
- The user is the object owner - or
- The user is an Author and is assigned to group with change permissions rights for the object - or
- The user is an Author and other groups have change permissions rights for the object
Permissions for a single object can be changed in the Edit [object] Permissions screen, accessible from the object's book screen by clicking the button with the user icon: . Here you can see an example from a document:
At installation, cattaDoc only contains one permission group: Everyone.
System administrators can create new groups by selecting Permission Groups in the System administration menu under User Administration. Here you can also inactivate groups.
There is a special input element to the user administration form in System administration: Assign permission groups to user XYZ. It has two parts:
- Assign user to available permission groups
- Select primary permission group
Only assigned groups can be selected as primary group. I.e. you have to save group assignments before defining primary group.