Basic and Enhanced permission control

Read about the two security models built into cattaDoc

From the beginning in version 1, cattaDoc had basic access control. Version 2 added enhanced permission control to cattaDoc. Enhanced permission control is optional, you´ll have to enabled it to take advantage of its facilities.

In this document:


Basic Access Control

Basic access control is enabled by default in cattaDoc. It divides all users in cattaDoc into 3 categories:

  • Readers: They are the users who can read everything in cattaDoc, but cannot change anything. Neither can they create new documents.
  • Authors: These users have read & write permissions in cattaDoc: They can read everything and they can change all objects, including create new documents, projects, companies and contact persons.
  • System administrators: They are "root" users in cattaDoc - they can do anything, including changing and creating new master data as well as change and create new users in cattaDoc. They have access to System Administration (in the Search screen menu).


Enhanced Permission Control

Enhanced permission control is built on top of basic access control. It does not replace basic access control, but enhances it. Enhanced permission control adds granularity to basic access control: With enhanced permission control you can define permissions or access control lists (ACL) to every individual object in cattaDoc. You can define that a certain group of users have author rights to a document, while others only have reader rights or cannot even see it. And this is not limited to documents: It also includes projects, companies and contact persons.

Enhanced permission control is based on on the Unix/Linux security scheme where each object belongs to one group so that you can define access rights for users belonging to this group combined with another set of access rights for all others. The access rights - or permissions - are:

  1. No access - cannot even see the object
  2. Reader - read-only
  3. Author - read/write
  4. System administration - read/write/change permissions

These permissions can be defined for own group and for others, i.e. for all other groups. One typical scenario is where own group has author access and others have reader access.

In addition, all objects have an owner, by default the object creator. The owner can always change permissions for the object, even though the group he or she is assigned to may only have author permissions.

Users belong to one or more groups. For access rights, all the groups are equal. One of the groups, however, are defined as the user's primary group. Objects created by the user inherits by default the user's primary group. This can, however, be changed afterwards.

Basic access control still applies when working with enhanced permission control:

  • Users in the reader category in basic access control can only read objects irrespective of object ownership or access control lists allowing more than reading.
  • Only users in the author or system administrator categories in basic access control can create new objects.
  • System administrators in basic access control have access to everything irrespective of group belongings, including change of object permissions. They are still "root" users in enhanced permission control.
  • Even with enhanced permission control enabled, system administrators in basic access control are the only ones with access to System Administration (in the Search screen menu).

Read more about how you work with enhanced permission control in cattaDoc.


Basic or Enhanced permission control?

Enhanced permission control is an obvious choice in a number of cases:

  • A group of users, e.g. management, shall have exclusive access to a number of documents.

  • You are running a "secret" project to which only project members must have access.

  • You will share access to a project with partners and/or the customer, but only with limited permissions and no access to all your other projects.

  • You are running a project web site with many users and many projects, but there shall be "firewalls" between them.

All this can be accomplished in cattaDoc, but only through the use of enhanced permission control.

In principle, there should be a little performance penalty in using enhanced permission control. For every action and every event there are more checks and control mechanisms. More joins between tables in the database are necessary when using enhanced permission control. However, in reality this potential performance penalty is marginal, if at all measurable.

But in general: Only use enhanced permission control if you need it.


Leave a Comment

Revised: 2015-12-14