Document security and document user permissions refer to permissions assigned to specific roles. This functionality ensures that users can only access the documents and functions that are appropriate for them.

Vault determines user access levels based on their license type (Full User, Read-Only User, etc.), their security profile, and their role on each document. Access limits based on license type and security profile will override access granted based on assigned roles. Role-based permissions can change based on the lifecycle state of a document.

For example, Tracy Lee’s license type is Read-Only User and she’s in the Editor role for a document. Although the Editor role has permissions to edit document fields, she cannot edit fields because her license type prevents access to that action.

Accessing Security Settings

You can view the current security settings for a lifecycle state from Admin > Configuration > Document Lifecycles > [Lifecycle] > States > [State] > Security Settings. This grid, sometimes referred to as the security matrix, shows the permissions available to each role for the selected lifecycle state.

Lifecycle State Security Settings

How to Edit Security Settings

To configure settings in the security matrix:

  1. Click the Edit button. Each permission/role intersection becomes an editable checkbox.
  2. Set or clear checkboxes to modify the permissions assigned to each role. Some permissions include others by default (for example, the Edit Fields permission gives access to the View Document permission). Because the selected permission depends on the other included permission, the checkbox for the included permission is disabled.
  3. Click Save to save the current status of all checkboxes.

Permissions & Enabled Actions

The following permissions appear in the security matrix for each role:

View Document

Enabled actions:
  • Search for the document
  • View Where Used
  • View version history for any previous versions which the user has permission to view
  • View fields, relationships, and security
  • View document’s audit trail
  • View and download attachments

View Content

Enabled actions:
  • View annotations
  • Download renditions
  • View version history, including content, for any previous versions which the user has permission to view
  • View document content
  • Download document with annotations
  • Export binder if the document is in a binder
  • View document thumbnails
Includes:
View Document

Edit Relationships

Enabled actions:
  • Add, edit, or remove document relationships
  • Add, delete, or version attachments
Includes:
View Document

Edit Fields

Enabled actions:
Edit all document fields, Add or remove renditions
Includes:
View Document

Edit Sharing Settings

Enabled actions:
Add or remove users from roles on a document
Includes:
View Document

Annotate

Enabled actions:
  • Add annotations
  • Reply to annotations
  • Add document level comments
  • Move annotations
Includes:
View Content

Version

Enabled actions:
Create a new draft of the document
Includes:
View Document

Create Anchors

Enabled actions:
Create anchors on the latest version of a document
Includes:
View Content

Download Source

Enabled actions:
Download the source file for a document
Includes:
View Content

Edit Document

Enabled actions:
  • Check out the document
  • Check in the document
  • Edit binder (structure, not document fields)
  • Upload new version
  • Upload a file to a content placeholder
Includes:
View Document, Download Source

Manage Viewable Rendition

Enabled actions:
  • Delete viewable rendition
  • Re-render document to create viewable rendition
  • Upload viewable rendition
  • Save page rotations
Includes:
View Document

Reclassify

Enabled actions:
Modify the type, subtype, and classification of the document
Includes:
View Document, Edit Fields

Multi-Channel Actions

Enabled actions:
Ability to use the Create Presentation action on a document; this option is only available if your Vault uses Atomic Security for Documents
Includes:
View Document, Edit Fields

Distribute Controlled Copy

Enabled actions:
Access user actions (from Actions menu) to distribute controlled copies
Includes:
View Document

Change Owner

Enabled actions:
Change the user assigned to the document owner role
Includes:
View Document, Edit Sharing Settings

Change Coordinator

Enabled actions:
Change the user assigned to the document coordinator role
Includes:
View Document, Edit Sharing Settings

Delete

Enabled actions:
Delete the document
Includes:
View Document, View Content

Best Practices

When setting up your security rules, we recommend to:

  • not give the Version permission on states that will have in-progress workflows if the workflow will create a new major version
  • not give the Edit Document permission on states that have in-progress workflows if the workflow changes the document’s state

About Changes to Active Vaults

Sometimes, Admins make changes to the security matrix that result in users immediately losing the View Document permission for a document that they can currently access. When permission changes like this occur, Vault immediately prevents users from performing any actions for which they don’t have permissions, including opening the Doc Info page for a document. However, documents for which users no longer have the View Document permission may continue to appear in those users’ search results and reports for several minutes.