Access Rights

In STP Documents On Premise, you can assign access rights to files, folders, documents, processes, search profiles, and quick searches for users and groups. The process of assigning access rights is largely the same for all object types, but managing access rights requires a different approach for each object type.

Terms

Read Access

Only read rights are granted. The user can view the object, open it for reading (documents are opened as read-only), and view the access rights.

The object cannot be edited.

Write Access

Read and write rights are granted. The user can view the object, open it for editing, and view the access rights. However, editing register structures requires full access rights to the file or folder.

Full Access

Read, write, and administrative rights are granted. The user can view the object, open it for editing, and change the access rights.

When you create a new object in STP Documents, the group "Everyone" is automatically assigned full access rights to this object.

Assign full access rights to another group (e.g., the "Administrators" group) and then remove the "Everyone" group from the authorized area.

At least one user or group must be assigned full access rights to the object. If this condition is not met, the "Everyone" group cannot be removed from the authorized area.

If the "Restricted Rights" checkbox is activated for a user in the user and group management, the access rights of the "Everyone" group are not evaluated. If no further access rights are assigned to the user, they have no access to objects.

No Access

The "No Access" right cannot be assigned to a user or group. However, users and groups not listed in the authorized area will not see the object.

No access rights should be granted to the "Everyone" group, as otherwise, the rights of the "Everyone" group will be assigned to the unlisted user. Remove the "Everyone" group from the authorized area if unlisted groups and users should not see the object.

Determining Access Rights

Initially, full access rights are assigned to the "Everyone" group for files, folders, documents, processes, search profiles, and quick searches in STP Documents. All users can assign access rights to the object and edit the object without restrictions.

Access rights for users and groups are cumulative. The highest access right for the user is always used.

Assigning a document to a file or folder does not inherit the access rights of the file or folder for the document. However, the access rights of the file or folder restrict the possible access rights for the documents.

A user's access rights to an object can be influenced by the following factors:

  • Different access rights have been granted to the user and the groups to which the user belongs for an object.

  • In this case, the highest access right applies: the object is assigned to another object (file or folder). The container's access rights restrict the access rights for the assigned documents.

    In such a hierarchy (one object is subordinate to another), the lowest right always applies.

Access rights for users from the "Administrators" group and the group itself cannot be restricted.

Preferably work with the access rights of the file or folder. Use the document access rights only to further restrict the access rights of individual users to specific documents.

Whenever possible, use groups instead of individual users for assigning access rights.

Cumulative Access Rights

Different access rights have been granted to the user and the groups to which the user belongs for an object.

In this case, the access right with the highest rights applies:

Read Access + Write Access + Full Access = Full Access

Read Access + Full Access = Full Access

Write Access + Full Access = Full Access

Read Access + Write Access = Write Access.

Access Rights from Hierarchy

The object is assigned to another object. The cumulative access rights of the file or folder restrict the cumulative access rights for the assigned documents.

In such a hierarchy (one object is subordinate to another), the lowest right always applies:

Read Access + Full Access = Read Access

Read Access + Write Access = Read Access

Write Access + Full Access = Write Access.

You cannot define more extensive access rights for a user or group for a document in a file or folder than the user's or group's access rights to the file or folder.

Example

User/Group

File 1

(cumulative user and groups)

Document 1

Result

(Hierarchy File/Document)

Group 1 Full Access
Group 2 Write Access
Group 3 Read Access
User 1 / 1 + 2

Read Access

+ Write Access

+ Full Access

= Full Access

Read Access

Full Access + Read Access

= Read Access

User 2 / 2

Read Access

+ Write Access

= Write Access

Full Access

Full Access + Write Access

= Write Access

User 3 / 3 Read Access Write Access

Read Access + Write Access

= Read Access

User/Group

User 1 is a member of Group 1 and Group 2.

User 2 is a member of Group 2.

User 3 is a member of Group 3.

File 1 For File 1:

  • User 1 was granted read rights
  • User 2 was granted read rights
  • User 3 was granted read rights
  • Group 1 has full access
  • Group 2 has write rights
  • Group 3 has read rights.

This results in the following for File 1:

  • User 1 has full access to File 1:

    The rights are accumulated from the rights of User 1, Group 1, and Group 2. Only the highest right is considered, in this case, full access from Group 1.

  • User 2 has edit rights for File 1: The rights are accumulated from the rights of User 2 and Group 2. Only the highest right is considered, in this case, write access from Group 2.

  • User 3 has read rights for File 1

    The rights are accumulated from the rights of User 3 and Group 3.

Document 1

For Document 1, the following applies:

  • User 1 has been granted read rights
  • User 2 has been granted full access
  • User 3 has been granted write rights

The group Everyone has full access to the document by default.

Result

If Document 1 is assigned to File 1, the access rights to the document change.

  • User 1 has read rights

    The access rights of the file allow full access for User 1, but the document is only set to read access. Only the most restrictive access right is considered. (Here, User 1 would need to be given full access to the document or Group 1 should be added).

    At least one user must have full access to Document 1.

  • User 2 has write rights. The access rights of the file allow only write rights for User 2, but the document is set to full access for the user. Only the most restrictive access right is considered here.

  • User 3 has read rights

    The access rights of the file allow only read rights for User 3, but the document is set to edit access. Only the most restrictive access right is considered here.

The access rights defined in the access rights management for users and groups can be overridden by additional assigned groups and the access rights of files and folders.

Access rights to documents must not be changed if:

  • multiple documents are selected
  • the current document version is not selected
  • the logged-in user does not have full access, but only read or write access
  • the document is locked.

The access rights of finalized documents can be changed if none of the above cases apply.

Access rights for users from the Administrators group cannot be restricted. Any set restrictions are ignored.

Assigned roles do not affect the access rights of an object. Roles only grant access to windows and functions, such as when accessing the office settings. The access rights of users with the System Administrator role cannot be restricted.

Preferably assign access rights to groups, and avoid assigning access rights to individual users whenever possible.

Preferably assign access rights to files and folders, and avoid assigning access rights to documents whenever possible. The full access right for the group Everyone on the document will then be overridden by the access rights defined for the file or folder.

If STP Documents does not display the file associated with a document to the logged-in user due to lack of access rights, all documents of the file will also not appear in search results, search profiles, and processes. This is true even if the user has been assigned access rights to the document.

Related to