Access rights—concept and overview

Why are there rights?

In an electronic archive, documents are accessible to users company-wide far more easily and quickly than in a paper archive. It is therefore all the more important to determine who may access which documents. In PROXESS, this is done through user rights to databases, document types and individual documents. Rights can be assigned not only to individual users but also to groups, which saves valuable working hours in systems with several hundred users.

Must and can

You must assign rights explicitly in every case, since the system grants no rights to new users and groups by default. The system offers numerous ways to differentiate rights. Whether and to what extent you use them depends on the number of PROXESS users and on your company’s document and task structure.

Rights management levels

Level 1: Database rights

PROXESS supports setting up and managing several archive databases. This lets you keep large areas such as Procurement or Payroll entirely separate. Users and groups must first receive the access right to a database before they can work with that archive database at all.

Level 2: Document type rights

Document type rights control which actions a user may perform within an archive database. They cover the following distinct action rights: “View”, “New”, “Edit” and “Clear”, as well as “Grant document rights” and “Grant document type rights”. In general you can choose any combination of these actions, whereby “View” is the necessary foundation for all other action rights.

Level 3: Individual document rights

Rights to individual documents can also be granted in the four categories “View”, “New”, “Edit” and “Clear”. The purpose is to let users decide for themselves, case by case, whether other users should receive access to a specific document. This respects the decision-making competence of the company’s employees and enables more efficient workflows without intervention by the supervisor or area administrator. Such a right applies only to the individual document, so it does not replace the rights hierarchy set by the supervisor but simply expands it. Users grant rights to individual documents themselves in the PROXESS Standard Client.

Example

You grant user A the access right to the “Job” database. In this database, you give him the right to access the document types Offer, Job, Purchase agreement, Customer invoice and Complaint.

The user may not only view offers but also create, edit and delete them.

The user may view, create and edit jobs (orders) but not delete them.

The user may only view and create purchase agreements.

The user may only view customer invoices and complaints.

For customer invoices, user B receives the right to assign rights (“Grant document rights”). To enable user A to edit invoice 4711 for a particular process, user B gives user A the “processing right” (Edit) for this one invoice.

This way user A can see all customer invoices but only edit invoice 4711.

Rights statuses and prioritization of rights

Normally, “Right granted” and “Right not granted” are all that is needed to work with rights management. However, overlaps and contradictions can arise when a user is a member of several groups. For this reason, rights management also offers the status “Forbid”, which quickly and safely withdraws a right that a user would otherwise hold through group membership.

The system therefore distinguishes three basic rights statuses and displays them as follows:

Checked: Right is granted.

Green check box (or grayed-out check box in the classic Windows design): Right is not granted (= default setting). However, a user may hold the corresponding right through group membership.

Empty check box: Right is explicitly revoked (= forbid). “Forbidding” a right for an individual user overrides the right that the user would otherwise have through group membership.

Example:

You want to revoke access to the “Wages” database for user X. This user is a member of 10 different groups.

If you only had the two rights statuses “Authorization” and “No authorization” to work with, you would need to do the following:

Check the rights of each of these 10 groups. Three of them have the right to the Wages database. Remove user X from those three authorized groups.

The additional rights status “Forbid” reduces this to a single work step:

You explicitly revoke access to the “Wages” database for user X. All rights that the user holds through group membership are thereby automatically canceled.

Prioritization of rights

There are a few simple rules that prioritize rights. These rules are graded by strength, i.e. the first is stronger than the second, and the second stronger than the third:

Possible constellations of rights can be represented by a combination table. If you aren’t entirely sure of the effects of your specifications, it can help to create an overview first before you assign rights in the PROXESS Administrator.

The following table shows the combination options for a user X who is a member of two groups. The more user groups there are, the more combinations there are, of course. The right-hand column shows the result for user X once the prioritization of rights has been applied.

Case   User X           Group 1          Group 2          Can user X see object Y?
1      Not authorized   Not authorized   Not authorized   No
2      Not authorized   Not authorized   Authorized       Yes
3      Not authorized   Authorized       Authorized       Yes
4      Not authorized   Authorized       Forbidden        No
5      Authorized
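The resolution logic behind the status table and the combination table, as an added Python example (not PROXESS code): it assumes the priority forbid > granted > not granted applies to the user and to every group alike, because the page's list of rules was not preserved, and it walks the three levels database, document type and single document using constructed sample data that mirrors the page's example with user A and invoice 4711.

```python
from enum import Enum

class Status(Enum):
    NOT_GRANTED = 0  # default: nothing set; the right may still come via a group
    GRANTED = 1      # checked
    FORBID = 2       # explicitly revoked; overrides any group grant

def resolve(entries: dict, user: str, groups: list) -> Status:
    """Effective status of ONE right for `user` (member of `groups`).
    `entries` maps a user or group name to the status set on it; missing names
    count as NOT_GRANTED. Assumed priority (rule list not on the page):
    FORBID beats GRANTED, GRANTED beats NOT_GRANTED, on the user or any group."""
    statuses = {entries.get(name, Status.NOT_GRANTED) for name in (user, *groups)}
    if Status.FORBID in statuses:
        return Status.FORBID
    if Status.GRANTED in statuses:
        return Status.GRANTED
    return Status.NOT_GRANTED

def can_see(entries: dict, user: str, groups: list) -> str:
    """'Yes'/'No' as in the combination table; only GRANTED opens the object."""
    return "Yes" if resolve(entries, user, groups) is Status.GRANTED else "No"

def allowed(rights: dict, user: str, groups: list, db: str, doctype: str,
            doc: str, action: str) -> bool:
    """Walk the three levels: database -> document type -> single document."""
    if resolve(rights["database"].get(db, {}), user, groups) is not Status.GRANTED:
        return False  # level 1: no access to the database at all
    type_rights = rights["doctype"].get((db, doctype), {})
    if resolve(type_rights.get("View", {}), user, groups) is not Status.GRANTED:
        return False  # level 2: View is the foundation for every other action
    type_action = resolve(type_rights.get(action, {}), user, groups)
    if action == "View" or type_action is Status.GRANTED:
        return True
    # level 3: rights on the single document expand the type rights, never replace them
    doc_rights = rights["document"].get((db, doctype, doc), {})
    return resolve(doc_rights.get(action, {}), user, groups) is Status.GRANTED

G = Status.GRANTED
# Constructed sample mirroring the page's example: user A in database "Job",
# all four actions on Offer, View only on Customer invoice, plus Edit on invoice 4711.
RIGHTS = {
    "database": {"Job": {"A": G}},
    "doctype": {
        ("Job", "Offer"): {a: {"A": G} for a in ("View", "New", "Edit", "Clear")},
        ("Job", "Customer invoice"): {"View": {"A": G}},
    },
    "document": {("Job", "Customer invoice", "4711"): {"Edit": {"A": G}}},
}
```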