Mayan EDMS uses a role-based permission system (https://en.wikipedia.org/wiki/Role-based_access_control) that provides a mechanism to control access to the contained documents and system functions.
The role access control system is divided into two main groups:
- Permission grants to roles for the entire system.
- ACLs (access control lists). These are permissions granted to a role for a specific object or group of objects.
Mayan EDMS provides very fine control over which actions users can perform. Action control works by allowing roles, which are composed of groups of users, to be granted a permission such that the holder of that permission can exercise it throughout the entire system.
In other words, users themselves can’t hold a permission; permissions are granted only to roles. Users can’t directly belong to a role; they can only belong to a group. Groups can be members of roles. Roles are system permission units and groups are business organizational units.
Access control lists
Besides the permissions system explained in Permissions, Mayan EDMS provides per-object permission granting. This feature is used to grant a permission to a role, but the permission can only be exercised for a limited number of objects (documents, folders, tags) instead of being effective system-wide.
In this scenario only users in groups belonging to the
would be able to view the
2015 Payroll report.txt document.
Inherited access control
It is also possible to grant a permission to a role for a specific document type (Document types). Under this scheme all users in groups belonging to that role will inherit that permission for all documents of that type.
Accountants is given the permission document view for the Payroll reports document type. Now all users in groups belonging to the Accountants role can view all documents of the type Payroll reports without needing to have that permission granted for each particular Payroll reports type document.
If access control for the Payroll reports documents needs to be updated, it only needs to be done for the document type and not for each document of the type.
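The three grant paths described above (system-wide role permission, per-object ACL, and ACL inherited from the document type) can be modelled as a single default-deny check. This is an added example, not Mayan EDMS code; the class, function and sample names (`AccessModel`, `check_access`, the users, groups and the Auditors and Administrators roles) are hypothetical and the data is constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Document:
    label: str
    document_type: str

@dataclass
class AccessModel:
    group_members: dict = field(default_factory=dict)    # group -> set of users
    role_groups: dict = field(default_factory=dict)      # role -> set of groups
    role_permissions: set = field(default_factory=set)   # (role, permission), system-wide
    acls: set = field(default_factory=set)               # (role, permission, object)

    def roles_of(self, user):
        """Users never hold roles directly: resolve user -> groups -> roles."""
        groups = {g for g, members in self.group_members.items() if user in members}
        return {r for r, gs in self.role_groups.items() if gs & groups}

    def check_access(self, user, permission, document):
        """Return the reason access is granted, or None (default deny)."""
        doc_type = ("document_type", document.document_type)
        for role in sorted(self.roles_of(user)):
            if (role, permission) in self.role_permissions:
                return "system-wide"      # role permission, applies to every object
            if (role, permission, document) in self.acls:
                return "object ACL"       # grant limited to this one document
            if (role, permission, doc_type) in self.acls:
                return "inherited"        # grant on the document type
        return None

# Constructed sample data mirroring the examples in the text.
PAYROLL = Document("2015 Payroll report.txt", "Payroll reports")
INVOICE = Document("Invoice 001.pdf", "Invoices")
MODEL = AccessModel(
    group_members={"Accounting staff": {"alice"}, "Interns": {"bob"},
                   "Audit team": {"carol"}, "IT": {"dave"}},
    role_groups={"Accountants": {"Accounting staff"}, "Auditors": {"Audit team"},
                 "Administrators": {"IT"}},
    role_permissions={("Administrators", "document view")},
    acls={("Accountants", "document view", ("document_type", "Payroll reports")),
          ("Auditors", "document view", INVOICE)},
)

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        for doc in (PAYROLL, INVOICE):
            print(user, doc.label, MODEL.check_access(user, "document view", doc))
```

Running it shows which path, if any, grants each user access, which is the same question to ask when auditing why a role can see a given document.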