Access control list

Secure access to components
An access control list (ACL) defines a list of entries (ACE) used to assign permissions to identities.

Permissions

In general, the following permissions are allowed:

Permission Description
CREATE Authorises creation
READ Authorizes read access
UPDATE Authorises update
DELETE Authorises deletion
READ_HISTORY Access to history
READ_TASK_HISTORY Access to task history
READ_OBFUSCATION Authorises reading of hidden data

Document-specific permissions:

Permission Description
READ_CONTENT Read content
UPDATE_CONTENT Update content
DOWNLOAD_CONTENT Download content (viewer)
PRINT Print (viewer)
CREATE_ANNOTATION Create annotation (viewer)
READ_ANNOTATION Read existing annotations (viewer)
BUILD_NEW_DOCUMENT Activate document clipping (viewer)
OBFUSCATE Create obfuscation annotations (viewer)


Note : obfuscation actions can only be activated with the CREATE_ANNOTATION and OBFUSCATE permissions.

Task-specific permissions:

Permission Description
APPROPRIATE Appropriate an unassigned task
APPROPRIATE_ALREADY_ASSIGNED Appropriate an already assigned task
ASSIGN Assign a task to a user
APPLY_ANSWER Apply an answer
UPDATE_CONTENT Update attachments
DELETE_CONTENT Delete attachments
READ_CONTENT View attachments

Identities

For FlowerDocs, an identity is either a user, a group or a team. The team concept has been introduced to centralise and pool the management of authorisations common to one or more identities.

ACL Proxy


This feature is in beta. For any integration requirements using ACl’s proxies, please contact the FlowerDocs team to help you find the best solution for your needs.

ACLProxy type objects are used to add a business aspect to authorisation management.

A proxy is also a SecurityObject used to define the security to be applied to a component. It relies on conditions to determine which ACL to apply to a component.

Example:

For an Invoice document class, the following proxy could be used:

  • if amount < €100: everyone has read-only permission for the document
  • if amount > €100: everyone has view/modify permissions for the document

Diagram

                      SecurityObject
                            |
         _______________________________
        |                               |
 AcessControlList  <-----            ACLProxy
        |                |              |
        | 1:N            |              | * rules : List<ACLRule>  ---
        |                |                                           |
AccessControlEntry       |                                           |
                         |                                           |
                         |           ACLRule  <-----------------------
                         |              |
                         |              | * conditions : List<String>
                         |____1:1_______| * aclId : Id

Default setting

Defining an unconditional entry in a proxy allows you to define which ACL should be evaluated to create a component from FlowerDocs GUI.

Roles

Roles give access to FlowerDocs features through the team concept.

To assign a role to a user:

  • create a team whose identifier is the role name
  • add users to a team
Role Description
ADMIN Administers a scope
DOCUMENT_CREATOR Accesses the Insert tab