Privileges, Roles, and Groups

A user's ability to access containers and documents and perform actions in iManage Work is controlled using privileges, roles, groups, and security access levels.

The relationship between privileges and security access levels is often misunderstood. The two are related but not the same.

  • Privilege: Privileges define which actions users are allowed to perform on containers and documents that they have access to.

  • Security access level: Security access levels define which containers and documents users have access to and to what degree they can modify those items.

The following topics describe these concepts in more detail:

Privileges

Privileges are individual actions a user can perform on containers, documents, or the iManage Work system. The set of privileges is fixed by the iManage Work system: privileges cannot be created or deleted, only granted or denied. Privileges are contained only in roles, which are named sets of privileges, and roles are then assigned to users. Some privilege categories cover individual containers or documents, such as Create/Import content as files, Delete content as files, and Create Public Workspaces, among others. Privileges that apply to the iManage Work system itself include Search Using Web, which allows a user to perform Web searches; Allow Full-Text Searches, which allows searching using full text; and Tier 2, which allows that user to perform tier 2 help support functions.

Privileges are divided into the following categories based on the operations performed:

  • Content: Privileges to work with the documents.

  • Folder: Privileges to work with the folders, tabs, and workspaces.

  • Administrative: Privileges to work with the administrative tools.

  • Web Operations: Privileges to perform operations through the iManage Work Web client application.

For a detailed list of privileges that can be assigned to users, see Roles.

Tiered privileges

Tiers are predefined sets of privileges for iManage Work system administrators, product support, or help desk team members when performing activities in Control Center, and are assigned per iManage Work library.

For more information, see Understanding tiers.

Roles

A role enables you to group a set of privileges. When you create a role, you then assign one or more users to the role.

For more information, see Roles.

Roles can be created, deleted, or modified as required, with the exception of the Default role; see Default Role. A role's privilege set may be changed at any point later by an NRTADMIN.

  • Default role: iManage Work automatically creates a Default role. This role cannot be deleted, and the iManage system administrator can edit its set of privileges at any time. All users are automatically assigned to this role and cannot be removed from it. As a result, each user has a default set of privileges, typically minimal for security reasons.

  • Owner/operator: The owner, also called the operator, is a role that is automatically assigned to the user who creates a new document or initially uploads a document. That user has Full Access privileges to the document. A document can have only one owner at a time, and the current owner can assign the role to another user.

  • Author: An author of a document is a role that is assigned by the document's owner. It does not grant ownership of the document (see Owner) but grants Read/Write access to the document. This is identical to the Read/Write access level. However, the owner can grant or deny this level directly and does not have to change other settings.

Groups

Groups are collections of multiple users. Groups can be assigned to workspaces, folders and tabs, and documents, each with a specific access permission. This allows a precise set of users to be assigned to the same item, all with the same access permission. Groups can be maintained by adding or removing users, or by changing the access permission, rather than by modifying individual users and their access permissions. Users can be members of multiple groups.

Groups do not have access privileges assigned to them. Keep in mind that each user will be assigned a role (which does have associated privileges) and that this role is independent of being assigned to a group.

Groups can be created and modified as required, with the exception of the NRTADMIN group. See NRTADMIN Group for more information. Groups cannot be deleted.

If the directory server from which the user list is maintained already includes groups, those groups and members can be imported into iManage Work. This is a one-way synchronization only; groups and memberships cannot be updated from iManage Work back to the directory service.

Using groups in security access permissions instead of individual users also gives an implicit performance improvement for searching. When groups are used to manage security, the object's security only has to be indexed once, when the group is assigned. Changes made to the underlying group membership do not trigger a reindex. If instead user security were managed individually on the objects, each change would require the object to be re-indexed.

NRTADMIN group

The NRTADMIN group is available through the iManage Work system automatically; it does not need to be created. Any user assigned to the NRTADMIN group becomes by definition an NRTADMIN, regardless of their current role. A user who is removed from the NRTADMIN group retains the library role they previously had. Only another NRTADMIN is allowed to add or remove users from this group. See also Tiered Privileges.

A provisional administrator is an NRTADMIN with additional privileges. These are defined at the time of an iManage Work installation and provided by your custom service manager (CSM) or designated service provider.

Security access levels

Security access level is a term that collectively refers to default security and access rights. Security access levels define the access a user has to the content of containers and to documents.

See Container and Document Security for additional information.

Access conflict models

An access conflict is when a user has conflicting or contradicting access to an object, such as a container or document.

Depending on your iManage Work environment, one of the following models is used to resolve access conflicts:

  • An optimistic model resolves conflicts by applying the most permissive access level from among the conflicting levels.

  • A pessimistic model resolves conflicts by applying the most restrictive access level from among the conflicting levels.

  • A hybrid model uses the optimistic model unless any of the conflicting access levels is No Access. If one of the conflicting security access levels on the object is No Access, the user is denied access to the object.

Refer to the examples below for more information about these different models.

For iManage Work in the Cloud, contact cloudsupport@imanage.com to confirm which security model is applied in your environment.

For iManage Work in an on-premises environment, refer to the following registry key setting in the iManage Work Server:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Interwoven\WorkSite\imDmsSvc\

Name: Security Model
Values:
0 – Optimistic Security (Default)
1 – Pessimistic Security
2 – Hybrid Security

Example 1

For a specific document, the user Anthony may have the following access levels, because he belongs to both GROUP1 and GROUP2:

  • User (direct assignment): Read

  • GROUP1: Read/Write

  • GROUP2: No Access

There is a conflict because at least two of the access levels are contradictory. This resolves automatically depending on the Access conflict model.

Resolution by access conflict model:

  • Optimistic: Read/Write. The most accessible level of the three possibilities is Read/Write from GROUP1.

  • Pessimistic: No Access. The most restrictive level of the three possibilities is No Access from GROUP2.

  • Hybrid: No Access. The most restrictive level of the three possibilities is No Access from GROUP2.

This is because the Hybrid model gives the Optimistic result only if there is no denial (No Access) among all the options. If there is a denial, Hybrid applies that denial.

Example 2

For a specific document, the user Hanna may have the following access levels, because she belongs to both GROUP1 and GROUP2:

  • User (direct assignment): Read

  • GROUP1: Read/Write

  • GROUP2: Full Access

There is a conflict because at least two of the access levels are contradictory. This resolves automatically depending on the Access conflict model.

Resolution by access conflict model:

  • Optimistic: Full Access. The most accessible level of the three possibilities is Full Access from GROUP2.

  • Pessimistic: Read. The most restrictive level of the three possibilities is Read from the user's direct permissions.

  • Hybrid: Full Access. The most accessible level of the three possibilities is Full Access from GROUP2.

This is because the Hybrid model gives the Optimistic result when there is no denial (No Access) among all the options.
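The following is an added example, not iManage's own code, that models the three access conflict resolution models described above and reproduces the two worked examples for Anthony and Hanna. It assumes the four access levels rank No Access < Read < Read/Write < Full Access (the ordering the examples rely on), uses the registry values 0, 1 and 2 from the Security Model setting to select the model, and adds a small audit helper (an assumption, not an iManage feature) that reports users whose effective access under the configured model differs from their direct assignment. Reviewing that report is a useful check when group memberships are imported from a directory server, since a group grant can silently raise a user's effective level under the optimistic model.

```python
"""Model of iManage Work access conflict resolution (added illustration).

The AccessLevel ordering and the audit helper are assumptions made for this
example; the three models and the registry values 0/1/2 come from the page.
"""
from enum import IntEnum
from typing import Dict, Iterable, List, Tuple

# Ordered from most restrictive to most permissive (assumed ordering).
class AccessLevel(IntEnum):
    NO_ACCESS = 0
    READ = 1
    READ_WRITE = 2
    FULL_ACCESS = 3

# Registry "Security Model" values documented for the on-premises Work Server.
OPTIMISTIC = 0   # most permissive level wins (default)
PESSIMISTIC = 1  # most restrictive level wins
HYBRID = 2       # optimistic, unless any level is No Access


def resolve(levels: Iterable[AccessLevel], model: int) -> AccessLevel:
    """Resolve a set of conflicting access levels under the given model."""
    levels = list(levels)
    if not levels:
        raise ValueError("no access levels to resolve")
    if model == OPTIMISTIC:
        return max(levels)
    if model == PESSIMISTIC:
        return min(levels)
    if model == HYBRID:
        # A single No Access anywhere in the conflict denies the user.
        if AccessLevel.NO_ACCESS in levels:
            return AccessLevel.NO_ACCESS
        return max(levels)
    raise ValueError(f"unknown Security Model value {model}")


def effective_access(direct: AccessLevel,
                     group_levels: Dict[str, AccessLevel],
                     memberships: Iterable[str],
                     model: int) -> AccessLevel:
    """Combine a user's direct grant with grants from the groups they belong to."""
    levels = [direct]
    for group in memberships:
        if group in group_levels:
            levels.append(group_levels[group])
    return resolve(levels, model)


# Constructed sample data reproducing the page's two examples.
ANTHONY_GROUPS = {"GROUP1": AccessLevel.READ_WRITE, "GROUP2": AccessLevel.NO_ACCESS}
HANNA_GROUPS = {"GROUP1": AccessLevel.READ_WRITE, "GROUP2": AccessLevel.FULL_ACCESS}
DIRECT_READ = AccessLevel.READ


def worked_examples() -> Dict[str, Dict[int, AccessLevel]]:
    """Return the resolution for each user under each model."""
    results = {}
    for name, groups in (("Anthony", ANTHONY_GROUPS), ("Hanna", HANNA_GROUPS)):
        results[name] = {
            model: effective_access(DIRECT_READ, groups, groups.keys(), model)
            for model in (OPTIMISTIC, PESSIMISTIC, HYBRID)
        }
    return results


def audit_escalations(users: Dict[str, Tuple[AccessLevel, Dict[str, AccessLevel]]],
                      model: int) -> List[Tuple[str, AccessLevel, AccessLevel]]:
    """Assumed audit helper: list users whose effective level exceeds their direct grant.

    users maps a user name to (direct level, {group: level}) for one object.
    """
    findings = []
    for name, (direct, groups) in users.items():
        effective = effective_access(direct, groups, groups.keys(), model)
        if effective > direct:
            findings.append((name, direct, effective))
    return findings


if __name__ == "__main__":
    for user, per_model in worked_examples().items():
        print(user, {m: lvl.name for m, lvl in per_model.items()})
    sample = {"Anthony": (DIRECT_READ, ANTHONY_GROUPS), "Hanna": (DIRECT_READ, HANNA_GROUPS)}
    print("escalations under optimistic:", audit_escalations(sample, OPTIMISTIC))
```

Running the script prints Anthony's resolutions as Read/Write, No Access and No Access for models 0, 1 and 2, and Hanna's as Full Access, Read and Full Access, matching the tables above. The audit helper flags both users under the optimistic model, because group grants lift each of them above their direct Read assignment; under the pessimistic model it flags neither.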