Privileges, Roles, and Groups
A user's ability to access containers and documents and to perform actions in iManage Work is controlled using privileges, roles, groups, and security access levels.
The relationship between privileges and security access levels is often misunderstood. The two are related but not the same.
Privileges | Security access level |
---|---|
Privileges define which actions users are allowed to perform for containers and documents that they have access to. | Security access levels define which containers and documents users have access to and to which degree they can modify those items. |
The following topics describe these concepts in more detail:
Roles
A role enables you to group a set of privileges. When you create a role, you then assign one or more users to the role.
For more information, refer to Roles.
Roles can be created, deleted, or modified as required, except for the Default role; refer to Default Role. A role's privilege set may be changed at any point later by an NRTADMIN.
Default role: iManage Work automatically creates a Default role. This role can't be deleted, and the iManage Work system administrator can edit its set of privileges at any time. All users are automatically assigned to this role and can't be removed from it. As a result, each user has a default set of privileges, which is typically kept minimal for security reasons.
Privileges
Privileges are individual actions a user can perform on containers, documents, or the iManage Work system. The set of privileges is fixed by the iManage Work system: privileges can't be created or deleted, only granted or denied. Privileges are contained only in roles, which are named sets of privileges; roles are then assigned to users. Some categories include privileges for individual containers or documents, such as Create/Import content as files, Delete content as files, and Create Public Workspaces, among others. Other privileges grant Control Center access at the Tier 1 level (basic help desk capabilities) or the Tier 2 level (the ability to manage metadata, trustees, and templates, in addition to the Tier 1 capabilities).
Privileges or actions implemented for the iManage Work system include Search Using Web to allow a user to perform Web searches and Allow Full-Text Searches to search using full text.
Privileges are divided into the following categories based on the operations performed:
Work application privileges
- Document: Privileges to work with documents.
- Workspace: Privileges to work with workspaces and manage custom metadata.
- Folder: Privileges to work with public folders.
Control Center privileges
- Control Center access: Privileges to access Tier 1 or Tier 2 Control Center capabilities.
Legacy application privileges
- Work client privileges: Privileges to perform full-text and web searches.
- Admin privileges: Privileges to use iManage Work import, monitor, and administrator capabilities.
For a detailed list of privileges that can be assigned to users, see Roles.
Tiered privileges
Tiers are predefined sets of privileges for iManage Work system administrators, product support, or help desk team members when performing activities in Control Center. They're assigned per iManage Work library.
For more information, refer to Understanding tiers.
Groups
Groups are collections of multiple users. A group can be assigned to workspaces, folders, tabs, and documents with a specific access permission, so that a precise set of users is attached to the same item with the same access permission. Groups are maintained by adding or removing users, or by changing the group's access permission, rather than by modifying individual users and their access permissions. Users can be members of multiple groups.
Groups don't have access privileges assigned to them. Keep in mind that each user will be assigned a role (which does have associated privileges) and that this role is independent of being assigned to a group.
Groups can be created and modified as required, except for the NRTADMIN group; see NRTADMIN Group for more information. Groups can't be deleted.
If the directory server from which the user list is maintained already includes groups, those groups and members can be imported into iManage Work. This is a one-way synchronization only; groups and memberships can't be updated from iManage Work back to the directory service.
Using groups on security access permissions instead of individual users also has an implicit performance improvement for searching. When using groups to manage security, the object's security only has to be indexed once in the indexer when the group is assigned. Changes made to the underlying group don't trigger a reindex. Whereas if you managed user security individually on the objects, each change would require the object to be re-indexed.
NRTADMIN group
The NRTADMIN group is provided by the iManage Work system automatically; it doesn't need to be created. Any user assigned to the NRTADMIN group becomes by definition an NRTADMIN, regardless of their current role. A user who's removed from the NRTADMIN group retains the library role they previously had. Only another NRTADMIN is allowed to add or remove users from this group. See also Tiered Privileges.
A provisional administrator is an NRTADMIN with additional privileges. These are defined at the time of an iManage Work installation and provided by your custom service manager (CSM) or designated service provider.
Document, workspace, and folder attributes
The following represent attributes associated with documents, workspaces, and folders:
- Owner: A role that's automatically assigned to the user who creates a new workspace or folder. That user has Full Access privileges to the workspace/folder. A workspace/folder can have only one owner, and the current owner can assign the role to another user.
- Operator: A role that's automatically assigned to the user who creates a new document or initially uploads a document. That user has Full Access privileges to the document. A document can have only one operator, and the current operator can assign the role to another user.
- Author: A role that's automatically assigned to the user who creates a new document or initially uploads a document. The author can be changed by the document's operator or by another user who has full access to the document. The author role doesn't grant ownership of the document (see Operator) but does grant implicit full access to it.
Security access levels
Security access level is a term that collectively refers to default security and access rights. Security access levels define the access a user has to the content of containers and to documents.
For additional information, refer to Container and Document Security.
Access conflict models
An access conflict is when a user has conflicting or contradicting access to an object, such as a container or document.
Depending on your iManage Work environment, one of the following models is used to resolve access conflicts:
- An optimistic model resolves conflicts by applying the most permissive access level from among the conflicting levels.
- A pessimistic model resolves conflicts by applying the most restrictive access level from among the conflicting levels.
- A hybrid model uses the optimistic model unless any of the conflicting access levels is No Access. If any of the conflicting security access levels on the object is No Access, the user is denied access to the object.
Refer to the examples below for more information about these different models.
For iManage Work in the Cloud, contact cloudsupport@imanage.com to confirm which security model is applied in your environment.
For iManage Work in an on-premises environment, refer to the following registry setting in the iManage Work Server:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Interwoven\WorkSite\imDmsSvc\
Name: Security Model
Values:
0 – Optimistic Security (Default)
1 – Pessimistic Security
2 – Hybrid Security
Example 1
For a specific document, the user Anthony may have the following access levels, as he belongs to both GROUP1 and GROUP2:
Trustee | Access level |
---|---|
User (Anthony) | Read |
GROUP1 | Read/Write |
GROUP2 | No Access |
There is a conflict because at least two of the access levels are contradictory. This resolves automatically depending on the Access conflict model.
Access conflict model | Resolution | Reason |
---|---|---|
Optimistic | Read/Write | The most permissive level of the three possibilities is Read/Write from GROUP1. |
Pessimistic | No Access | The most restrictive level of the three possibilities is No Access from GROUP2. |
Hybrid | No Access | The most restrictive level of the three possibilities is No Access from GROUP2. Hybrid gives the Optimistic result only if there is no denial (No Access) among all the options; if there is a denial, Hybrid applies that denial. |
Example 2
For a specific document, the user Hanna may have the following access levels, as she belongs to both GROUP1 and GROUP2:
Trustee | Access level |
---|---|
User (Hanna) | Read |
GROUP1 | Read/Write |
GROUP2 | Full Access |
There is a conflict because at least two of the access levels are contradictory. This resolves automatically depending on the Access conflict model.
Access conflict model | Resolution | Reason |
---|---|---|
Optimistic | Full Access | The most permissive level of the three possibilities is Full Access from GROUP2. |
Pessimistic | Read | The most restrictive level of the three possibilities is Read from the user's direct permission. |
Hybrid | Full Access | The most permissive level of the three possibilities is Full Access from GROUP2. Hybrid gives the Optimistic result because there is no denial (No Access) among the options. |
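The three conflict models and both examples above, worked through in code. This is an added illustration, not iManage code; the numeric ordering of access levels (No Access < Read < Read/Write < Full Access), the trustee names and the group memberships are assumptions taken from the examples in this topic.

```python
"""Resolve a user's effective access level under the optimistic, pessimistic
and hybrid conflict models described above (added example, not iManage code)."""
from enum import IntEnum


class AccessLevel(IntEnum):
    # Assumed ordering: a higher value is more permissive.
    NO_ACCESS = 0
    READ = 1
    READ_WRITE = 2
    FULL_ACCESS = 3


def resolve_optimistic(levels):
    """Most permissive of the conflicting levels."""
    return max(levels)


def resolve_pessimistic(levels):
    """Most restrictive of the conflicting levels."""
    return min(levels)


def resolve_hybrid(levels):
    """Optimistic, unless any conflicting level is an explicit denial."""
    levels = list(levels)
    if AccessLevel.NO_ACCESS in levels:
        return AccessLevel.NO_ACCESS
    return max(levels)


# Keyed by the "Security Model" registry values listed in this topic.
MODELS = {0: resolve_optimistic, 1: resolve_pessimistic, 2: resolve_hybrid}


def effective_access(user, groups, acl, model):
    """Gather the levels that apply to `user` (direct entry plus each group
    they belong to) and resolve them under `model` (0, 1 or 2).
    Assumption: a user matched by no trustee on the ACL has no access."""
    levels = [acl[t] for t in (user, *groups) if t in acl]
    if not levels:
        return AccessLevel.NO_ACCESS
    return MODELS[model](levels)


# Constructed ACLs reproducing Example 1 (Anthony) and Example 2 (Hanna).
ANTHONY_ACL = {"Anthony": AccessLevel.READ, "GROUP1": AccessLevel.READ_WRITE,
               "GROUP2": AccessLevel.NO_ACCESS}
HANNA_ACL = {"Hanna": AccessLevel.READ, "GROUP1": AccessLevel.READ_WRITE,
             "GROUP2": AccessLevel.FULL_ACCESS}
MEMBERSHIP = ["GROUP1", "GROUP2"]  # both users belong to both groups
```

Running `effective_access("Anthony", MEMBERSHIP, ANTHONY_ACL, 2)` returns `AccessLevel.NO_ACCESS`, matching the Hybrid row of Example 1.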