Overview of Object Permissions

Viewing and Editing DocuShare Object Permissions

Adding Users and Groups to an Object's Access List

Unifying DocuShare Object Permissions

Changing an Object's Owner

Working with Write-Only Objects

Table of Contents	Becoming a DocuShare User	DocuShare Collections

Every DocuShare object has a set of associated permissions called its Access Control List. Permissions are the authorization level that a defined set of users or groups has to view, delete or modify a DocuShare object. These object permissions are not assigned or maintained by the Site Administrator; rather, they are maintained by the owner of the object or any user with Manager level access to the object.

There are three permission categories:

• Reader---Allows the user or group to read the contents of a file or object and view its associated properties and permissions. The user can open a file from the DocuShare site and can also save this file to their local computer. However, a user with only Reader access to an object cannot change its properties or add new content. No writing or editing of any kind is granted by Reader-level access. Users will only see objects in collection, Contents or What’s New listings for which they have Reader-level access.
• Writer---Allows the user or group to edit an object’s properties and add new objects to a container object (e.g., a collection). Writer level access to an object does not grant permission to delete it or edit its permissions. Granting users or groups Writer permission without granting them Reader permission enables advanced features like blind submission collections, but requires that special steps be taken to make those features accessible. See the section entitled Working with Write Only Objects at the end of this chapter.
• Manager---Grants the user or group full read/write access to the object. In addition to read/write permission, a Manager can delete the object and edit its access permissions. Users with Manager permission can also change ownership rights of an object from its current owner to another user.

The user who initially creates an object in the DocuShare repository, known as the owner, receives automatic Manager level permission after creating the object. The owner can now assign which users and groups can access the object and what level of access they have to this object. Permissions are assigned at the individual object level.

You specify permissions using one or more user names, group names, or both. When you are working with more than a few individuals or objects, user groups can make creating and maintaining access permission lists easier. A user group is a named set of users and/or groups. See Creating a User Group in Chapter 2 for more information on creating a user group in DocuShare.

Permissions work with your logged in status on DocuShare. If you are not logged in to DocuShare, you are considered a Guest and the user name Guest appears on each page. Guests cannot add objects or perform any edit operations.

Within access permissions, the user Anyone represents anyone accessing a DocuShare object, either a logged-in user or a guest. Granting write access to Anyone gives any logged in user write permission; Guest is always denied edit capability. For example, if you give Reader and Writer level access to Anyone for a collection, then user Mary Smith can view the contents of the collection, even if she is not logged in (i.e., a guest). However, if Mary Smith wants to add an object to that collection, she must log in. If she is not logged in, when she attempts to add that object, DocuShare will present a warning message stating that Guest cannot perform that operation. It will also present a login box to allow the user to log in and complete the operation. The user will only be able to complete adding the object if they have Writer access permissions to the object.

Object permissions can be inherited from higher-level parent or container objects. Collections, Calendars and Bulletin Boards are considered container objects because they hold other objects. Calendars hold Events, Bulletin Boards hold Bulletins, and Collections hold every other type of DocuShare object, including other collections. By initially setting the access permissions for a higher level container object, any object subsequently added to that container object automatically inherits those higher-level permissions from the container object.

For example, if you create a collection and give user Joe Smith both Reader and Writer access to the collection, then any object (file, Collection, Calendar or Bulletin Board) subsequently added to that collection automatically contains Reader and Writer access permissions for user Joe Smith. Inheriting permissions from container objects can be a very powerful tool to quickly set access permissions for new DocuShare objects.

To view the current permissions on a DocuShare object, click on the Services link for the object, then click Permissions in the Edit pull-down menu. If you have Manager access permissions to the object, you see the Edit Permissions page (shown below). Otherwise, you see the View Permissions page, a read-only version of the same information. You must be logged in to DocuShare to edit permissions in any manner.

The Permissions page has the following properties:

1. At the DocuShare object whose permissions you want to change, click the Services link. The Services page appears.

2. Click the Permissions selection in the Edit pull-down menu. The Permissions page appears. If you have Manager level access, you can edit the contents of the page.

3. Click any check box to select or deselect Reader, Writer, or Manager access for a user or group. A check mark means that the corresponding access right apply.

4. Click the check box Remove From Access List to remove a user or group from the access list.

5. Click Update Permissions to finalize your changes. Click Reset to cancel your changes.

1. At the DocuShare object whose permissions you want to change, click the Services link. The Services page appears.
2. Click the Permissions selection in the Edit pull-down menu. The Permissions page appears. If you have Manager level access, you can edit the contents of the page.
3. Click the Add to Access List selection in the Edit pull-down menu.
4. Select one or more users or groups from the Add Members list. This is a list of users who are currently not members.
5. Click Add Members to Access List.

At first, the users and groups that are added to the access list appear without new access rights. Follow the steps in the previous section to grant specific access rights to the new users or groups.

Occasionally, you may change the permissions for a higher-level container object (Collection, Calendar, and Bulletin Board). Perhaps you may want to add a new user or extend wider access to another user or group. However, the objects within that container object will not reflect those new permissions. You can edit the permissions for each object individually, but that process can be time consuming and error prone, especially if there are a large number of objects within that container object. DocuShare provides the Unify command to make this process easier.

Edit the permissions on the higher level DocuShare container object, then select Unify to set the permissions for all objects within that higher level container object to inherit the revised permission settings. However, if you do not have Manager level access to an object, Unify will not change permissions for that object. DocuShare will list those objects as it performs the Unify command. Permissions for these objects must still be edited individually by someone with Manager access permission.

1. At the DocuShare collection, click the Services link. The Collection Services page appears.

2. Select Permissions from the Edit pull-down menu. The Edit Collection Permissions page appears. Make any changes that are necessary at this time.

3. Select Unify from the Edit pull-down menu on the Edit Collection Permissions page.
   Note: The Do not unify objects that are also located elsewhere option means that the Unify command will not apply to objects that are also located outside of the set being unified. Leave this option checked to prevent the changes performed by the Unify command from propagating into other areas of the DocuShare repository.

4. Click Unify.

Users with Manager access to an object can change the object's owner at any time. The default owner is the user who initially created the object in DocuShare. While all Managers of an object have the same permissions as its owner, it is the owner's name that is shown whenever the object is displayed or an unauthorized access is attempted.

1. At the DocuShare collection, click the Services link. The Collection Services page appears.
2. Select Permissions from the Edit pull-down menu. The Edit Collection Permissions page appears. Make any changes that are necessary at this time.
3. Select Change Owner from the Edit pull-down menu on the Edit Collection Permissions page.
4. Select a new owner from the New Owner list. You can only select one owner.
5. Click Apply.

Ownership of the object is assigned to the new owner. The previous owner is added to the object's access list and is automatically given Reader, Writer and Manager access permissions.

Because Reader and Writer permissions are independent, DocuShare offers the ability to grant write-only access to objects. The primary use of this feature is to create container objects that allow users to add content while preventing them from seeing what other users have added. For example, a "Suggestions" bulletin board can be created that allows users to privately add their suggestions for improving the company. This bulletin board could even be made anonymous by granting write permission only to a special anonymous account to which submitters must log in prior to making their suggestions.

Because users with write-only access to an object cannot open it or even see it, they are unable to reach the object’s regular Add menu. Submission to write-only objects requires going directly to the desired edit form. For example, to add a new bulletin to a write-only bulletin board called BulletinBoard-16, a user must go to:

http://docushare-server/dscgi/ds.py/Add/BulletinBoard-16/Bulletin

This link can be made available to users as a DocuShare URL, or as a link on a custom web page. For blind submission to collections, the link is similar. For example, to add a file to Collection-47, users would go to:

http://docushare-server/dscgi/ds.py/Add/Collection-47/File

Table of Contents	Becoming a DocuShare User	DocuShare Collections