Arcentry Enterprise - Groups & Permissions

Introduction

Arcentry 1.9 introduces granular access management via groups and permissions. This makes it possible to determine which group of users, e.g., all employees belonging to a given customer, can access a given document or embed or which user within an organization can create user accounts or groups to manage access for other users.

Key Concepts

• User - A user is a single Arcentry account. It can either be created explicitly via the user management GUI or implicitly by logging in with a valid Active Directory token. Each access to Arcentry now requires a valid account, including access to embeds, which used to be public.
• Group - A group is a container for a set of permissions. Arcentry groups can be created individually or mapped to existing Active Directory groups. All groups are global, meaning any user with the EDIT_GROUP permission can view, assign, or manipulate any groups.
• Permission - A permission is a single right to do something. There are two kinds of permissions: Admin permissions such as EDIT_USER, EDIT_GROUP, and VIEW_LOG apply without context, whereas other permissions such as VIEW_EMBED, VIEW_DOCUMENT, EDIT_DOCUMENT, EDIT_FOLDER, or EDIT_EMBED are specific to one or more documents, folders or embeds.

Relationships and Mechanisms

Users, Documents, and Embeds can be members of zero or more groups. A user has access to a given document or embed if she is either:

1. the owner/original creator of that document or embed or
2. a member of a group that is also assigned to the document or embed and has the related VIEW_DOCUMENT, VIEW_EMBED, EDIT_DOCUMENT ,or EDIT_EMBED permissions.

Permissions are additive. If e.g., both a user and a document are members of Group A with EDIT_DOCUMENT permission and Group B with VIEW_DOCUMENT permission, the user will be able to both view and edit this document.

Installation

Arcentry 1.9.x requires changes to the database structure. To apply these, simply run:

Getting Started

Arcentry 1.9.0 introduces a new button in the view menu toolbar in the bottom right that brings up the group and user management GUI. By default, however, no user has permissions to edit users or groups.

To get around this chicken and egg problem, Arcentry 1.9.0 introduces a new command-line option that allows you to create an admin account programmatically.

You can invoke it via

Then, log in with the newly created admin user and assign roles and permissions as you see fit.

Managing Groups

Groups can be edited in the Group section of the access control panel. Each group has a unique name and optionally a description and a related active directory group. Groups can have zero or more associated permissions. Editing groups requires the EDIT_GROUP permission.

Managing Users

Users can be edited in the user section of the access control panel. Each user has a first and last name as well as an email that can be used when logging in via the login form. In addition, each user can have either an Active Directory Id (Subject) and/or a password for form-based login. Users can be assigned to one or more groups.

Assigning Groups to Documents

You can assign groups to documents or folders using the context menu next to each entry in the document tab. Folder permissions are applied to all documents in that folder. Individual documents within a folder can have additional permissions, however, as permissions are always additive, there is no way to have a document with fewer permissions than the folder holds. Documents that are accessible to you, but haven't been created by you will show up in the "shared with me" tab.

Assigning Groups to Embeds

You can assign groups to embed in the embed preview dialog that opens when you create a new embed or select an existing embed from the list under export->static embed for website