Permission model

You can assign permissions to a contract file in a variety of ways. Permissions are implemented as SharePoint permissions. Both individual users and groups can be given permissions.

Permissions are applied consistently to an entire contract file. This affects all documents and sub-items (e.g. tasks). Individual assignment of permissions to individual sub-items is not supported.

Various settings can be configured for the permissions:

  • Standard

    • Permission inheritance

  • Alternatively

    • Creator permission

    • Individual permissions

    • Set of rules

A permission is always a combination of user/group and a role (e.g. owner, read).

Permission inheritance

By default, the site collection permissions are inherited by new contract files. These can then be found and, if necessary, edited by all users and groups with permission in the site collection.

Creator permission

At the time of creation, only the person who created the contract file has permission. This can be useful, for example, if the permission rule set is activated and you want to prevent information from the contract file from being visible to unauthorized persons for a short period of time until after the rule set has been applied.

Individual permissions

With single (individual) permissions, certain users or groups can be given permission individually for each contract in addition to the set of rules or creator permission. This is done by selecting individuals or groups in the contract file and saving them in a designated field. Users with write permissions to a contract can fill this field and thus assign or change further permissions.

The support of single permissions can optionally be activated for an instance.

Technically, single permissions are processed through the set of rules, so the execution time of the set of rules is also relevant here. Likewise, the creator permission is applied first, so that the contract does not become visible to unauthorized persons during the potentially short interval before the individual permission is applied.

Set of rules

The set of rules assigns permissions for users or groups according to certain conditions. The conditions depend on the metadata of a contract file.

Examples of rules:

  • Additionally always give permission to the person responsible for the respective contract.

  • Always give permission to one specific person for all contracts.

  • Always give permission to a specific group if a certain metadata item has a specific value.

Conditions can be concatenated using the boolean operators AND and OR.

In the mid-term, administration will be enabled by specialist admins or administrators on the customer side. Currently, the configuration of the set of rules can be carried out by d.velop in cooperation with an existing implementation partner.

A single rule consists of

  • Priority

    • The higher it is, the sooner it is executed.

  • Condition

    • Link

      • AND

      • OR

    • Comparison operator

      • equal, not equal

      • larger (or same), smaller (or same)

      • contains, does not contain

  • Action

    • Delete all permissions.

    • Add permissions.

      • User, group

        • Clearly defined users or groups.

        • Users or groups named in a field content.

      • Permission level

        • A SharePoint permission level to be granted to the user or group.

Each rule always refers to a contract file. The fields of the contract can be used in the condition.

Execution time

The set of rules is executed at certain times:

  • After a contract file is created.

  • After changing metadata of a contract file.

  • After changing the set of rules (for all contract files).

The set of rules is executed (asynchronously) by an independent service account after a contract has been created and when it is modified. As a result, there is a time lag between changing the contract and the effect on the permission.

Supported fields

The following fields are supported for metadata comparisons:

  • Text (single and multiline)

  • Number

  • Currency

  • Person or group (simple)

  • Managed metadata (simple)

  • Choice (single)

Reading from the "person or group" fields as a source for persons or groups to be given permission is supported for both single and multiple values.

Concrete examples

  • If the field Organizational classification = Controlling, give the group Controlling the permission level Editing.

  • If the contract type = Consulting agreement, give the group Consulting the permission Reading.

  • If the Sales territory field = DE South, give the group Sales_DE_South_Field the permission Reading.

  • Always give the contract manager the permission Full access.

  • Always give the data protection officer the permission.
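The rule set described above, worked through as an added Python example (this is illustrative code, not d.velop's own implementation): a rule carries a priority, a list of conditions joined by AND or OR, and an action; the evaluator starts from the creator permission, runs the rules highest priority first, and returns the resulting user/group to permission level mapping for one contract file. Field names, group names, permission level names and the priorities are assumptions.

```python
from dataclasses import dataclass
# Comparison operators listed on the page (a = field value, b = value in the rule);
# the numeric ones expect the compared field to be filled.
OPERATORS = {
    "equal": lambda a, b: a == b, "not equal": lambda a, b: a != b,
    "larger": lambda a, b: a > b, "larger or same": lambda a, b: a >= b,
    "smaller": lambda a, b: a < b, "smaller or same": lambda a, b: a <= b,
    "contains": lambda a, b: b in (a or ""),
    "does not contain": lambda a, b: b not in (a or ""),
}

@dataclass
class Rule:
    priority: int        # higher runs first
    conditions: list     # [(field, operator, value), ...]; empty list = "always"
    link: str = "AND"    # boolean link between the conditions: "AND" or "OR"
    action: str = "add"  # "add" or "delete_all"
    principal: str = ""  # fixed user/group, or "field:<name>" to read it from a field
    level: str = "Read"  # SharePoint permission level to grant

def condition_holds(rule, contract):
    if not rule.conditions:
        return True
    results = [OPERATORS[op](contract.get(f), v) for f, op, v in rule.conditions]
    return all(results) if rule.link == "AND" else any(results)

def apply_rules(contract, rules, creator):
    """Return {principal: level} for one contract file after the rule set ran."""
    perms = {creator: "Full Control"}  # creator permission until the rule set applies
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        if not condition_holds(rule, contract):
            continue
        if rule.action == "delete_all":
            perms.clear()
            continue
        who = rule.principal
        if who.startswith("field:"):  # single or multi-valued person/group field
            who = contract.get(who[len("field:"):], [])
        for p in (who if isinstance(who, list) else [who]):
            if p:
                perms[p] = rule.level
    return perms

# Constructed rule set following the page's concrete examples; priorities are assumed.
RULES = [
    Rule(100, [], action="delete_all"),
    Rule(90, [], principal="field:Contract manager", level="Full Control"),
    Rule(50, [("Organizational classification", "equal", "Controlling")], principal="Controlling", level="Edit"),
    Rule(50, [("Contract type", "equal", "Consulting agreement")], principal="Consulting", level="Read"),
    Rule(50, [("Sales territory", "equal", "DE South")], principal="Sales_DE_South_Field", level="Read"),
]
```

Calling `apply_rules(contract, RULES, creator)` with a contract whose Organizational classification is Controlling and whose Contract manager field names one person yields Full Control for that person and Edit for the Controlling group; the creator entry is gone because the delete-all rule runs first.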