V. Users, Groups, Roles & ACL

To show how roles and ACL’s can be used to simplify Mayan users UX (users experience) we will create two groups. One will be for people uploading and supervising the document flow and another with the users that actually do work with the documents.

I. Users

As for users the ones to be used are for:

  • Control Desk – Will receive and upload the documents
  • Analyst – generates the response to the claim
  • Expert – authorizes or rejects the claim

How To

  • [System-Select] > Setup
  • Click ‘Users’
  • Click on ‘Create new user’ or
    [Action-Select] > Create new user
  • Type (for each user)
    Username, First Name, Last Name, email
    Click ‘Save’
  • In the next screen type twice the password you like. It could be the same for all users in this test. (I use Password54321).
    Click ‘Submit’
    Note: You can enforce different levels of complexity for your passwords in [System-Select] > Setup, Click ‘Settings’ then ‘Django’ button and set ‘AUTH_PASSWORD_VALIDATORS’.
UsernameFIRST NameLAST nameEmail

II. Groups

As we said we will use two groups.

How To

  • [System-Select] > Setup
  • Click ‘Groups’
  • Click on ‘Create new group’ or
    [Action-Select] > Create new group
  • Type (for each user)
    Click ‘Save’

The groups are:

  • Control Desk
  • Workgroup

Associate Users to Groups

How To

  • [System-Select] > Setup
  • Click ‘Groups’
  • On each of the [Item Options] click ‘Users’ Button
    Select from the left panel the ‘Available User’
    Click ‘+Add’
  • To return to the Groups page:
    [Acion-Select] > Groups
Group [Item Option]UserFunction in test
Control DeskjsmithReceiver

III. Access Control : Role

Mayan posses a Rol-Based Access Control (RBAC) security approach to configure system privileges to users.

How to

  1. Rol‘ granted permissions allow system wide access.
    For our ‘Control Desk’ group we use a ‘Rol’ with all the permissions will be assigned, except for deleting files, emptying the trash and impersonating other users.
  2. For our two ‘Workgroup’ we use ‘Access Control List (ACL)’, we can select items (Workflows, States, Documents, Indexes, Cabinets, Tags) and then choose the group and permissions specific for that object.

How-To [Roles]

  • [System-Select] > Setup
  • Click ‘Roles’
  • Click on the button ‘Create new role’ or
    [Action-Select] > ‘Create new role’
  • Type:
    Label: Control Desk role
    Click ‘Save’

Repeat for ‘Workgroup Role’.

Now associate our roles to our groups

  • [System-Select] > Setup
  • Click ‘Roles’
  • On ‘Control Desk Role’ [Item Option] click ‘Groups’ button
  • On the left panel select ‘Control Desk’
    Click ‘+Add’
  • To return to the role page
    [Action-Select] > Roles

Then repeat the steps but assign:
– ‘Workflow Role’ to group: ‘Workflow’

After setting the permissions that we will do in the following paragraphs for the group that acts like a ‘supervisor’ the Roles page looks like this:

  • [System-Select] > Setup
  • Click ‘Roles’
  • On the ‘Control Desk’ [Item Option] click on ‘Role permissions’
  • Click on the ‘+Add all’ button
  • Now browse on the right panel for each of the following permissions and click on ‘Remove’ button:
    • Documents > Delete documents
    • Documents > Empty trash
    • Documents > Restore trashed documents
    • Authentication > Impersonate users

Those actions should be done by the administrator or an special account. In that way you browsed over many permissions that the system offers.

How-To [ACL]

For ACL our Workgroup will need permissions to see ‘Document types’, ‘Workflows’, ‘indexes’, ‘Tags’.

First associate our ‘Claim’ document type just to the ‘Workflow 1’:

  • [System-Select] > Setup
  • Click ‘Document Types’
  • On the ‘Claims’ [Item Option] click on the ‘ACLs’ button
  • Click on ‘New ACL’ or
    [Action-Select] > New ACL
    Select ‘Workflow Role’
    Click ‘Save’
  • On the ‘Access control list for: Claim’ page
    And on the ‘Workflow Role’ [Item Option] click on the ‘Permissions’ button
  • On the “Role Workflow Role permissions for ‘Clam'”
    Click ‘+Add All
    Then to reduce de buttons available to users, select from the right panel and click ‘Remove’:
    • Common > Copy object
    • Converter > Create new transformations
    • Converter > Delete transformations
    • Converter > Edit transformations
    • Document types > Delete document types
    • Document types > Edit document types
    • Documents > Delete documents

It should look like this:

Now will be setting special permissions for the ‘Workflow’ group.

So it can see the workflow:

  • System-Select] > Setup
  • Click ‘Workflows’
  • On the [Item Option] ‘Claims Workflow’ click on the ‘LCAs’ button
  • Click on ‘New LCA’ or
    [Action-Select] >
    Select ‘Workflow Role’
    Click ‘Save’
  • On the left panel select three available permissions:
    Document Workflows > Execute workflows tools
    Document Workflows > Transition workflows
    Document Workflows > View workflows
    Document Workflows > Transition workflow instances [New in version 4]
    Click ‘+Add’

So it can see indexes:

  • [System-Select] > Setup
  • Click ‘Indexes’
  • On the [Item Option] ‘Claims’ click on the ‘LCAs’ button
  • Click on ‘New LCA’
    Select ‘Workflow Role’
    Click ‘Save’
  • On the left panel select
    Indexes > View document index instances
    Indexes > View document indexes’
    Click ‘+Add’

And to see the Tags:

  • [left-menu] > Tags
  • Click ‘All’
  • On the [Item Option] ‘On Claim Review’ click on the ‘LCAs’ button
  • Click on ‘New ALC’ button
    Select ‘Workflow Role’
    Click ‘Save’
  • On the left panel select
    Tags > View tags
    Click ‘+Add’
  • [left-menu] > Tags
  • Click ‘All’
  • On the [Item Option] ‘On Expert’ click on the ‘LCAs’ button
  • Click on ‘New ALC’ button
    Select ‘Workflow Role 1’
    Click ‘Save’
  • On the left panel select
    Tags > View tags
    Click ‘+Add’

That is for our example but now you can assign permission to access just a State or documents in that state/tag. With another document type you can work with the same workflow or another one special documents that the other workgroups wont see. And with transitions you can even change privileges (ACL) or even send emails or ask Mayan or other systems to to perform actions via their API.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s