Authorization

Kronodoc has a versatile mechanism for authorizing access to documents and folders. The system recognizes four types of users: system and project administrators, registered users and guests. The system and project administrators have unlimited access to all data and configuration information in the system and project respectively. Registered users are normal users whose access rights are enumerated by the target document or folder. If access to an object cannot be granted based on a registered user's identity or group memberships, guest access rights are applied.

Users and groups can selectively be granted the right to view, edit or delete a document. Access to document attachment files can be restricted by assigning add and delete file rights. For folders, access can be restricted by assigning view, edit, delete, list folder, create subfolder and create document rights.

Administrators can create pre-defined sets of access rights called access profiles. Using access profiles eases administration and improves security by relieving users from having to assign long lists of access rights to objects. Revoking rights from a large set of objects is also made easy with access profiles.

A user or group can also be granted the right to perform any of the above-mentioned document or folder operations for all the target objects in a project through the use of project roles. Document based roles allow finer grained control by granting access defined by a role only to a certain document instead of a whole project.

Please see the Kronodoc user and configuration guides for full details on the Kronodoc access control model.