How the “Control” step restrictions work for View and Modify permissions

The control step allows you to create two types of restrictions to prevent a user from viewing or modifying a document, even when folder and category security allows it. There are two types of controls (both restrictive):

• Controls Allow only some: “Control that only”.
• Controls Deny: “Prevent”.

The controls seem symmetrical but they are not because the “Allow” control implies “deny the rest”, i.e., it is also restrictive.

How is the control step combined with folder or category permissions?

The control step is designed to add additional restrictions to folder and category security. Therefore:

• If a document is not visible by folder and category security, the control step can NOT make the document visible.
• If a document is not modifiable by folder and category security, the control step can NOT make the document modifiable.

Tip: Design the security of your R2 Docuo repository with permissions on folders and categories. Use the control step to configure additional restrictions to these permissions.

Combination of several controls of different types affecting the same user

When there are several “Prevent that” controls or a single “Control that only” control, the result is clear.

Tip: Try to define your restrictions with several “Prevent that” controls or with a single “Control that only” control.

However, it is possible to create controls of both types for the same user, in this case the “Control that only” controls will prevail over the “Prevent that” controls, but the reading is less clear.

The steps Docuo follows to calculate whether the restriction applies or not, when several controls of both types affect the same action, are explained below:

1. The “Prevent” controls that apply to the user or a group of the user are searched for.
   • If users or groups are specified:
     “Prevent USER from seeing document X” → USER does not see it.
   • If neither users nor groups are specified:
     “Prevent ANYONE from viewing document X” → the control is ignored.
2. The “Control that only” controls that do not apply to the user or to any user group are searched for. Note that the “Control only” controls created for one user, are really a way to create “Prevent that” controls for the rest of the users that are not included in that control:
   • If users or groups are specified:
     “Control that only John can see document X” → USERS other than John do not see it.
   • If neither users nor groups are specified:
     “Control that only NO ONE can see document X” → no user can see it.
3. The “Control that only” controls that apply to the user or a group of the user are searched for .
   • “Control that only USER can see document X” → USER sees it (if he can see it because of permissions and folder security).
4. Combination of the resulting controls. Once all the controls that apply to the user have been obtained, proceed as follows:
   • If there are no “Prevent that” or “Control that only” controls → It is seen (if it can be seen by the security of permissions and carptas).
   • If there are only “Prevent that” controls (come from step 1 or indirectly from step 2) → Not seen.
   • If there are only “Control that only” controls → It is seen (if it can be seen by permissions and folder security).
   • If there are both “Prevent that” controls (come from step 1 or indirectly from step 2) and “Control that only” controls that affect the user → It is seen (if it can be seen because of permissions and carptas security).

When is the control step applied?

The control step restrictions are calculated for each action, based on the folder and category permissions.

Is there a difference between applying a control on a user or on one of the groups to which the user belongs?

Unlike the security in Folders and Categories, in the Control step there is no priority of the controls applied to a user over the controls applied to a group to which the user belongs.

How efficient is the security of the control passage?

Folders and Categories security uses an internal cache to ensure performance. This means that a change in folder and category permissions may take a few minutes to apply, but once applied, it ensures optimal performance.

On the other hand, the restrictions of the control step are calculated for each access, based on the resulting security of folders and categories. This means that:

• The control step constraints are applied immediately (there is no delay to calculate a cache).
• Control step constraints, if excessive or overly complex, can adversely affect the performance of R2 Docuo.