Paperless Workflow With Employees: Configure Permissions

Configure permissions for employees in Paperless-ngx intelligently. All permissions at a glance! User configuration explained with examples.

Last updated: Nov 7, 2024


Author

Tobias Wupperfeld

Tobias is a seasoned software engineer and the founder of PaperlessZone.


Introduction

In Paperless-ngx, you can create users and groups for your team and configure permissions intelligently. You can define roles and grant access rights based on responsibilities. This is important to prevent data loss or unauthorized changes to the system. Paperless allows fine-tuning to your requirements.

In this article, you will learn about possible roles and examples. You will also get an overview of all available permissions in Paperless and how you can control them.

Typical Roles

Before you start configuring permissions, you should first assign a role to your team members. The roles presented are typical in small and medium-sized enterprises (SMEs). It is helpful if you define the roles in your company in advance.

The Admin

The admin has full access to all functionalities and settings. They manage users, configure the system, and handle administrative tasks. This job is undertaken by an IT employee or the head of the company, depending on who is responsible for managing the Paperless-ngx instance.

The Manager

The manager has access to most functionalities but does not have full admin rights. They can view, edit, and delete documents. They can also assign documents to other users. Additionally, they can manage workflows and add tags.

However, the manager cannot manipulate system settings. In smaller teams, the admin and manager can be the same person.

The Employee

The employee uploads documents and adds missing details. They cannot delete documents. The editing of documents may be restricted. The employee can search for documents and share them with another team member.

The Viewer

The viewer has read-only rights to selected documents. They cannot upload, edit, or delete documents. This role is suitable, for example, for external persons (e.g., tax advisors, notaries, etc.). They usually need access to documents or information as a reference but do not need to modify them.

The Auditor

The auditor is only relevant in some cases. For example, they could be an accountant. The role is similar to that of the viewer. For compliance purposes, the auditor can also track access to documents and changes to documents.

All Permissions in Paperless-ngx Explained

In Paperless, there are two types of permissions: global permissions and object-level permissions.

Global permissions regulate which parts of the app the user has access to (e.g., documents, tags, settings).

Object-level permissions regulate which documents are visible and editable. Each document has an owner, view, and edit permissions. These permissions can be granted to a user or a group.

Global permissions do not change object-level permissions.

Global Permissions

In Paperless, the toggle for superuser can be set in the Edit user account dialog. Superusers receive all available permissions and can access all parts of the app (frontend, backend, and all documents).

Set the superuser permission for a user in paperless-ngx

All: Grants all listed permissions (Add, Change, Delete, View). If this is marked, the user has full control over the associated feature or area.

All permissions toggle in paperless-ngx

Add: Allows the user to create or upload new items within the category (e.g., adding a new document).

Change: Allows the user to make changes to existing items (e.g., editing the metadata of a document).

Delete: Allows the user to remove items from the system (e.g., deleting a document).

View: Allows the user to see the items but not to edit, add, or delete them.

| Type | Details |
|---|---|
| Admin | View or higher allows access to logs and system status. |
| AppConfig | Change or higher allows access to the Configuration area. |
| Correspondent | Manage and edit the sender or recipient of documents. |
| CustomField | Define and manage additional metadata fields for documents. |
| Document | Interaction with the documents themselves (Upload, Edit, View, Delete). |
| DocumentType | Categorization of documents by their type (e.g., invoices, contracts) and management of these categories. |
| Group | Management of user groups for organizing permissions for multiple users. |
| MailAccount | Add or manage email accounts used for importing documents. |
| MailRule | Create or manage rules for the automatic processing of documents received via email. |
| Note | Add or manage additional notes attached to documents. |
| PaperlessTask | View or dismiss file tasks. |
| SavedView | Creation or modification of filtered search queries or views. |
| ShareLink | Generation or management of shareable links for documents. |
| StoragePath | Management of file paths where documents are stored. |
| Tag | Creation and assignment of tags for organizing documents. |
| UISettings | Customize user interface settings. |
| User | Management of user accounts within the system. |
| Workflow | Definition and management of workflows for processing documents. Workflows do not have an object level. |

Object-Level Permissions

In Paperless, you can set permissions individually for each document.

| Type | Details |
|---|---|
| Owner | By default, documents are only visible and editable by their owner. Only the object owner can grant permissions to other users or groups. Additionally, only document owners can create share links and add or remove custom fields. Superusers can always view and edit all documents. |
| View | Allows the user to view the document. |
| Edit | Allows the user to edit the document. |

Control Paperless Permissions Through Workflows

When a document is uploaded via the web interface, the current user is the default owner of the document. You can change these rules under Settings > Permissions.

When a document lands in the Paperless consume folder (e.g., through a scanner import), the document has no owner or additional permissions by default. This means the document may be visible to all users! You can control this rule through a workflow.

Automatically Assign an Owner to a Document Upon Processing

Select Workflows in the sidebar and open the dialog by clicking on Add Workflow.

Choose Consumption Started as the trigger and Consume Folder as the source. This means the automation will start as soon as a document is loaded from the consume folder.

Trigger automation on import from consume folder

Next, you add an action. For the action type, choose Assignment. Then assign an owner. In our example, we choose the Admin. In your case, it could be the Manager or a specific employee responsible for the imported documents.

If you wish, you can directly grant view or edit permissions to specific users or groups/roles.

Automation to assign owner to imported documents

Example User Configuration in Paperless-ngx

Based on the roles initially presented, we give you an example configuration of the permissions. You are free to adapt these to your requirements.

Admin Permissions

The admin gets the Superuser role. With this, he gets all possible permissions. After installing Paperless, a Superuser already exists. This is the user with whom you log in for the very first time.

Manager Permissions

The manager gets the following permissions:

  • Add, Change, Delete, View: Document, Correspondent, CustomField, DocumentType, Note, SavedView, Tag
  • View: MailAccount, MailRule, PaperlessTask, ShareLink, Workflow
  • Change, View: UISettings
Setting permissions of the manager role

Employee Permissions

The employee gets the following permissions:

  • Add, Change, View: Document, Note, Tag (you can restrict deletion to prevent accidental loss of documents)
  • View: Correspondent, CustomField, DocumentType, SavedView
Setting permissions for the employee role

Viewer Permissions

The viewer gets the following permissions:

  • View: Document, Correspondent, CustomField, DocumentType, Note, SavedView, Tag
Setting permissions for the viewer role

Auditor Permissions

The auditor gets the following permissions:

  • View: Document, Correspondent, CustomField, DocumentType, Note, PaperlessTask, SavedView, Tag, MailAccount, MailRule, ShareLink, Workflow
  • Edit: Some editing permissions may be required if they need to add or update annotations or markings related to compliance.
Setting permissions for the auditor role

Conclusion

We hope this article gave you an overview of the types of permissions available in Paperless-ngx. You can now design access management for your team.

It is important that you adapt the roles based on the requirements of your organization and your security criteria. You might need more roles or define more granular access rights, depending on the complexity of your workflows and the sensitivity of your documents.

Tip: In Paperless-ngx, you could create a group for each role and then only need to assign a user to a group. This automatically gives them the permissions of the group.
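
The role matrix from the example configuration can also be kept as data and used to review what a group has actually been granted. The following is an added example, not code from Paperless-ngx or from this article's author. It assumes permissions are expressed as Django-style codenames of the form `<action>_<model>`, with the model being the lower-cased type name; that mapping is an assumption that only covers the types used in the roles below, and the sample grant is constructed.

```python
# Added example (not from the article): the article's role matrix as data.
# Assumption: permissions are Django codenames "<action>_<model>", with the
# model being the lower-cased type name; this covers only the types used below.
DOC_META = ("Document", "Correspondent", "CustomField", "DocumentType",
            "Note", "SavedView", "Tag")
ROLES = {
    "Manager": [
        (("add", "change", "delete", "view"), DOC_META),
        (("view",), ("MailAccount", "MailRule", "PaperlessTask", "ShareLink", "Workflow")),
        (("change", "view"), ("UISettings",)),
    ],
    "Employee": [
        (("add", "change", "view"), ("Document", "Note", "Tag")),
        (("view",), ("Correspondent", "CustomField", "DocumentType", "SavedView")),
    ],
    "Viewer": [(("view",), DOC_META)],
    "Auditor": [
        (("view",), DOC_META + ("PaperlessTask", "MailAccount", "MailRule",
                                "ShareLink", "Workflow")),
    ],
}
# Actions each restricted role must never hold, per the role descriptions.
FORBIDDEN = {"Employee": {"delete"}, "Viewer": {"add", "change", "delete"}}


def codenames(role):
    """Expand a role into its sorted list of permission codenames."""
    return sorted(f"{action}_{ptype.lower()}"
                  for actions, ptypes in ROLES[role]
                  for action in actions for ptype in ptypes)


def violations(role, granted):
    """Granted codenames whose action the role description rules out."""
    banned = FORBIDDEN.get(role, set())
    return sorted(c for c in granted if c.split("_", 1)[0] in banned)


def drift(role, granted):
    """Compare a group's granted codenames with the matrix: (extra, missing)."""
    want, have = set(codenames(role)), set(granted)
    return sorted(have - want), sorted(want - have)


if __name__ == "__main__":
    # Constructed sample: an Employee group that was also given delete rights.
    granted = codenames("Employee") + ["delete_document"]
    print("violations:", violations("Employee", granted))
    print("drift (extra, missing):", drift("Employee", granted))
```

Running the same comparison against each group after every permission change shows privileges that crept in beyond the intended role.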
