Configure permissions for employees in Paperless-ngx intelligently. All permissions at a glance! User configuration explained with examples.
Last updated: Oct 17, 2024
In Paperless-ngx, you can create users and groups for your team and configure permissions intelligently. You can define roles and grant access rights based on responsibilities. This is important to prevent data loss or unauthorized changes to the system. Paperless allows fine-tuning to your requirements.
In this article, you will learn about possible roles and examples. You will also get an overview of all available permissions in Paperless and how you can control them.
Before you start configuring permissions, you should first assign a role to your team members. The roles presented are typical in small and medium-sized enterprises (SMEs). It is helpful if you define the roles in your company in advance.
The admin has full access to all functionalities and settings. They manage users, configure the system, and handle administrative tasks. This job is undertaken by an IT employee or the head of the company, depending on who is responsible for managing the Paperless-ngx instance.
The manager has access to most functionalities but does not have full admin rights. They can view, edit, and delete documents. They can also assign documents to other users. Additionally, they can manage workflows and add tags.
However, the manager cannot manipulate system settings. In smaller teams, the admin and manager can be the same person.
The employee uploads documents and adds missing details. They cannot delete documents. The editing of documents may be restricted. The employee can search for documents and share them with another team member.
The viewer has read-only rights to selected documents. They cannot upload, edit, or delete documents. This role is suitable, for example, for external persons (e.g., tax advisors, notaries, etc.). They usually need access to documents or information as a reference, but do not need to modify them.
The auditor is only relevant in some cases. For example, they could be an accountant. The role is similar to that of the viewer. For compliance purposes, the auditor can also track access to documents and changes to documents.
In Paperless, there are two types of permissions: global permissions and object-level permissions.
Global permissions regulate which parts of the app the user has access to (e.g., documents, tags, settings).
Object-level permissions regulate which documents are visible and editable. Each document has an owner, view, and edit permissions. These permissions can be granted to a user or a group.
Global permissions do not change object-level permissions.
In Paperless, the toggle for superuser can be set in the Edit user account dialog. Superusers receive all available permissions and can access all parts of the app (frontend, backend, all documents).
Set the superuser permission for the admin
All: Grants all listed permissions (Add, Change, Delete, View). If this is marked, the user has full control over the associated feature or area.
All permissions toggle
Add: Allows the user to create or upload new items within the category (e.g., adding a new document).
Change: Allows the user to make changes to existing items (e.g., editing the metadata of a document).
Delete: Allows the user to remove items from the system (e.g., deleting a document).
View: Allows the user to see the items but not to edit, add, or delete them.
Explanation of all global permissions
Click HERE to copy this overview.
In Paperless, you can set permissions individually for each document.
Explanation of all object-level permissions
Click HERE to copy this overview.
When a document is uploaded via the web interface, the current user is the default owner of the document. You can change these rules under Settings → Permissions.
When a document lands in the Paperless consume folder (e.g., through a scanner import), the document has no owner or additional permissions by default. This means the document may be visible to all users! You can control this rule through a workflow.
Select Workflows in the sidebar and open the dialog by clicking on Add Workflow.
Choose Consumption Started as the trigger and Consume Folder as the source. This means the automation will start as soon as a document is loaded from the consume folder.
Trigger automation on import from consume folder
Next, you add an action. For the action type, choose Assignment. Then assign an owner. In our example, we choose the Admin. In your case, it could be the Manager or a specific employee responsible for the imported documents.
If you wish, you can directly grant view or edit permissions to specific users or groups / roles.
Assign owner to imported documents
Based on the roles initially presented, we give you an example configuration of the permissions. You are free to adapt these to your requirements.
The admin gets the Superuser role. With this, he gets all possible permissions. After installing Paperless, a Superuser already exists. This is the user with whom you log in for the very first time.
The manager gets the following permissions:
Setting permissions of the manager role
The employee gets the following permissions:
Setting permissions for the employee role
The viewer gets the following permissions:
Setting permissions for the viewer role
The auditor gets the following permissions:
Setting permissions for the auditor role
We hope this article gave you an overview of the types of permissions available in Paperless-ngx. You can now design access management for your team.
It is important that you adapt the roles based on the requirements of your organization and your security criteria. You might need more roles or define more granular access rights, depending on the complexity of your workflows and the sensitivity of your documents.
Tip: In Paperless-ngx, you could create a group for each role and then only need to assign a user to a group. This automatically gives them the permissions of the group.
We’re here to help you seamlessly integrate and set up Paperless-ngx, and more. We specialize in tailored solutions to optimize your business processes and automate workflows.
Get in touch with us today for a consultation or to discuss your specific requirements!
Keep reading
Discover the latest trends in the automation industry and how they can impact your business.
View moreChris
Jul 15, 2024, 12:38 PM
Thanks for this article. Now I ran into the issue that once I set the owner to User X, a User Y can't delete or change permissions on the document he's not owner of. Changing every other property is possible. The document has "Edit" on User Y and the user has AddChangeDeleteView permissions. Not sure what I have missed here but this is kinda crucial as User X is an automation user that sometimes makes an error a human has to fix by deleting its document. Any idea?
Chris
Jul 15, 2024, 12:38 PM
Thanks for this article. Now I ran into the issue that once I set the owner to User X, a User Y can't delete or change permissions on the document he's not owner of. Changing every other property is possible. The document has "Edit" on User Y and the user has AddChangeDeleteView permissions. Not sure what I have missed here but this is kinda crucial as User X is an automation user that sometimes makes an error a human has to fix by deleting its document. Any idea?
Tobias Wupperfeld
Jul 22, 2024, 11:52 AM
Hi Chris, I understand your problem. A possible solution is to remove any owner when documents are added. You can achieve that with a workflow. Use as a trigger "Document Added". For the action choose "Removal". There you can remove the user and optionally give edit rights to user Y. For newly added documents the user Y can now change permissions and remove documents.
Your email address won't be published.