The Asite SaaS Platform is a multi-tenanted software solution that allows multiple parties to share and manage information across the internet. By virtue of its multi-tenanted nature, robust security is in place to ensure protection of user data. This is achieved using a hierarchical security model.
User access within Asite is controlled at two levels:
System Level Security: Asite System Administrators can manage Application level activities at System level.
Workspace Level Security: Administrators can manage access and security of a Workspace Site within Asite.
1. System Level Security
System Privileges and their functionalities:
| Privilege Name | Description | Functionality Impact |
| --- | --- | --- |
| Manage Role Templates | Enables the user to manage System Level Roles | If this privilege is not assigned the “Manage Application Role Templates” option is not visible in the Drop-down List of “Admin”. |
| Manage Application Form Templates | Enables the user to manage System Level Form Templates | If this privilege is not assigned the “Manage Application Form Templates” option is not visible in the Drop-down List of “Admin”. |
| Manage Workspaces – All Orgs | Enables the user to manage Workspaces across all Client organisations | If this privilege is not assigned the “Manage Workspaces” option is not visible in the Drop-down List of “Admin”. |
| Manage User Subscription | Enables the user to manage User level subscription information | If this privilege is not assigned the “Manage User Subscription” option is not visible in the Drop-down List of “Admin”. |
| Manage System Notices | Enables the user to manage System Level Notices | If this privilege is not assigned the “Manage System Notices” option is not visible in the Drop-down List of “Admin”. |
| Manage Drawing Series Template | Enables the user to manage System Level Drawing Series across Organisations | If this privilege is not assigned the “Manage Drawing Series” option is not visible in the Dropdown List of “Admin”. |
2. Workspace Level Security
Graphical representation of how security can be hierarchically managed within an Asite workspace:
3. Accessing a Workspace
A workspace is only accessible to users who have been assigned a “Role” on the workspace by another user. If a user has not been assigned a role on a workspace, the workspace is not visible in the workspace listing page and remains completely inaccessible. Having a role on a workspace does not mean that users have access to all of the information stored within the workspace. Access can be granted at a more granular level using roles and Access Control Layers, as described in the remainder of this document.
At workspace creation, a workspace Administrator must be assigned. The Administrator is given the relevant permissions to amend and customize the security profile of the workspace and to assign roles to other users.
Workspace Roles
It is possible to create an unlimited number of roles within a workspace. Roles have an associated set of workspace level privileges. As each user is assigned a role (as described in the diagram above), roles can be used to quickly assign and edit privileges for groups of users.
Workspace Privileges and their functionalities:
| Privilege Name | Descriptions | Functionality Impact |
| --- | --- | --- |
| Allow Custom Distribution - All Org | Enables the user to distribute to users of "Distribution Groups" AND "Companies". | If this privilege is not assigned the “Companies” option is not visible in the Dropdown List at the Distribution page (Documents / Apps). |
| Allow Custom Distribution - Own Org | Enables the user to distribute to users of "Distribution Groups" AND Own "Company" only. | If this privilege is not assigned the “Companies” option in the Dropdown List at the Distribution page (Documents / Apps) will display only your own Company. |
| Amend Folder Permissions | Enables the user to reactivate Deactivated folders. | If this privilege is not assigned, the “Reactivate Folder” option for reactivating Deactivated Folders is not visible in the “Admin” dropdown list. |
| Assign Document Metadata | Enables the user to edit the Document Metadata from the Document Basket / Document Audit History. | The “Edit Document Metadata” icon at the Document Audit History page is visible only if the user has “Admin” rights in the folder in which the Documents are uploaded OR User Role has privilege of “Assign Document Attributes” set to YES OR is the Publisher of the document. Similar validation is applicable to display selected documents at the Action Page of the "Assign Document Attributes" option from Document Basket. |
| Assign Forms to Workspace | Enables the user to assign App Templates to the selected Workspace. | If this privilege is not assigned the “Apps – Assign to Workspace” option is not visible in the Dropdown List of “Admin”. |
| Can Access Audit Information | Enables the user to view Document Audit History. | If this privilege is not assigned, the icon |
| Can Access Deactivated Documents | Enables the user to access the deactivated documents within Folder / Sub-Folder. | If this privilege is not assigned, the logged in User cannot access deactivated documents at the listing pages. The criteria of "Inactive Docs" at Advanced Search is disabled with the option of "Only Active Docs" pre-populated. The "Reactivate Documents" icon will also not be visible at the listing page. |
| Can Assign Proxy Users | Enables the user to assign Proxy Users to Online / Paper Users. | If this privilege is not assigned the “Proxy Users” section is not visible at the Manage Workspace Roles and Users page. |
| Can be assigned Action - Change Status | Enables the user to assign the "For Status Change" action to users on a document distribution. | If this privilege is not assigned the “For Status Change” action will not be visible at the Action dropdown at the Distribution page. |
| Can Change Status | Enables the user to change the Status of the Document. | If this privilege is not assigned the user will not be able to change the status of the document from the Listing and Audit History pages. |
| Can Clear Actions - Organization | Enables the user to clear incomplete actions for users of the logged in Organisations only (other than own actions). | If this privilege is assigned, Incomplete Actions of the logged in User's Organisations only can be cleared. However, the "Can Clear Actions - Workspace" privilege supersedes this. |
| Can Clear Actions - Own | Enables the user to clear incomplete actions for the logged in user. | If this privilege is assigned, Incomplete Actions of the logged in User can be cleared. |
| Can Clear Actions – Workspace | Enables the user to clear incomplete actions for users of the Workspace (across all Organisations (other than own)). | If this privilege is assigned, Incomplete Actions of Users across all active Organisations of the Workspace can be cleared. |
| Can Configure Document Numbering Scheme | Enables the user to construct Document Numbering or Naming Convention rules at Project or Folder Levels. | The “Manage Doc Numbering Scheme” privilege in the Admin option allows Administrators to define multiple document reference rules at Project or Folder Levels. Rules can contain multiple labels (e.g. “Project”, “Discipline”, “Doc Type” etc), allowing complete flexibility in rules. Users are notified if their Document Reference does not adhere to the rules while publishing, and can amend the reference to match the rule. |
| Can Create Comments | Enables the user to create Comments on the documents to which the user has access. | If this privilege is not assigned, the Add Comment icon will not be visible for the user, hence the user will not be able to create a comment on any documents. |
| Can Deactivate Users from Workspace | Enables the user to mark a User Inactive on the Workspace. | If this privilege is not assigned the Inactive option is disabled and users cannot be marked inactive on the Workspace by the logged in user. |
| Can Delegate Actions – Organization | Enables the user to delegate incomplete actions of users of the logged in Organisation only (other than own). | If this privilege is assigned, Incomplete Actions of the logged in User's Organisation only can be delegated. However, the "Can Delegate Actions - Workspace" privilege supersedes this. |
| Can Delegate Actions – Own | Enables the user to delegate incomplete actions for the logged in user. | If this privilege is assigned, Incomplete Actions of the logged in User can be delegated. |
| Can Delegate Actions – Workspace | Enables the user to delegate incomplete actions of users of the Workspace (across all Organisations (other than own)). | If this privilege is assigned, Incomplete Actions of Users across all active Organisations of the Workspace can be delegated. |
| Clear Comments | Enables the user to clear Unread Comments for the selected recipient. | If this privilege is not assigned, the Unread Comments icon will not be visible at the Comment Register / Deactivate User from Workspace pages. |
| Create Parent Folders | Enables the user to create new folders at the Root Level. | If this privilege is not assigned the “Create New Parent Folders” icon will not be visible in the “All Workspace Documents” root level folder. |
| Deactivate Documents | Enables the user to deactivate the document from the Document Basket only. | Selected documents are permitted to be deactivated only if the user has “Admin” rights in the folder in which the Documents are published OR User Role has privilege of “Deactivate Documents” set to YES. Otherwise the selected documents will not be visible in the Action Page of Deactivate Documents. |
| Edit Workspace Details | Enables the user to edit the Workspace Settings at the Workspace Level. | If this privilege is not assigned the “Edit Workspace” option is not visible in the Dropdown List of “Admin”. |
| Edit Workspace Form Settings | Enables the user to edit the Workspace App Settings. | If this privilege is not assigned the “Apps – Manage Workspace Settings” option is not visible in the Dropdown List of “Admin”. |
| Manage Notices | Enables the user to create / edit / deactivate / reactivate Workspace Notices. | If this privilege is not assigned the “Manage Workspace Notices” option is not visible in the Dropdown List of “Admin”. |
| Manage Organization PlaceHolders | Enables the user to Create, Edit, Distribute, Populate a Placeholder. Only the Placeholders created by the organisation of the logged in User can be deactivated. | If this privilege is not assigned, the logged in User will not be able to create / edit / distribute / populate / deactivate placeholders for active organisations on the Workspace other than the logged in user's organisation. The "Create New Placeholder" icon will not be visible at the Document Listing Page irrespective of having "Admin" permissions on the Folder. |
| Manage Paper Documents | Enables the user to Publish, Edit, Deactivate Paper Documents within the Workspace (across all organisations active on the Workspace). | If this privilege is not assigned, the logged in User will not be able to create / edit / deactivate paper documents across all active Organisations on the Workspace. The "Publish Paper Document" icon will not be visible at the Document Listing Page irrespective of having "Admin" permissions on the Folder. |
| Manage Purpose of Issue | Enables the user to manage the Purpose of Issue at the Workspace Level. | If this privilege is not assigned the “Doc Purpose of Issue” option is not visible in the Dropdown List of “Admin”. |
| Manage Workspace Attributes | Enables the user to manage the Attributes at the Workspace Level. | If this privilege is not assigned the “Attributes – Assign to Workspace” option is not visible in the Dropdown List of “Admin”. |
| Manage Workspace Distribution Groups | Enables the user to manage the Distribution Groups at the Workspace Level. | If this privilege is not assigned the “Distribution – Assign to Workspace” option is not visible in the Dropdown List of “Admin”. |
| Manage Workspace Document Status | Enables the user to manage the Attributes at the Workspace Level. | If this privilege is not assigned the “Doc. Status – Assign to Workspace” option is not visible in the Dropdown List of “Admin”. |
| Manage Workspace Drawing Series | Enables the user to manage the Drawing Series at the Workspace Level. | If this privilege is not assigned the “Drawing Series – Assign to Workspace” option is not visible in the Dropdown List of “Admin”. |
| Manage Workspace Form Status | Enables the user to manage the Form Status at Workspace Level. | If this privilege is not assigned, the logged in user will not be able to create the New Custom Form Status available in the Manage Statuses option. |
| Manage Workspace Mailbox | Enables the user to manage the Mailbox at the Workspace Level. | If this privilege is not assigned the “Manage Workspace Mailbox” option is not visible in the Dropdown List of "Admin". |
| Manage Workspace PlaceHolders | Enables the user to Create, Edit, Distribute, Populate, Deactivate a Placeholder within the Workspace (across all organisations active on the Workspace). | If this privilege is not assigned, the logged in User will not be able to create / edit / distribute / populate / deactivate placeholders across all active Organisations on the Workspace. The "Create New Placeholder" icon will not be visible at the Document Listing Page irrespective of having "Admin" permissions on the Folder. |
| Manage Workspace Roles and Users | Enables the user to assign Roles to Users in the Workspace. | If this privilege is not assigned the “Manager User Role Membership” option is not visible in the Dropdown List of “Admin”. |
Access Control Layers (ACLs)
Asite Collaboration application includes an Access Control Layer mechanism which allows Administrators to define permissions to Objects within a Workspace (i.e. Folder, Form Type etc) at the following levels:
Default
Roles
Organisations
Users
Access to an Object is derived based on permissions defined in the following sequence:
User >> Organisation >> Roles >> Default
Folder Level Access Control Layers
Asite Collaboration provides a fully configurable document management system wherein folders / sub-folders can be configured as per Workspace requirements. The Access Control Layer can be defined on a per-folder basis and defines a user’s privileges in a given folder.
The following privileges can be defined within the ACL for a folder within Asite:
Available Folder level privileges
| Privilege Name | Functionality |
| --- | --- |
| No Access | Restricts user from being able to view the folder or its contents |
| View Only | Users can only view the folder and the documents stored within the folder. |
| View & Download | Users can view the folder, view and download documents stored within the folder as well as print and export search result lists. |
| View & Link | As “View” privilege with the addition of the ability to link documents stored in the folder to other modules / Workspaces / folders as required. |
| Publish | Users can view the folder, view and download documents stored within the folder as well as print and export search result lists. In addition, users can upload “Standard Documents” to the folder. Providing the relevant Workspace settings and privileges are available users can also Upload “Document Placeholders”, “Paper Documents” and “IFC Building Information Models” to the folder. |
| Publish & Link | As “Publish” privilege with the addition of the ability to link documents stored in the folder to other modules / Workspaces / folders as required. |
| Admin | As “Publish and Link” privilege with the addition of the ability to undertake the following activities on the folder or folder contents: |
For folders, the ACL can be defined at Default, Role and User Levels.
Asite Collaboration provides a fully customisable form module enabling users to design, configure and manage their Workflow processes. The Access Control Layer for Apps can be defined at App Type level, allowing control of whether users can create or view certain types of Apps independently.
The following privileges can be defined within the ACL for an App Type within Asite.
Available Form Type level privileges
| Privilege Name | Functionality |
| --- | --- |
| Create Form | Enables the user to create Form Messages |
| Control Form | Enables the user to control the Form Messages |
| View All Private Forms | Enables the user to view all private form message data. |
| No Access | Restricts access to the Form Messages of specified Form Type. |
For Forms, the ACL can be defined at Role Level.
Purposes of Issue are meta-data tags that can be assigned to documents stored within Asite. Each Workspace can define its own list of Purposes of Issue. The Access Control Layer for Purposes of Issue can be defined at line item level, meaning access to each Purpose of Issue can be defined independently.
Following are the privileges that can be defined within the ACL for a Purpose of Issue within Asite.
Available Document Purpose of Issue level privileges
| Permission | Functionality |
| --- | --- |
| Blank | The blank value in the matrix signifies that no permission has been explicitly assigned to the Role, Organisation or User. |
| No Access | The “No Access” permission signifies that values will not be visible for users to define as metadata during Upload / edit Document Metadata stage |
| Access to Use | The “Access to use” permission signifies that values will be available for users to define as metadata during Upload / edit Document Metadata stage but cannot be managed (edited) at the Workspace Admin level. |
| Access to Publish | The “Access to Publish” permission signifies that values will be available for users to define as metadata during Upload / edit Document Metadata stage but cannot be managed (edited) at the Workspace Admin level. |
| Admin | The “Admin” permission signifies that values will be available for users to define as metadata during Upload / edit Document Metadata stage and ALSO can be managed (edited) at the Workspace Admin level. |
For folders, the ACL can be defined at Default, Role, Organisation and User Levels.
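The resolution order given earlier (User >> Organisation >> Roles >> Default) applied to a line-item matrix like the Purpose of Issue ACL above, as an added Python example that is not Asite's own code. It assumes the first non-blank cell in that sequence decides and that an all-blank matrix means no access; the class and function names and the sample roles, organisations and users are constructed for illustration.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Precedence as stated on the page: User >> Organisation >> Roles >> Default.
LAYERS = ("user", "organisation", "role", "default")
PERMISSIONS = {"No Access", "Access to Use", "Access to Publish", "Admin"}
BLANK = None  # "Blank" cell: nothing explicitly assigned at that layer
Principal = namedtuple("Principal", "user organisation role")

@dataclass
class ItemAcl:
    """Permission matrix for one line item, e.g. one Purpose of Issue."""
    default: Optional[str] = BLANK
    role: Dict[str, str] = field(default_factory=dict)
    organisation: Dict[str, str] = field(default_factory=dict)
    user: Dict[str, str] = field(default_factory=dict)

    def __post_init__(self):
        cells = [self.default, *self.role.values(),
                 *self.organisation.values(), *self.user.values()]
        bad = [c for c in cells if c is not BLANK and c not in PERMISSIONS]
        if bad:
            raise ValueError(f"unknown permission(s): {bad}")

def resolve(acl: ItemAcl, p: Principal, layers=LAYERS) -> Tuple[str, str]:
    """Return (permission, deciding layer); the first non-blank layer wins."""
    cells = {"user": acl.user.get(p.user), "role": acl.role.get(p.role),
             "organisation": acl.organisation.get(p.organisation),
             "default": acl.default}
    for layer in layers:
        if cells[layer] is not BLANK:
            return cells[layer], layer
    return "No Access", "implicit"  # assumption: all-blank is treated as deny

def find_overrides(acl: ItemAcl, people: List[Principal]):
    """Principals whose User/Organisation cell changes the Role/Default result."""
    findings = []
    for p in people:
        effective, layer = resolve(acl, p)
        baseline, _ = resolve(acl, p, layers=("role", "default"))
        if layer in ("user", "organisation") and effective != baseline:
            findings.append((p.user, baseline, effective, layer))
    return findings

# Constructed sample matrix and users (not taken from a real workspace).
SAMPLE_ACL = ItemAcl(default="Access to Use",
                     role={"Document Controller": "Admin", "Viewer": "No Access"},
                     organisation={"Consultant B": "Access to Publish"},
                     user={"bob": "Admin"})
PEOPLE = [Principal("alice", "Contractor A", "Document Controller"),
          Principal("bob", "Contractor A", "Viewer"),
          Principal("carol", "Consultant B", "Viewer"),
          Principal("dave", "Consultant B", "Guest")]

if __name__ == "__main__":
    for row in find_overrides(SAMPLE_ACL, PEOPLE):
        print("%s: role/default gives %r, effective %r via %s layer" % row)
```

`find_overrides` lists the User- and Organisation-level cells that change what the role or default would otherwise grant, which are the entries to check during an access review.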
Statuses are meta-data tags that can be assigned to documents stored within Asite. Each Workspace can define its own list of Document Statuses. The Access Control Layer for Document Statuses can be defined at line item level, meaning access to each Status can be defined independently.
Following are the privileges that can be defined within the ACL for a Document Status within Asite.
Available Document Status level privileges
| Permission | Functionality |
| --- | --- |
| Blank | The blank value in the matrix signifies that no permission has been explicitly assigned to the Role, Organisation or User. |
| No Access | The “No Access” permission signifies that document statuses will not be visible for users to define as metadata during Upload / status change stage |
| Access to Use – Status Change | The “Access to use – Status Change” permission signifies that document statuses will be available for users to define as metadata during Upload / status change stage but cannot be managed (edited) at the Workspace Admin level. |
| Access to Publish | The “Access to Publish” permission signifies that document statuses will be available for users to define as metadata during Upload / status change stage but cannot be managed (edited) at the Workspace Admin level. |
| Admin | The “Admin” permission signifies that document statuses will be available for users to define as metadata during Upload / status change stage and ALSO can be managed (edited) at the Workspace Admin level. |
For folders, the ACL can be defined at Default, Role, Organisation and User Levels.
Asite Collaboration provides team members with the ability to distribute information to other members of the Workspace team. Distribution groups can be set up to automate the distribution process with pre-defined lists. The Access Control Layer for Distribution Groups can be defined at line item level, meaning access to each Distribution Group can be defined independently.
Following are the privileges that can be defined within the ACL for a Distribution Group within Asite.
Available Distribution Group level privileges
| Permission | Functionality |
| --- | --- |
| Blank | The blank value in the matrix signifies that no permission has been explicitly assigned to the Role, Organisation or User. |
| No Access | The “No Access” permission signifies that distribution groups will not be visible for users to define as metadata during Upload / edit Document Metadata stage |
| Access to Use | The “Access to use” permission signifies that distribution groups will be available for users to define as metadata during Upload / edit Document Metadata stage but cannot be managed (edited) at the Workspace Admin level. |
| Admin | The “Admin” permission signifies that distribution groups will be available for users to define as metadata during Upload / edit Document Metadata stage and ALSO can be managed (edited) at the Workspace Admin level. |
For folders, the ACL can be defined at Default, Role, Organisation and User Levels.