Rights Matrix
Introduction
The following sections explain individual permissions for the API along with their corresponding conditions. These permissions are frequently reused in other permissions and are therefore listed here centrally.
Permission Levels
Group Admin
Group admins are primarily responsible for managing users within a group. They can add and remove users in every group for which they are assigned as group admin.
They can also create new users and assign them to the group.
To be a group admin for a group, one must also be assigned to that group.
Group admins can modify certain global permissions of users within their group, provided they are enabled in the tenant settings.
Admin
A user has the admin permission (administrative right) when explicitly assigned the global right "Administration". Superadmins and the LANTECH user implicitly possess the admin permission.
Superadmin
The superadmin permission is explicitly marked for the user at the tenant level with the superadmin flag.
Depending on the tenant setting, the following three actions can be performed either only by superadmins or also by ordinary admins:
- Modify a user's permissions retrospectively
- Grant folder permissions to users
- Adjust program settings or tenant settings

The superadmin also implicitly possesses the admin permission.
LANTECH
The LANTECH user is a special account for LANTECH employees, used for the initial setup of DocSecBox as well as remote maintenance.
The most important actions that only the LANTECH user can perform are:
- Setting password policies
- Viewing login and logout actions
- Viewing user changes
- Viewing error messages
The LANTECH user implicitly possesses the superadmin permission and therefore also the admin permission.
Application Configuration
This section lists the permissions for configuring the application settings that are predefined for all tenants.
Application Configuration
Only the LANTECH user can read and edit the complete application configuration. A limited selection of the configuration is publicly accessible; see "Reading public application configuration".
Reading public application configuration
Some information from the application configuration is publicly accessible.
This includes the following information:
- Application URL
- Application name
- Application owner (Displayed on the login page under "Licensed for")
- Minimum password requirements:
  - Minimum length
  - Minimum number of lowercase letters
  - Minimum number of uppercase letters
  - Minimum number of digits
  - Minimum number of special characters
Rights Matrix
The rights matrix presented here assumes that the listed users are assigned to the given tenant.
Access to different objects of another tenant (e.g., users, folders, or files) is not possible.
Footnotes
| Abbreviation | Explanation |
|---|---|
| (1) | User must be assigned to a group that is assigned to the corresponding folder |
| (2) | User must have read permission |
| (3) | Either possible due to assignment, like a regular user (1), or possible with corresponding parameters for admins |
| (4) | User must have upload permission |
| (5) | User has the right to edit their own files |
| (6) | User has the right to edit other users' files |
| (7) | User must have download permission |
| (8) | The "Grant folder permissions to users" right must be allowed for admins in the tenant settings |
| (9) | User has uploaded the file |
| (10) | User must have history permission |
| (11) | User must have notification permission |
| (A) | Admin can assign themselves to any group and any folder and set permissions as desired |
| (G) | Group admin can edit this object if editing is enabled for group admins in the tenant settings |

| Right/Permission | Public | User | Group Admin | Admin | Superadmin |
|---|---|---|---|---|---|
| Edit group | ✘ | ✘ | ✘ | ✔ | ✔ |
| User assignment | ✘ | ✘ | ✔ | ✔ | ✔ |
| Delete group | ✘ | ✘ | ✘ | ✔ | ✔ |
| Query groups for a user | ✘ | (✔ self) | (✔ assigned) | ✔ | ✔ |
| Query groups for a folder | ✘ | ✘ | ✘ | ✔ | ✔ |
| Logs | |||||
| Read system logs | ✘ | ✘ | ✘ | ✘ | ✘ |
| Delete system logs | ✘ | ✘ | ✘ | ✘ | ✘ |
| Read user change logs | ✘ | ✘ | ✘ | ✘ | ✘ |
| Read file logs/history | ✘ | (9) or (1+10) | (9) or (1+10) | ✔ | ✔ |
| Delete file logs | ✘ | ✘ | ✘ | ✔ | ✔ |
| Read login logs | ✘ | (✔ own) | (✔ own) | ✘ | ✘ |
| Read mail logs | ✘ | ✘ | ✘ | ✔ | ✔ |
| Read unsent mail/mail error logs | ✘ | ✘ | ✘ | ✔ | ✔ |
| Notifications after uploading | |||||
| Read notifications for a user | ✘ | ✘ | ✘ | ✔ | ✔ |
| Read notifications for a folder | ✘ | ✘ | ✘ | ✔ | ✔ |
| Create/edit notification | ✘ | ✘ | ✘ | ✔ | ✔ |
| Delete notification | ✘ | ✘ | ✘ | ✔ | ✔ |
| Send notification | ✘ | (1+11) | (1+11) | (A) | (A) |
| Mail Templates | |||||
| Get main template | ✘ | (1+11) | (1+11) | ✔ | ✔ |
| Edit main template | ✘ | ✘ | ✘ | ✔ | ✔ |
| Get folder template | ✘ | (1+11) | (1+11) | ✔ | ✔ |
| Create/edit folder template | ✘ | (1+11) | (1+11) | ✔ | ✔ |
| Delete folder template | ✘ | (11) | (11) | ✔ | ✔ |
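
The matrix cells combine footnotes, for example `(9) or (1+10)`. The following added example (not DocSecBox code) evaluates such cells for three rows copied from the matrix; it assumes that `+` means "all of" and `or` means "any of", and the function names, column keys and tenant identifiers are hypothetical.

```python
import re

# Column order as in the matrix header; the keys are hypothetical names.
COLUMNS = ["public", "user", "group_admin", "admin", "superadmin"]

# Three rows copied from the matrix above; cells keep the page's notation.
MATRIX = {
    "Read file logs/history": ["✘", "(9) or (1+10)", "(9) or (1+10)", "✔", "✔"],
    "Delete file logs": ["✘", "✘", "✘", "✔", "✔"],
    "Delete folder template": ["✘", "(11)", "(11)", "✔", "✔"],
}

# One alternative of a cell: "(9)" or "(1+10)" (assumed grammar).
TERM = re.compile(r"\(([0-9A-Z]+(?:\+[0-9A-Z]+)*)\)")


def cell_allows(cell, footnotes):
    """Evaluate one cell against the set of footnotes the caller satisfies."""
    cell = cell.strip()
    if cell == "✔":
        return True
    if cell == "✘":
        return False
    for alternative in cell.split(" or "):
        match = TERM.fullmatch(alternative.strip())
        # Every footnote joined by "+" must hold for the alternative to grant.
        if match and set(match.group(1).split("+")) <= footnotes:
            return True
    return False  # unknown notation such as "(✔ self)" fails closed


def is_allowed(right, column, footnotes, caller_tenant, object_tenant):
    """Apply tenant isolation first, then look up and evaluate the cell."""
    if caller_tenant != object_tenant:
        return False  # objects of another tenant are never accessible
    row = MATRIX.get(right)
    if row is None or column not in COLUMNS:
        return False  # unknown right or column: deny
    return cell_allows(row[COLUMNS.index(column)], set(footnotes))


if __name__ == "__main__":
    # Constructed sample: user is assigned to the folder (1) but lacks
    # history permission (10) and did not upload the file (9).
    print(is_allowed("Read file logs/history", "user", {"1"}, "t1", "t1"))
```

Unknown rights, unknown columns and unparsed cell notation all evaluate to a denial, so a row added to the matrix without a matching rule cannot grant access by accident.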