What is the difference between a named access control list (NACL) and a user group?

M-Files allows you to use named access control lists and user groups to manage information related to a group of individuals, but they essentially serve a very different purpose.

With user groups, administrators can arrange individuals into separate groups based on common features, such as their position in the organization (for example "HR" and "Managers"), their physical location (for instance "Vermont office" and "Chicago office"), or their expertise (such as "Legal matters" and "Translation"). User groups can be managed with M-Files Admin (see User Groups).

Named access control lists, on the other hand, can be used for specifying various access rights to objects in a vault. They contain a list of subjects (individual users, user groups or pseudo-users) coupled with a list of permissions, essentially controlling rights for reading, editing and deleting objects as well as for changing their permissions. Named access control lists can also be managed with M-Files Admin (see Named Access Control Lists).

Example: Employment agreements to be visible to the HR department only

The vault contains a large number employment agreements that are currently visible to all vault users. The HR manager wants them to be visible to the HR team only.

The first thing she needs to do is create a user group for all the users that belong to the HR team. Now, as she cannot use the user group to directly control any access rights, she also needs to create a named access control list for associating the newly created user group with the access rights of her choice.

Note: Users whose login account has the System administrator system role, and users who have either the See and read all vault content or Full control of vault rights are able to see all vault content.

Finally, the HR manager has to associate the newly created named access control list with the employment agreements. She can achieve this via the properties of the employment agreement class.

Opening the properties dialog for a class:

  1. Open M-Files Admin.
  2. In the left-side tree view, expand a connection to M-Files Server.
  3. In the left-side tree view, expand Document Vaults.
  4. Still in the left-side tree view, expand the document vault of your choice, and then expand Metadata Structure (Flat View) and finally select Classes.
  5. Via the listing area on the right, select the class representing the employment agreements.
    If there is no class for employment agreements, you can create a new class for this purpose.
  6. From the task bar on the left side of the listing area, select Properties.

Setting the class to use the named access control list:

  1. Open the Automatic Permissions tab.
  2. Check the Restrict the permissions of objects that refer to this class check box.
  3. Check the Use named access control list check box.
  4. Select the newly created named access control list via the drop-down menu below the check box.
  5. Click OK to close the Class Properties dialog.
  6. Optional: If an information dialog about disabled automatic permissions for certain property definitions is displayed, note down the property definitions mentioned in the Property definitions currently disabled list and click OK.
    To make sure that the permission settings are activated when the class for an employment agreement is selected as the value of any of the properties mentioned in the list, you need to explicitly allow automatic permissions to be used for these property definitions.
  7. In the dialog changed automatic permissions, select either:
    • Change Objects' Permissions to apply the new access rights to all the objects that will be created from this moment forward.
      Note: Object permissions are updated as an asynchronous background task. Object permissions may be updated when, for example, a named access control list, a user, a user group, or the value of a pseudo-user (such as a project manager) is modified. You may monitor the progress of the task in M-Files Admin in the Background Tasks section. For more information, see Monitoring Background Tasks.
      or
    • Change and Activate Objects' Permissions to apply the new access rights to all the existing objects as well as to all the objects that will be created from this moment forward.
      or
    • Cancel to return to the Class Properties dialog.

Enabling automatic permissions to be used via related properties:

  1. In the left-side tree view, under Metadata Structure (Flat View), select Property Definitions.
  2. Double-click one of the property definitions that you noted down in step 12.
  3. Select the Enable automatic permissions via this property check box and click OK.
  4. Select either Change Objects' Permissions or Change and Activate Objects' Permissions (see step 13).
  5. Repeat the steps from 15 to 17 for all the property definitions noted down in step 12.
  6. Close M-Files Admin.
Depending on what you selected in step 13, either a) only new objects or b) both new and existing objects whose class represents the employment agreements are now visible only to the user group whose members are part of the HR department. As explained in this note, this does not, however, apply to system administrators and vault users with rights to see and read all vault content.