One of the most fundamental and important tasks in Content Server is controlling access to the information it contains, a task known as access control. In Content Server, your access to items and Containers in the system is defined by permissions, which are simply the rules that determine what you can see and do in the system. By defining appropriate permissions for your user population, your organization can effectively manage the security of information stored in the Content Server database.

Access control is so essential to Content Server that it even defines what you see in the Content Server interface. For example:

For every item stored in Content Server, the system maintains an Access Control List, otherwise known as an ACL. Basically, an ACL is a list of all users and groups that have access to an item and what actions those users are permitted to perform on that item. Your permissions, as defined by an item's ACL, determine whether you can see and open the item, whether you can modify or delete it, and whether you can change the permissions on it. For detailed information about working with permissions, see Managing Permissions.

In addition to permissions, your ability to see and do things in Content Server depends on your system privileges. While permissions operate on an item-by-item basis, privileges operate on a system-wide basis. Privileges include the ability to sign in to the system, to add or modify users and groups, or to perform system administration functions. For more information, see Working with Users.

Types of Permissions

There are three distinct but related types of permissions:

Most items are governed by Document-Management permissions, a rich set of permissions designed to control many levels of access. However, some items do not require such an elaborate permissions model. For more information about these permission types, see Permission Types.

Because there are multiple permission types, the affected item's permissions sometimes cannot transfer precisely when items are copied or moved to different locations. In such cases, Content Server must map the item's permissions to the nearest corresponding permissions that are appropriate for its new location. For more information about how permission types are mapped, see Permissions Mapping.

Generally, if you have permission to add an item somewhere in Content Server, you also have permission to modify that item's ACL. This includes the ability to change the item's Owner or Owner Group, and to remove access to the item. However, the administrator and other privileged users can specify access-control options that prevent users from making certain changes, or even enable some users to edit a specific item's permissions.

Ownership

Every item's ACL includes records for its Owner, its Owner Group, and for Public Access.


Note:
By default, these three entries are a part of every item's ACL. However, they may be removed in some cases. For more information, contact your administrator.


Initially, the creator of an item, the user who added it, is the Owner of the item. However, this can be changed. The item's Owner Group is initially inherited from the parent container. The parent container is the location in which the item was added. The item's Owner Group can also be changed. Public Access is a designation that defines generic permissions for, in most cases, all users in the system.

When you add an item, it inherits its permissions from the parent container, or the location in which the item was added. However, while the permissions of the container's Owner are copied to the new item, the creator of the new item is assigned as Owner of that item. Therefore, the Owner permissions on a container determine the permissions that the creators of items have on the items they add to that container.
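A minimal model of the inheritance rule described above, as an added example that is not Content Server code or its API. The `Item` class, the four permission names, the sample users, and the rule that effective access is the union of all matching ACL entries are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed, simplified permission names; not the product's own set.
SEE, MODIFY, DELETE, EDIT_PERMS = "see", "modify", "delete", "edit_permissions"


@dataclass
class Item:
    name: str
    owner: str
    owner_group: str
    owner_perms: frozenset
    group_perms: frozenset
    public_perms: frozenset
    assigned: dict = field(default_factory=dict)  # other user/group -> perms


def add_item(container: Item, name: str, creator: str) -> Item:
    """Create an item whose ACL is inherited from its parent container."""
    return Item(
        name=name,
        owner=creator,                      # the creator becomes Owner...
        owner_perms=container.owner_perms,  # ...with the container Owner's perms
        owner_group=container.owner_group,  # Owner Group comes from the parent
        group_perms=container.group_perms,
        public_perms=container.public_perms,
        assigned=dict(container.assigned),
    )


def effective_perms(item: Item, user: str, groups: set) -> frozenset:
    """Assumption: access is the union of every ACL entry matching the user."""
    perms = set(item.public_perms)
    if user == item.owner:
        perms |= item.owner_perms
    if item.owner_group in groups:
        perms |= item.group_perms
    for principal, granted in item.assigned.items():
        if principal == user or principal in groups:
            perms |= granted
    return frozenset(perms)


# Constructed sample: a container owned by "lee"; "dana" (group Sales) adds a file.
CONTRACTS = Item("Contracts", "lee", "Legal",
                 owner_perms=frozenset({SEE, MODIFY, DELETE, EDIT_PERMS}),
                 group_perms=frozenset({SEE, MODIFY}),
                 public_perms=frozenset({SEE}))
DRAFT = add_item(CONTRACTS, "draft.docx", "dana")
```

In this model, reviewing the Owner entry on a container shows what every contributor will be able to do to the items they add there, including changing those items' permissions.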

My Workspace Permissions

You are the Owner of your My Workspace and its contents. You have full permissions on your My Workspace and the items stored there, and you are responsible for administering them. You can grant other users and groups access to selected items stored in your My Workspace or to the entirety of your My Workspace. You set permissions for your My Workspace in the same way you set permissions for any other Container.


Note:
Even if you grant other users permission on your My Workspace, these users cannot reach the My Workspace directly. Other users with permissions on your My Workspace can access it by:

  • Searching for an item contained there. A link to the item appears on the Search Results page.

  • Clicking a Shortcut to an item in your My Workspace that you add to a publicly accessible location, such as the Enterprise Workspace. Other users can then use the Shortcut to access the item. Once they access the item, users can click the Up One Level icon until they reach the Overview page of your My Workspace.