Atomic Security allows more granular control for various actions. Atomic Security for Documents is available for active workflow actions and for configured document lifecycle actions. With Atomic Security for Documents, Admins can define access to actions by document lifecycle state and document lifecycle role. For example, users in the Editor role may be able to access Cancel Workflow while a document is in Review state, but not in other states.
Active workflow actions are options for workflow instances that are in progress, for example, Add Participants and Cancel Workflow.
Configured document lifecycle actions allow users to start a workflow and change a document’s state. Some Vaults include custom document actions as well. With or without Atomic Security, this access is controlled by document role and document lifecycle state. When using Atomic Security, however, Vault provides access control at the action level. For example, there may be two user actions to start workflows for a document in Review state: Start Review and Start Rush Approval. A user in the Editor role could have access to Start Review, but not Start Rush Approval. Without Atomic Security, the user role permissions would allow access to all configured start workflow actions.
Changes to Document Security
Atomic Security for Documents: Active Workflow Actions and Atomic Security: Document Lifecycle Actions is enabled in all Vaults. The enablement of this feature includes the following changes on document lifecycle and security pages:
- The Atomic Security tab appears in the lifecycle state configuration.
- Start Workflow permission disappears from the security matrix.
- Change State permission disappears from the security matrix.
- Multi-Channel Actions permission appears in the security matrix.
Migration (Document Lifecycle Actions)
There should be no changes to user access in your Vault. To make this possible, Vault performed the following migration actions:
- For all configured user actions (previously controlled by Start Workflow and Change State permissions), Vault set the State Behavior to Execute.
- Vault applied overrides to hide these actions for any role that did not include the controlling permission before enablement.
- Vault granted access to the new Multi-channel Actions permission for any roles which included Start Workflow permission.
Multi-Channel Actions Permission (Document Lifecycle Actions)
In previous releases, access to certain Multichannel functionality was controlled by the Start Workflow permission. Atomic Security for Documents introduced the new Multi-Channel Actions permission to control these actions:
- Create Presentation
- Send to CLM
- Preview CLM
Document Workflow (Formerly Multi-Document Workflow) Actions
The enablement of Atomic Security for Documents results in the following changes to document workflow (formerly multi-document workflow) action access:
- By default, the Atomic Security behavior option for user actions that start document workflows is Execute. Previously, these actions were hidden in individual document action menus if the role did not have Start Workflow permission in its security configuration, but with this change, the actions are now visible without this permission. Even before this change, users could start these workflows from bulk views such as Cart, Favorites, or Recent Documents.
- Atomic security now brings consistent access enforcement. Admins can prevent users from starting document workflows in both individual document action menus and bulk views via Atomic Security configuration.
- Previously, only workflow initiators could perform the Remove Content action. With this Atomic Security enablement, the default behavior for all roles for the Remove Content action is now Execute. This is an active workflow action only applicable for document workflows with multiple documents. This behavior allows participants to remove content. This behavior can be overridden by state and role-based Atomic Security.
To access Atomic Security settings for a lifecycle state, navigate to Admin > Configuration > Document Lifecycles > [Lifecycle] > States > [State] > Atomic Security.
When configuring Atomic Security for document lifecycle states, you first set the default behavior and then overrides for specific roles. The default behavior will apply to any new roles created, and to any roles where an override is not set. If access to an action should be more restrictive, you would set the State Behavior to Hide or (for document lifecycle actions only) View, which ensures that only roles explicitly given access can execute the action. If access to an action should be less restrictive, you would set the State Behavior to Execute, which ensures that all roles have access unless explicitly prevented.
Remember that Atomic Security configuration happens within a single lifecycle state, so access to an action may be more or less restrictive based on the document’s state.
Note that access to the Cancel Task and Reassign Task actions in single-document workflows depends on the options selected in the task configuration, rather than Atomic Security.
To set default and override behavior for workflow actions:
- From the Atomic Security tab, click Edit.
- Select a default State Behavior for each action.
- Create overrides by clicking + Role Override.
- Within the Search: Lifecycle Role window, click the green + icon for one or more roles. Click OK when finished.
- In the grid, select an override behavior for each role.
- Click Save. Changes to Atomic Security go into effect immediately.
When setting a default and override behavior, you see the following options:
- Hide will hide the action from users, preventing it from appearing in the workflow Actions menu.
- View (only available for document lifecycle actions) will allow users to see the option in the document Actions menu, but it will be grayed out and not clickable to prevent them from executing the action on a document.
- Execute will allow users to execute the action on a document.
The following permissions control access to Atomic Security configuration:
Document Lifecycles: Edit
Ability to modify settings in the Atomic Security tab for document lifecycle states
Note: Workflow Initiators and Coordinators have access to workflow actions regardless of permissions or Atomic Security Settings. Vault also bypasses Atomic Security for users with the standard Vault Owner security profile.