Security in iTWOcx is handled in two key ways/

The way a document is addressed

The Basic Security Rule

If you are not named on a document you may not access it.

For example, if a document is created by user AA-AA and addressed to BB-BB, then at this time only those 2 users are named on the document, so only those 2 users may access it. If the document is then copied to CC-CC then user CC-CC may now also access this document.

You may also add 'groups' to the Info of a document. The groups are:

• Other users: Anyone that the author of this document may address (as defined in the Who2Who Matrix) may access this document.
• A role: An entire role can be added as an info item which means any company belonging to that role and any user with the sufficient access level within that company can access this document
• An entire company: Anyone in company XX may access this company
• A group: See User Groups here

Tip: If a particular user or group should always be copied in on a particular document type you can create a /wiki/spaces/cxKB/pages/23203211 to force this user or group to be automatically included on any new documents.

Private Access

As an addition to addressing security - you may opt to add the keyword Private to a document. Or set it when the document is being issued.

When the Private Keyword is added to a document - Only people named on this document may read the document. Only the Author may add a new name to the addressing of this document. This document does not display in Searches unless you are named on the document. 

The Security Options

Accessing a document even if you are not named on it.

The basic security rule is simple to understand and manage, however it does not always reflect the way documents are managed within a particular company. In some cases the basic rule is appropriate, but inothercasesoneof the following options might be better.

• No Special Access
  The basic security rule (as explained above) determines access.
  
  
• My peers or superiors may access
  Each user is given an "Access Level" in their user profile. See below for more on Access Levels.  When this option is enabled anyone in the same company at the same Access Level or higher, has permission to read the document.
  
  For example: documents created by a user who has an Access Level of Staff can be read by a user of Access Level Staff or Manager.  Documents created by a user of level Manager cannot be read by a user of level Staff.

  Note: this option is the default for Correspondence.

• Anyone in my company may access
  Anyone in the same company as someone named on the document may access the document. For example, if user AA-AA is named on the document, then user AA-BB, AA-CC, etc may also access the document, regardless of their Access Level. 
  

  Note:  this option is the default for Transmittals, and the documents on the Document Register.

The options do not apply if a document has been tagged 'PRIVATE'.

User Access Levels

The following lists the standard Access Levels:

• Guest - can only view the list of documents in a Document list.
• Staff - only users who are Staff/Manager/Director can access documents their companies are named on. 
• Manager - only users who are Manager/Director can access documents their companies are named on.
• Director - only users who are Director can access documents their companies are named on.

  Note: most users are Staff/No Special Rights.

Each user is assigned an Access Level in their user profile (go to My Details in the Contacts Module).  The Security options can be set for the whole project by Role (e.g. Consultant, Managing Contractor, Co-ordinating Consultant) and by Company.

 The Company setting overwrites the Role setting.

System-Level Access

In addition, the following System Access Levels can be set to restrict general access to the project:

• Restricted- cannot even login to the project.
• Unrestricted - can create and respond to correspondence;  can upload/send files on transmittals.
• Company Administrator - can control access for thier individual company.
• Project Administrator - default full system access

Accessing a particular revision of adocumentontheDocument Register

To determine if you have permission to download a particular revision of a file, the system checks if you were addressed on any Transmittals that included that file. Thus, the security is handled at the revision level, not at the document level. 

You are not permitted to access a particular revision of a document until there is a Transmittal that addresses this revision to you.

Company Administration have the flexibility to allow individual companies to overwrite the project-wide access as it pertains to their company.  It is possible for a company to remove control from Project Administrator(s) and/or the Project Module Administrators if their security standards require it. This gives the ability to delegate configuration amongst many people.  Company Administrators are defined on the Company Details Page.

Within the Company Admins section of the Company Detail Page, Company Administration will default to the Project Module Administrators, as defined in the Configuration Module. The Project Module Adminstrators user group is depicted as [MODULEADMIN] and looks to the Project Module Administration Configuration to determine access.  See diagram below.

The Project Adminstrators User Group is depicted as [PROJECTADMINS].  This user group looks up the Project Administrators defined on the Project Details Page. See diagram above.

1. Create new folder; view and edit folders and documents in the Transmittal and Document register (Register Module Administration).
2. Create new companies and users and edit details (Contacts Module Administration)
3. View and edit distribution rules and saved searches (Config Module Administration).
4. Receives all undeliverable emails (Postmaster Module Administration).

1. Click the for a pop up window.   
2. From this pop up window, you can select the company, the users and/or user groups already defined in the configuration module. Highlight the entity and Click OK.  
   
3. You may select any combination of these to administer each module.
4. You may delete out any users, companies, or user groups.  However, it is essential that some combination of users, companies or user groups are entered.
5. Click .

Warning!  We recommend always using the pop up window to select the users, companies, or user groups.  If there is a misspelling you could lock everyone out of the module.

Once saved the Company-wide security settings overwrite the project-wide settings for that particular company.

For more information on the rights of each Module Administrator Click Module Administration.

Individual companies can set up the visibility of their documents by document type. There is the ability to restrict people outside their company to see certain document types listed in a register.  The actual access to documents are described above however this control gives you the ability to not show documents in the register at all if you choose.

1. +ALL is the default for all documents except Contracts Administration documents. This means that all other companies in this project can see the title of the document in the register(s).
2. -ALL is the parameter if you would like no one outside of your company to see the document listed in the register
3. You may select the and select from the dropdown list(s) to tailor the visibility of the document types.  A pop up window will display, choose the entities and click OK to add.