Access rights
This page is only accessible to admin users.
Introduction: Why Access Rights matter
Access rights are a key feature for managing document permissions within the system. They let implementation partners and elevated tenant users define rules that control which users or groups have access to specific documents. This functionality plays a critical role in:
Security: Ensures that sensitive documents are only accessible by authorized users, preventing unauthorized access.
Compliance: Helps maintain adherence to data protection regulations by allowing organizations to restrict access based on user roles and permissions.
Data Management: Provides precise control over document sharing and collaboration, ensuring that only the appropriate individuals or groups can view, edit, or manage documents.
By using access rights, organizations can safeguard their information and manage document access efficiently.
What are Access Rights?
Access rights define the permissions granted to users or groups to access specific documents within Routty. These rules help control who can:
View and manage documents based on predefined conditions.
Each access right applies to a specific set of documents, either in test or production environments, ensuring that only the right people can access certain information.
Components of Access Rights
An access right is made up of four key components:
Name: The title or description of the access right.
Status: Indicates whether the access right is active or inactive.
Environment: Identifies whether the access right applies to test or production documents.
Assignees: Specifies the users or groups assigned to the access right. Assignees can be a group of users, an individual user, or a combination of both.
Conditions: Defines which documents this access right applies to. Two types are currently available:
Company: Used to allow access for branches of a company, e.g. the Belgian entity or the Dutch entity.
Document Type: Used to allow access for document types, e.g. Purchase Invoices or Sales Invoices.
How Access Rights work: The basics
Activating access rights
Access rights are either enabled or disabled for a tenant.
When no access rights are created, all users have access to all documents.
When at least one access right is created, all users are restricted from accessing documents, unless they are explicitly granted access.
NB: This is still the case if all access rights have been disabled.
AND/OR relations
The conditions within an Access Right maintain an AND relation. This means that all conditions must be met for the assignees to be able to access a document.
In order to create an OR relation, multiple Access Rights can be used.
NB: To be assigned to an access right, a user needs to have logged in at least once.
Full access Access Right
An access right without any conditions grants the assigned users/groups access to all documents in the system. Keep in mind that it still applies to only one environment: test or production.
Example scenario: Access Rights in a multi-national company
Company structure
Multi-national Company:
The company has branches in two countries: Belgium (BE) and the Netherlands (NL). Each branch has its own local invoices.
The company is divided into two departments: Accounts Receivable (AR) and Accounts Payable (AP).
Roles: Users are assigned to specific branches and departments. Additionally, certain higher-level roles, such as the Managers, need access to documents beyond their local branch or department.
Objective
Users should only be able to view invoices from their local branch.
AR (Accounts Receivable) users should only see Sales Invoices.
AP (Accounts Payable) users should only see Purchase Invoices.
Managers (such as a Branch Manager or CEO) need access to all invoices in their region or company-wide, regardless of branch or department.
Setting up access rights
Four specific access rights are configured for the AP and AR departments in both the BE and NL entities.
Required Access Rights
BE AP Access Right (AND condition)
Conditions: Users can only access documents from the BE branch that are Purchase Invoices.
Example: An AP user in BE can only access Purchase Invoices from the BE branch.
BE AR Access Right (AND condition)
Conditions: Users can only access documents from the BE branch that are Sales Invoices.
Example: An AR user in BE can only access Sales Invoices from the BE branch.
NL AP Access Right (AND condition)
Conditions: Users can only access documents from the NL branch that are Purchase Invoices.
Example: An AP user in NL can only access Purchase Invoices from the NL branch.
NL AR Access Right (AND condition)
Conditions: Users can only access documents from the NL branch that are Sales Invoices.
Example: An AR user in NL can only access Sales Invoices from the NL branch.
Higher-Level access for managers
A Manager might need access to both the BE AR and BE AP documents, allowing them to view both Sales and Purchase Invoices from the BE branch.
Branch Manager in BE (OR condition):
Assigned Access Rights:
BE AR Access Right (Sales Invoices from BE)
BE AP Access Right (Purchase Invoices from BE)
Result: The BE Branch Manager can access both Sales Invoices and Purchase Invoices from the BE branch.
CEO (Company-Wide Access) (OR condition):
Assigned Access Rights:
BE AR Access Right
BE AP Access Right
NL AR Access Right
NL AP Access Right
Result: The CEO has access to all invoices across both the BE and NL branches, for both Sales and Purchase Invoices.
Summary of Access Rights using AND/OR relations
In this example, access rights are configured using both AND and OR relations to manage what documents users can access based on their department, branch, and role.
AND condition: Access is restricted based on multiple criteria being true at the same time. For example, an AP user in Belgium (BE) can only access Purchase Invoices that belong to the BE branch. This ensures that the user only sees the relevant documents from their local branch and department (e.g., Purchase Invoices in BE).
OR condition: This allows a user to access multiple document types or sources if one or more conditions are met. For instance, a Branch Manager in BE can access both Sales Invoices and Purchase Invoices from the BE branch, as both the BE AR and BE AP access rights are assigned (i.e., the OR relation allows access to either set of invoices).
In higher-level roles, such as a CEO, the OR condition ensures broad access. The CEO, for example, is assigned rights to both AR and AP in both branches, allowing access to all invoices (Sales and Purchase) across Belgium and the Netherlands, regardless of the branch or department.
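The evaluation rules described on this page (AND across the conditions of one access right, OR across access rights, environment scoping, and default deny once any access right exists) can be checked with a small model before configuring them. The Python sketch below is an added illustration, not Routty code or its API; the class, function, group names and document fields are assumptions, and the data is constructed from the BE/NL scenario.

```python
from dataclasses import dataclass, field

@dataclass
class AccessRight:                    # hypothetical model, not a Routty type
    name: str
    environment: str                  # "test" or "production"
    assignees: set                    # user and/or group names
    conditions: dict = field(default_factory=dict)  # empty = full access
    active: bool = True

def can_access(principals, doc, rights):
    """principals: the user's own name plus the groups they belong to."""
    if not rights:                    # no access rights created: no restriction
        return True
    for r in rights:                  # OR across access rights
        if (r.active and r.environment == doc["environment"]
                and r.assignees & principals
                # AND across the conditions inside one access right
                and all(doc.get(k) == v for k, v in r.conditions.items())):
            return True
    return False                      # default deny, also when all are disabled

def full_access_rights(rights):
    """Active rights without conditions: the broad rules worth reviewing."""
    return [r.name for r in rights if r.active and not r.conditions]

# Constructed data modelled on the BE/NL scenario (production only).
def right(company, dept, doc_type, assignees):
    return AccessRight(f"{company} {dept}", "production", assignees,
                       {"company": company, "document_type": doc_type})

RIGHTS = [
    right("BE", "AP", "Purchase Invoice", {"be-ap", "be-manager", "ceo"}),
    right("BE", "AR", "Sales Invoice", {"be-ar", "be-manager", "ceo"}),
    right("NL", "AP", "Purchase Invoice", {"nl-ap", "ceo"}),
    right("NL", "AR", "Sales Invoice", {"nl-ar", "ceo"}),
]
DOCS = [{"id": f"{c}-{t[0]}", "company": c, "document_type": t,
         "environment": "production"}
        for c in ("BE", "NL") for t in ("Purchase Invoice", "Sales Invoice")]

def visible(principals, rights=RIGHTS, docs=DOCS):
    return sorted(d["id"] for d in docs if can_access(principals, d, rights))

if __name__ == "__main__":
    for who in ("be-ap", "be-manager", "ceo", "nl-ar"):
        print(who, visible({who}))
```

Running the same `visible` check with every right set to inactive returns an empty list for every user, which is the lockout case described under "Activating access rights".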
Best practices
Assign access rights based on groups (e.g., AP, AR) to avoid unnecessary administrative work.
Review and update access rights regularly to ensure that only the necessary users have access.
Avoid broad access rules unless absolutely necessary. For example, a "view all" rule should only be used when needed to avoid security risks.
Troubleshooting common issues
If you encounter issues with access rights, check the following:
User can't see a document: Verify that the user has been assigned the correct access rights and that the access right is active.
When all access rights have been disabled, no documents will be visible. To completely disable access rights, all access rights need to be deleted.
Access Right not working as expected: Check if the access right's conditions (e.g., document type, company, environment) are correctly configured.
If issues persist, contact support for further assistance.