.. _apps-acls:


====================
Access control lists
====================

Mayan EDMS uses a role based permission system
(https://en.wikipedia.org/wiki/Role-based_access_control) that provides a
mechanism to control access to the contained documents and system functions.

Besides the permissions system explained in the
:ref:`permissions app<apps-permissions>`, Mayan EDMS provides per object
permission granting. This feature is used to grant a permission to a role,
but this permission can only be executed for a limited number of objects
(documents, folders, tags) instead of being effective system-wide.

In this scenario only users in groups belonging to the ``Accountants`` role
would be able to view the ``2015 Payroll report.txt`` document.

Inherited access control
========================

It is also possible to grant a permission to a role for a specific
:ref:`document type<apps-documents>`. Under this scheme all users in
groups belonging to that role will inherit that permission for all documents
of that type.

The role ``Accountants`` is given the permission ``document view`` for the
document type ``Payroll reports``. Now all users in groups belonging to the
``Accountants`` role can view all documents of the type ``Payroll reports``
without needing to have that permissions granted for each particular
``Payroll reports`` type document.

If access control for the ``Payroll reports`` documents needs to be updated it
only needs to be done for the document type and not for each document of the type
``Payroll reports``.
