Document Access Management
Who sees which documents — visibility rules, approval-line access, and role-based restrictions
Document access control is a critical security topic that is verified during security audits. Ensure your configuration matches your organisation's data separation requirements.
Core Principle: Approval-Line Visibility
A user sees a document only if they are part of the document's approval chain — either as a current or past approver, the original submitter, or an Administrator.
This means:
- User A uploads a document → it goes to User B (step 1 approver) then User C (step 2 approver).
- User B can see the document while it is at step 1 (and afterwards as a historical record).
- User C can see the document from step 2 onwards.
- User D, who is not in the chain, cannot see the document at all, even if they belong to the same organisational unit.
This is intentional — it enforces a strict need-to-know access model.
Visibility Rules Summary
| Who | What they can see |
|---|---|
| Document submitter | All documents they have submitted, in any state |
| Current step approver | Documents currently awaiting their approval action |
| Past step approver | Documents where they have previously acted (approved or rejected) |
| Administrator | All documents in the company |
| Accountant | All documents in states: Approved, Export, Published |
| Viewer | Only documents explicitly shared with them via the share function |
Role-Based Access
Administrator
Administrators have unrestricted read access to all documents. They can also:
- Override the approval chain
- Move a document back to a previous state
- Assign or reassign an approval step
Accountant
Accountants see all documents that have reached the Approved state or later (Export, Published). They do not see documents still in processing or pending approval unless they are also an approver in the chain.
Approver
An approver sees only documents where they are an active or past participant in the approval chain. They do not see documents routed to other approvers, even within the same department.
Viewer
A Viewer has no automatic document visibility. Documents must be explicitly shared with them by the submitter or an Administrator.
Organisational Unit Scoping
Approval workflows can be scoped to specific Organizational Units. A user who is an approver in unit A will only see documents that originated from unit A, not from unit B, even if both units use the same approval rule.
Sharing a Document
To grant access to a user who is not in the approval chain:
- Open the document detail page.
- Click Share.
- Select the user(s) to share with.
- Click Confirm.
Shared access is recorded in the audit log.
Audit Trail
Every access event (view, download, approval action, share) is logged in the document's Audit Log, accessible from the document detail page. The audit log is immutable and cannot be edited or deleted.
Common Questions
Q: Can a user in the same department see documents submitted by a colleague? A: No — unless they are an approver in the document's chain, or the document is explicitly shared with them.
Q: Can an approver at step 2 see documents before they reach step 2? A: No — they are notified and gain visibility only when the document reaches their step.
Q: Does an Administrator always see all documents? A: Yes. Administrator access is global within the company and cannot be restricted further.