Restrict document access for users in Mayan EDMS

1. Situation / Problem

  • There are two (or more) organizational units.
  • Each org unit uses Mayan to manage its documents.
  • Each unit should only see and work on its own documents in Mayan. Any document resources from other org units should neither be visible nor alterable.

The easiest approach to achieve this goal would be to set up two separate Mayan instances. This could be done with two separate virtual Mayan environments on one machine (which could then at least share a single database server running two separate databases). Or, separating things further, we could even set up two completely separate machines (virtual machines, Docker containers or even physical hosts), each containing the whole suite of services (PostgreSQL server, Redis, Venv and all the other stuff) on a standalone basis.

The main disadvantage of such an approach would be duplication. This is particularly inconvenient when it comes to keeping all the separate systems updated. Mayan releases an upgrade about every fortnight on average, and the process is quite cumbersome. If you run a separate system for each org unit, this means having to go through the same tedious upgrade procedure each and every time. And the same might go for the operating systems of each virtual or physical machine.

2. Sharing Mayan EDMS over multiple organizations

Mayan prides itself on its highly granular and customizable access control. Not only does it allow an unlimited number of users, but it can also define an unlimited number of groups to which users can be added, and roles which determine the privileges granted to each group. User groups can then be awarded one or more roles, through which member users obtain these privileges indirectly.

On top of that, each resource, be it a single document, a document type or even a cabinet, comes with its own access control list, which can fine-tune the access privileges at the object level.

With all these instruments, it should be possible to keep separate org units on the same Mayan installation from messing around with each other’s documents.
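The access model just described, reduced to a small isolation check (an added example, not Mayan's code or API, and not from the original post). It assumes that a permission granted on a role itself applies to every object, that an ACL entry grants it for one object only, and that a document inherits the ACL of its document type; all user, group, role, permission and object names are constructed.

```python
from dataclasses import dataclass, field

VIEW, EDIT = "document_view", "document_edit"  # constructed permission names

@dataclass
class Role:
    name: str
    global_perms: set = field(default_factory=set)  # set on the role: valid for every object

@dataclass
class Obj:
    name: str
    unit: str                    # owning org unit (constructed label)
    parent: "Obj | None" = None  # assumption: a document inherits its type's ACL
    acl: dict = field(default_factory=dict)  # role name -> permissions on this object

def role_allows(role, perm, obj):
    if perm in role.global_perms:
        return True
    while obj is not None:       # walk up: document -> document type
        if perm in obj.acl.get(role.name, set()):
            return True
        obj = obj.parent
    return False

def cross_unit_leaks(user_units, user_groups, group_roles, objects, perms=(VIEW, EDIT)):
    """Return (user, permission, object) triples that reach into another unit."""
    leaks = []
    for user, unit in user_units.items():
        roles = [r for g in user_groups[user] for r in group_roles[g]]
        for obj in (o for o in objects if o.unit != unit):
            leaks += [(user, p, obj.name) for p in perms
                      if any(role_allows(r, p, obj) for r in roles)]
    return sorted(leaks)

def demo():
    role_a, role_b = Role("unit-a-staff"), Role("unit-b-staff")
    type_a = Obj("Unit A invoices", "A", acl={"unit-a-staff": {VIEW, EDIT}})
    type_b = Obj("Unit B contracts", "B", acl={"unit-b-staff": {VIEW, EDIT}})
    objects = [type_a, type_b, Obj("invoice-001", "A", type_a), Obj("contract-007", "B", type_b)]
    args = ({"alice": "A", "bob": "B"}, {"alice": ["Unit A"], "bob": ["Unit B"]},
            {"Unit A": [role_a], "Unit B": [role_b]}, objects)
    isolated = cross_unit_leaks(*args)  # ACLs only: no cross-unit access
    role_b.global_perms.add(VIEW)       # misconfiguration: permission put on the role
    return isolated, cross_unit_leaks(*args)

if __name__ == "__main__":
    print(demo())
```

With ACL entries only, the check reports nothing; one view permission placed on the role instead of the document type's ACL exposes every object of the other unit.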

The downside is that controlling access privileges with all these settings to toggle is not trivial at all. Worse still, the documentation is limited to rudimentary descriptions. Even the book only offers advice of the “in order to add a user to a group click the ‘Add user to group’ button” style. It elaborates in great detail on things that you would have known anyway but offers few instructions on conceptual matters. There are no worked examples worth mentioning that would have helped with our problem.

There were a couple of hints in the Mayan user forum, which helped a little, and a worked example on users, roles and ACLs from a blog unrelated to the Mayan EDMS developers. After a lot of trial and error, here’s how to set up a single Mayan instance to deal with completely different org units…