.. _apps-acls:


====================
Access control lists
====================

Mayan EDMS uses a role based permission system
(https://en.wikipedia.org/wiki/Role-based_access_control) that provides a
mechanism to control access to the contained documents and system functions.

Besides the simpler global permissions system, Mayan EDMS also provides per
object permission granting. This feature is used to grant a permission to
a role, but this permission can only be executed for a limited number of
objects (documents, folders, tags) instead of being effective system-wide.

In this scenario only users in groups belonging to the ``Accountants`` role
would be able to view the ``2015 Payroll report.txt`` document.

Inherited access control
========================

It is also possible to grant a permission to a role for a specific
:ref:`document type<apps-documents>`. Under this scheme all users in
groups belonging to that role will inherit that permission for all documents
of that type.

The role ``Accountants`` is given the permission ``document view`` for the
document type ``Payroll reports``. Now all users in groups belonging to the
``Accountants`` role can view all documents of the type ``Payroll reports``
without needing to have that permissions granted for each particular
``Payroll reports`` type document.

If access control for the ``Payroll reports`` documents needs to be updated it
only needs to be done for the document type and not for each document of the type
``Payroll reports``.
