Issues with Automatic Permissions and Related Documents with varying permissions needs

I'm having difficulty with the automatic permissions of document classes that are getting automatic permissions from an object called Case.

Scenario

  • I have a Case Object that tracks
    • reviewers,
    • uploaders, and
    • supervisors.
  • A given case can have many "Case Documents" and "Reporting Documents" associated to it. (Case is a property definition picklist of the case object on each document class with automatic permissions enabled)
  • Case Documents and Reporting Documents take on the permissions of the Case, as expected, due to automatic permissions being enabled on the property definition related to a case.
  • Uploaders have read access to the case throughout the lifecycle of the case.

My Problem:

I need to remove read rights on the Reporting Documents from the uploader while still allowing the uploader to see the Case object in the picklist in the event that they need to provide additional "Case Documents". 

My question is the following:

How do I hide Reporting Documents from the Uploaders while still allowing uploaders to see the original case object? When I attempt to use automatic permissions on the "Reporting Document Class" it "overwrites" the Case Permissions and is only performing the deny. 

Another layer of complexity is that the permissions of the case fluctuate as the workflow progresses. It looks like I cannot dynamically set a deny for the Reporting Document class while maintaining the allow provided by the "Case". I thought about setting up a workflow on the Reporting Document to automatically switch between Locked and Unlocked, but it seems that I cannot set up an automatic transition between two statuses due to the issue of a possible infinite loop.

My only thought is to control permissions through VBScript in the case workflow steps, but I'm trying to avoid that for now. 

Thanks in advance!

  • Hi Carter,

    First of all, you should avoid using Deny and simply remove the Allow option. Deny overrules everything else and therefore cannot be conditional or used in combination with other settings. But you do not get access unless you have Allow. So removing Allow will do the trick for you. You should be able to set up a Named Access Control List based on dynamic properties such as your Reviewers, Uploaders and Supervisors. You may need to add one or two additional properties depending on your requirements. Then you simply add or remove users to those properties as the document passes through your workflow and user access requirements change.

    If you need a loop in the workflow it can be done using a simple script. You add a third WorkFlow State and place the script in there. Your automatic transition from step 2 shall not return the object to state 1 but rather pass it on to state 3 from where the script then will return it to state 1.

    Workflow with loop

    You can create your script along these lines:

    'General script for changing workflow and or state as State Action
    '2021.07.09 Karl Lausten
    Option Explicit
    'clear State
    Dim oStProperty : set oStProperty = CreateObject("MFilesAPI.PropertyValue")
    oStProperty.PropertyDef = 39
    oStProperty.TypedValue.SetValue MFDataTypeLookup, Null
    Vault.ObjectPropertyOperations.SetProperty ObjVer, oStProperty
    'prepare WF
    Dim oWFProperty : set oWFProperty = CreateObject("MFilesAPI.PropertyValue")
    oWFProperty.PropertyDef = 38
    'determine future workflow and state (if conditions are required, insert relevant "if" statements)
    Dim iWFnew : iWFnew = Vault.WorkflowOperations.GetWorkflowIDbyAlias("<Your Workflow>")
    Dim iWFnewState : iWFnewState = Vault.WorkflowOperations.GetWorkflowStateIDbyAlias("<Your WF State>")
    'set new workflow and state
    oWFProperty.TypedValue.SetValue MFDataTypeLookup, iWFnew
    Vault.ObjectPropertyOperations.SetProperty ObjVer, oWFProperty
    oStProperty.TypedValue.SetValue MFDataTypeLookup, iWFnewState
    Vault.ObjectPropertyOperations.SetProperty ObjVer, oStProperty

  • Thanks for the response and providing the script for the workflow loop!

    I am using Named Access Control Lists in the "Case Workflow" and everything with dynamic permissions works when the Case and all related documents all share the same set of permissions.

    I've got a new requirement that one of the related documents called "Reporting Document" should not be visible to "Uploaders" until the case is closed.

    This is problematic because I am pushing automatic permissions from the Case Object to all related documents. The permissions dynamically change as the Case changes workflow states.

    I need to continue doing this with the added level of security that Uploaders should not be able to see the related "Reporting Document".  

    I was hoping to find a way to "Stack" permission sets so that the "Reporting Documents" would inherit permissions from the case object PLUS "not allow" uploaders to see the reporting document. I cannot apply the "not allow" at the case level as this would hide the case from the uploader when they are adding documents to the case. 

    I may be able to achieve this by introducing a workflow on the "Reporting Document" that automatically changes based on the case workflow steps.

    Thanks again for your response and for providing the example.
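
The rule stated in the answer (Deny overrules everything, and there is no access without an Allow) and the follow-up requirement (Uploaders see the Case but not the Reporting Document until the case is closed) can be checked in a small model. This is an added example, not code from the thread and not the M-Files API or its permission engine; the ACL layout, the extra `report_readers` property, the user names and the "Closed" state action are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Constructed model: an ACL is a list of (role, effect) entries, where a role
# names a user-list property on the Case (all names are hypothetical).
CASE_ACL = [("reviewers", "allow"), ("uploaders", "allow"), ("supervisors", "allow")]
# Reporting Document ACL: no entry for "uploaders" at all. "report_readers" is
# the kind of additional property the answer suggests adding.
REPORT_ACL = [("reviewers", "allow"), ("supervisors", "allow"), ("report_readers", "allow")]
# The rejected variant: keep the Case's allows and stack a deny on top.
REPORT_ACL_WITH_DENY = CASE_ACL + [("uploaders", "deny")]

@dataclass
class Case:
    state: str = "Open"
    members: dict = field(default_factory=lambda: {
        "reviewers": {"rita"}, "uploaders": {"ulf"},
        "supervisors": {"sam"}, "report_readers": set()})

    def transition(self, new_state):
        """Workflow state action: on close, uploaders also become report readers."""
        self.state = new_state
        if new_state == "Closed":
            self.members["report_readers"] |= self.members["uploaders"]

def can_read(user, acl, case):
    """Deny overrules everything; without a matching allow there is no access."""
    allowed = False
    for role, effect in acl:
        if user in case.members.get(role, set()):
            if effect == "deny":
                return False          # a single matching deny ends evaluation
            allowed = True
    return allowed                    # default is no access

def visibility(user, case):
    """What one user can read while the case is in its current state."""
    return {"case": can_read(user, CASE_ACL, case),
            "report": can_read(user, REPORT_ACL, case),
            "report_with_deny": can_read(user, REPORT_ACL_WITH_DENY, case)}

if __name__ == "__main__":
    case = Case()
    print("open  ", visibility("ulf", case))
    case.transition("Closed")
    print("closed", visibility("ulf", case))
```

In the deny variant the uploader stays locked out after the case closes, because group membership never lifts a deny; in the allow-only variant the workflow grants access by changing who is listed in a property.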