Group Class and Class Permissions - Hide Class Name on object creation but display on specific permission

Hello everyone,

I'd like to hide certain HR classes (which are in a group class) when a user wants to create a new object, but I want them to see the object (HR Class) when permissions are given to them (permissions based on a property).

Thanks for your help, regards,
Claudio

  • The situation I'm having is that we want documents of a certain class to be created only by a process in another system.  Our developer had a process that was creating these documents in the vault and it was working fine.  Then I attempted to restrict users from manually creating the form by going to the Permissions tab of the document class, and for all internal and external users, for the option "Attach objects to this class", I selected Deny.  Then on the same tab, I added the same user that will be running the process in the other system to create the docs and I set "Attach objects to this class" to Allow.  But the developer continues to get "Access denied" errors like the following:

    {"ErrorCode":"2020","Status":500,"URL":"/objects/0","Method":"POST","Exception":{"Name":"COMException","Message":"Access denied.\r\nYou are not allowed to attach objects to the \"FNOL Temporary2\" class.","InnerException":{"Name":"MFilesException","Message":"Access denied.\r\nYou are not allowed to attach objects to the \"FNOL Temporary2\" class.","StackText":"Error reference ID: 5616dffe-201e-4b29-aff2-1fef07a3bed5","ErrorCode":"2020"}},"Stack":"Error reference ID: 5616dffe-201e-4b29-aff2-1fef07a3bed5","Message":"Access denied.\r\nYou are not allowed to attach objects to the \"FNOL Temporary2\" class.","IsLoggedToVault":true,"IsLoggedToApplication":true,"ExceptionName":"COMException"}

  • You should leave the checkboxes for attach unchecked, not set to Deny.

  • Thanks Radu, that fixed it!  I guess I'm unclear though on why it worked.  What's the difference between checking "Deny" and not checking "Allow?"

  • The deny is enforced on users or groups, so any other permission is ignored.

  • "Deny" is the strongest option which overrides any other permission granted, so it should mostly be used for exceptions. For instance: allow access to all users in this user group ("Allow" for the user group) except for this particular user ("Deny" for the specific user). In most cases you should just leave "Allow" unchecked if you don't want to give access.
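
The deny-overrides behaviour described in the replies above, as an added example that is not part of the original thread and is not M-Files code. It is a minimal model of the evaluation rule only; the account names (`svc_import`, `alice`, `bob`, `carol`), the `HR` group, and the assumption that every account belongs to "All internal and external users" are constructed for illustration.

```python
from dataclasses import dataclass

ALLOW, DENY = "allow", "deny"
EVERYONE = "All internal and external users"

@dataclass(frozen=True)
class Entry:
    principal: str  # user or group name on the class's Permissions tab
    effect: str     # ALLOW or DENY; an unchecked box is modelled as no entry

def can_attach(user, groups, acl):
    """Return (allowed, reason) under deny-overrides evaluation."""
    principals = {user} | set(groups)
    matched = [e for e in acl if e.principal in principals]
    for e in matched:
        if e.effect == DENY:  # one matching Deny beats every Allow
            return False, f"denied by entry for '{e.principal}'"
    for e in matched:
        if e.effect == ALLOW:
            return True, f"allowed by entry for '{e.principal}'"
    return False, "no matching Allow"  # unchecked: no access, but no override

# Constructed principals: svc_import stands in for the integration account.
MEMBERSHIP = {
    "svc_import": [EVERYONE],
    "alice": [EVERYONE],
    "bob": [EVERYONE, "HR"],
    "carol": [EVERYONE, "HR"],
}

def check(user, acl):
    return can_attach(user, MEMBERSHIP[user], acl)

# Setup from the thread: Deny on everyone, Allow on the integration account.
BROKEN = [Entry(EVERYONE, DENY), Entry("svc_import", ALLOW)]
# The fix: leave the group's boxes unchecked, keep Allow on the account.
FIXED = [Entry("svc_import", ALLOW)]
# The exception pattern from the last reply: group Allow, one user Deny.
EXCEPTION = [Entry("HR", ALLOW), Entry("bob", DENY)]

if __name__ == "__main__":
    for name, acl in [("broken", BROKEN), ("fixed", FIXED), ("exception", EXCEPTION)]:
        for user in MEMBERSHIP:
            print(f"{name:9} {user:10} {check(user, acl)}")
```

The reason string names the entry that decided the outcome, which is the detail to look for when an account that has an explicit Allow still gets "Access denied".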