User access permissions to fileshares

Note: Starting September 1, 2024, we’re streamlining our Staging boundaries to more effectively separate staging data from workspace and system data. With this change, you will no longer be able to write to or access data outside of the defined staging area. Folders that will remain within the Staging area: ARM, ProcessingSource, StructuredData, and TenantVM. Folders that will be removed: FTA, Temp, Export, and dtSearch, in addition to any other folders that you manually created. Refer to the Staging Area topic and Staging Area FAQ in Community for more details.

In the default RelativityOne setup, users can access fileshares if they're in a group that is added to a workspace that's associated with a resource pool with fileshares. In some cases, if a user has access to multiple client domains, you may only want that user to see fileshares for his own client domain in the Staging pane and not any fileshares from other client domains to which he has access. Refer to the following sections for more information on each scenario.

Default workflow in RelativityOne for user access to fileshares

The normal workflow in RelativityOne is that a group and its users inherit access to any fileshares within the resource pool that is associated with the workspace to which the group has access, as shown in Figure 1.

For example, User A is in Group A that is added to Workspace A, which is associated with a Resource Pool containing fileshares. As a result, User A can view and access all fileshares in the Staging pane via the group's access.

Figure 1: User able to view resource pool fileshares

In this scenario:

  • User is in a group, other than “System Administrators,” that is added to at least one workspace that is associated with the resource pool containing the fileshares. Once the user is assigned to the group, they will have access to any fileshares in the resource pools associated with the workspaces to which the group has been added. For more information on adding users to groups, see Adding users to groups.
  • Instance Setting of StagingPaneOnlyPerClientDomain either does not exist or, if it exists, it’s set to False.

Granting user access to specific fileshares

If you have a user who has access to multiple client domain workspaces and you only want them to be able to access fileshares for their own client domain in the Staging pane, then you must configure the proper permissions. The process involves setting the StagingPaneOnlyPerClientDomain instance setting to True and configuring groups with item-level permissions to the resource pool that contains the fileshares to be accessed.

Based on the default workflow in RelativityOne, as described above, a group and its users inherit access to any fileshares within the resource pool that is associated with the workspace to which the group has access. Therefore, in this workflow, a user who has access to multiple client domain workspaces will be able to view the fileshares for each of those client domains.

For example, User A has access to his own Client A Domain, but he can also access the workspace for Client B Domain if he’s added to Group B in Client B Domain, as shown below. As a result of being added to Group B, he’ll be able to view the fileshares associated with Workspace B in Client B Domain. In this situation, the StagingPaneOnlyPerClientDomain instance setting either does not exist or is set to False, and item-level permissions to the resource pool are not configured.

Figure 2: User able to view other client domain fileshares.

To ensure that User A only views and accesses fileshares from his own domain in the Staging pane, while still retaining access to the workspace for another client domain without viewing its fileshares, you must:

  1. Set the StagingPaneOnlyPerClientDomain Instance Setting to True.
  2. Add the user to a group that has been given item-level permissions to the resource pool and its associated fileshares, as shown in Figure 3.

In this scenario, User A is added to Group A, which has been given item-level permissions to the resource pool and associated fileshares in their Client A Domain. By being added to Group B2, User A is still able to view Workspace B but cannot view its fileshares. For User B to only view her client domain’s fileshares, User B is added to Group B1, which has been given item-level permissions to Client B’s resource pool so User B can view her domain’s fileshares.

Figure 3: User prevented from viewing other client domain fileshares.

Note: Access to the resource pool does not automatically make the Resource Pool object visible to users. In order to see the resource pool, users must have access granted to the Resource Pool object tab in Admin Mode settings.

For more information on how security and permissions operate in RelativityOne, see Security and permissions.

To grant access to specific fileshares, the user must be in a group, other than the System Administrator group, that is given item-level permissions to the resource pool containing the associated fileshares.

 

Step 1: Configure the StagingPaneOnlyPerClientDomain Instance Setting

The default RelativityOne setup does not contain the StagingPaneOnlyPerClientDomain instance setting, so the application behaves as described in the Default workflow in RelativityOne for user access to fileshares section. To change this, add the StagingPaneOnlyPerClientDomain instance setting and configure it as indicated below.

  1. Navigate to Instance Settings.
  2. Click New Instance Setting.
  3. Enter the following information in the fields specified:

New Instance Settings for StagingPaneOnlyPerClientDomain

  • Name—enter StagingPaneOnlyPerClientDomain.
  • Section—enter Relativity.DataTransfer.
  • Value Type—select True/False.
  • Value—select True.

Note: This value must be set to True if you want to prevent users from accessing fileshares in other client domain workspaces. If it is set to False, the opposite occurs and users will inherit access to any fileshares associated with workspaces to which they have access, as shown in Figure 2.

  4. Click Save.

Step 2: Create the Group

Although you can use any existing group, we recommend creating a new, specific group for these users so you can better manage the fileshare access permissions.

  1. Navigate to Groups.
  2. Click New Group.
  3. Enter the fields as needed. For more information on creating groups, see Creating and editing groups.
  4. Click Save. This group will be added to the resource pool in a later step.

Step 3: Add Users to the Group

Next, add users to the group who need to access the fileshares in the Staging pane of the Staging Explorer.

  1. From the Groups tab, click Add.
  2. Select one or more users to add to the group as needed and click Apply. For more information on adding users, see Adding users to groups.
  3. Click Apply.

Note: If a user belongs to more than one group with item-level access to other resource pools, they will inherit access to all fileshares associated with those resource pools. Review the item-level permissions for each resource pool to ensure only the desired groups have been granted access to the associated fileshares.

Step 4: Add the Group to the Resource Pool with Item-level Permissions

Finally, add the group to the resource pool with item-level permissions.

  1. Navigate to Resource Pools.
  2. Select the Resource Pool associated with the client domain that contains the fileshares you want to allow users to access.
  3. Click the File Repositories tab to review the available fileshares assigned to the selected resource pool and

Resource Pool Edit Permissions File Repositories tab

  4. Click the box next to the desired fileshare from the list and click Edit Permissions.
  5. Click the Add/Remove Groups button on the Groups tab of Item Security.

Note: If the Add/Remove Groups button does not display, toggle the Override Inherited Security option ON.

Item level permissions for groups

  6. Select the group that you added in the previous section and click the arrow to move it to the Groups in Workspace pane.
  7. Click Save.

The group and the users within it now have item-level permission to the resource pool and its associated fileshares. They can access only the specific fileshares configured; they retain access to workspaces in another client domain but cannot view that domain's fileshares. For more information on item-level permissions, see Security and permissions.

Notes:
  • Access to the resource pool does not automatically make the Resource Pool object visible to the users. To see the resource pool, they will need to also have access granted to the Resource Pool object tab in Admin Mode settings.
  • The resource pool will not be assigned to the new workspace if you move the workspace to another client domain or delete the workspace.
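
The following added example (not Relativity code and not a Relativity API) models the two access rules described on this page so you can audit a planned group layout for cross-domain fileshare exposure before and after enabling StagingPaneOnlyPerClientDomain. The Instance structure, the function names, the pool names and the fileshare names (fs-a1, fs-a2, fs-b1) are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Instance:
    per_client_domain_only: bool  # StagingPaneOnlyPerClientDomain (absent behaves as False)
    user_groups: dict       # user -> set of groups
    user_domain: dict       # user -> the user's own client domain
    workspace_groups: dict  # workspace -> groups added to it
    workspace_pool: dict    # workspace -> resource pool
    pool_fileshares: dict   # resource pool -> fileshares
    pool_domain: dict       # resource pool -> client domain
    item_level: dict        # fileshare -> groups given item-level permission

def visible_fileshares(inst, user):
    """Fileshares the user would see in the Staging pane under the page's rules."""
    groups = inst.user_groups.get(user, set())
    if inst.per_client_domain_only:
        # Setting True: only fileshares where one of the user's groups has item-level permission.
        return {fs for fs, granted in inst.item_level.items() if groups & granted}
    # Default: inherit every fileshare in the pool behind any workspace the groups can access.
    shares = set()
    for ws, ws_groups in inst.workspace_groups.items():
        if groups & ws_groups:
            shares |= inst.pool_fileshares[inst.workspace_pool[ws]]
    return shares

def cross_domain_exposure(inst):
    """Map each user to the fileshares they can see outside their own client domain."""
    fs_domain = {fs: inst.pool_domain[p] for p, fss in inst.pool_fileshares.items() for fs in fss}
    report = {}
    for user, home in inst.user_domain.items():
        foreign = sorted(fs for fs in visible_fileshares(inst, user) if fs_domain[fs] != home)
        if foreign:
            report[user] = foreign
    return report

def example_instance(setting):
    """Constructed data mirroring the User A / User B scenario (Figures 2 and 3)."""
    return Instance(
        per_client_domain_only=setting,
        user_groups={"User A": {"Group A", "Group B2"}, "User B": {"Group B1"}},
        user_domain={"User A": "Client A", "User B": "Client B"},
        workspace_groups={"Workspace A": {"Group A"}, "Workspace B": {"Group B1", "Group B2"}},
        workspace_pool={"Workspace A": "Pool A", "Workspace B": "Pool B"},
        pool_fileshares={"Pool A": {"fs-a1", "fs-a2"}, "Pool B": {"fs-b1"}},
        pool_domain={"Pool A": "Client A", "Pool B": "Client B"},
        item_level={"fs-a1": {"Group A"}, "fs-a2": {"Group A"}, "fs-b1": {"Group B1"}},
    )

if __name__ == "__main__":
    for setting in (False, True):
        print(setting, cross_domain_exposure(example_instance(setting)))
```

Adding User A to Group B1 in this model reproduces the caveat in the Step 3 note: with the setting at True, the report flags User A again because a second group carries item-level access to another domain's fileshare.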