Controlling Direct Access to Content

Some apps use direct access instead of baseline behavior to determine who can view and work with content.

Direct Access Content Model

The direct access content model is based on responsibilities and permissions. A responsibility defines a group of permissions for a specific object, starting with the ability to view it. The permissions and responsibilities available for a type of object are defined by the app that creates it. Since some apps manage more than one type of object, there might be different responsibilities and permissions defined for each type of object in the app. The Owner responsibility is automatically assigned to the user who creates a specific object. Only the Owner can view and work with a newly created object. Ownership of one specific object does not grant you responsibilities and permissions for any other object of that same type.

Managing Direct Access to Content

In apps that use direct access to content, the ability to view and work with each object is granted to users by sharing it with them and assigning them a specific responsibility for the object. The ability to share the object is a permission associated with one or more responsibilities. It is automatically part of the Owner responsibility and might also be part of one or more other responsibilities.

Any user who is assigned a responsibility that permits it can share the object with other users. The Owner, and other users with a relevant assigned responsibility, can change or remove a user's assigned responsibility.

The Owner can assign ownership of the object to another user. An object can have only one Owner at a time, so it cannot be owned by a user group. Once the Owner changes the ownership of the object, the previous Owner's permissions to the object are defined by any other assigned responsibility that the user has for the object.
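
The rules in the two sections above can be checked against a small model. This is an added example, not code from any app described on this page: only the Owner responsibility comes from the text, while the Contributor and Reader responsibilities, the permission names, and the rule that removing a responsibility needs the share permission are assumptions made for illustration.

```python
# Added illustration: "Owner" comes from the page; "Contributor", "Reader" and
# the permission names are hypothetical and defined by this sketch only.
RESPONSIBILITIES = {
    "Owner": {"view", "edit", "share"},
    "Contributor": {"view", "edit", "share"},
    "Reader": {"view"},
}


class DirectAccessObject:
    def __init__(self, creator):
        self.owner = creator   # exactly one Owner, always a single user
        self.assigned = {}     # user -> one non-Owner responsibility

    def permissions(self, user):
        """Union of the Owner responsibility (if held) and any assigned one."""
        perms = set(RESPONSIBILITIES["Owner"]) if user == self.owner else set()
        return perms | RESPONSIBILITIES.get(self.assigned.get(user), set())

    def _require_share(self, actor):
        if "share" not in self.permissions(actor):
            raise PermissionError(f"{actor} may not share this object")

    def share(self, actor, user, responsibility):
        """Assign or change a responsibility; Owner moves only by transfer."""
        if responsibility == "Owner" or responsibility not in RESPONSIBILITIES:
            raise ValueError("not an assignable responsibility")
        self._require_share(actor)
        self.assigned[user] = responsibility

    def revoke(self, actor, user):
        # Assumption: removing a responsibility needs the same permission as sharing.
        self._require_share(actor)
        self.assigned.pop(user, None)

    def transfer_ownership(self, actor, new_owner):
        if actor != self.owner:
            raise PermissionError("only the Owner can assign ownership")
        self.owner = new_owner  # previous Owner keeps only what is in self.assigned


if __name__ == "__main__":
    obj = DirectAccessObject("alice")
    print(obj.permissions("bob"))    # nothing until the object is shared
    obj.share("alice", "bob", "Reader")
    obj.transfer_ownership("alice", "carol")
    print(obj.permissions("alice"))  # no other responsibility was assigned
```

When reviewing access to a direct access object, the model shows why the previous Owner should be checked after a transfer: any responsibility assigned before the transfer still applies.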

Differences between Direct Access and Baseline Behavior Access to Content

In apps that use baseline behavior, the ability to view and work with an object is implicitly defined through a combination of:

  • The user's collaborative space and organization membership (that is, whether the user is a member of the containers that own the content)
  • The object’s maturity state
  • The object's content category
  • Possibly, permissions inherited from a parent object in a structure

In direct access apps, the ability to view and work with an object is determined only by a user's assigned responsibility. A responsibility is directly assigned by either the content's Owner or by any other users who are granted a responsibility that allows them to do so. Some direct access apps choose to further limit the ability to use certain commands on an object based on its maturity state. This limitation is defined by the app, instead of being defined by baseline behavior.

Important: The Owner responsibility in direct access apps is distinct from the Owner responsibility in baseline behavior apps. Any behavior that is enabled by the Owner responsibility in baseline behavior apps does not apply to the Owner responsibility in direct access apps, and vice versa. This is also true for any other responsibility in any direct access app that happens to have the same name as a baseline behavior responsibility.

Accessing Associated or Attached Objects

In direct access apps, if you attach other content to an object that you own, access to that content is controlled by the permissions from the app that created the content.

For example, if you attach a document to a portfolio version (which is created in Portfolio Definition—a direct access app), the ability to view and work with the portfolio is controlled by the user's responsibility assigned in Portfolio Definition. The ability to view and work with the attached document is controlled by the user’s credentials, responsibility, and the document’s maturity state, because it was created in Document Management—which is a baseline behavior app.

Every app that uses direct access defines its own responsibilities. Access to content created in a direct access app is always controlled by that app's responsibilities, even if that object is associated with or attached to content from a different app.