Like the title, how do you manage user permissions inside your vault?
I have inherited a mess and I am cleaning it up little by little.
First thing was to basically delete all administrative permissions that were just given randomly to the whole vault and likely nobody knew it.
Then I explicitly set the vault root folder permissions for every user group.
And that is a problem as we have too many user groups: one for engineers, a couple to manage columns, another couple to add special permissions to some managers, a group for browsing with eDrawings, a couple for administrators, etc.
Too many and too confusing!
My understanding is that if a member of multiple groups has one of those groups with a loose permission on some subfolder, it supersedes the most stringent permissions.
If my understanding is correct, I think it would be better to explicitly set the most stringent permissions on folders within all groups, or not set folder permissions at all for groups that are meant to manage columns, BOMs or other “additions” to main groups.
For states and transitions I had to comb them a couple of times, and I caught one scary thing that gave delete permissions after a file was approved once: you had to put it under revision once to be able to delete it, which is a big NO for me.
Most of our groups are either a “Department” or “Role”. Some of the groups have multiple levels that increase permission levels, so I do layer them.
Simple example of the engineering folder where models and drawings are stored:
R&D - Read, Checkout (general documents) [All engineers are added here]
R&D, Mech Engineering - Add checkout to SolidWorks models and drawings.
R&D, Elec Engineering - Add checkout for electrical owned documents.
R&D, Manager - Has approval transition
Obviously it's more complex, as there are other things like search card, column, template access. But generally I try not to repeat permissions; each level adds.
Once a file has entered a state that takes away “Delete” rights, moving back to a state that has Delete will not work unless you checked “Ignore permissions in previous states”.
I inherited the whole thing in a “sub optimal” setup and am trying to figure out how to fix it without making it implode.
If I understand your user setup correctly, you have one basic user with all the restrictions in place and build over it, adding only the strictly necessary settings.
As for transitions, we have multiple (highly flawed) workflows with the ignore previous state flagged almost everywhere afaik. So to work around that I have explicitly disabled the delete permission for all states after the first approval.
I am still trying to figure out how to sort it properly.
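
An added example, not part of the thread and not SOLIDWORKS PDM code: a small model of the additive behaviour described in the first post (a user's effective folder permissions are the union of what each of their groups grants), used to flag add-on groups that widen access beyond the main groups. The "Column Managers" group, the user names, folder paths, permission names and the nearest-ancestor inheritance rule are assumptions made for illustration.

```python
# Constructed sample data: names, paths and permission labels are illustrative only.
GROUP_FOLDER_PERMS = {
    "R&D": {"/Engineering": {"read", "checkout"}},
    "R&D, Mech Engineering": {"/Engineering/Models": {"read", "checkout"}},
    "R&D, Manager": {"/Engineering": {"read"}},
    "Column Managers": {"/Engineering/Models": {"read", "delete"}},  # stray grant
}
ADDON_GROUPS = {"Column Managers"}  # groups meant to carry no folder permissions
MEMBERSHIP = {
    "alice": ["R&D", "R&D, Mech Engineering"],
    "bob": ["R&D", "Column Managers"],
}

def folder_grants(group, folder):
    """Group's permissions on folder, taken from the nearest ancestor
    with an explicit entry (assumed inheritance rule)."""
    perms = GROUP_FOLDER_PERMS.get(group, {})
    path = folder
    while path:
        if path in perms:
            return perms[path]
        path = path.rsplit("/", 1)[0]  # step up one folder level
    return set()

def effective(user, folder, skip=frozenset()):
    """Union of grants over the user's groups: the loosest grant wins."""
    result = set()
    for group in MEMBERSHIP[user]:
        if group not in skip:
            result |= folder_grants(group, folder)
    return result

def addon_escalations(folders):
    """List (user, folder, extra permissions) where add-on groups widen
    what the user's main groups already grant."""
    findings = []
    for user in sorted(MEMBERSHIP):
        for folder in folders:
            with_addons = effective(user, folder)
            main_only = effective(user, folder, skip=ADDON_GROUPS)
            extra = with_addons - main_only
            if extra:
                findings.append((user, folder, sorted(extra)))
    return findings

if __name__ == "__main__":
    for finding in addon_escalations(["/Engineering", "/Engineering/Models"]):
        print(finding)
```

Fed with the group and folder permissions recorded from a real vault, the same comparison shows which add-on groups need their folder permissions cleared before memberships are reshuffled.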