Skip to main content

The access model

Access in Nobly Insight is controlled in layers, each answering a different question. Together they decide who can run the platform, who can work with which documents, and who can see individual sensitive records.
LayerAnswersWhere it’s configured
Application permissionsWhich admin and configuration capabilities can this user use? — managing document types, keywords, permissions, retention, and so on.Admin settings → Access → Permissions — covered in this section.
Document access rightsWhat can this user do with documents of a given type? — view, create, modify, delete, print, mail.Admin settings → Documents → Access rights — see Document access rights.
Security keywordsCan this user see this particular record? — record-level access driven by a keyword value.Part of keyword configuration and governance.
A quick rule of thumb: application permissions are for administrators configuring the system; document access rights are for everyday users doing their work; security keywords narrow access to individual records on top of both.
This section focuses on the first layer — application permissions. Document access rights are documented with the document types they apply to, and security keywords are part of the wider governance model described in Administration & governance.

Permissions are granted to user groups

Application permissions are always granted to user groups, never to individuals directly. A user’s effective permissions are the combination of everything granted to every group they belong to. To give one person a capability, add them to a group that has it — or grant the capability to a group they’re already in. This keeps access manageable: you reason about a handful of groups instead of every individual user, and membership changes take effect immediately.

Permission tiers

Most permission areas come in tiers that build on each other:
TierGrants
ViewRead-only access to the area — see the configuration without changing it.
ManageCreate and update within the area. Includes everything View grants.
AdminFull control of the area, including deleting. Includes everything Manage and View grant.
Because the tiers are cumulative, you grant one tier per group for an area — granting Manage automatically gives that group View, and Admin gives both. Deleting is deliberately reserved for the Admin tier, so a group can be allowed to create and edit configuration without being able to delete it.

Application permissions

The full catalogue of permissions, grouped by area, and exactly what each tier grants.

Managing permissions

Grant and revoke permissions for user groups on the Permissions screen.