Document permissions
Not every document should be visible to every employee. The Vault has fine-grained permissions per document, per folder and per category.
Visibility levels
When uploading or editing a document, pick a visibility:
| Level | Who sees it |
|---|---|
| Public | Everyone in the organization |
| Department | Only members of a chosen department |
| Role | Only users with a specific role (e.g. HR) |
| Owner + named | Just the owner plus a named list |
| Private | Only the owner |
Default visibility per category
Set a sensible default per category:
- HR documents → HR role only
- Contracts → Owner + named (the employee's manager + HR)
- Policies → Public
- Vendor contracts → Procurement + Finance roles
Configure this under Admin → Document Categories → [Category] → Default visibility.
Folder-level permissions
Folders pass their permissions down to their contents. If you set a folder to "HR only", every document inside (current and future) is HR-only.
Auditing access
Want to know who has read a sensitive document?
- Open the document.
- Click the Access log tab.
- See every view, with timestamp and user.
Access logging is enabled by default for documents in the Restricted and Confidential categories.
When permissions change
If you change a document's visibility:
- Users who previously had access but are not covered by the new visibility lose it immediately.
- The change is logged in the audit log.
- A notification is sent to people who lost access (configurable).
GDPR considerations
Personal documents (employee IDs, medical certificates) should always be set to Owner + named at minimum. The platform won't enforce this by default — it's your responsibility as the data controller. The activity log helps you audit compliance.
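Because the platform does not enforce this rule, a periodic check over a document inventory can catch personal documents that are visible too widely, including ones widened by a folder-level setting. The sketch below is an added example, not the platform's own code or export format: the record layout, the category names `Employee ID` and `Medical certificate`, and the precedence order (folder, then document, then category default) are assumptions.

```python
# Added example: record layout, category names and precedence are assumptions,
# not the platform's export format or API.
LEVELS = {"Public", "Department", "Role", "Owner + named", "Private"}
ACCEPTABLE_FOR_PERSONAL = {"Owner + named", "Private"}  # "Owner + named at minimum"

# Constructed sample data.
PERSONAL_CATEGORIES = {"Employee ID", "Medical certificate"}
CATEGORY_DEFAULTS = {"Policies": "Public", "Medical certificate": "Owner + named"}
FOLDERS = {"hr-inbox": "Role", "misc": None}  # None = no folder-level setting
DOCUMENTS = [
    {"id": "d1", "category": "Medical certificate", "folder": "hr-inbox", "visibility": "Private"},
    {"id": "d2", "category": "Employee ID", "folder": "misc", "visibility": "Department"},
    {"id": "d3", "category": "Medical certificate", "folder": None, "visibility": None},
    {"id": "d4", "category": "Policies", "folder": "misc", "visibility": None},
    {"id": "d5", "category": "Employee ID", "folder": None, "visibility": None},
]


def effective_visibility(doc, folders, category_defaults):
    """Resolve the visibility that applies to one document and where it came from.

    Assumed precedence: folder setting (applies to everything inside), then the
    document's own setting, then the category default.
    """
    folder_level = folders.get(doc.get("folder"))
    if folder_level:
        return folder_level, "folder"
    if doc.get("visibility"):
        return doc["visibility"], "document"
    return category_defaults.get(doc["category"]), "category default"


def audit_personal_documents(documents, folders, category_defaults):
    """Return (id, level, source) for personal documents that are too widely visible."""
    findings = []
    for doc in documents:
        if doc["category"] not in PERSONAL_CATEGORIES:
            continue
        level, source = effective_visibility(doc, folders, category_defaults)
        if level not in LEVELS:
            findings.append((doc["id"], "unresolved", source))  # fail closed: flag it
        elif level not in ACCEPTABLE_FOR_PERSONAL:
            findings.append((doc["id"], level, source))
    return findings


if __name__ == "__main__":
    for doc_id, level, source in audit_personal_documents(DOCUMENTS, FOLDERS, CATEGORY_DEFAULTS):
        print(f"{doc_id}: {level} (set by {source})")
```

In the sample, `d1` is flagged even though the document itself is Private, because the folder it sits in is set to a Role-level visibility.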