Understanding Access Control and Permissions

Access control overview

Access control in Klarify ensures that team members can access the information they need for their work while protecting sensitive processes and maintaining organizational security. The system uses a layered approach combining organizational structure, user roles, and content-specific permissions.

Security principles in Klarify

Principle of least privilege: Users receive the minimum access necessary to perform their job functions effectively. This reduces security risks while ensuring productivity isn’t hindered by overly restrictive permissions.

Role-based access control: Permissions are assigned based on organizational roles rather than individual users, making it easier to manage access consistently across teams and ensuring similar roles have similar capabilities.

Content-level granularity: Access can be controlled at the individual document level, allowing for fine-grained security around sensitive processes while maintaining open collaboration for routine content.

Audit and accountability: All access and permission changes are logged, creating clear audit trails for security reviews and compliance requirements.

Role-based vs. attribute-based access

Role-based access control (RBAC):

  • Permissions tied to positions - Marketing Manager, Sales Representative, etc.
  • Consistent access patterns - All users in similar roles get similar permissions
  • Easier administration - Manage permissions for roles rather than individuals
  • Predictable access - Users understand what they can access based on their role

Attribute-based considerations:

  • Department membership affects access to department-specific content
  • Team assignments provide access to team projects and collaborative content
  • Project participation grants temporary access to project-related materials
  • Security clearance levels for organizations with formal security requirements

User roles and capabilities

Understanding Klarify’s three-tier permission model

Klarify uses a comprehensive three-tier permission system that separates different types of access and responsibilities:

1. Member Types (How users join the organization)

  • Employee Member: Internal staff members assigned to employee records, can be assigned to positions, teams, and departments
  • Guest Member: External users with limited access to specifically shared documents, cannot be assigned to organizational structure
  • Partner Member: External partners with controlled access managed from Partners settings, cannot be assigned to positions or teams

2. Content Roles (What users can do with content)

  • Content Viewer: Can view published content with permission, basic access level
  • Content Editor: Can create and edit content with permission requirements
  • Content Manager: Full content management capabilities without permission restrictions

3. Admin Roles (Organizational and system permissions)

  • Account Owner: Full control over organization, billing, and all settings
  • Super Admin: Inherits organizational and administrative management, excludes billing
  • Account Manager: Manages organization settings, members, integrations, and API keys
  • Org Admin: Manages employees, positions, teams, locations, and departments
  • Personal Admin: Manages personal account settings and profile

Permission Interaction

  • Member type determines how a user joins and their basic organizational relationship
  • Content role controls what they can do with process models and global tasks
  • Admin role (if assigned) provides additional organizational management capabilities
  • Roles are cumulative - users can have multiple roles that work together

Built-in roles (Content Viewer, Content Editor, Content Manager)

Content Viewer: The most basic access level for organization members who need to reference processes but don’t create or modify content:

  • Read access to published processes and documentation with permission
  • Comment capability for feedback and questions
  • Search and discovery across accessible content
  • Notification subscriptions for content updates
  • Basic reporting on personal activity and usage

Content Editor: Mid-level access for team members who need to create and edit content with permission:

  • All Content Viewer capabilities plus content creation and modification
  • Process creation and editing with permission requirements
  • Publishing capability when explicitly granted permission
  • Version management for content they’re assigned to edit
  • Collaboration on shared documents and processes

Content Manager: Full content management access for process owners and content administrators:

  • All Content Editor capabilities plus unrestricted content access
  • Edit any content including published and draft process models
  • Publishing authority without approval requirements
  • Content administration including archiving and restoration
  • Full version control and content lifecycle management

Custom role creation

When to create custom roles:

  • Specialized functions that don’t fit standard role patterns
  • Temporary assignments like project managers or interim positions
  • External collaborators who need limited but specific access
  • Compliance roles with unique audit or oversight requirements

Custom role definition process:

  1. Identify unique requirements that existing roles don’t address
  2. Define specific capabilities needed for the custom role
  3. Set access boundaries to maintain security principles
  4. Test role functionality with representative users
  5. Document role purpose for future reference and consistency

Custom role examples:

Compliance Officer role:

  • Read-only access to all organizational content
  • Audit trail access to track content changes and user activity
  • Reporting capabilities for compliance documentation
  • Alert configuration for policy violations or unusual activity
  • No content modification to maintain audit independence
  • Based on Content Viewer with enhanced audit permissions

External Consultant role:

  • Guest member type with limited organizational access
  • Content Editor permissions for assigned projects only
  • Comment and suggestion capabilities without broad editing rights
  • Time-limited access that expires automatically
  • Restricted visibility of organizational structure and member information

Process Champion role:

  • Employee member with enhanced Content Manager capabilities
  • Cross-departmental collaboration permissions
  • Template and standard creation authority
  • Training content development permissions
  • Knowledge sharing across organizational boundaries

Role inheritance and hierarchy

Hierarchical permissions: Higher-level roles automatically include all capabilities of lower-level roles:

  • Content Manager includes all Content Editor and Content Viewer capabilities
  • Content Editor includes all Content Viewer capabilities
  • Custom roles can inherit from any base level

Permission escalation:

  • Temporary elevation for specific tasks or emergency situations
  • Approval workflows for permission increases beyond normal role
  • Time-limited access that automatically reverts to base level
  • Audit logging for all permission escalations and temporary changes

Content-level permissions

Document ownership

Content ownership model: Every document has clear ownership that determines who can modify permissions and make major changes:

Primary owner:

  • Full control over document content and sharing settings
  • Permission management for who can access and edit
  • Publication authority for moving drafts to published status
  • Archiving decisions when content becomes obsolete

Shared ownership:

  • Co-owners with equivalent control and responsibility
  • Delegation authority to assign temporary ownership
  • Consensus requirements for major changes or archiving
  • Succession planning for ownership transfer

Sharing and collaboration settings

Document-level sharing options:

Private (Owner Only):

  • Only document owner and designated editors can access
  • Useful for sensitive processes or early-stage development
  • Can be temporarily shared for specific review purposes
  • Maintains strict control over information distribution

Team Sharing:

  • Accessible to all members of specified teams
  • Appropriate for team-specific processes and procedures
  • Automatic access for new team members
  • Team leader can manage sharing settings

Departmental Sharing:

  • Available to all department members with appropriate role level
  • Good for department-wide policies and procedures
  • Respects role-based access controls within sharing scope
  • Department head oversight of content and access

Organization-wide:

  • Visible to all organization members based on their access level
  • Appropriate for company-wide policies and procedures
  • Maximum discoverability through search and browsing
  • Administrative oversight for content quality and consistency

Department and team access

Automatic access assignment:

  • Department membership provides default access to departmental content
  • Team assignment grants access to team-specific processes and projects
  • Role requirements must still be met for modification permissions
  • Security exceptions can override automatic access when needed

Cross-departmental access:

  • Process relevance - Access to processes that affect multiple departments
  • Project participation - Temporary access for cross-functional initiatives
  • Subject matter expertise - Access based on knowledge and skills rather than organizational position
  • Approval workflows - Access needed for review and approval responsibilities

Advanced security features

Single sign-on (SSO) integration

SSO benefits:

  • Unified authentication across organizational systems
  • Reduced password fatigue for users
  • Centralized access control through existing identity management
  • Enhanced security through enterprise authentication systems

Implementation considerations:

  • Identity provider compatibility with major SSO systems (Active Directory, Okta, etc.)
  • User attribute mapping for automatic role assignment
  • Group synchronization for team and department membership
  • Fallback authentication for system maintenance or SSO outages

Multi-factor authentication

MFA requirements:

  • Admin roles always require MFA for security
  • Sensitive content access may require MFA based on content classification
  • Remote access can require MFA for additional security
  • Role-based requirements where certain positions mandate MFA

MFA options:

  • SMS verification for basic additional security
  • Authenticator apps for stronger security without SMS dependence
  • Hardware tokens for highest security environments
  • Biometric authentication where supported by devices and policies

Audit logging and monitoring

Comprehensive activity logging:

  • User access patterns - When and what users access
  • Content modifications - Who changed what and when
  • Permission changes - Role modifications and access grants
  • System administration - Configuration changes and administrative actions

Security monitoring:

  • Unusual access patterns - Access attempts from unusual locations or times
  • Permission escalation - Requests for higher access levels
  • Failed authentication - Repeated login failures or suspicious activity
  • Content export - Downloads or sharing of sensitive information

Audit reporting:

  • Compliance reports for regulatory requirements
  • Security assessments for organizational security reviews
  • User activity summaries for performance and usage analysis
  • Risk assessments based on access patterns and content sensitivity

Permission troubleshooting

Common access issues

User can’t access expected content:

  1. Verify role assignment - Does user have appropriate role level?
  2. Check team membership - Is user assigned to relevant teams?
  3. Review content sharing - Is content shared at appropriate level?
  4. Confirm publication status - Is content published or still in draft?
  5. Check for conflicts - Do any restrictions override expected access?

User has too much access:

  1. Review role assignments - Is user assigned to overly broad role?
  2. Check inherited permissions - Are team or department permissions too broad?
  3. Verify content sharing - Is content shared more widely than intended?
  4. Audit recent changes - Have permissions been recently modified?

Permission conflicts

Resolving conflicting permissions:

  • Most restrictive wins - When permissions conflict, most restrictive takes precedence
  • Explicit permissions override inherited permissions
  • Owner permissions always take precedence over sharing permissions
  • Admin role override available for resolving complex conflicts
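The precedence rules above, combined with the role hierarchy described earlier, can be modelled as a single resolution function. This is an added example, not Klarify's own code or API: the `Level`, `User` and `Document` types, the evaluation order and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Level(IntEnum):
    NONE = 0
    VIEW = 1    # Content Viewer
    EDIT = 2    # Content Editor, includes VIEW
    MANAGE = 3  # Content Manager, includes EDIT and VIEW

@dataclass
class User:
    name: str
    role: Level
    teams: frozenset = frozenset()

@dataclass
class Document:
    owners: frozenset
    explicit: dict = field(default_factory=dict)     # user name -> Levels set directly on the document
    team_shares: dict = field(default_factory=dict)  # team name -> Level granted by sharing

def effective_level(user: User, doc: Document):
    """Return (Level, reason) for one user on one document."""
    # Owner permissions take precedence over sharing permissions.
    if user.name in doc.owners:
        return Level.MANAGE, "owner"
    # Explicit entries override inherited ones; conflicting entries resolve to the most restrictive.
    if doc.explicit.get(user.name):
        return min(doc.explicit[user.name]), "explicit"
    # Assumption: Content Manager's unrestricted access applies when no explicit entry exists.
    if user.role is Level.MANAGE:
        return Level.MANAGE, "content-manager"
    inherited = [lvl for team, lvl in doc.team_shares.items() if team in user.teams]
    if not inherited:
        return Level.NONE, "no-grant"
    # Most restrictive inherited grant wins, and the user's role must still permit it.
    return min(min(inherited), user.role), "inherited"

# Constructed sample data.
DOC = Document(owners=frozenset({"alice"}),
               explicit={"dave": [Level.NONE], "erin": [Level.EDIT, Level.VIEW]},
               team_shares={"sales": Level.EDIT, "ops": Level.VIEW})
USERS = [User("alice", Level.VIEW), User("bob", Level.EDIT, frozenset({"sales", "ops"})),
         User("carol", Level.VIEW, frozenset({"sales"})), User("dave", Level.EDIT, frozenset({"sales"})),
         User("erin", Level.VIEW), User("frank", Level.EDIT), User("gina", Level.MANAGE)]

if __name__ == "__main__":
    for u in USERS:
        level, reason = effective_level(u, DOC)
        print(f"{u.name:6} {level.name:7} via {reason}")
```

Returning the reason alongside the level makes the function usable for the troubleshooting steps as well: it shows which rule produced the access a user actually has.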

Prevention strategies:

  • Clear role definitions with non-overlapping responsibilities
  • Regular access reviews to catch growing permission complexity
  • Documentation standards for why specific permissions were granted
  • Training for admin role users on permission interaction principles

Escalation procedures

When users need additional access:

  1. Self-service requests through user interface for routine access needs
  2. Manager approval for access related to job responsibilities
  3. Admin role review for access outside normal role parameters
  4. Security review for access to sensitive or restricted content

Emergency access procedures:

  • Temporary elevation for urgent business needs
  • Emergency contacts for after-hours access issues
  • Approval documentation for emergency access grants
  • Automatic reversion to normal access levels after specified time

Security best practices

Regular access reviews

Review schedule and process:

  • Quarterly user reviews - Verify users have appropriate access for current roles
  • Annual comprehensive audit - Review all permissions and role assignments
  • Event-triggered reviews - When users change roles or responsibilities
  • System migration reviews - Verify permissions after system changes

Review checklist:

  • Users have minimum necessary access for their current role
  • No orphaned accounts with access but no active user
  • Role assignments match current organizational structure
  • Content sharing settings are appropriate for content sensitivity
  • Admin role access is limited to appropriate personnel
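The checklist can be run as a repeatable script over a member export. This is an added example, not a Klarify feature or export format: the field names, the per-position `BASELINE` table and the sample records are constructed for illustration, and the MFA check verifies the "admin roles always require MFA" rule stated earlier on this page.

```python
from datetime import date

RANK = {"Content Viewer": 1, "Content Editor": 2, "Content Manager": 3}

# Assumption: the highest content role each position should hold, maintained by the reviewer.
BASELINE = {"Sales Representative": "Content Viewer", "Marketing Manager": "Content Editor"}

def member(user, member_type, position, content_role, admin_role=None,
           mfa=False, active=True, expires=None):
    """Build one record of the (hypothetical) member export."""
    return dict(user=user, member_type=member_type, position=position,
                content_role=content_role, admin_role=admin_role,
                mfa=mfa, active=active, expires=expires)

# Constructed sample export.
MEMBERS = [
    member("amir", "Employee", "Marketing Manager", "Content Editor", "Org Admin", mfa=True),
    member("bea", "Employee", "Sales Representative", "Content Manager"),
    member("chen", "Employee", "Marketing Manager", "Content Editor", active=False),
    member("dana", "Employee", None, "Content Viewer", "Account Manager", mfa=False),
    member("eli", "Guest", None, "Content Editor", expires=date(2024, 1, 31)),
]

def review(members, today):
    """Return (user, finding) pairs for every checklist item a record fails."""
    findings = []
    for m in members:
        # Orphaned account: no active user, but roles are still attached.
        if not m["active"] and (m["content_role"] or m["admin_role"]):
            findings.append((m["user"], "orphaned-account"))
        # Admin access must be backed by MFA.
        if m["admin_role"] and not m["mfa"]:
            findings.append((m["user"], "admin-without-mfa"))
        # Time-limited access that should already have reverted.
        if m["expires"] and m["expires"] < today:
            findings.append((m["user"], "expired-time-limited-access"))
        # Content role above the baseline for the member's position.
        base = BASELINE.get(m["position"])
        if base and RANK.get(m["content_role"], 0) > RANK[base]:
            findings.append((m["user"], "exceeds-role-baseline"))
    return findings

if __name__ == "__main__":
    for user, finding in review(MEMBERS, date(2024, 3, 1)):
        print(f"{user}: {finding}")
```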

Principle of least privilege

Implementation strategies:

  • Start restrictive and add access as needed rather than starting broad
  • Time-limited access for temporary needs like projects or training
  • Regular re-verification that access is still needed for current responsibilities
  • Clear documentation of why specific access was granted

Balancing security and productivity:

  • User feedback on access barriers that hinder work effectiveness
  • Business impact assessment of restrictive permissions
  • Alternative solutions like approval workflows for occasional access needs
  • Training and communication to help users understand security measures

Compliance considerations

Regulatory requirements:

  • Data protection requirements for personal or sensitive information
  • Industry standards like SOX, HIPAA, or ISO compliance
  • International regulations like GDPR for organizations with global presence
  • Audit documentation requirements for demonstrating compliance

Documentation requirements:

  • Access justification - Why specific users need specific access
  • Change documentation - Records of all permission modifications
  • Review evidence - Documentation of regular access reviews
  • Incident response - Records of security incidents and responses