Free Trial

Chapter 2 - Users & Groups

2A. Permissions Model

Permissions Model - Introduction

Aproove relies on many moving parts. The main object is a project and is composed of many sub-entities. The diagram below illustrates the overall complexity of a project's content. Not all the parts of this diagram may be relevant in some use cases, but all of them can be combined if required. This gives incredible flexibility in the project configuration depending on the expected project behavior.

This chapter of the administration guide will detail the Permissions model including options and recommendations on ways to configure it for your instance.

Permissions Model - Types & Concepts

Aproove has a very flexible and powerful permissions model. There are 3 levels of permissions:

  • System-level
  • Project-level
  • Task-level

Permissions are granted to users or guests. Users with a login require a seat license, while guests do not and access the system via invitation only.

System-level permissions

This level of permission governs the actions that a user can take outside of the boundaries of a project. Only users that can log in to the system have system-level permissions. Guests do not have system-level permissions.

System-Level Permissions

Examples of system-level permissions include:

  • Dashboard menu access: permissions to see the My Projects dashboard, use the To-Do list dashboard, or see the Home dashboard
  • Task To-Do List Admin: permission to administer tasks for all users/projects on the system.
  • Project Tree Node Management: Permission to change the structure of the project tree.

Each user has a single set of system-level permissions.

System-level permissions

These permissions specify what users can do within a project when going through the project dashboard. Each project has its own set of permissions for each user. A specific user can have a different set of permissions for each project. If a user doesn't have any permission on a project, that project will be inaccessible to that user and it won't appear in the list of projects. 

In the diagram below, User A has different permissions on Project A and B; and User B only has permissions on Project B.Project-Level Permissions

Examples of project-level permissions include:

  • Note: permission to add a note to a proof outside of a task
  • File Upload: permission to add more files to a project
  • Delete project: permission to delete a project
  • Task To-Do List Manager: permission to administer tasks for all users in that project.

Task-level Permissions

These permissions set the rights that users and guests have when performing a task from their to-do list or from an email invitation. These tasks are usually sent via a workflow step, but can also be manually sent to users via the "Instant Share" or @mention functionality.

In the diagram below, note how User B has permissions on a task in Project A even though that user doesn't have any project-level permissions on that project. Also, note that guests can also have task-level permissions. Tasks are the only way that guests can access Aproove, so those are the only set of permissions that matter for guests.

Task-Level Permissions

Examples of task-level permissions include:

  • Note tag: permission to add a tag to a note
  • Send task: permission to use the @mention functionality to invite other users and guests to a proof
  • Proof approval: allows approving or ejection of a proof
Permission Context

It's important to note that some permissions exist at more than one level. For example, the ability to reassign tasks from one user to another can be set for an individual project (Task To-Do List Manager at the project level) or for every project in the system (Task To-Do List Admin at the system level). It's important to remember the scope of each of the permission levels.


In Aproove, a "role" is simply a predefined set of permissions that can be used as a template when assigning permissions. The role itself does not provide access to a user or a guest but allows the administrator to quickly assign a set of permissions when configuring the Aproove system.

An example of a role is the default "PMA" role, which consists of the following permissions:

  • Approval permissions: Note approval, proofs approval, project approval, lock proof, lock project
  • Feature permissions: Note, download project, LR JPEG download, Colour layer tools, file upload, drive, send task, send task to everyone
  • Management permissions: Project advanced params, view tasks sent from all users, resolve note, delete proof, delete proof revision, delete project, view PRF, edit PRF, export project history, project tags, project archive, project proofs menu

Roles can also be used for assigning metadata and Tags, but that is beyond the scope of the permissions model

Assignment of Permissions

Assignment of permissions is done via various entities within Aproove, depending on the permission context. This flexibility allows administrators to set up workflows that provide just the right set of permissions to the right users at the right time. 


In Aproove, there are 3 types of groups:

  • Global
  • Schema
  • Contact

Global groups are used to grant permissions. Schema groups allow administrators to organize users within a schema but don't come into play when setting permissions on projects. Contact groups are used to send tasks and don't grant any permission themselves.

Assignment of System-level Permissions

Only users can be granted rights at the system level. Most of these system-level permissions are granted via Global Groups. Certain system-level permissions are also granted directly to users, one by one in their individual settings. A user can be a member of many Global Groups and their resulting system-level rights come from the amalgamation of the rights granted by each of the groups the user is a member of along with the permissions directly assigned to the user. 

In the diagram below, User A is a member of Global Group 1 and Global Group 2. That user receives the system-level permissions associated with both of those global groups. User B receives the system-level permissions assigned to Global Group 2 as well as the system-level permissions set directly on the user. 
Assignment System-Level Permissions

Assignment of Project-level Permissions

Only users can be granted rights at the project level and each project has its own set of permissions. This means that users can potentially have different permissions on each project and that they might not even be able to see some projects. 

Projects can either store their permissions within their own settings, or use a shared set of permissions called a "Schema". The project type configuration determines where a project will get its set of permissions when it is instantiated. 

Built-in Permissions

If a project is set to use built-in permissions, these need to be defined in a project configuration. Once the project is launched, changes to the project configuration will not affect the permissions of that project since a project will make a copy of the permissions when launching. 
Built-in Permissions

Schema Permissions

A project can also use a shared set of permissions, called a schema, instead of storing the permissions locally. Within a schema, the permissions are assigned to individual users, so each user can have a different set of permissions within that schema, which allows projects that use that schema to have different permissions for each user. 
Schema Permissions

Schema Permissions via Global Groups

Using schemas can save administrators a lot of time saving them from manually adding new users to every project. But in large systems, with several schemas, adding a user to the system could require an administrator to manually add that user to several schemas and to specify the permissions of that user in each of those schemas. 

An alternative is to use global groups to assign users to schemas. When you configure a global group, you can specify that each user that is part of that global group should be added to a schema using a pre-defined set of permissions. The set of permissions, in this case, would be a role. Each global group can add users to one or many schemas. 
Schema Permissions Global Groups

Assignment of Task-Level Permissions

Tasks are sent out automatically by the workflow engine when a project moves from one step to another. Each step can contain one or many tasks, each having its own set of permissions. These are set up when building the workflows. Users and guests aren't given task-level permissions directly but are instead assigned to perform a task, which comes with its set of permissions.

Tasks can be assigned to users, guests, or contact groups. Contact groups can contain users or guests. 
Assignment Task-Level PermissionsSingle Sign-On (SSO) and Permissions

When using SSO, the group membership information can be passed from the authenticating system (like Active Directory or LDAP) to Aproove, which will then automatically look up the names of the groups from the SSO provider and add the user to the global groups and contact groups in Aproove with the same name. This approach allows administrators to grant system-level and project-level permissions, as well as add users to contact groups that assign tasks, by adding users to the correct groups in the authenticating system. Once Aproove is configured with this approach, new users can be granted all the access and tasks that are needed without having to do anything in Aproove.

Permissions Model - Rights Matrix

Rights are features made available to users. They are assigned within a user's account settings (User role rights). When the user is added to a schema or project configuration, those rights carry over. If a role is updated after it is assigned to a user, it will not update that user. The same applies to schemas and project configurations; if a role is updated after the user is added to them.

User Rights

The User Rights listed below are available when adding a new user or modifying an existing one. These same rights are also available when configuring Roles, Schemas, and Task permissions.

User Role Rights

Right Description
Note approval Notes added to previous versions can be approved
Proofs approval Ability to approve Proofs
Shared proofs approval Ability to partially approve Proofs (not yet implemented)
Project approval Ability to approve Projects
Shared project approval Ability to partially approve Projects (not yet implemented)
Lock proof Ability to lock Proofs
Lock project Ability to lock Projects
Note Notes can be added to a Proof
Download project Original Project files can be downloaded
LR JPEG download Low-resolution Project files can be downloaded
Print proof Ability to print a proof
Color layer tools Enables the color layer tools feature (Project must also be configured to generate color layers)
Chat Enables the chat feature (Deprecated)
File upload Files can be uploaded to the Project folder
Drive Enables access to the Project drive
Send task Ad-hoc Tasks can be sent out to project members
Send task to everyone (external) Ad-hoc Tasks can be sent to anyone, even contacts not currently defined in the system
LDAP users Ad-hoc Tasks can only be sent to users within an LDAP group
All LDAP Ad-hoc Tasks can only be sent to users within the company LDAP
Check before notifying Deprecated
Project advanced parameters Grants access to the project dashboard
View tasks sent from all users User can see and manage all invitations for the Project
Resolve note Ability to resolve notes
Delete proof Ability to delete proofs
Delete proof revision Ability to delete proof revisions
Delete project Ability to delete a project
View PRF (read only) The user can access the workflow tab of the project dashboard in read-only mode
Edit PRF The user can access the workflow tab of the project dashboard and change the current step as well as invitations sent out by the system
Time tracking manager Time tracking information entered by users can be viewed and edited
Time tracking user Allows the user to input data into the Time Tracking form
Task todo list manager Ability to see the Tasks for all Users in the project
Task todo list user Tasks can be viewed in the To Do list
Export project history Project history can be exported in a report
Project tags Project Tags can be added (Note: Tags need to also be defined under the Team a user is a member of)
Project archive Ability to archive Projects
Project proofs menu Enables access to the Proofs tab in the project dashboard
Allow tag Tags can be added to proofs and notes (Note: Tags need to also be defined under the Team a user is a member of)
Tag mandatory Tags are required to be added to Notes that are created on a Proof by this user
Allow multiple tags The user can add multiple tags to the same note
Tag form view Ability to view forms associated with tags
Tag form edit Ability to edit data in forms associated with tags
Redraw my note Ability for a User to redraw their own notes (If comments have not been added to the Note)
Redraw all note Ability for a User to redraw another User's Notes (If comments have not been added to the Note)



Account management Enables the account password to be reset
Use project creation wizard The Project creation wizard is shown when creating a new Project
Discard tasks on completion When a task is completed, it will be automatically discarded and moved to the Late task category
ICS task Includes a calendar invite attachment in the task email notification
Advanced project filter

Turning this setting on will make Advanced Filters visible in the user's dashboard interface


Global Project Settings

Production view Enables Flat Plan View
Versions display Displays previous proof versions
Comparison view Enables comparison tool for comparing proofs and versions
LR PDF download Low-resolution project files can be downloaded
Team time tracking admin Time tracking information entered by users can be viewed and edited
Team time tracking user Allows User to input data into the Time Tracking form
Task todo list admin Ability to see the Tasks for all Users in the Projects that the User is a member of




Lorem ipsum dolor sit amet, consectetur adipiscing elit. Duis ac lorem vel lectus finibus placerat. Vivamus nec elementum orci, a sagittis libero. Fusce egestas augue ante, eu luctus magna convallis eu. Donec eget nibh ut orci lobortis imperdiet. Donec pellentesque quam a nulla eleifend tempus. Quisque facilisis iaculis nibh in elementum. Mauris porta cursus ante in dictum.

Orci varius natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. Quisque dolor magna, fringilla congue tempor eget, tempus ut ipsum. Maecenas feugiat erat at velit tempor commodo. Donec iaculis pharetra ligula eu pellentesque. Suspendisse venenatis nulla leo, eu porttitor leo aliquet eu. Praesent luctus mi a imperdiet egestas. Phasellus bibendum tincidunt ultricies. Sed vestibulum eros turpis, ac venenatis orci lacinia ac. Aliquam semper scelerisque libero, nec lobortis mi tristique quis. Quisque eget blandit purus.

Praesent ultricies felis ac molestie dignissim. Sed eu ornare ante, id pellentesque lectus. Nullam dapibus dapibus nisl, et volutpat justo mattis vitae. Sed placerat laoreet nisi. Proin mollis lorem felis, sed consequat felis cursus eget. Proin aliquam augue porta diam dictum, a porta ipsum consectetur. Sed eget cursus erat. Phasellus id imperdiet tortor, eget semper purus. Donec sagittis elit in rutrum eleifend. Etiam laoreet, dui eleifend fringilla cursus, magna eros dignissim dui, in lacinia arcu erat nec enim. Donec in est id eros imperdiet dictum nec in sapien. Fusce pretium ligula magna, sed pulvinar tellus dignissim in.

Maecenas sodales interdum augue eu convallis. Maecenas molestie auctor velit. Ut id venenatis lacus, eget vestibulum magna. Fusce in sollicitudin nisi. Ut placerat sapien non quam facilisis, ac aliquam felis pharetra. Donec sapien dui, interdum rutrum risus sit amet, pellentesque euismod augue. Ut fermentum erat nibh, nec suscipit lorem dapibus ut. Sed nec volutpat ligula.

In magna ligula, convallis id consectetur in, rutrum vel sapien. Aliquam id fermentum nibh. Cras dictum sapien sit amet molestie suscipit. Vestibulum vitae leo ac mi placerat vestibulum. Donec posuere, est in fermentum ultricies, est purus varius lacus, euismod convallis ex mauris eget lectus. Proin eget nunc vitae urna auctor euismod. Morbi sed ex vel ligula tempor vestibulum. Maecenas bibendum varius augue a rutrum. Pellentesque id felis ut felis rutrum viverra. Etiam bibendum suscipit dictum. Sed leo lacus, porta aliquet quam in, mattis feugiat arcu.