Vault 2021 – Download Permissions

Written by Fadi Matti on June 20, 2020. Posted in Knowledge Base.

One of my favourite features of Vault 2021 is the new Download permission – allowing administrators to differentiate those users/groups who can view a file, and those that can download a file.

Previous versions of Vault allowed you to define the Access Control List (ACL) along three main permissions: Read, Modify, and Delete. As soon as a user had the capability to Read the file, they could also download it, which in some situations, presented security risks. Take for example a DWG file which you would need to give company-wide access to. General users would run a search according to specific parameters, and the DWG would appear as one of the search results. As soon as the user sees the DWG, they could then download it to their local workspace (via the Vault thick client). That effectively produces what can end up as an uncontrolled DWG file.

In Vault 2021, there is an additional permission called Download – which means you can now allow users to see the DWG, but not actually download it to the local drive. This can be applied both to state-based and object-based ACL’s.

Note though that certain Vault operations actually need to download the file to the local drive. The table below shows which Vault operations need to have the file downloaded locally to work properly.

What about the Preview function of Vault? When you look at a preview of a file via the Preview tab, it actually downloads the DWF visualisation file attached to that file you are previewing. In cases like this, you would set different ACL’s for the actual file and the DWF visualisation file. So in the example of DWG’s, you could set Download permission for the DWG file to Deny (via Lifecycle State security), and the Download permission for the DWF file to Allow. The out-of-the-box behaviour of Vault is not to apply a Lifecycle State to DWF visualisation files anyway, so you likely don’t need to worry about this. However, be careful when applying the Download=Deny ACL at the Object-level (for example: folder security) – because you can then potentially Deny downloading of the DWF visualisation files inside that folder, thereby breaking the Preview functionality.

If you’re upgrading from a previous version of Vault to 2021, the Download permission in the ACL will automatically be set to Allow for those users/groups that have Read = Allow. If however you’re restoring a previous version backup (e.g. 2019, 2020) of Vault to the 2021 ADMS, these Download ACL’s will be blank, so you’ll need to set this manually once the restore is complete.