NetDocuments gives you meaningful control over who can see and work with your documents. But to use that control effectively, you need to understand how the security model actually works. This post breaks it down in plain terms.
The Basic Concept: Every Document Has an Access List
Every document in NetDocuments has an Access Control List (ACL) — a list of users and groups, each assigned a specific level of access. That list completely determines who can do what with that document.
By default, a new document inherits the security of the cabinet or workspace it’s filed into. If your firm’s litigation cabinet is open to all litigation staff, a document filed there is visible to all litigation staff. No special configuration required.
When you apply custom security to a document, you replace that inherited access with a specific list you control. Only the people on that list can see the document.
The Five Access Levels
NetDocuments uses five access levels, commonly referred to by the acronym VESA (plus N for No Access).
V — View: The user can open and read the document, view its version history, and see its access list. They cannot edit the document or its profile, nor can they place items into a folder. For external users, View-only access also prevents copying or emailing the document directly from NetDocuments.
E — Edit The user can modify the document’s contents, create or modify versions, edit the document’s profile (including renaming it), add documents to folders, and remove documents from folders. Editing alone does not allow external users to rename folders, create subfolders, or view version history.
S — Share: The user can add other people to the document’s access list, up to and including their own access level. Share rights alone do not allow you to remove existing users from the list or modify their access. Edit and Share together are required to create subfolders and — for external users — to view document history.
A — Administer: The highest individual access level. The user can delete the document or its versions, force a check-in if it’s locked by another user, rename folders, and fully manage the access list — including adding users at any rights level, changing existing users’ rights, and removing users entirely.
N — No Access: An explicit designation that makes the document completely invisible to a specific user or group. This is not simply the absence of rights — it is an active block. A user listed as No Access cannot see the document at all, even if they are a member of a group that would otherwise give them access.
How Rights Work Together
Rights in NetDocuments are cumulative across groups. If you belong to one group that has View and Edit rights to a cabinet, and another group that has View and Share rights to the same cabinet, your effective access is View, Edit, and Share — you don’t lose rights by belonging to multiple groups.
No Access is the one exception to this rule. If your name appears on a document’s access list as No Access — whether directly or through a group — that designation overrides everything else. It doesn’t matter what other groups you belong to or what cabinet-level rights you have. The document becomes invisible to you.
This is called Negative Security, and it’s a precise tool. A common use: grant access to an entire group, then carve out one individual by adding them separately with No Access.
One Important Limitation: Cabinet Administrators
No Access overrides the rights of regular users — but it does not override Cabinet Administrators. Cabinet Administrators have View, Share, and Administer rights to all items in any cabinet they manage, and they cannot be locked out of a document in that cabinet, regardless of how the access list is configured.
In practical terms: if you apply custom security to a document — including setting someone to No Access — your firm’s NetDocuments administrator can still see and access it. Document-level security gives you control over your colleagues and external users, not over the people who administer your system.
What This Means in Practice
Understanding these five levels helps you make sense of what you can and can’t do in NetDocuments:
- If you can open a document but can’t edit it, you have View rights.
- If you can edit but can’t add someone else to the access list, you have Edit but not Share.
- If you can add people to the access list but can’t remove them, you have Share but not Administer.
- If you need to remove someone’s access or change their rights level, you need the Administer permission.
- If a document simply doesn’t appear in a workspace or folder where you’d expect to see it, you may have been explicitly set to No Access.