Paperless workflow with employees: configure permissions

Configure permissions for employees in Paperless-ngx intelligently. All permissions at a glance! User configuration explained with examples.

Last updated: Apr 6, 2024

6 mins read


In Paperless-ngx, you can create users and groups for your team and configure permissions intelligently. You can define roles and grant access rights based on responsibilities. This is important to prevent data loss or unauthorized changes to the system. Paperless allows fine-tuning to your requirements.

In this article, you will learn about possible roles and examples. You will also get an overview of all available permissions in Paperless and how you can control them.

Typical roles

Before you start configuring permissions, you should first assign a role to your team members. The roles presented are typical in small and medium-sized enterprises (SMEs). It is helpful if you define the roles in your company in advance.

The Admin

The admin has full access to all functionalities and settings. They manage users, configure the system, and handle administrative tasks. This job is undertaken by an IT employee or the head of the company, depending on who is responsible for managing the Paperless-ngx instance.

The Manager

The manager has access to most functionalities but does not have full admin rights. They can view, edit, and delete documents. They can also assign documents to other users. Additionally, they can manage workflows and add tags.

However, the manager cannot manipulate system settings. In smaller teams, the admin and manager can be the same person.

The Employee

The employee uploads documents and adds missing details. They cannot delete documents. The editing of documents may be restricted. The employee can search for documents and share them with another team member.

The Viewer

The viewer has read-only rights to selected documents. They cannot upload, edit, or delete documents. This role is suitable, for example, for external persons (e.g., tax advisors, notaries, etc.). They usually need access to documents or information as a reference, but do not need to modify them.

The Auditor

The auditor is only relevant in some cases. For example, they could be an accountant. The role is similar to that of the viewer. For compliance purposes, the auditor can also track access to documents and changes to documents.

All permissions in Paperless-ngx explained

In Paperless, there are two types of permissions: global permissions and object-level permissions.

Global permissions regulate which parts of the app the user has access to (e.g., documents, tags, settings).

Object-level permissions regulate which documents are visible and editable. Each document has an owner, view, and edit permissions. These permissions can be granted to a user or a group.

Global permissions do not change object-level permissions.

Global permissions

In Paperless, the toggle for superuser can be set in the Edit user account dialog. Superusers receive all available permissions and can access all parts of the app (frontend, backend, all documents).

Set the superuser permission for a user in paperless-ngx

Set the superuser permission for the admin

All: Grants all listed permissions (Add, Change, Delete, View). If this is marked, the user has full control over the associated feature or area.

All permissions toggle in paperless-ngx

All permissions toggle

Add: Allows the user to create or upload new items within the category (e.g., adding a new document).

Change: Allows the user to make changes to existing items (e.g., editing the metadata of a document).

Delete: Allows the user to remove items from the system (e.g., deleting a document).

View: Allows the user to see the items but not to edit, add, or delete them.

All global permissions explained in paperless-ngx

Explanation of all global permissions

Click HERE to copy this overview.

Object-level permissions

In Paperless, you can set permissions individually for each document.

All object-level permissions explained

Explanation of all object-level permissions

Click HERE to copy this overview.

Control Paperless permissions through workflows

When a document is uploaded via the web interface, the current user is the default owner of the document. You can change these rules under SettingsPermissions.

When a document lands in the Paperless consume folder (e.g., through a scanner import), the document has no owner or additional permissions by default. This means the document may be visible to all users! You can control this rule through a workflow.

Automatically assign an owner to a document upon processing

Select Workflows in the sidebar and open the dialog by clicking on Add Workflow.

Choose Consumption Started as the trigger and Consume Folder as the source. This means the automation will start as soon as a document is loaded from the consume folder.

Trigger automation on import from consume folder

Trigger automation on import from consume folder

Next, you add an action. For the action type, choose Assignment. Then assign an owner. In our example, we choose the Admin. In your case, it could be the Manager or a specific employee responsible for the imported documents.

If you wish, you can directly grant view or edit permissions to specific users or groups / roles.

Automation to assign owner to imported documents

Assign owner to imported documents

Example user configuration in Paperless

Based on the roles initially presented, we give you an example configuration of the permissions. You are free to adapt these to your requirements.

Admin permissions

The admin gets the Superuser role. With this, he gets all possible permissions. After installing Paperless, a Superuser already exists. This is the user with whom you log in for the very first time.

Manager permissions

The manager gets the following permissions:

  • Add, Change, Delete, View: Document, Correspondent, CustomField, DocumentType, Note, SavedView, Tag
  • View: MailAccount, MailRule, PaperlessTask, ShareLink, Workflow
  • Change, View: UISettings
Setting permissions of the manager role

Setting permissions of the manager role

Employee permissions

The employee gets the following permissions:

  • Add, Change, View: Document, Note, Tag (you can restrict deletion to prevent accidental loss of documents)
  • View: Correspondent, CustomField, DocumentType, SavedView
Setting permissions for the employee role

Setting permissions for the employee role

Viewer permissions

The viewer gets the following permissions:

  • View: Document, Correspondent, CustomField, DocumentType, Note, SavedView, Tag
Setting permissions for the viewer role

Setting permissions for the viewer role

Auditor permissions

The auditor gets the following permissions:

  • View: Document, Correspondent, CustomField, DocumentType, Note, PaperlessTask, SavedView, Tag, MailAccount, MailRule, ShareLink, Workflow
  • Edit: Some editing permissions may be required if they need to add or update annotations or markings related to compliance.
Setting permissions for the auditor role

Setting permissions for the auditor role


We hope this article gave you an overview of the types of permissions available in Paperless-ngx. You can now design access management for your team.

It is important that you adapt the roles based on the requirements of your organization and your security criteria. You might need more roles or define more granular access rights, depending on the complexity of your workflows and the sensitivity of your documents.

Tip: In Paperless-ngx, you could create a group for each role and then only need to assign a user to a group. This automatically gives them the permissions of the group.

Paperless-ngx permissions overview

🛠️ Paperless-ngx IT Support 🛠️

Need help with the installation or configuration of Paperless-ngx? I'm happy to assist! Just send me an email at:

Leave a Comment

Your email address won't be published.