Skip to main content

Understanding Paradigm’s Access Control Architecture

Paradigm’s security model is built on a three-tier hierarchy that controls who can access what content:
This architecture ensures that access control is:
  • Scalable: Manage hundreds of users through group memberships
  • Secure: Clear boundaries between different content scopes
  • Flexible: Fine-grained control from company-wide to private access
  • Auditable: Track who has access to what and when

The Three Core Components

1. Users - Your Identity Layer

Users are individual accounts in Paradigm. Each user:
  • Has a unique email and authentication
  • Belongs to exactly one company
  • Can be assigned multiple roles that define their permissions
  • Automatically gets a Private Group for personal workspace access
Key Concept: Users never directly access documents. Access is always mediated through group membership and workspace associations.
Learn more: User Management →

2. Groups - Your Grouping Layer

Groups are the central mechanism for organizing users and controlling access. There are three types:

Company Group (Automatic)

  • Automatically created for each company
  • All users in the company are automatically members
  • Controls access to company-wide workspaces
  • Cannot be deleted or modified

Custom Groups

  • Manually created by administrators
  • Used for departments, projects, or any grouping you need
  • Members are explicitly assigned
  • Example: “Engineering Group”, “Sales EMEA”, “Project Phoenix”

Private Groups (Automatic)

  • Automatically created for each user
  • Only that user is a member
  • Controls access to that user’s private workspace
  • Cannot be deleted or modified
Critical Understanding: Groups are how you control workspace access. When you add a group to a workspace, all group members get access to that workspace’s documents.
Learn more: Group Management →

3. Workspaces - Your Content Scope Layer

Workspaces are containers that organize documents and control access through group membership. Each workspace:
  • Contains a Collection of documents
  • Has one or more Groups as members
  • Defines the scope of document accessibility
  • Can be linked to external data sources
There are three workspace types that mirror the three group types:
Workspace TypeLinked GroupAccess LevelUse Case
CompanyCompany GroupAll company usersHR policies, general docs
CustomCustom Group(s)Specific group membersProjects, departments
PrivatePrivate GroupIndividual user onlyPersonal notes, drafts
The Key Relationship: Workspace access is determined by group membership. If you’re a member of a group that’s associated with a workspace, you can access that workspace’s documents.
Learn more: Workspace Fundamentals →

How Access Control Works in Practice

Example 1: Department Access

Example 2: Project-Based Access

Example 3: Company-Wide Policy


Permission Model

User Roles Define Actions

User roles control what actions a user can perform:
RoleCreate WorkspacesUpload DocumentsManage MembersView All Docs
Admin✅ All companies✅ All Workspaces✅ All companies✅ All companies
SysAdmin✅ All companies✅ All companies✅ Where member
Account Manager✅ All companies✅ All companies✅ Where member
Company Admin✅ Own company✅ Own company✅ Where member
Document Manager✅ Where member
Standard User

Group Membership Defines Scope

Group membership controls what content a user can access:
Important: All roles can only see documents in workspaces where they’re a member (directly or through groups), unless they explicitly have cross-company access.

Security Principles

1. Principle of Least Privilege

Users should only have access to:
  • The minimum role needed to perform their job
  • The minimum group memberships needed for their work
  • The minimum workspaces needed for their projects

2. Segregation of Duties

Different roles have different capabilities:
  • Admins manage structure (users, groups, workspaces)
  • Document Managers manage content (upload, delete documents)
  • Users consume content (read, query documents)

3. Audit Trail

All access-related events are logged:
  • User creation and role changes
  • Group membership changes
  • Workspace access attempts
  • Document uploads and deletions

Common Access Patterns

Pattern 1: Departmental Structure

Pattern 2: Project-Based Structure


Decision Framework

When to Create a New Group

✅ Create a new custom group when:
  • A distinct group needs access to specific content
  • The group will persist over time
  • Members need to collaborate on shared documents
❌ Don’t create a group if:
  • It’s for a one-time document share (use existing group)
  • Only one person needs access (use private workspace)
  • Everyone in company needs access (use company group)

When to Create a New Workspace

✅ Create a new workspace when:
  • Content has different access requirements
  • Documents form a coherent knowledge domain
  • You need to isolate sensitive information
❌ Don’t create a workspace if:
  • Documents can fit in existing workspace
  • Same group needs access
  • It’s just for organization (use folders instead)

Next Steps

Now that you understand the architecture, dive into each component:

User Management

Create users, assign roles, and manage permissions

Group Management

Organize users into groups for access control

Workspace Management

Create and manage content containers

Document Access Control

Understand how documents are secured

Quick Reference

Access Control Flow

Key Relationships

  • 1 User1 Company (fixed)
  • 1 UserMany Groups (flexible)
  • 1 GroupMany Workspaces (flexible)
  • 1 WorkspaceMany Groups (flexible)
  • 1 Workspace1 Collection (fixed)
  • 1 CollectionMany Documents (flexible)