Skip to main content

Document repository

The document repository is an service that has two main components, a UI that a user interacts with, and a service by which users or third parties can manage a user's resources through the API.

The core concept of the repository is:

There are many documents. Each document can have any number of users and each of those users may have different permissions to that document. Users will share documents and change other users’ permissions as well as create, modify, and delete documents. We’ll assume there are two services, one that stores text documents and another than stores complex binary data, text and binary.

Additionally, each account in the document repository has multiple users authorized to access it. Some of them are full Admins of the account, which access to manage users, update billing information, or change global configuration for the account. Other users are only Viewers which have only limited access to read all the documents in the repository. The rest of the users have some configurable permission on a document by document basis that provides the capability to create, update, or delete existing documents. Depending on the permission assigned to them, they might be able to also share that document with other users in the account (and users outside the account).

For further simplicity, this document repository is private per account. Documents created in one account are not available on the public. And conversely, in order to create a document, the user must have the documents:create permission.


The roles associated with the document repository might look like this:

  • Admin: Contains the permissions . When assigned to a user in an access record, that user full control over that document as well as the ability to change other users permissions to that document.
  • Editor: Contains the permissions documents:read, documents:update, documents:delete, and documents:share. They can make changes to the document as necessary
  • Viewer: Contains the permission documents:read, when given to a user for a document, they will be able to read the document only.
  • Creator Contains the permission documents:create. Usually given to all users in an account. Users with this permission can create documents. When they create a document, they are given Admin to that new document only.

Permissions: Allow, Grant, Delegate

To keep this scenario simple, we'll assume that only the Admin role has Grant and Delegate. That means that an Editor cannot assign any roles--Editor, Viewer, or Creator--to other users. To be able to assign a role to a user that user must have Grant or Delegate on all the permissions in the relevant access record. For more details on Allow, Grant, and Delete, refer to the access record permissions article.

Example implementation

An example implementation of a document repository using AWS S3 is available on GitHub: Document Library Microservice