With the staged rollout of new DocuWare — our next-generation web and mobile clients, first introduced at DocuWorld — many of you are already testing it and sharing your feedback. And there is one recurring topic that deserves a clear statement from us.
New DocuWare introduces a revamped multi-file-cabinet search and Aura for AI-driven insights. These solutions query documents wherever a user has permissions, independent of search or result dialogs. That's by design, and it's foundational to the solutions we're building next. But it also brings to light an important issue: Where access has effectively been managed through dialogs rather than file cabinet permissions, users may now find documents they couldn't access before — even though the permission model itself hasn't changed.
This is not a breaking change and the permission system has not been touched. It does, however, make the distinction between the two concepts more consequential than ever. Our new blog article explains what file cabinet permissions and dialogs are each meant for, where the limits of dialogs lie, and what to verify in your customers' setups.
Have a real-world concern? If you rely on dialog-based setups and want to provide feedback, take our short survey.
Two tools, two jobs — and why mixing them up can undermine document security.
DocuWare gives you two ways to control how people work with documents: file cabinet permissions and dialogs. They often work side by side, so it's easy to assume they do the same thing. But actually, they don't — and one of the most common configuration pitfalls is asking a dialog to do a job it was never built for.
In short: permissions secure documents. Dialogs shape how users see and work with them. A dialog is not a permission layer. That has always been true in DocuWare, and it's crucial to do it right in every setup.
Permissions: The security layer
File cabinet permissions decide what a user is actually allowed to access — which documents, which index fields, and which operations (search, view, edit, delete, export, and so on). They're enforced by the platform itself, at the data level, no matter how a user reaches the file cabinet.
This is the layer that secures your documents and index data. No permission, no access — whether the user comes in through a client, the API, or an integration.
More about File cabinet permissions
Dialogs: Views for faster, focused work
Dialogs are views. They tailor how users search, display results, store, and interact with documents: the right fields, in the right order, pre-filtered for a department, simplified to the essentials. They make everyday work quicker and more efficient.
But a dialog only filters what's shown. It doesn't change what a user is allowed to access. For example, if a search dialog hard-codes a field as filter, or a result list leaves out a field, matching documents and data are still permitted — they just don't appear in that view.
More about File cabinet dialogs
Why a dialog can't secure documents
A setup that relies on hidden or narrowed dialogs to keep certain documents out of reach is practicing security by obscurity — and obscurity isn't security.
Because a dialog only filters the presentation, the data underneath stays accessible to anyone who holds the permission. A document hidden from a dialog can still be reached:
- through the DocuWare Platform / API,
- by inspecting browser traffic, or
- through any other client or integration on the same file cabinet.
If the permission allows it, the data is reachable. The dialog was simply not showing it.
How to set it up right
The reliable pattern is simple: control access with file cabinet permissions — not with dialogs.
- Identify the dialogs doing security work. Wherever a setup relies on a missing field or a hidden search dialog to keep documents out of view, treat it as a permission gap.
- Move the rule down to the permission layer. Use file cabinet permissions to define what each user or role is truly permitted to access. That rule then holds everywhere — client, API, and integrations alike.
- Keep dialogs for what they're great at: tailored views, simpler masks, department-specific result lists. That's where dialogs shine. Just don't ask them to lock anything down.
- Review proactively. A quick look at file cabinet permission profiles confirms that what's hidden is also genuinely restricted, leaving your customers with a cleaner, more secure setup.
The bottom line
- Permissions secure documents. Dialogs shape how users work with them.
- Dialogs filter what is shown, not what is accessible.
- Relying on hidden dialogs is not true security — the data is still reachable via the API, browser traffic, or other clients.
- So: keep file cabinet permissions properly set and replace any dialog-based "hiding" with real controls at the permission level.