Smart rules only for administrators?


is it possible to allow the creation of smart rules for administrators only?


On one machine?

One or more… Smart rules can also be dangerous if, for example, an inexperienced employee creates a bad smart rule and thus makes a large number of automatic changes to objects in shared databases (synchronized across several machines). As a precaution, it would make sense to only allow administrators to create smart rules.

@tjur Your question is an interesting one - as I do use DT3 within my small company and have pondered related issues.

The truth is - as much as I am a terrific DT3 fan, it seems to mostly be intended for and used by individuals or perhaps small family units or very small work teams.

While DT3 shines in automation power, it lacks the auditing and granular security features present in most corporate databases. Frankly I think it would be very hard to implement that security without losing automation capability.

I think the most practical solution in a work environment is to give DT3 Desktop capability only to a few extremely trusted employees (“trusted” not only in an ethical sense but also in a technologically-sophisticated sense). For the rest, DT3 Server provides access to essential data with most of the ability to wreak automation havoc removed.

Beyond that - you can do as I have chosen and create some web apps for targeted DT3 tasks which do not offer access to the rest of DT3:


I agree with you. We are in a similar situation. DT Server is great, but unfortunately very limited. Among other things, the processing of custom metadata is important for us, but also the classification, naming or annotating / stamping PDF files. In DT Server, we also lack the ability to simply copy (and use) the references of objects.

The API is very interesting and we will look into it…

Thanks for your help!

The API may well help in that regard.

Or a simpler approach would be to write freestanding scripts to do the targeted tasks you mention rather than to have staff use DT Desktop.

1 Like

This had me wondering, what are the big software packages that do what DevonThink does for large orgs?
I know that the first follow up question would be, which features of DevonThink are you thinking about? The PDF and image metadata tracking? The note creation and tagging? The AI organization tools? The indexing vs importing? The general Swiss Army knife that is the DevonThink universe?

I would imagine that at the big company level the document management software would be very specific to each industry (legal, medical, sci-tech etc).

I have one use case that I’ve never fully investigated that would entail me organizing all the documents for a company and having them available via web browser to a small group of people with a very wide range of computer skills (i.e. from nil to tolerable).

The short version of this question is what do people use when their companies or organizations grow too big for DevonThink?

1 Like

I think the main options are -

  • Build a custom app based on a traditional database; or
  • Use enterprise-grade software specific to the niche of the company’s business
  • Possibly install “enterprise content management” software - for which there are many competitors and at a price point dramatically higher than DT3
  • Build a custom FIlemaker app
  • Build a Microsoft Access app

That is actually exactly the problem that we will soon have to face and are therefore looking for solutions to our needs. We really want to keep DT, but with fewer workarounds it would be somehow easier …

What is missing in DT for small / medium-sized companies is a simple rights management with users, as it is already implemented with DT Server. This does not have to be unmanipulable in the backend. It should be enough if the functions in the frontend are password-protected. For example, the administrator could define the user (with a unique ID) for each DT instance and then create a table with the desired rights for the frontend for the individual databases. It would be ok, if one could manipulate the files in the Finder.

Both are definitely good, but very costly for the current licenses and because of the administration…

… but then we will miss this wonderful features (Automation, AI, …) of DT :cry:

As far as I know, and I’ve searched the “DEVONthink Handbook”, there is no role for “administrators” in DEVONthink. Are you referring to DEVONthink Server? Or some internally designed/developed configuration that has the role “administrator”? Or macOS “administrator” role?

If DEVONthink Server, probably should @BLUEFROG move this thread to the appropriate category?

I don’t mean DT Server. There are also no smart rules for the server version.

It doesn’t matter if this would be just a password restriction. I originally thought of other apps in comparison, where part of settings were only accessible by entering the administrator password.

Well, as nothing in documentation, then nothing available.

If you want to try to bend DEVONthink to your will, you might if you can can define precisely what an “administrator” is, write some sort of script (calling the shell, Python, or whatever) callable from the first line of a smart rule “action” to test for that. Return “true” if rule says it’s ok to proceed, otherwise, stop the rule at that point. Clearly would be what I call a kludge, may or may not be possible, and may or may not meet your control measures sufficiently to control the risk(s) you have identified. Would also require a substantial security review to look for how your non-administrators or other bad actors might be able to overcome this (start by editing the rule on their desktop copy of DEVONthink).

The aim is to prevent the creation of smart rules … I cannot monitor that an employee is always dutifully installing a script :sweat_smile:

@BLUEFROG: I wonder if i could set the plist file „SmartRules.plist“ to read only to achieve that…

Could you set a Hazel rule which notifies you of any change to the Smart Rules folder or .plist?

That is a great idea, but notification could be too late in the worst case, when the rule has already been applied…

@BLUEFROG: Maybe the DEVONthink team could add a hidden preference with which one can disable the menu items (add/import smart rule)…

can you please describe the risk(s) in the following way

Because of [event with probability], [ ? ] might happen, leading to [positive or negative result]. List more than one of applicable.

then explain how DEVONthink, compared to alternatives, is best and/or only control measure to reduce or increase probability of the event or affect the result (wanted or unwanted).

understanding this may help others how much effort and £$€ to put into doing something to help or fix.

The horror scenario looks like this:

An employee creates a smart rule for his own database. For example, this smart rule names all PDF files in a folder every hour according to a certain scheme and then moves them to another folder. Let us assume that the employee makes an incorrect setting (e.g. selects ALL databases in the smart rule). Then ALL 150,000 PDF files in a shared database are renamed and moved. For us this means that we would have to restore a backup and maybe that data may have been irretrievably removed if a backup has not yet been made.

It would be best if one could deactivate/hide the menu items in relation to smart rules AND also the section in the sidebar with the smart rules themselves, so that existing rules cannot be changed, but are still functional.

Not really what I expected, but there you go. Probability?What if they only change 75,000 items? Or 1 item? Matter? Automate the backup and restore so that the impact of this risk is minimal? Other ways for bad, incompetent, or unscrupulous/lazy employee(s) to do the same destruction?

Maybe a more effect control measure (and less expensive for DEVONTechnologies to develop and support) is for you to tell employees such actions are logged (somehow you figure out how to detect), and if they do they get fired.

I think you may wish to consider a different application to do this stuff. Clearly, the risk tolerance by your organisation is insufficient for the ability to DEVONthink to help you control these “horrors”.

The requests are noted though I can’t speak for development.

However, speaking from many years of corporate experience, including management and IT, your horror scenario is an administrative one, not a technical one IMHO. Employees should be trained and warned that smart rules are only created and administered by whatever tech management is in place. To do otherwise is to jeopardize their employment. Period. (And yes, I’ve had to do that in mre than one place I worked.) This should be clearly stated in the security policy for the company.

PS: If you have a user capable and taking the initiative to make smart rules, it’s likely they’d figure out how to reset permissions on the plist file as well. Someone like that should be moved into IT or summarily dismissed if they violate a written security policy. (And yes, I have been moved into IT in more than one job - haha!)

PPS: If you don’t have a security policy, you should.

PPPS: I also think you’ll find most people don’t want to do things like automate. They want to follow in the narrow path you’ve defined - and yes, you should have a narrowly defined path for uniformity of outcome.

Go to work, push the buttons, eat some lunch, answer the phones, push some more buttons, go for a drink after work, go home is the path of least resistance for millions of people (with no offense to anyone in that cycle. We need all kinds of people :slight_smile: )