From dc3458b05ce12a21253e903fa07cd59df3aaa305 Mon Sep 17 00:00:00 2001 From: Allan Bowe <> Date: Wed, 5 Feb 2020 18:54:55 +0100 Subject: [PATCH] feat: new VIEW security --- docs/dcc-security.md | 23 ++++++++++++++++++++--- docs/dci-troubleshooting.md | 11 +++++++++++ docs/emails.md | 2 ++ mkdocs.yml | 2 +- 4 files changed, 34 insertions(+), 4 deletions(-) diff --git a/docs/dcc-security.md b/docs/dcc-security.md index 68c81c2..52b153b 100644 --- a/docs/dcc-security.md +++ b/docs/dcc-security.md 
@@ -15,10 +15,25 @@ In order to surface a table to a new group, simply add a record to the `DATACTRL ![Screenshot](img/securitytable.png) -## EDIT vs APPROVE +## ACCESS_LEVEL -The `EDIT` permission determines which groups will be able to upload CSVs and submit changes via the web interface for that table. The `APPROVE` permission determines which groups will be able to approve those changes, and hence enable the target table to be loaded. If you wish to have members of a particular group both edit AND approve, then two lines (one for each group) must be entered, per table. +### EDIT +The `EDIT` permission determines which groups will be able to upload CSVs and submit changes via the web interface for that table. + +### APPROVE +The `APPROVE` permission determines which groups will be able to approve those changes, and hence enable the target table to be loaded. If you wish to have members of a particular group both edit AND approve, then two lines (one for each group) must be entered, per table. + +### VIEW +The default behaviour when installing Data Controller is that the [viewer](dcu-tableviewer.md) lets all SAS Users see all the tables that they are authorised to view in SAS. However there may be reasons to further restrict the tables in this component. + +There is a global setting that will disable ALL tables in VIEWER unless explicitly authorised - this is available in MPE_CONFIG. Set `DC_RESTRICT_VIEWER=YES`, submit, and approve. + +If authorising groups without this setting, it means that tables will be restricted only in that library (the rest will still be visible). + +Groups can be given VIEW access for all libraries or all tables within a library by using the keyword `*ALL*` instead of the libref / tablename. + +It's also worth being aware of the `DC_VIEWLIB_CHECK` option in MPE_CONFIG. When this is switched on, SAS will confirm that the library is valid and contains tables, before adding to the list. 
This can sometimes be slow (depending on your library configurations), hence disabled - but as the list is actually cached on frontend (until the next hard refresh) the impact may worth it. ## Determining Group Members @@ -37,4 +52,6 @@ filename mc url "https://raw.githubusercontent.com/macropeople/macrocore/master/ /* call macro */ %mm_getgroupmembers(YOURGROUPNAME) /* the above will create a dataset containing the group members */ -``` \ No newline at end of file +``` + +Another option is to use the custom groups feature by defining your own groups in the [MPE_GROUPS](dci-groups.md) table. \ No newline at end of file diff --git a/docs/dci-troubleshooting.md b/docs/dci-troubleshooting.md index 9ca49f6..9a2942c 100644 --- a/docs/dci-troubleshooting.md +++ b/docs/dci-troubleshooting.md @@ -48,3 +48,14 @@ run; /* run the program */ %inc tmp; ``` + +## Custom Library + +If you wish to change the default *libref* or *libname* then there are TWO items to configure: + +1) The library itself + +2) The `mpelib` macro variable and the libname statement in the `/Admin/Data_Controller_Settings` stored process. + +!!! note + Be sure to make this change *after* running the configurator, to ensure the tables are first registered! \ No newline at end of file diff --git a/docs/emails.md b/docs/emails.md index e0fc633..8510f55 100644 --- a/docs/emails.md +++ b/docs/emails.md @@ -11,6 +11,8 @@ Emails are sent after any post edit / post approve hooks. They can be sent when Email addresses are looked for first in `DCXXXXXX.MPE_EMAILS`. If they are not found there, then a metadata search is made (the first email found in metadata for that user is used). + + ## Setup As not every site has emails configured, this feature is switched OFF by default. To switch it on, navigate to `DCXXXXXX.MPE_CONFIG` and set the value for `DC_EMAIL_ALERTS` to be `YES` (uppercase). diff --git a/mkdocs.yml b/mkdocs.yml index c3b5f68..fb818c2 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -11,7 +11,7 @@ pages: - Selectboxes: dcc-selectbox.md - Dates / Datetimes: dcc-dates.md - Emails: emails.md - - Groups: groups.md + - Groups: dcc-groups.md - Installing Data Controller: - System Requirements: dci-requirements.md - Backend: dci-backend.md
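Review bot: in docs/dcc-security.md, under the new `### VIEW` heading, the paragraph "If authorising groups without this setting, it means that tables will be restricted only in that library (the rest will still be visible)" is easy to misread as a full restriction. Since the section opens by saying the viewer shows all SAS users every table they are authorised to view in SAS, I would reword it to say plainly that while `DC_RESTRICT_VIEWER` is not `YES`, a VIEW record only narrows the library it names and every other library stays visible to everyone. It would also help to name the columns that accept `*ALL*`. Two wording fixes in the same hunk: "the impact may worth it" is missing "be", and in the APPROVE paragraph "two lines (one for each group)" describes a single group that needs both permissions, so "one for each permission" looks like what is meant.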
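Review bot: in the second docs/dcc-security.md hunk, the added link `[MPE_GROUPS](dci-groups.md)` does not match the page name the mkdocs.yml hunk in this same patch registers for Groups, which is `dcc-groups.md`. One of the two is presumably a typo, so please point both at the same file. The added last line also still ends with "No newline at end of file".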
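Review bot: in docs/dci-troubleshooting.md, step "1) The library itself" of the new "Custom Library" section gives the reader nothing to act on: it does not say what has to be changed about the library or where. Please add a sentence for it, in the way step 2 names the `mpelib` macro variable and the `/Admin/Data_Controller_Settings` stored process. The note "Be sure to make this change *after* running the configurator" should also say whether it covers both items or only the second.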
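Review bot: the docs/emails.md hunk only adds two blank lines before `## Setup`, which is unrelated to the VIEW security feature named in the subject. I would drop it from this commit to keep the change focused.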
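Review bot: in mkdocs.yml, the nav entry changes from `groups.md` to `dcc-groups.md`, but the diffstat lists only four files and none of them renames or adds a groups page. Unless `docs/dcc-groups.md` already exists in the tree, the Groups nav entry will point at a missing file after this commit, so the rename should be included here or the existence of the target confirmed.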