
Visibility & Privacy

This document defines how visibility, participation, and privacy work in DMS.

DMS separates access and privacy into four layers:

| Layer | Purpose | Controls | Answers |
|---|---|---|---|
| Scope | Eligibility | Auto-assignment policy | Who can join this Topic? |
| Role | Participation | Presence in the Topic | Am I part of this Topic? |
| Permissions | Authority | Action capabilities | What can I do here? |
| Sensitive | Exposure | Content-level override | What can I see here? |

Access Evaluation Flow

```mermaid
flowchart TD
    User["User requests a Topic"]
    Scope["Scope<br/>Defines who may receive an automatic role"]
    Role{"Has an explicit Role<br/>for this Topic?"}
    Permissions["Permissions<br/>Determine allowed actions"]
    Sensitive{"Is the requested record<br/>marked Sensitive?"}
    Owner{"Is the user an Owner?"}
    Hidden["Hide Topic<br/>Return 404 / no metadata"]
    Full["Show Topic or record"]
    Redacted["Show Topic with redacted record"]

    User --> Scope --> Role
    Role -->|No| Hidden
    Role -->|Yes| Permissions --> Sensitive
    Sensitive -->|No| Full
    Sensitive -->|Yes| Owner
    Owner -->|Yes| Full
    Owner -->|No| Redacted

    classDef control fill:#E3F2FD,stroke:#90CAF9,color:#123,stroke-width:1px;
    classDef allow fill:#E8F5E9,stroke:#81C784,color:#333,stroke-width:1px;
    classDef limited fill:#FFF3E0,stroke:#FFB74D,color:#333,stroke-width:1px;
    classDef deny fill:#FFEBEE,stroke:#E57373,color:#333,stroke-width:1px;
    class User,Scope,Permissions control;
    class Full allow;
    class Redacted limited;
    class Hidden deny;
```

Scope — Default Role Assignment

Scope defines the default visibility boundary of a Topic and who is eligible to receive an automatic role.

Scope Rules

| Scope | Default Role Assignment |
|---|---|
| Private | Creator → Owner |
| Team | Team members → Observer |
| Organization | Organization members → Observer |
| Public | Everyone → Observer |

  • Only Owners may change the Scope of a Topic.
  • All Scope changes are logged in the Topic history to prevent "silent" exposure.
  • Scope changes only affect future automatic assignments; they do not revoke manually assigned roles.

Role — The Participation Gateway

A user can see and participate in a Topic only if they hold an explicit role. Without a role, the Topic is effectively non-existent to that user.

Without a role:

  • The Topic is hidden from search, dashboards, and global feeds.
  • Direct links will return a "Not Found" error to prevent metadata leakage.
  • The user does not appear in the participant list or historical audit trail.


Sensitive — Content Exposure Override

Individual entries (Choices, Reasons, Reviews, Lessons) may be flagged as Sensitive. This is a surgical content-level control that layers over the Role-based permissions.

Sensitive entries:

  • Are hidden from all Roles except Owners.
  • Remain part of the permanent immutable record for audit purposes.
  • Do not affect the overall visibility of the Topic itself.

Typical uses:

  • Protecting Personally Identifiable Information (PII) or legal data.
  • Maintaining "Safe Spaces" for raw thinking or controversial rationale.
  • Redacting internal reasoning from external or client-level observers.
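
The evaluation order defined on this page (Scope assigns a default role, Role gates visibility, Sensitive redacts individual entries) written out as code; this is an added example, not DMS code. The `Topic` model, its `team` and `org` membership sets, the `NotFound` exception and the `[redacted]` marker are assumptions, and auto-assigned roles are assumed to be stored as explicit roles. The Permissions layer is left out because the page does not list the actions each role may take.

```python
from dataclasses import dataclass, field

OWNER, OBSERVER, REDACTED = "Owner", "Observer", "[redacted]"  # marker text is assumed
class NotFound(Exception):
    """Same answer as for a Topic that does not exist, so no metadata leaks."""

@dataclass
class Topic:                                      # hypothetical model, not the DMS schema
    creator: str
    scope: str                                    # Private | Team | Organization | Public
    team: set = field(default_factory=set)        # assumed membership sets
    org: set = field(default_factory=set)
    roles: dict = field(default_factory=dict)     # user -> explicit role
    entries: list = field(default_factory=list)   # (text, sensitive) pairs
    history: list = field(default_factory=list)   # logged Scope changes

def resolve_role(topic, user):
    """Scope layer: keep an existing role, else auto-assign the default if eligible."""
    if user not in topic.roles:
        default = {
            "Private": OWNER if user == topic.creator else None,
            "Team": OBSERVER if user in topic.team else None,
            "Organization": OBSERVER if user in topic.org else None,
            "Public": OBSERVER,
        }[topic.scope]
        if default:
            topic.roles[user] = default
    return topic.roles.get(user)

def view_topic(topic, user):
    """Role gateway first, then the Sensitive override on each entry."""
    role = resolve_role(topic, user)
    if role is None:
        raise NotFound()                          # hidden Topic: nothing is revealed
    return [text if role == OWNER or not sensitive else REDACTED
            for text, sensitive in topic.entries]

def change_scope(topic, user, new_scope):
    """Only Owners may change Scope; the change is logged and no role is revoked."""
    role = resolve_role(topic, user)
    if role is None:
        raise NotFound()
    if role != OWNER:
        raise PermissionError("only Owners may change the Scope")
    topic.history.append((user, topic.scope, new_scope))
    topic.scope = new_scope

# Constructed sample: Team-scoped Topic, alice manually made Owner, one Sensitive entry.
sample = Topic("alice", "Team", team={"alice", "bob"}, roles={"alice": OWNER},
               entries=[("Chose vendor B", False), ("Customer home address", True)])
```

With the sample, `view_topic(sample, "bob")` returns the first entry and a redacted second one, while a user outside the team gets `NotFound`.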