Document password key has two levels: global level key for company, and group level key for departments.
Global level salt key is used for isolating all documents from access from foreign users outside company. Each company should set its global key unique.
Each department should be given an unique group level salt key. Cross department users can be assigned to multiple groups.
There are two attribute data for document password key grouping: certbuf_writegroup and certbuf_readgroup. Document password keys themselves are not stored in CerBuf cache buffer.
certbuf_writegroup defines which group the end-user belongs for save/save-as operation for an opened document. This type of group is called write-group to the end-user. There are 8 write-groups.
An end-user can only be assigned to one specific write-group.
For end-user to open a document, groups assigned for open privilege is called read-group to the end-user. There are 8 read-groups.
An end-user can be assigned to 1 to 8 read-groups. Once 8 groups are all assigned to an end-user, he can access to all company's documents, provided that he get those document's passwords on hand.