A permission permits:
- The members of one user group
- To perform one type of action
- Over one resource
Permissions are maintained using the Create Permission and Delete Permission services, which are accessed through the Permissions option on the pull-down menu. See the main Permissions topic for details of the different types of permission.
Internally, each permission is represented by a single row on the permission table. This holds a number of fields:
- The user group identifier field holds the identifier of the user group to which permissions are granted.
- The permission type identifier identifies the type of permission. There is a set of permission types for nodes (such as node administer, node use package, etc.) and a set of permission types for user groups (such as administer user group, administer owning user group, etc.). Each permission type has a reference, which is used in the service calls.
- Node resources are identified by the permission on node identifier field on the permission table. This holds the identifier of the node over which permissions are being granted.
- User group resources are identified by the permission on user group identifier field, which holds the identifier of the user group over which permissions are being granted. Do not confuse this with the "user group identifier" field, which holds the identifier of the user group to which permissions are granted.
A permission can only be created by a user who has appropriate permission over both the user group to which the permission is granted and the resource over which it is granted. The permission required to grant to a user group is fixed within the code. The permission required over a resource is controlled by the permission on permission table, which identifies what permission type the granter must hold over the resource in order to grant each other permission type.
This restriction on who can grant what permissions to whom is the basis of the account separation within Metrici. A person in Account A cannot grant permissions to a person in Account B.
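The following is an added illustration of the grant check described above, not Metrici's own code. It models the permission table as rows with the four fields listed, hard-codes the user-group side of the rule, looks up the resource side in a permission-on-permission table, and shows that an administrator of Account A can grant node permissions to a group in Account A but not to a group in Account B, nor over Account B's node. The permission type reference strings, the contents of the permission on permission table, the rule that granting to a user group requires "administer user group" over it, and the sample accounts are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Permission type references. The page names these types; the exact
# reference strings used in service calls are assumed here.
NODE_ADMINISTER = "node administer"
NODE_USE_PACKAGE = "node use package"
ADMINISTER_USER_GROUP = "administer user group"


@dataclass(frozen=True)
class Permission:
    """One row of the permission table."""
    user_group_id: int                                  # group TO which the permission is granted
    permission_type_ref: str                            # reference of the permission type
    permission_on_node_id: Optional[int] = None         # node resource, if any
    permission_on_user_group_id: Optional[int] = None   # user group resource, if any


# Permission-on-permission table (assumed contents): to grant a permission of
# the key type over a resource, the granter needs the value type over that
# same resource.
PERMISSION_ON_PERMISSION = {
    NODE_USE_PACKAGE: NODE_ADMINISTER,
    NODE_ADMINISTER: NODE_ADMINISTER,
    ADMINISTER_USER_GROUP: ADMINISTER_USER_GROUP,
}

# Fixed in code (assumed rule): granting anything TO a user group requires
# "administer user group" over that user group.
GRANT_TO_USER_GROUP_REQUIRES = ADMINISTER_USER_GROUP


def has_permission(table, member_of, type_ref, node_id=None, user_group_id=None):
    """True if any group the user belongs to holds type_ref over exactly this resource."""
    return any(
        row.user_group_id in member_of
        and row.permission_type_ref == type_ref
        and row.permission_on_node_id == node_id
        and row.permission_on_user_group_id == user_group_id
        for row in table
    )


def can_grant(table, granter_groups, new):
    """Apply both halves of the grant rule to a proposed permission row."""
    # 1. Over the user group that would receive the permission (fixed in code).
    if not has_permission(table, granter_groups, GRANT_TO_USER_GROUP_REQUIRES,
                          user_group_id=new.user_group_id):
        return False
    # 2. Over the resource, via the permission-on-permission table.
    required = PERMISSION_ON_PERMISSION.get(new.permission_type_ref)
    if required is None:
        return False  # unknown type: nobody can grant it
    if (new.permission_on_node_id is None) == (new.permission_on_user_group_id is None):
        return False  # a row must name exactly one resource
    return has_permission(table, granter_groups, required,
                          node_id=new.permission_on_node_id,
                          user_group_id=new.permission_on_user_group_id)


def create_permission(table, granter_groups, new):
    """Create Permission service: append the row, or refuse."""
    if not can_grant(table, granter_groups, new):
        raise PermissionError(f"cannot grant {new}")
    table.append(new)
    return new


# Constructed sample data: Account A owns groups 1 (admins) and 2 (users) and
# node 100; Account B owns group 3 and node 200.
PERMISSIONS = [
    Permission(1, ADMINISTER_USER_GROUP, permission_on_user_group_id=1),
    Permission(1, ADMINISTER_USER_GROUP, permission_on_user_group_id=2),
    Permission(1, NODE_ADMINISTER, permission_on_node_id=100),
    Permission(3, ADMINISTER_USER_GROUP, permission_on_user_group_id=3),
    Permission(3, NODE_ADMINISTER, permission_on_node_id=200),
]
ACCOUNT_A_ADMIN = {1}  # groups the granting user belongs to


def demo():
    """Returns (same account OK, cross-account group refused, cross-account node refused)."""
    table = list(PERMISSIONS)
    same_account = can_grant(table, ACCOUNT_A_ADMIN,
                             Permission(2, NODE_USE_PACKAGE, permission_on_node_id=100))
    other_group = can_grant(table, ACCOUNT_A_ADMIN,
                            Permission(3, NODE_USE_PACKAGE, permission_on_node_id=100))
    other_node = can_grant(table, ACCOUNT_A_ADMIN,
                           Permission(2, NODE_USE_PACKAGE, permission_on_node_id=200))
    return same_account, other_group, other_node


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Note that the check matches the resource identifier exactly: holding "node administer" over node 100 says nothing about node 200, so account separation falls out of the data in the two tables rather than from any account field on the permission row.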