You can create permission manifests directly in JSON using the Permission Manifest type. This has disadvantages: it is easy to make mistakes in JSON, and it is difficult to update manifests that are installed as part of an application instance.
To overcome these problems, in your library code:
- Use the Permission Manifest Role type to specify user roles.
- Use the Permission Manifest Item type to specify required permissions.
- Use the Permission Manifest Specification type to group related items together.
Then, in your instance code, use a node of type Permission Manifest to action the permissions, including the permission manifest specification from your library code.
User roles
Create user roles using the Permission Manifest Role type. The roles should identify nodes that wrap user groups or individual users. The nodes can be identified by direct link (useful for anonymous), by binding reference, or by a combination of binding reference and field.
Permission manifest items
Not to be confused with types that use the Manifest Items field, the Permission Manifest Item type specifies permissions. It specifies nodes, roles and permissions: all the users specified by the roles are granted all the permissions on all the nodes.
The nodes can be specified by link, by binding reference, or by a combination of binding reference and field. Use the form "bindingReference:*" to specify the package contents of a bound node.
Permissions can be selected from a drop-down list. This includes permission group items, which expand to a related set of permissions. The group items simplify permissions to a hierarchy:
- Read permissions
- Link permissions, which include read permissions
- Execute permissions, which include link permissions
- Update permissions, which include execute permissions
- Administer permissions, which include update permissions
Permissions can be granted on nodes or on all the nodes in a folder. Folder-level permissions do not grant node-level permissions, or vice versa, except for the node administer permission, which also grants administer permissions over the nodes in the folder.
As well as the hierarchy of permissions, there is a Use folder group which permits users to create items in a folder. This is included in the administer permissions groups.
There are also three permission groups that grant permissions on user groups wrapped as nodes.
- A Grant to user group group, which provides link-level permission on the user group node and folder, plus permission to grant to the users in the group.
- An Administer user group group, which includes the grant to user group permissions, plus folder and node execute permissions, plus the user group permissions required to administer a normal user group.
- An Administer owning user group group, which includes the grant to user group permissions, plus folder and node execute permissions, plus the user group permissions required to administer an owning user group.
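The group hierarchy, the Use folder group and the folder-versus-node scoping rule above can be checked with a small evaluator. The following is an added example, not the platform's own code or its Permission Manifest JSON schema: the role, item and folder structures are a constructed layout for illustration, and the reading of the administer exception (administering a folder grants the administer group over the nodes it contains) is an assumption.

```python
# Constructed model of the permission groups described in the text. The data
# layout is an assumption for illustration, not the Permission Manifest format.

# Each group includes everything the group below it grants.
HIERARCHY = ["read", "link", "execute", "update", "administer"]


def expand(group):
    """Expand a permission group name into the individual permissions it grants."""
    if group == "use folder":
        return {"use folder"}
    level = HIERARCHY.index(group)            # ValueError for an unknown group
    perms = set(HIERARCHY[: level + 1])
    if group == "administer":
        perms.add("use folder")               # Use folder is part of the administer group
    return perms


# Constructed sample data: roles map to user sets, folders map to their nodes.
ROLES = {"readers": {"alice", "bob"}, "admins": {"carol"}}
FOLDERS = {"reports": {"q1-report", "q2-report"}}
ITEMS = [
    {"roles": ["readers"], "targets": [("q1-report", "node")], "groups": ["link"]},
    {"roles": ["admins"], "targets": [("reports", "folder")], "groups": ["administer"]},
]


def effective_permissions(user, target, scope, roles=ROLES, items=ITEMS, folders=FOLDERS):
    """Permissions `user` holds on `target` at `scope` ('node' or 'folder').

    Folder-level grants do not carry to node level or vice versa, except that
    administering a folder also grants the administer group over the nodes in it
    (assumed reading of the text's administer exception)."""
    granted = set()
    for item in items:
        members = set().union(*(roles.get(r, set()) for r in item["roles"]))
        if user not in members:
            continue
        perms = set().union(*(expand(g) for g in item["groups"]))
        for t, s in item["targets"]:
            if t == target and s == scope:
                granted |= perms
            elif (scope == "node" and s == "folder" and "administer" in perms
                  and target in folders.get(t, set())):
                granted |= expand("administer")
    return granted


if __name__ == "__main__":
    print(sorted(effective_permissions("alice", "q1-report", "node")))   # ['link', 'read']
    print(sorted(effective_permissions("carol", "q2-report", "node")))   # full administer group
```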
Permission manifest specification
Use the Permission Manifest Specification type to group together related permission manifest items, using the Include link.
The permission manifest specification can then be included within a permission manifest in the instance.