Understanding Operations on Permissions
The table below lists the operations that relate to permissions, namely:
- Querying or changing the owner of an application element;
- Querying the list of permission groups and the application elements that they contain;
- Creating or deleting a permission group;
- Adding/removing an application element to/from a permission group; or
- Querying or changing the permission rules in a ruleset.
Control over these operations is implemented with the access requirements and permission rules introduced above. Depending on the operation, these access requirements and permission rules may involve:
- ACCESS and MODIFY access rights on the APPLICATION_PERMISSIONS element; and
- PERMISSIONS access rights on target application elements.
Operations on Permissions

The logic in the table above is:
- To query components of the permission system that are not tied to application elements, you must have ACCESS on APPLICATION_PERMISSIONS. This covers the ruleset attached to the application, the permission groups (which groups exist, not which elements they contain), and the rulesets attached to permission groups.
- To modify components of the permission system that are not tied to application elements (same as above), you must have ACCESS and MODIFY on APPLICATION_PERMISSIONS. Again, this does not cover which application elements the permission groups contain.
- To query components of the permission system that are tied to application elements, you must have one of the following permissions, each of which is considered to give you sufficient access: PERMISSIONS on the application element, or ACCESS to the application element, or ACCESS to APPLICATION_PERMISSIONS. This covers the ruleset attached to the application element, the permission groups to which the application element belongs, and the owner of the application element when applicable. It also means that, to prevent you from seeing this information, one must explicitly forbid all three accesses listed above.
- To modify components of the permission system that are tied to application elements (same as above), you must have PERMISSIONS on the application element. Note that neither ACCESS nor MODIFY to the application element, nor ACCESS or MODIFY to APPLICATION_PERMISSIONS, is required. This makes it possible to control who can set permissions on an application element independently of who can see or update it.
Note that whether a given user has the required access rights on the respective application elements is determined by the permission rules. In addition, a user who carries the PERMISSIONS_ADMIN role is automatically granted ACCESS and MODIFY on APPLICATION_PERMISSIONS, as well as PERMISSIONS on all application elements. This is intended to avoid deadlocks, where a user with high privileges would accidentally (or not) remove from all users, her/himself included, the permission to edit permissions on one or several elements of the application.
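
The four rules and the PERMISSIONS_ADMIN grant can be modelled as a small decision function, which is useful when reviewing who can read or change permission data. This is an added example, not the product's own code: the `User` class, `allowed`, `visibility_grants`, and the element name `customer_table` are hypothetical, and `rights` stands for whatever the permission rules resolved for the user.

```python
from dataclasses import dataclass, field

APP = "APPLICATION_PERMISSIONS"  # element name taken from the page

@dataclass
class User:
    """Hypothetical model: rights are what the permission rules resolved for this user."""
    roles: set = field(default_factory=set)
    rights: dict = field(default_factory=dict)  # {target: {"ACCESS", "MODIFY", "PERMISSIONS"}}

    def has(self, right, target):
        if "PERMISSIONS_ADMIN" in self.roles:
            # Automatic grants described on the page for this role.
            if target == APP and right in ("ACCESS", "MODIFY"):
                return True
            if target != APP and right == "PERMISSIONS":
                return True
        return right in self.rights.get(target, set())

def visibility_grants(user, element):
    """Every right that lets the user read an element's ruleset, groups and owner."""
    candidates = [("PERMISSIONS", element), ("ACCESS", element), ("ACCESS", APP)]
    return [c for c in candidates if user.has(*c)]

def allowed(user, action, element=None):
    """action is 'query' or 'modify'; element=None means a component not tied to an element."""
    if action not in ("query", "modify"):
        raise ValueError(action)
    if element is None:
        needed = ("ACCESS",) if action == "query" else ("ACCESS", "MODIFY")
        return all(user.has(r, APP) for r in needed)
    if action == "query":
        return bool(visibility_grants(user, element))  # any one of the three suffices
    return user.has("PERMISSIONS", element)  # ACCESS/MODIFY are neither needed nor enough

# Constructed sample users and element name.
delegate = User(rights={"customer_table": {"PERMISSIONS"}})
viewer = User(rights={APP: {"ACCESS"}})
admin = User(roles={"PERMISSIONS_ADMIN"})

if __name__ == "__main__":
    for name, u in (("delegate", delegate), ("viewer", viewer), ("admin", admin)):
        print(name,
              {a: allowed(u, a) for a in ("query", "modify")},
              {a: allowed(u, a, "customer_table") for a in ("query", "modify")},
              visibility_grants(u, "customer_table"))
```

An empty result from `visibility_grants` is the only state in which the element's ruleset, groups and owner are hidden from the user, which is the "forbid all three" condition stated above.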