Access Rights
Access rights are permissions that a user belonging to a role can be granted to view, create, edit or delete forms, dataset items, menus etc. The permissions are granted to a role and applies to all users that have the role.
Permissions
View
View is the least of the permissions that can be granted. With view permission only, a user can view but cannot edit/modify or delete or create new.
Edit
With edit permission only, a user can edit/modify but cannot delete or create new. The view permission is granted automatically with edit permission.
Create
With create permission only, a user can create new but cannot delete. The view and edit permissions are granted automatically with create permission.
Delete
With delete permission only, a user can delete but cannot edit/modify or create new. The view permission is granted automatically with delete permission.
The table shows which permissions are bundled when granted to a role. For example, when a role is granted create permission, then the user automatically has view, create and edit permissions.
Granted permission | View | Create | Edit |
|---|---|---|---|
View | Yes |
|
|
Create | Yes | Yes | Yes |
Edit | Yes |
| Yes |
Delete | Yes |
|
|
Access rights are permissive by default. It means all roles are assumed to have all permissions unless permissions are defined.
Permission conflicts
A user can have multiple roles. Since permissions are granted to roles, conflicts can occur. A permission conflict occurs when one role of the user grants a permission to the user while the other role of the user denies it. Permission conflicts are resolved with a permissive approach, i.e. if any of the roles of the user grants a permission to the user, the user is granted the permission.
Let us consider a user has two roles: Manager and Back office. The Manager role has edit permission, but the Back office role has view permission only. The user will get edit permission because she has Manager role and the permission is granted to a Manager role.