Permission rules

Permission label sets are generated for each user by applying Permission rules. Rules let you state the permissions you wish to see implemented, and the Platform uses them to build each user's permission label sets.

A rule applies to a group or user, and consists of:

  • A statement: Can, Cannot, or Reset rules about
  • a label
  • and one or more operations: Read, Create, Edit, Relabel, Delete, Approve

For example,

Members of the “Confidential access” group “Can” “Read” objects which are labelled with “Confidential”

To work out the label permission sets, the Platform finds all the rules which apply, then sorts them by:

  • Distance from user (i.e. direct memberships first, then groups which are members of those groups, and so on)
  • then “Reset rules”, then “Can”, then “Cannot” statements

The permission label sets are calculated by applying the sorted rules in reverse order.

While this may sound a little complex, it just applies rules in the order which you would expect:

  • If you’re directly a member of a group, those permissions are more important.
  • Cannot statements override Can statements.
  • Reset rules statements clear the previous rules before Cannot or Can statements are applied.
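
As an added illustration, not the Platform's own code, here is a small Python model of the resolution just described, run over constructed groups and rules. It assumes that within one membership distance rules are applied Reset first, then Can, then Cannot (my reading of the three points above), and that a rule set directly on the user applies at distance 0, ahead of any group rule.

```python
from collections import deque

# Within one distance, apply Reset first, then Can, then Cannot (so Cannot wins).
APPLY_ORDER = {"Reset": 0, "Can": 1, "Cannot": 2}

def membership_distances(user, members_of):
    """Breadth-first walk of group membership: the user's direct groups are
    distance 1, groups those groups belong to are distance 2, and so on."""
    dist = {user: 0}
    queue = deque([user])
    while queue:
        node = queue.popleft()
        for group in members_of.get(node, ()):
            if group not in dist:
                dist[group] = dist[node] + 1
                queue.append(group)
    return dist

def permission_labels(user, members_of, rules):
    """Return (granted, overridden): the (label, op) pairs the user holds and the
    indexes of rules shown crossed out. A rule is (principal, statement, label, ops)."""
    dist = membership_distances(user, members_of)
    applicable = [i for i, r in enumerate(rules) if r[0] in dist]
    # Least important first: farthest principal, then Reset, Can, Cannot.
    applicable.sort(key=lambda i: (-dist[rules[i][0]], APPLY_ORDER[rules[i][1]]))
    decision = {}    # (label, op) -> (allowed?, index of the deciding rule)
    effective = set()
    for i in applicable:
        _, statement, label, ops = rules[i]
        for op in ops:
            if statement == "Reset":
                if decision.pop((label, op), None) is not None:
                    effective.add(i)   # the Reset actually cleared something
            else:
                decision[(label, op)] = (statement == "Can", i)
    effective |= {i for _, i in decision.values()}
    granted = {pair for pair, (ok, _) in decision.items() if ok}
    overridden = [i for i in applicable if i not in effective]
    return granted, overridden

# Constructed sample data: alice -> Confidential access -> Staff -> Everyone.
MEMBERS_OF = {"alice": ["Confidential access"], "Confidential access": ["Staff"], "Staff": ["Everyone"]}
RULES = [
    ("Everyone", "Cannot", "Confidential", {"Read", "Create"}),          # distance 3
    ("Staff", "Can", "Confidential", {"Create"}),                        # distance 2
    ("Confidential access", "Can", "Confidential", {"Read", "Delete"}),  # distance 1
    ("Confidential access", "Cannot", "Confidential", {"Delete"}),       # Cannot beats Can
    ("Confidential access", "Reset", "Confidential", {"Create"}),        # clears rules 0 and 1
    ("Finance", "Can", "Invoice", {"Read"}),                             # alice is not in Finance
]
```

For alice this grants only Read on Confidential: the Reset wipes the Create decisions from the farther groups, the Cannot on Delete beats the Can at the same distance, and the Everyone and Staff rules end up crossed out.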

The calculated Permission rules for a user are displayed in System management:

Your Name » System management » User » Choose a user » Permissions

The rules are shown in the order they apply, and any rule which is overridden by another rule is crossed out.

Editing Permission rules

Permission rules are edited in System management.

Your Name » System management » Groups » Choose a group » Permissions » Edit

Click “all” as a shortcut to set all the operations for this rule.

Permissions should be set on a group basis. Although you can set permissions on individual users, it is recommended you only do this in exceptional circumstances. Defining permissions by role, rather than by individuals, simplifies administration.

Plugins and permission rules

Plugins can add permission rules to any user in the system. These apply at the highest priority, and are displayed along with all the other rules in System management.