Permission rules
Permission label sets are generated for each user by applying Permission rules. These allow you to make statements about the rules you wish to see implemented, and the Platform uses them to build the permission label sets.
A rule applies to a group or user, and consists of:
- A statement: Can, Cannot, or Reset rules about
- a label
- and one or more operations: Read, Create, Edit, Relabel, Delete, Approve
For example,
Members of the |Confidential access| group |Can| |Read| objects which are labelled with |Confidential|
To work out the label permission sets, the Platform finds all the rules which apply, then sorts them by:
- Distance from user (ie direct memberships first, then groups which are members of those groups, and so on)
- then “Reset rules”, then “Can”, then “Cannot” statements
The permission labels sets are calculated by applying the sorted rules in reverse order.
While this may sound a little complex, it just applies rules in the order which you would expect:
- If you’re directly a member of a group, those permissions are more important.
- Cannot statements override Can statements.
- Reset rules statements clear the previous rules before Cannot or Can statements are applied.
The calculated Permission rules for a user are displayed in System management:
The rules are shown in the order they apply, and any rule which is overridden by another rule is crossed out.
Editing Permission rules
Permission rules are edited in System management.
Click all as a shortcut to set all the operations for this rule.
Permissions should be set on a group basis. Although you can set permissions on individual users, it is recommended you only do this in exceptional circumstances. Defining permissions by role, rather than by individuals, simplifies administration.
Plugins and permission rules
Plugins can add permission rules to any user in the system. These apply at the highest priority, and are displayed along with all the other rules in System management.