Permissions
Permissions are implemented in what is called an access control list.
Permissions have a simple and an advanced edit mode. In the simple edit mode, permissions have 4 basic ability types.
Base Ability
| Ability | Value | Description |
|---|---|---|
| read | 0x01 | Read an instance of an object |
| interact | 0x02 | Interact with an instance of an object |
| create_edit | 0x04 | Create a new instance or edit an existing instance of an object |
| delete | 0x08 | Delete an instance of an object |
Permissions are assigned in the access control list by applying a permissions grant to a user or a role.
Grant Values
| Grant | Value | Description |
|---|---|---|
| Deny | -1 | Deny the user from using an ability |
| Inherit | 0 | Inherit the abilities from a parent object |
| Allow | 1 | Allow the user to use an ability |
Objects
| Object | Value | Description |
|---|---|---|
| organisation | 0x0001 | Organisation |
| user | 0x0002 | User |
| role | 0x0004 | Role |
| workgroup | 0x0008 | Workgroup |
| team | 0x0010 | Team |
| document | 0x0020 | Document |
| workitem | 0x0040 | Work item |
| location | 0x0080 | Location |
| fleet | 0x0100 | Fleet |
| assetgroup | 0x0200 | Asset group |
Permissions
| Permission | Ability | Description | Object |
|---|---|---|---|
| MANAGE_ORGANISATION | create_edit | Allows to manage the organisation | organisation |
| CREATE_INVITE | create_edit | Allows to create invites to the organisation | organisation |
| REVOKE_INVITE | delete | Allows to revoke active invites to the organisation | organisation |
| MANAGE_ROLES | create_edit | Allows to manage roles for the organisation | organisation |
| MANAGE_WORKGROUPS | create_edit | Allows to manage work groups for the organisation | organisation, workgroup |
| MANAGE_TEAMS | create_edit | Allows to manage teams for a work group | organisation, workgroup, team |
| CREATE_WORKITEMS | create_edit | Allows to create new work items | organisation |
| WORK_WORKITEMS | interact | Allows to work on work items | organisation |
| SCHEDULE_WORKITEMS | create_edit | Allows to add a schedule to a work item | organisation |
| INVITE_WORKITEMS | create_edit | Allows to invite people to work item schedules | organisation, workitem |
| VIEW_WORKITEMS | read | Allows to view work items | organisation, location, fleet, workitem |
| CREATE_DOCUMENTS | create_edit | Allows to create new documents | organisation |
| EDIT_DOCUMENTS | create_edit | Allows to edit documents | organisation, document |
| FORK_DOCUMENTS | create_edit | Allows to fork documents into a new document | organisation, document |
| VIEW_DOCUMENTS | read | Allows to view documents | organisation, document |
| MANAGE_SYSTEMS | create_edit | Allows to manage systems for a fleet | organisation, fleet |
| MANAGE_LOCATIONS | create_edit | Allows to manage locations for the organisation | organisation |
| VIEW_LOCATIONS | read | Allows to view locations for the organisation | organisation, location |
| MANAGE_FLEETS | create_edit | Allows to manage fleets for the organisation | organisation |
Inheritance
Permissions can be inherited from the parent object.
Permission Object
Permissions have a unique name known as a permission key.
| Field | Type | Description |
|---|---|---|
| id | snowflake | the permission's id |
| key | string | the permission's unique key (2-30 characters) |
| description | string | a description of the permission |
| ability | base ability | The base ability the permission grants |
Permission Grant Object
| Field | Type | Description |
|---|---|---|
| object_id | snowflake | the item the permission grant is for |
| object_type | integer | The object type |
| permittee_id | snowflake | the user, role, workgroup, or team id |
| permittee_type | integer | The object type, either user, role, workgroup, or team |
| permission_id | snowflake | the permission being granted |
| grant | sbyte | The grant value |
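The following is an added example, not code from the project: a sketch of how the Deny/Inherit/Allow grant values could be resolved against a parent chain. The precedence rules (Deny beats Allow at the same level, the nearest explicit grant wins, deny when nothing is found), the `parents` map, and all ids are assumptions constructed for illustration; the page does not specify them.

```python
from typing import NamedTuple

DENY, INHERIT, ALLOW = -1, 0, 1  # values from the Grant Values table


class Grant(NamedTuple):
    # Subset of the Permission Grant Object (type fields omitted for brevity)
    object_id: int
    permittee_id: int
    permission_id: int
    grant: int


def resolve(grants, parents, object_id, permittee_ids, permission_id):
    """Return True if the permission is effectively allowed on object_id.

    Assumed rules (not stated by the page): an explicit Deny beats an Allow
    at the same level, the nearest object with an explicit grant wins, and
    the result is deny when nothing up the chain grants Allow.
    """
    seen = set()
    current = object_id
    while current is not None and current not in seen:
        seen.add(current)  # guard against a cyclic parent map
        values = {g.grant for g in grants
                  if g.object_id == current
                  and g.permission_id == permission_id
                  and g.permittee_id in permittee_ids}
        if DENY in values:
            return False
        if ALLOW in values:
            return True
        current = parents.get(current)  # Inherit (0) or no grant: ask the parent
    return False


# Constructed sample data: organisation 1 is the parent of documents 10 and 11.
PARENTS = {10: 1, 11: 1}
VIEW_DOCUMENTS = 500  # hypothetical permission id
USER, ROLE = 100, 200  # hypothetical permittee ids
GRANTS = [
    Grant(1, ROLE, VIEW_DOCUMENTS, ALLOW),     # role may view all documents
    Grant(10, USER, VIEW_DOCUMENTS, INHERIT),  # defer to the organisation
    Grant(11, USER, VIEW_DOCUMENTS, DENY),     # user blocked on document 11
]

if __name__ == "__main__":
    for doc in (10, 11):
        print(doc, resolve(GRANTS, PARENTS, doc, {USER, ROLE}, VIEW_DOCUMENTS))
```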