Introduction
Permissions ensure that users can't access restricted data, and can only change data that they have access to in the system.
The "actions" property defines whether the model can be used for BIUD - Browse, Insert, Update, or Delete.
The "roles" property further restricts the capabilities of the model per user.
Actions / Roles Example
{
"table":"cust",
"layout":"grid",
"title":"All Customers",
"caption":["Customer","Customers"],
"actions":"BI",
"roles": {
"main": { "*":"B" },
"client": { "C_B":"B","C_X":"*" }
}
}
Actions
The "actions" parameter defines what operations the model can perform. Actions can be any combination of the following characters.
- B - Browse
- I - Insert
- U - Update
- D - Delete
{
"actions":"BIUD"
}
Automatic model.actions
If model.actions is not defined, it defaults to a value based on the model layout and properties.
If you come across a situation where the automatic action is incorrect, and could be improved by adjusting the default model.actions algorithm, please submit a suggested rule change via a support ticket on jsHarmony's GitHub page.
Roles
The "roles" parameter is used to restrict actions by user role and site. Each role is assigned a permission string (PERM) made up of the following characters:
- B - Browse
- I - Insert
- U - Update
- D - Delete
- * - All actions - equivalent to BIUD
{
"roles":{
"SITE1": { "ROLE":"PERM", "ROLE":"PERM" },
"SITE2": { "ROLE":"PERM", "ROLE":"PERM" }
}
}
Alternatively, when roles are defined without the site, permissions are applied to the "main" site:
{
"roles":{ "ROLE":"PERM", "ROLE":"PERM" }
}
The role ID can be set to "*" to signify all users in that site:
{
"roles":{ "*":"B" }
}
By default, only the SYSADMIN and DEV roles have access to a model. Permissions for users who are not SYSADMINs or DEVs must be explicitly defined using the "roles" parameter.
In order for a model to be visible on a site, the model must have roles assigned for that site. If a model definition has no roles defined, the model will only be accessible on the "main" site to SYSADMIN and DEV users.
Effective Permissions
A user's role permissions are added together, but the result can never exceed the "actions" parameter. For example:
{
"actions":"BIU",
"roles":{
"SYSADMIN":"*",
"EDITOR":"BU",
"READER":"B"
}
}
This results in the following permissions:
- A user with only the "READER" role will have "B" access
- A user with "EDITOR" and "READER" roles will have "BU" access
- A user with "SYSADMIN", "EDITOR" and "READER" roles will have "BIU" access
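The rule above as an added JavaScript example (not jsHarmony's own code; all function names are hypothetical): the permissions of a user's roles on a site are unioned, then capped by "actions". It assumes "actions" is set explicitly, and it does not model the automatic model.actions default or the implicit SYSADMIN/DEV access.

```javascript
// Added illustration, not jsHarmony source. Function names are hypothetical.
const ALL = 'BIUD';
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Expand "*" to BIUD; keep only known action letters, in BIUD order.
function expandPerm(perm) {
  if (perm === '*') return ALL;
  return [...ALL].filter(c => String(perm).includes(c)).join('');
}

// Normalise "roles" to { site: { role: perm } }. Assumption: string values
// mean the site-less form, which the page applies to the "main" site.
function rolesBySite(roles) {
  if (!roles) return {};
  const values = Object.values(roles);
  const flat = values.length > 0 && values.every(v => typeof v === 'string');
  return flat ? { main: roles } : roles;
}

// Union of the permissions granted to the user's roles on the site, plus the
// "*" all-users entry, capped by the model's "actions".
function effectivePermissions(model, site, userRoles) {
  const bySite = rolesBySite(model.roles);
  const siteRoles = own(bySite, site) ? bySite[site] : {};
  const granted = new Set();
  for (const role of ['*', ...userRoles]) {
    if (own(siteRoles, role)) {
      for (const c of expandPerm(siteRoles[role])) granted.add(c);
    }
  }
  const cap = model.actions || ''; // assumption: no "actions" grants nothing here
  return [...ALL].filter(c => granted.has(c) && cap.includes(c)).join('');
}

// Constructed sample models, copied from the two examples on this page.
const editorModel = { actions: 'BIU', roles: { SYSADMIN: '*', EDITOR: 'BU', READER: 'B' } };
const custModel = {
  actions: 'BI',
  roles: { main: { '*': 'B' }, client: { C_B: 'B', C_X: '*' } }
};

console.log(effectivePermissions(editorModel, 'main', ['READER']));
console.log(effectivePermissions(editorModel, 'main', ['EDITOR', 'READER']));
console.log(effectivePermissions(editorModel, 'main', ['SYSADMIN', 'EDITOR', 'READER']));
console.log(effectivePermissions(custModel, 'client', ['C_X']));
```

In the customer model, "C_X" is granted "*" on the "client" site but still ends up with only "BI", because "actions" caps every role.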