Permissions & Rights
Introduction
As described in Groups, a record is linked with several groups. Each link, called a permission, describes which of the following 3 rights it has:
Rights
Right | Ability |
---|---|
Read right | Ability to see the metadata of the record |
Write right | Ability to edit and delete the record |
Export right | Ability to download the record |
Permissions
For example, take image X, linked with 3 groups with the following rights:
Group | Read Right | Write Right | Export Right |
---|---|---|---|
Everyone | ✓ | ✗ | ✗ |
Marketing | ✓ | ✓ | ✗ |
Admin | ✓ | ✓ | ✓ |
We can rephrase this as:
Users linked with the group “Everyone” will have the ability to see the image X.
Users linked with the group “Marketing” will be able to see and edit the image X.
Users linked with the group “Admin” will be able to see, edit and export the image X.
Minimum Requirements
When saving a record, at least 1 group needs to be present with write rights. The goal is to ensure that users do not lose their write access after saving the record. Zone groups are excluded from the valid groups.
This minimum requirement is not applicable in any of the following situations:
The user is a member of the administrator group (because by design this group always has all rights)
The user has the function ADMIN_EDIT_ALL_ORGANISATIONS
The record type does not require write rights (helper records such as a generic selection)
[Internal] The user is a system user
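The rights table for image X and the save-time minimum requirement, modelled as an added example (this is not the product's own code). The names `Permission`, `User`, `effective_rights`, `is_exempt` and `can_save`, the `zone_group` flag, the administrator group name "Admin", and the rule that a user in several groups gets the union of their rights are assumptions made for illustration.

```python
from dataclasses import dataclass, field

ADMIN_GROUP = "Admin"                      # assumed name of the administrator group
EDIT_ALL = "ADMIN_EDIT_ALL_ORGANISATIONS"  # function named on the page
RIGHTS = ("read", "write", "export")

@dataclass(frozen=True)
class Permission:
    """One record-to-group link and the rights it carries."""
    group: str
    read: bool = False
    write: bool = False
    export: bool = False
    zone_group: bool = False  # assumption: zone groups are flagged on the link

@dataclass
class User:
    groups: set
    functions: set = field(default_factory=set)
    system_user: bool = False

def effective_rights(user, permissions):
    """Rights a user holds on a record (assumed: union over the user's groups)."""
    rights = set()
    for p in permissions:
        if p.group in user.groups:
            rights |= {r for r in RIGHTS if getattr(p, r)}
    return rights

def is_exempt(user, record_requires_write=True):
    """The four situations in which the minimum requirement does not apply."""
    return (ADMIN_GROUP in user.groups
            or EDIT_ALL in user.functions
            or not record_requires_write
            or user.system_user)

def can_save(user, permissions, record_requires_write=True):
    """At least one non-zone group must hold the write right, unless exempt."""
    if is_exempt(user, record_requires_write):
        return True
    return any(p.write and not p.zone_group for p in permissions)

# Constructed sample: the permissions of image X from the table above.
IMAGE_X = [
    Permission("Everyone", read=True),
    Permission("Marketing", read=True, write=True),
    Permission("Admin", read=True, write=True, export=True),
]
```

A save that would leave only read-only or zone-group links is rejected for ordinary users, which is the case behind a failed upload when default permissions carry no write right.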
Troubleshooting
Upload fails
This can happen when the system uses the default permissions (based on the user’s groups). Possible fixes are:
Enabling permission inheritance on the record type(s)
Making sure that users that are allowed to create/edit/upload are part of at least one group with default write rights