Permission system

Overview

The permission system provides fine-grained access control across different resources in your organization. It's built around three main concepts:

• Companies: The top-level organization unit
• Resource Groups: Collections of resources that can be managed together
• Users: Individual members with specific permissions

Available Resources

The system controls access to the following resources:

1. Datasources

   • Create, read, update, and delete datasources
   • Query datasources for information
   • Access is restricted by company and resource group

2. Users

   • Manage user accounts within your company
   • Users can always read and update their own information
   • Admin users can manage other users in their company

3. Resource Groups

   • Create and manage groups of resources
   • Organize permissions and access control
   • Restricted to company level

4. Roles

   • Define sets of permissions
   • Assign roles to users
   • Manage at company level

5. Content & Workflows

   • Create and manage content and workflows
   • Access controlled by company and resource group
   • Full CRUD operations available

6. Companies

   • View and update company information
   • Restricted to company administrators

Permission Types

Each resource supports different types of permissions:

1. Basic Operations

   • create: Create new resources
   • read: View existing resources
   • update: Modify existing resources
   • delete: Remove resources

2. Special Operations

   • access: General access to specific applications (Statistics)
   • query: Special ability to search inside datasources
   • export: Export data (for Statistics)

Access Control Rules

1. Company-Level Control

   • Users can only access resources within their company
   • Company ID is automatically checked for all operations

2. Resource Group Restrictions

   • Many resources are further restricted by resource groups
   • Users must have appropriate resource group access

3. Self-Management

   • Users can always manage their own profile
   • Special permissions exist for self-service operations

Best Practices

1. Resource Groups

   • Use resource groups to organize related resources
   • Assign users to specific resource groups based on their needs

2. Role-Based Access

   • Create roles for common permission sets
   • Assign users to roles instead of individual permissions

3. Principle of Least Privilege

   • Grant minimum necessary permissions
   • Regularly review and audit access

Security Notes

• All permissions are enforced server-side
• Access tokens are required for authentication
• Internal service communications use secure headers