The purpose of Full Control permissions is to group permissions in a hierarchy. Note that Full Control Permissions are a particular case of Groups of permissions.

They are permissions automatically created by GeneXus for each Transaction or Business Component exposed as a REST web service (the name of the permission is based on the Permission Prefix property).

Permissions that are children of the Full Control permission are generally related to the different Modes of the Transaction or BC (Insert, Update, Delete) and Execute.

The main idea is to facilitate the administration of those permissions.

When you add any Full Control permission to a Role, by default all the child permissions of that Full Control permission are also added to the Role, unless the inheritance has been lost.

See Figure 1, where we add the "Product_FullControl" permission to the "RoleSample" Role.

FullControlpermissionsample

Figure 1.

When we add this permission to the role, all the child permissions are added to the role as well. Note in Figure 2 that this is because the child permissions inherit from their parent.

ChildrenPermissionsAdded

Figure 2.

If you uncheck the "Inherited" check box of the Product_Delete permission, as shown in Figure 3, the inheritance is lost. That is, the behavior of the parent permission is no longer reflected in the child.

PermissionInheritanceLost

Figure 3.

See in Figure 4 that after deleting the Product_FullControl permission, Product_Delete remains in the role.

PermissionInheritance2
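The sequence shown in Figures 1 to 4 can be modeled to show why a role review should look for child permissions that outlive their Full Control parent. This is an added example, not GeneXus or GAM code: the `Role` class, its methods, and the child names `Product_Insert`, `Product_Update` and `Product_Execute` are assumptions, as is the removal of still-inherited children together with the parent.

```python
# Model of the inheritance behavior described on this page.
# NOT the GAM API: every class and method name here is hypothetical.

CHILD_MODES = ("Insert", "Update", "Delete", "Execute")


class Role:
    def __init__(self, name):
        self.name = name
        # permission name -> parent it inherits from, or None if standalone
        self.grants = {}

    def add_full_control(self, prefix):
        parent = f"{prefix}_FullControl"
        self.grants[parent] = None
        for mode in CHILD_MODES:
            # Each child is added with "Inherited" checked (Figure 2)
            self.grants[f"{prefix}_{mode}"] = parent

    def break_inheritance(self, permission):
        # Equivalent of unchecking "Inherited" (Figure 3)
        if self.grants.get(permission) is None:
            raise ValueError(f"{permission} is not an inherited grant")
        self.grants[permission] = None

    def remove(self, permission):
        self.grants.pop(permission, None)
        # Assumption: children that still inherit follow the parent out
        for child in [p for p, par in self.grants.items() if par == permission]:
            del self.grants[child]

    def standalone_children(self):
        """Audit check: mode-level permissions held without a Full Control parent."""
        return sorted(p for p, par in self.grants.items()
                      if par is None and not p.endswith("_FullControl"))


def demo():
    role = Role("RoleSample")
    role.add_full_control("Product")          # Figures 1 and 2
    role.break_inheritance("Product_Delete")  # Figure 3
    role.remove("Product_FullControl")        # Figure 4
    return role
```

After `demo()`, the role still holds `Product_Delete`, so removing a Full Control permission is not by itself a complete revocation when any child has had its inheritance unchecked.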

See Also

GAM - Permissions
GAM - Grouping of permissions
GAM - Roles