Permission Access Type

Official Content

The Access Type of a permission defines the permission level available: Allow, Restricted, and Deny. It's assigned at different levels:

The Access Type of a permission defined at all levels will be used to determine the final permissions for each user.

A permission Access Type at Application level is a default access type and is overridden by the Access Type of the same permission in some role the user is associated with. In turn, the Access Type of the permission which is granted directly to the user overrides the Access Type of the permission at Role level. 

In this document, we explain the meaning of permission Access Type depending on where the permission is defined.

Default Access Type of a permission at Application level

The Access type of a permission (specified at Application level) is the default value. It means that this is the access type of this permission for any user unless there is an exception which overrides this default.

Restricted:

It implies that only users who have this permission granted with Access Type = Allow or have some role where this permission is allowed, have the corresponding rights. That is to say, the user doesn't have this permission by default.

Example:

1.  In the following figure, the permission associated with the selection list for customers is restricted. The list of Application permissions can be seen using the GAM Backend.

permissionrestrictedatapplevel

Figure 1.

2. Since the user has not been granted this permission and has no roles where this permission is "allowed", the execution on the selection list for customers will fail with an Authorization error.

executionAuthError

Figure 2.


Allow:

This access type enables the permission to everyone by default. Users who have this permission granted with Access Type = restricted or denied, or have some role where the permission is restricted or denied won't have this permission.

Example:

1. In the following figure the permission associated with the selection list for products (gx0010_Execute permission) has "Default Access Type"= Allow.

DefaultAccessTypeAppLev

Figure 3.

2. This means that the user who has "RoleSample" has access rights to execute object gx0010, even though "RoleSample" doesn't have gx0010_Execute permission. See figure 4 where the user roles are shown, and figure 5 where the permissions of this role are listed.

userrolessamplepermApplevel

Figure 4.

rolepermissions1sample

Figure 5.

As a consequence of what was previously explained, the user has the permission gx0010_Execute.

Access Types of permissions at Role level

Allow:

A user who has a role with a permission of Access Type = Allow will have this permission unless he has been given this permission with Access Type = Deny, or has another role where the same permission is denied.

Deny:

A user who has a role with a permission of Access Type = Deny won't have this permission regardless if the permission is allowed at application level (by default) or if he has another role where the permission is allowed. The only way in which the user can be granted this permission is with Access Type = Allow.

Restricted:

If a permission is restricted to a user's role, he doesn't have this permission unless the user is granted this permission with Access Type = Allow or has another role where the same permission is allowed.

Access Types of permissions assigned to the user

The permissions assigned to the user have precedence over the permissions assigned through user roles. That means, for example, that if a user has a permission that has been directly assigned to him, which has Access Type = Allow, this permission overrides any permission which has Access Type = Deny at role level for any role the user is associated with.

Summary

The following figure provides a graphical explanation of how Role permissions are given to users depending on the Access Type of these permissions. In this case, we are not considering if the user has permissions directly assigned to him.

Permission

Default Access Type

Application level

Permission

Access Type

Role level

Behavior

Permission

Access Type

Role level
Behavior

Permission

Access Type

Role level
Behavior
Allow

Allow (only one role)

Has permission

Allow (at least one role)

&

Restricted (any roles)

Has permission

Deny (at least one role)

&

Restricted or Allow (any roles)

Has No permissions
 

Restricted (only one role)

Has No permission

Deny (only one role)

Has No permission  
No roles with this permission Has permission  
Restricted Allow (only one role) Has permission

Allow (at least one role)

&

Restricted (any roles)

Has permission

Deny (at least one role)

&

Restricted or Allow (any roles)

Has No permissions
  Restricted (only one role) Has No permission
Deny (only one role) Has No permission  
No roles with this permission Has No permission  

Was this page helpful?
What Is This?
Your feedback about this content is important. Let us know what you think.