System rights
System rights differ from the other rights: they are attached to users through the _system_rights parameter, either of the user itself or of a group the user belongs to. No ACL is involved. All system rights begin with “system”.
Rights
The system rights are classified into groups. This is just a classification that can be used in the frontend to group related rights.
Group main
Right | Description | Parameters |
---|---|---|
system.root | User is allowed to do anything; rights management does not apply. The system user “root” always has this right. Only users with this right may pass it on to other users | - |
system.datamodel | Datamodel permissions | level, one of “current” (view the current datamodel; this is a frontend-only right, as the server needs to publish the datamodel to every user), “development” (update the development branch of the datamodel and mask definitions) or “commit” (commit the development branch of the datamodel and make it current) |
system.server.error.self_uuid_detail | User is allowed to retrieve detailed information about a server error caused by him/herself | - |
system.server.error.uuid_detail | User is allowed to retrieve detailed information about any server error | - |
system.config | Access /api/config | - |
system.profile | Modify profiles with /api/xmlmapping | - |
system.message | Access /api/message and the frontend app | - |
system.objecttypemanager | Access objecttype manager | - |
system.poolmanager | Access pool manager | - |
system.tagmanager | Access tags and transitions manager | - |
system.rightpresetmanager | Access right presets manager | - |
system.objectadmineditor | Only used by the frontend | - |
system.ignore_columnfilters | Only used by the frontend | - |
system.server.status | Access APIs provided by server plugins | - |
system.api.publish.get | Allow GET requests to the publish API | - |
system.api.publish.post | Allow POST requests to the publish API | - |
system.api.publish.delete | Allow DELETE requests to the publish API | - |
system.api.event.get | Allow GET requests to the event API (event/poll is allowed for every authenticated session) | - |
system.api.event.delete | Allow DELETE requests to the event API | - |
system.search | Access frontend “Search” | show_fixed_searches (bool, defaults to false): show fixed searches; has_own_collections (bool, defaults to false): user can have own collections |
system.search_collection_only | Access frontend “Search”, but only for collections | - |
system.allow_custom_in_right_with_preset | User is allowed to set custom rights in an ACL entry that also works with presets (frontend only) | - |
system.frontend_features | Frontend features (on/off) | see below |

Parameters of system.frontend_features
Unless noted otherwise, the parameters are bool and default to false:
- changelog
- download
- export
- editor_bulk
- editor_bulk_delete
- deep_link_sharing
- print
- csv_importer
- json_importer
- asset_browser_metadata_tool
- stored_searches
- collection_presentation
- script_runner
- enable_ignore_linked_objects_filter
- metadata_export: list of none or one of standard_only, standard, keep or remove
- metadata_upload: list of none or one of standard_only, standard
- collection: list of none or more of: sharing
- acl_manager: list of none or more of: create_email_user
Group user
This group covers the rights related to user and group management.
Right | Description | Parameters |
---|---|---|
system.user | Access frontend “User Management”, GET /api/user | see below |
system.group | Access frontend “Group Management”, GET /api/group | see below |
system.user.write_self | User is allowed to edit some of its own configuration | see below |
system.user.change_password | User is allowed to change its password | - |
system.user.create_new | User is allowed to create a new user (used for registration) | see below |

Parameters of system.user and system.group
All parameters are bool and default to false. They apply to system.user (users) and system.group (groups) alike, except where noted:
- create: creation of users (groups) is allowed
- create_acl: allow to add an ACL when creating a user (group)
- create_system_rights: allow to add system rights when creating a user (group)
- edit_acl: allow to modify the ACL when updating a user (group)
- edit_system_rights: allow to modify system rights when updating a user (group)
- hide_frontend_app: don’t show the user (group) management app in the frontend
- global_custom_bag_read (system.group only): the bag_read right is granted for all custom groups
system.user.write_self and system.user.create_new
These rights have several parameters of type bool. All of them are optional and default to false. Each parameter set to true allows a user to:
- modify the value of a certain field of its own user record (for system.user.write_self)
- set the value of a certain field when creating a new user (for system.user.create_new)
Parameter | Field |
---|---|
first_name | user.first_name |
last_name | user.last_name |
displayname | user.displayname |
company | user.company |
department | user.department |
phone | user.phone |
street | user.street |
house_number | user.house_number |
address_supplement | user.address_supplement |
postal_code | user.postal_code |
town | user.town |
country | user.country |
picture | user.picture |
mail_schedule | user.mail_schedule |
_new_primary_email | _new_primary_email |
The right system.user.create_new has additional parameters:
Parameter | Description |
---|---|
type | Type for the new user: choice between easydb, easydb_self_register or custom_type |
custom_type | Custom type for the new user: see below |
require_group | Whether a group is required when creating the user (bool): defaults to false |
_password | Password of the new user |
login | Login of the new user |
default_send_email | Default value for send_email for the new user (bool): defaults to false. See “User full format” for this and the following parameters |
default_send_email_include_password | Default value for send_email_include_password for the new user (bool): defaults to false |
default_send_welcome_new_user | Default value for send_welcome_new_user for the new user (bool): defaults to false |
default_needs_confirmation | Default value for needs_confirmation for the new user (bool): defaults to false |
default_use_for_login | Default value for use_for_login for the new user (bool): defaults to false |
default_use_for_email | Default value for use_for_email for the new user (bool): defaults to false |
If the right parameter type is set to “custom_type”, a custom_type has to be provided. Users created through this right will have the type “custom-<custom_type>”.
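As an added example (not easydb code), the following script shows how a registration endpoint would enforce the parameters of system.user.create_new described above: only fields whose parameter is set to true may be supplied, require_group is honoured, the send_email/needs_confirmation flags are taken from the right's defaults rather than from the request, and the resulting type is derived as “custom-<custom_type>”. The right record shape ({"name": ..., "parameters": {...}}), the request layout ("user", "_new_primary_email", "_groups") and the treatment of login and _password as bool switches are assumptions for illustration.

```python
"""Validate a registration request against the parameters of system.user.create_new.

Added example for this page; it is not easydb code. Assumptions for illustration:
a right is {"name": ..., "parameters": {...}}, the request carries user fields
under "user" plus optional "_new_primary_email" and "_groups", and the right
parameters "login" and "_password" act as bool switches like the field parameters.
"""

# Field parameters from the table above (parameter name == user field name),
# plus the two assumed switches.
USER_FIELDS = ("first_name", "last_name", "displayname", "company", "department",
               "phone", "street", "house_number", "address_supplement",
               "postal_code", "town", "country", "picture", "mail_schedule",
               "login", "_password")
FIELD_PARAMETERS = {name: "user." + name for name in USER_FIELDS}
FIELD_PARAMETERS["_new_primary_email"] = "_new_primary_email"

VALID_TYPES = ("easydb", "easydb_self_register", "custom_type")
DEFAULT_FLAGS = ("send_email", "send_email_include_password", "send_welcome_new_user",
                 "needs_confirmation", "use_for_login", "use_for_email")


def allowed_fields(parameters):
    """Field paths the right unlocks: every field parameter explicitly set to true.
    Parameters default to false, so an absent key unlocks nothing."""
    return {field for param, field in FIELD_PARAMETERS.items()
            if parameters.get(param) is True}


def request_fields(request):
    """Flatten a request into the same "user.x" / "_new_primary_email" paths."""
    paths = {"user." + key for key in request.get("user", {})}
    if "_new_primary_email" in request:
        paths.add("_new_primary_email")
    return paths


def resulting_type(parameters):
    """Type of the created user, or None if the right's parameters are inconsistent."""
    user_type = parameters.get("type")
    if user_type not in VALID_TYPES:
        return None
    if user_type == "custom_type":
        custom = parameters.get("custom_type")
        return "custom-" + custom if custom else None
    return user_type


def validate_create_request(right, request):
    """Return (record, errors): the sanitized user to create, or None plus the reasons."""
    if right.get("name") != "system.user.create_new":
        return None, ["right is not system.user.create_new"]
    params = right.get("parameters", {})
    errors = []

    user_type = resulting_type(params)
    if user_type is None:
        errors.append("right parameter 'type' is invalid or custom_type is missing")

    # Deny by default: a field the right does not unlock is rejected, not silently
    # dropped, so a client cannot quietly set fields the right was never meant to expose.
    for path in sorted(request_fields(request) - allowed_fields(params)):
        errors.append("field not permitted by right: " + path)

    if params.get("require_group") is True and not request.get("_groups"):
        errors.append("require_group is set but the request names no group")

    if errors:
        return None, errors
    record = {"type": user_type, "user": dict(request.get("user", {})),
              "_groups": list(request.get("_groups", []))}
    if "_new_primary_email" in request:
        record["_new_primary_email"] = request["_new_primary_email"]
    # These flags come from the right's default_* parameters, never from the
    # request, so a registrant cannot opt out of confirmation.
    for flag in DEFAULT_FLAGS:
        record[flag] = params.get("default_" + flag, False)
    return record, []


# Constructed sample: a registration right that unlocks only name, login,
# password and e-mail, requires a group and creates users of type "custom-external".
REGISTRATION_RIGHT = {
    "name": "system.user.create_new",
    "parameters": {"type": "custom_type", "custom_type": "external",
                   "first_name": True, "last_name": True, "login": True,
                   "_password": True, "_new_primary_email": True,
                   "require_group": True, "default_needs_confirmation": True,
                   "default_use_for_login": True, "default_use_for_email": True},
}
GOOD_REQUEST = {
    "user": {"first_name": "Ada", "last_name": "Lovelace", "login": "ada",
             "_password": "correct horse battery staple"},
    "_new_primary_email": "ada@example.org",
    "_groups": ["registered"],
}
# Same request, but it also tries to set "company" (not unlocked) and names no group.
BAD_REQUEST = {"user": dict(GOOD_REQUEST["user"], company="Analytical Engines Ltd"),
               "_new_primary_email": "ada@example.org", "_groups": []}

if __name__ == "__main__":
    print(validate_create_request(REGISTRATION_RIGHT, GOOD_REQUEST))
    print(validate_create_request(REGISTRATION_RIGHT, BAD_REQUEST))
```

The check is deliberately deny-by-default: a field that is present in the request but not unlocked by the right is an error rather than being stripped, which keeps a misconfigured right from being probed field by field.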
Comments
The management of the system rights and of the ACLs themselves is divided into two parts:
- The system rights management, granted through the system right system.rightsmanagement. This right allows a user to:
  - manage the ACL of objecttypes, users and groups
  - manage the ACL of the root pool and the root collection
  - manage the system rights of users and groups
  - edit tags and transitions
- The regular rights management, granted through the acl and bag_acl rights discussed in the previous sections:
  - the acl right for objects at objecttype, tag and pool levels
  - the bag_acl right for pools and collections other than root
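Because system rights reach a user either directly or through any of its groups, an audit has to look at the merged set. The following script is an added example (not easydb code) that computes the effective system rights of each user and lists the accounts that can change system rights at all: system.root, system.rightsmanagement, and system.user or system.group with create_system_rights or edit_system_rights. The record shape (_system_rights as a list of {"name": ..., "parameters": {...}}, groups referenced by id in "_groups") and the merge rule (bool parameters OR-ed, list parameters unioned) are assumptions for the audit, not documented easydb behaviour.

```python
"""Audit which accounts can effectively hand out or change system rights.

Added example for this page, not easydb code. Assumed record shape: users and
groups carry "_system_rights" as a list of {"name": ..., "parameters": {...}};
users reference their groups by id in "_groups". The merge rule (a user holds
every right of every group it belongs to; bool parameters are OR-ed, list
parameters unioned) is an assumption for the audit.
"""

# Right -> parameters that make it privilege-granting (empty tuple: the right itself).
PRIVILEGE_GRANTING = {
    "system.root": (),                  # rights management does not apply at all
    "system.rightsmanagement": (),      # manages system rights of users and groups
    "system.user": ("create_system_rights", "edit_system_rights"),
    "system.group": ("create_system_rights", "edit_system_rights"),
}


def merge_parameters(into, params):
    """Merge one right's parameters into the accumulated ones (assumed rule)."""
    for key, value in params.items():
        if isinstance(value, bool):
            into[key] = into.get(key, False) or value
        elif isinstance(value, list):
            into[key] = sorted(set(into.get(key, [])) | set(value))
        else:
            # Scalar parameters (e.g. level) keep the first value seen; conflicts
            # between sources are not resolved here.
            into.setdefault(key, value)


def effective_rights(user, groups_by_id):
    """Right name -> merged parameters, over the user and all of its groups."""
    sources = [user] + [groups_by_id[g] for g in user.get("_groups", []) if g in groups_by_id]
    rights = {}
    for source in sources:
        for right in source.get("_system_rights", []):
            merge_parameters(rights.setdefault(right["name"], {}), right.get("parameters", {}))
    return rights


def can_grant_system_rights(rights):
    """(right, parameter) pairs that let the holder change system rights; [] if none."""
    findings = []
    for name, params in PRIVILEGE_GRANTING.items():
        if name not in rights:
            continue
        if not params:
            findings.append((name, None))
        for param in params:
            if rights[name].get(param) is True:
                findings.append((name, param))
    return findings


def audit(users, groups):
    """login -> findings, for every user who can change system rights."""
    groups_by_id = {group["_id"]: group for group in groups}
    report = {}
    for user in users:
        findings = can_grant_system_rights(effective_rights(user, groups_by_id))
        if findings:
            report[user["login"]] = findings
    return report


# Constructed sample data in the assumed shape.
GROUPS = [
    {"_id": 1, "name": "editors", "_system_rights": [
        {"name": "system.search", "parameters": {"has_own_collections": True}},
        {"name": "system.frontend_features", "parameters": {"export": True}}]},
    {"_id": 2, "name": "helpdesk", "_system_rights": [
        {"name": "system.user", "parameters": {"create": True}}]},
    {"_id": 3, "name": "admins", "_system_rights": [
        {"name": "system.user", "parameters": {"edit_system_rights": True}},
        {"name": "system.rightsmanagement", "parameters": {}}]},
]
USERS = [
    {"login": "root", "_groups": [], "_system_rights": [{"name": "system.root", "parameters": {}}]},
    {"login": "alice", "_groups": [1], "_system_rights": []},
    # bob's only direct right looks harmless; the admin powers come via group 3
    {"login": "bob", "_groups": [2, 3],
     "_system_rights": [{"name": "system.user", "parameters": {"hide_frontend_app": True}}]},
    {"login": "carol", "_groups": [2], "_system_rights": []},
]

if __name__ == "__main__":
    for login, findings in audit(USERS, GROUPS).items():
        print(login, findings)
```

In the sample, bob's own record only sets hide_frontend_app, yet the audit reports him: hiding the user management app in the frontend says nothing about what the merged rights allow through the API, so an audit must always start from the merged set rather than from the user record alone.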