
System rights

System rights differ from the other rights. They are attached to users through the _system_rights parameter, either of the user itself or of a group the user belongs to; no ACL is involved. All system rights begin with “system”.

Rights

The system rights are classified into groups. This is only a classification that the frontend can use to group related rights; it has no effect on how a right is evaluated.

Group main

Unless explicitly noted, parameters are bool and default to false. “Parameters: -” means the right has no parameters.

Right: system.root
  Description: User is allowed to do anything; rights management does not apply. The system user “root” always has this right. Only users with this right may pass it on to other users.
  Parameters: -

Right: system.datamodel
  Description: Datamodel permission level, one of the following:
    - “current”: view the current datamodel; this is a frontend-only right, as the server has to publish the datamodel to every user anyway
    - “development”: update the development branch of the datamodel and the mask definitions
    - “commit”: commit the development branch of the datamodel and make it current
  Parameters: -

Right: system.server.error.self_uuid_detail
  Description: User is allowed to retrieve detailed information about a server error caused by him/herself
  Parameters: -

Right: system.server.error.uuid_detail
  Description: User is allowed to retrieve detailed information about any server error
  Parameters: -

Right: system.config
  Description: Access /api/config
  Parameters: -

Right: system.profile
  Description: Modify profiles with /api/xmlmapping
  Parameters: -

Right: system.message
  Description: Access /api/message and the frontend app
  Parameters: -

Right: system.objecttypemanager
  Description: Access the objecttype manager
  Parameters: -

Right: system.poolmanager
  Description: Access the pool manager
  Parameters: -

Right: system.tagmanager
  Description: Access the tags and transitions manager
  Parameters: -

Right: system.rightpresetmanager
  Description: Access the right presets manager
  Parameters: -

Right: system.objectadmineditor
  Description: Only used by the frontend
  Parameters: -

Right: system.ignore_columnfilters
  Description: Only used by the frontend
  Parameters: -

Right: system.server.status
  Description: Access APIs provided by the server plugin
  Parameters: -

Right: system.api.publish.get
  Description: Allow GET requests to the publish API
  Parameters: -

Right: system.api.publish.post
  Description: Allow POST requests to the publish API
  Parameters: -

Right: system.api.publish.delete
  Description: Allow DELETE requests to the publish API
  Parameters: -

Right: system.api.event.get
  Description: Allow GET requests to the event API (event/poll is allowed for every authenticated session)
  Parameters: -

Right: system.api.event.delete
  Description: Allow DELETE requests to the event API
  Parameters: -

Right: system.search
  Description: Access the frontend “Search”
  Parameters:
    show_fixed_searches (bool, defaults to false): show fixed searches
    has_own_collections (bool, defaults to false): user can have own collections

Right: system.search_collection_only
  Description: Access the frontend “Search”, but only for collections
  Parameters: -

Right: system.allow_custom_in_right_with_preset
  Description: User is allowed to set custom rights in an ACL entry that also works with presets (frontend only)
  Parameters: -

Right: system.frontend_features
  Description: Frontend features (on/off)
  Parameters (bool, defaults to false, unless noted otherwise):
    changelog
    download
    export
    editor_bulk
    editor_bulk_delete
    deep_link_sharing
    print
    csv_importer
    json_importer
    asset_browser_metadata_tool
    stored_searches
    collection_presentation
    script_runner
    enable_ignore_linked_objects_filter
    metadata_export: list containing none or one of standard_only, standard, keep, remove
    metadata_upload: list containing none or one of standard_only, standard
    collection: list containing none or more of sharing
    acl_manager: list containing none or more of create_email_user
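The following is an added example and not easydb code: it models how system rights attach to a user directly or through its groups, and how a check such as “does this user hold system.search with has_own_collections?” or “may this user pass system.root on?” is evaluated. The _system_rights key, the right names and the rule that only system.root holders may grant system.root are taken from this page; the JSON layout (right name mapped to a dict of parameters), the _groups key, the union merge rule and the use of system.user/edit_system_rights as the check for granting other rights are assumptions made for the illustration.

```python
# Added example, not easydb code: how system rights attach to a user directly
# or through its groups, and how they are evaluated. "_system_rights" and the
# right names come from the documentation; the JSON layout (right name ->
# dict of parameters), the "_groups" key and the merge rule are assumptions.

ROOT = "system.root"

# Constructed sample data (not from a real installation).
GROUPS = [
    {
        "name": "editors",
        "_system_rights": {
            "system.search": {"has_own_collections": True},
            "system.frontend_features": {"download": True, "collection": ["sharing"]},
        },
    },
]
ALICE = {
    "login": "alice",
    "_groups": ["editors"],
    "_system_rights": {
        "system.user": {"create": True},
        "system.frontend_features": {"export": True},
    },
}
BOB = {"login": "bob", "_groups": [], "_system_rights": {ROOT: {}}}


def effective_system_rights(user, groups):
    """Union of the user's own _system_rights and those of its groups.

    Assumed merge rule: a right held by any source is held; a bool parameter
    that is true in any source is true; list parameters are unioned.
    """
    member_of = set(user.get("_groups", []))
    sources = [user] + [g for g in groups if g["name"] in member_of]
    merged = {}
    for src in sources:
        for right, params in src.get("_system_rights", {}).items():
            target = merged.setdefault(right, {})
            for key, value in (params or {}).items():
                if isinstance(value, bool):
                    target[key] = target.get(key, False) or value
                elif isinstance(value, list):
                    target[key] = sorted(set(target.get(key, [])) | set(value))
                else:
                    target[key] = value
    return merged


def has_right(rights, right, param=None):
    """True if the right (and, if given, its bool parameter) is granted.

    system.root short-circuits everything: rights management does not apply.
    """
    if ROOT in rights:
        return True
    if right not in rights:
        return False
    return True if param is None else bool(rights[right].get(param, False))


def may_grant(grantor_rights, right):
    """May a user holding grantor_rights pass `right` on to another user?

    Only holders of system.root may pass on system.root (documented rule).
    For any other right the check is assumed to be the edit_system_rights
    parameter of system.user.
    """
    if right == ROOT:
        return ROOT in grantor_rights
    return has_right(grantor_rights, "system.user", "edit_system_rights")


if __name__ == "__main__":
    rights = effective_system_rights(ALICE, GROUPS)
    for name, params in sorted(rights.items()):
        print(name, params)
```

Note that the group contributes system.search and part of system.frontend_features, while system.user comes from the user record itself; a check that only looked at the user's own _system_rights would miss the group-granted rights.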

Group user

This group covers the rights related to user and group management.

Right: system.user
  Description: Access the frontend “User Management” and GET /api/user
  Parameters:
    create (bool, defaults to false): creation of users is allowed
    create_acl (bool, defaults to false): allows adding an ACL when creating a user
    create_system_rights (bool, defaults to false): allows adding system rights when creating a user
    edit_acl (bool, defaults to false): allows modifying the ACL when updating a user
    edit_system_rights (bool, defaults to false): allows modifying system rights when updating a user
    hide_frontend_app (bool, defaults to false): do not show the user management app in the frontend

Right: system.group
  Description: Access the frontend “Group Management” and GET /api/group
  Parameters:
    create (bool, defaults to false): creation of groups is allowed
    create_acl (bool, defaults to false): allows adding an ACL when creating a group
    create_system_rights (bool, defaults to false): allows adding system rights when creating a group
    edit_acl (bool, defaults to false): allows modifying the ACL when updating a group
    edit_system_rights (bool, defaults to false): allows modifying system rights when updating a group
    hide_frontend_app (bool, defaults to false): do not show the group management app in the frontend
    global_custom_bag_read (bool, defaults to false): the bag_read right is granted for all custom groups

Right: system.user.write_self
  Description: User is allowed to edit some of its own configuration
  Parameters: see below

Right: system.user.change_password
  Description: User is allowed to change its own password
  Parameters: -

Right: system.user.create_new
  Description: User is allowed to create a new user (used for registration)
  Parameters: see below

system.user.write_self and system.user.create_new

Both rights have several parameters of type bool. All of them are optional and default to false. Each parameter set to true allows the user to write the corresponding field (of his/her own user record for system.user.write_self, of the newly created user for system.user.create_new):

Parameter -> Field
  first_name -> user.first_name
  last_name -> user.last_name
  displayname -> user.displayname
  company -> user.company
  department -> user.department
  phone -> user.phone
  street -> user.street
  house_number -> user.house_number
  address_supplement -> user.address_supplement
  postal_code -> user.postal_code
  town -> user.town
  country -> user.country
  picture -> user.picture
  mail_schedule -> user.mail_schedule
  _new_primary_email -> _new_primary_email

The right system.user.create_new has these additional parameters:

  type: type of the new user, one of easydb, easydb_self_register or custom_type
  custom_type: custom type for the new user, see below
  require_group (bool, defaults to false): whether a group is required when creating the user
  _password: password of the new user
  login: login of the new user
  default_send_email (bool, defaults to false): default value for send_email of the new user. See the user full format for this and the following parameters
  default_send_email_include_password (bool, defaults to false): default value for send_email_include_password of the new user
  default_send_welcome_new_user (bool, defaults to false): default value for send_welcome_new_user of the new user
  default_needs_confirmation (bool, defaults to false): default value for needs_confirmation of the new user
  default_use_for_login (bool, defaults to false): default value for use_for_login of the new user
  default_use_for_email (bool, defaults to false): default value for use_for_email of the new user

If the right parameter type is set to “custom_type”, the parameter custom_type must also be provided. Users created through this right then get the type “custom-<custom_type>”.
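As an added example (not easydb code), the following applies the parameters of system.user.create_new to a registration request: only fields whose parameter is true are accepted, the new user's type is derived from type/custom_type, require_group is enforced, and the default_* parameters seed the corresponding flags. The parameter names, the field list and the “custom-<custom_type>” rule come from this page; the request and record shapes, the reading of login and _password as bool switches like the other field parameters, and the treatment of an unknown field as an error are assumptions for the illustration.

```python
# Added example, not easydb code: applying the parameters of the
# system.user.create_new right to a registration request. Parameter names,
# the field list and the "custom-<custom_type>" rule come from the
# documentation; the request/record shapes and the reading of "login" and
# "_password" as bool switches like the other field parameters are assumptions.

FIELD_PARAMETERS = (
    "first_name", "last_name", "displayname", "company", "department",
    "phone", "street", "house_number", "address_supplement", "postal_code",
    "town", "country", "picture", "mail_schedule", "_new_primary_email",
    "login", "_password",  # assumed to be switches like the fields above
)

# default_<flag> right parameter -> <flag> on the new user
DEFAULT_FLAGS = (
    "send_email", "send_email_include_password", "send_welcome_new_user",
    "needs_confirmation", "use_for_login", "use_for_email",
)

# Constructed sample right parameters and request (not from a real system).
SELF_REGISTER = {
    "type": "custom_type", "custom_type": "partner",
    "first_name": True, "last_name": True, "_new_primary_email": True,
    "require_group": True, "default_needs_confirmation": True,
}
REQUEST = {
    "first_name": "Ada", "last_name": "Lovelace",
    "_new_primary_email": "ada@example.org",
}


def new_user_type(params):
    """Type of the user this right creates, or None if the parameters are invalid."""
    kind = params.get("type")
    if kind in ("easydb", "easydb_self_register"):
        return kind
    if kind == "custom_type":
        custom = params.get("custom_type")
        return f"custom-{custom}" if custom else None
    return None


def validate_request(params, request, group=None):
    """Return a reason string if the request is not allowed, else None."""
    if new_user_type(params) is None:
        return "right parameters carry no valid type/custom_type"
    if params.get("require_group", False) and group is None:
        return "a group is required when creating the user"
    for field in request:
        if field not in FIELD_PARAMETERS:
            return f"unknown field: {field}"
        if not params.get(field, False):
            return f"field not permitted by the right: {field}"
    return None


def build_new_user(params, request, group=None):
    """Apply the create_new right to a request and return the new user record."""
    reason = validate_request(params, request, group)
    if reason is not None:
        raise PermissionError(reason)
    user = {"type": new_user_type(params)}
    user.update(request)  # every field was checked against its parameter above
    for flag in DEFAULT_FLAGS:
        # the right only supplies defaults; the user full format may set them later
        user[flag] = bool(params.get(f"default_{flag}", False))
    if group is not None:
        user["_groups"] = [group]
    return user


if __name__ == "__main__":
    print(build_new_user(SELF_REGISTER, REQUEST, group="partners"))
    print(validate_request(SELF_REGISTER, {"phone": "+1 555 0100"}, group="partners"))
```

The point of the allowlist is that a self-registration endpoint never writes a field the right did not explicitly unlock: a request carrying phone is rejected outright rather than silently accepted, and a right configured with type custom_type but no custom_type is unusable instead of producing users of an undefined type.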

Comments

The management of system rights and ACLs is itself divided into two parts:

  1. The system rights management, granted through the system right system.rightsmanagement. This right allows a user to:

    • manage the ACL of objecttypes, users and groups
    • manage the ACL of the root pool and the root collection
    • manage the system rights of users and groups
    • edit tags and transitions

  2. The regular rights management, granted through the acl and bag_acl rights discussed in the previous sections:

    • the acl right for objects at objecttype, tag and pool level
    • the bag_acl right for pools and collections other than root