A right is identified by a name and may additionally have parameters. The call /api/right can be used to get the right descriptions, which specify how a right is used. When setting rights inside ACLs, you use a right specification.

Right description

Right descriptions are read-only JSON objects that describe a right.

| Name | Description |
|---|---|
| name | Name of the right (string, unique) |
| type | Type of the right (string): right or choice (see below) |
| group | Group (string, optional): can be used by the frontend to group rights |
| comment | Comment about the right (string, optional) |
| parameters | Parameters for the right (array of parameter descriptions, optional): for “right” type |
| has_grantable | Whether this right has the _grantable flag (boolean): for “right” type |
| rights | Rights to choose from (array of right descriptions, optional): for “choice” type |

The type “right” represents a normal right. Choice is a construct to group several related rights together, so that the frontend can show them as a choice and not as single rights. The idea is that a right implies other rights.

Parameter description

| Name | Description |
|---|---|
| name | Name of the parameter (string) |
| type | Type of the parameter (string): see below |
| comment | Comment about the parameter (string) |
| required | Whether the parameter is required when providing a right specification (boolean) |
| range_from | Lower bound for the value (integer, optional) |
| range_to | Upper bound for the value (integer, optional) |
| choices | Valid values (array of strings, optional) |

The following table provides information about the parameter types.

| Type | Comment |
|---|---|
| text | choices may restrict the parameter value |
| integer | range_from and range_to may restrict the parameter value |
| mask-select | Masks per objecttype |
| objecttype-select | Objecttype filter |
| pool-select | Pool filter |
| column-select | List of asset columns |
| string-list | List of strings |

Notice that rights of type choice are not “real” rights, but groups of rights. The rights inside a choice are identified by their name; the name of the “choice right” is irrelevant.

Rights specification

A rights specification is the way rights are specified for users / groups (_system_rights) and inside ACLs (_acl).

A rights specification is a map containing a key for each right (its name). If the right has parameters, they are given as a map with the parameter name as key. The parameter value depends on its type:

| Type | JSON representation |
|---|---|
| text | string |
| integer | integer |
| boolean | boolean |
| mask-select | map with an objecttype ID as key and a list of mask IDs as value (schema-table.table_id ↦ mask.mask_id) (*) |
| objecttype-select | array of objecttype IDs (schema-table.table_id) |
| pool-select | array of pool IDs (pool.pool._id) |
| column-select | array of column IDs (schema-column._id) |
| string-list | array of strings |

Additionally, if the right description specifies that the right has the grantable flag (has_grantable), it can be provided as _grantable (bool, optional, defaults to false).

If the right has no parameters and no grantable flag, its value will be an empty object.

(*) mask-select also allows specifying the standard mask as “standard”.


    "rights": {
        "write": {},                              // no parameters
        "read": {
            "_grantable": true
        },
        "upload_limit": {
            "max_bytes": 1024                     // parameter of type "integer"
        },
        "mask": {
            "mask_ids": {                         // parameter of type "mask-select"
                "26": [ 8, 4, 6 ],
                "13": [ 10, "standard" ]          // - the special value "standard" points to the standard mask for the objecttype/pool combination
            }
        }
    }
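
The following is an added example, not part of the original documentation or the project's code: a client-side check of a rights specification against right descriptions before it is written to _system_rights or _acl, which also reports the rights granted with _grantable. The DESCRIPTIONS data, the choice name "access" and the range on max_bytes are constructed assumptions, and optional fields are assumed to be absent when unset.

```python
DESCRIPTIONS = [  # constructed sample shaped like the tables above, not real /api/right output
    {"name": "write", "type": "right", "has_grantable": False},
    {"name": "access", "type": "choice", "rights": [  # "access": hypothetical choice name
        {"name": "read", "type": "right", "has_grantable": True}]},
    {"name": "upload_limit", "type": "right", "has_grantable": False, "parameters": [
        {"name": "max_bytes", "type": "integer", "required": True, "range_to": 1048576}]},
    {"name": "mask", "type": "right", "has_grantable": False, "parameters": [
        {"name": "mask_ids", "type": "mask-select", "required": True}]},
]

def flatten(descs):  # index real rights by name; a choice contributes only its members
    out = {}
    for d in descs:
        out.update(flatten(d.get("rights", [])) if d["type"] == "choice" else {d["name"]: d})
    return out

def is_int(v):  # bool is a subclass of int in Python, so exclude it explicitly
    return isinstance(v, int) and not isinstance(v, bool)

def value_ok(p, v):  # check a value against the JSON representation of its type
    t = p["type"]
    if t == "text":
        return isinstance(v, str) and v in p.get("choices", [v])
    if t == "integer":
        return is_int(v) and p.get("range_from", v) <= v <= p.get("range_to", v)
    if t == "boolean":
        return isinstance(v, bool)
    if t == "mask-select":  # objecttype ID -> list of mask IDs or "standard"
        return isinstance(v, dict) and all(isinstance(m, list) and all(
            is_int(x) or x == "standard" for x in m) for m in v.values())
    item_ok = (lambda x: isinstance(x, str)) if t == "string-list" else is_int
    return isinstance(v, list) and all(item_ok(x) for x in v)  # ID or string arrays

def validate(spec, descs):  # -> (errors, names of rights granted with _grantable)
    known, errors, grantable = flatten(descs), [], []
    for name, value in spec.items():
        if name not in known:
            errors.append(f"{name}: unknown right")
            continue
        params = {p["name"]: p for p in known[name].get("parameters", [])}
        if known[name].get("has_grantable"):  # _grantable acts as an optional boolean
            params["_grantable"] = {"type": "boolean"}
        errors += [f"{name}.{k}: not allowed or invalid" for k, v in value.items()
                   if k not in params or not value_ok(params[k], v)]
        errors += [f"{name}: missing {k}" for k, p in params.items()
                   if p.get("required") and k not in value]
        if value.get("_grantable") is True and "_grantable" in params:
            grantable.append(name)
    return errors, grantable
```

Reviewing the second return value before applying a specification shows which rights the holder will be able to pass on to others.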