...
There are now two types of roles: space-scoped and configuration-area-scoped
There are now two types of permissions: space-scoped and configuration-area-scoped
Permissions can only be added to roles of the same scope: a space-scoped permission cannot be placed on a configuration-area-scoped role, and vice versa
There are 4 types of permissions: MAINTAIN (covers create, modify and delete), MODIFY (update only, no create), READ (see the explanation of read access below) and DELETE
The association of a role with a scope (meaning a specific instance of a space or a configuration area) happens in the auth provider, using a dot-separated role string:
Space-scoped role
Two terms: <space id>.<role key>
Configuration-area-scoped role
Three terms: <space id>.<configuration area id>.<role key>
A <configuration area id> of “*” means all non-confidential configuration areas of that space; a confidential configuration area is never matched by “*” and has to be named explicitly
Read access works like this:
There are only two levels of read access
READ space (space-scoped permission) → read all content of the space in which you hold a role with this permission, except the content of confidential configuration areas
READ configuration area (configuration-area-scoped permission) → read the content of the confidential configuration areas in which you hold a role with this permission
Role administration: all spaces come with a built-in role with the key “roleAdmin”
Space-scoped role
Has two permissions: READ space (for this space) and MAINTAIN roles
This means you can give a user this role in the auth provider with the role string “<space id>.roleAdmin”
Concept-type-specific permissions:
For each concept type there are specific permissions that allow fine-grained control
Configuration-area-scoped
Three permissions per concept type:
MAINTAIN concepts of this type
DELETE concepts of this type
MODIFY protected state transitions: a state transition can be marked as protected, and a user then needs this permission to perform it
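As an added illustration (not the product's own code, whose identifiers this page does not show), the following Python models the two role scopes, parses auth-provider role strings in the two- and three-term forms above, and evaluates the read, role-administration and concept-type checks described on this page. The permission constants, the concept type “Requirement”, every role key other than roleAdmin, and the sample users are assumptions, as are two rules the page leaves open: that ids contain no “.”, and that a protected state transition requires both MAINTAIN for the type and MODIFY protected state transition.

```python
# Added example, not the product's own code: role strings, scopes and the read /
# role-admin / concept-type checks described above. Names below are assumptions.
from dataclasses import dataclass, field

WILDCARD = "*"  # as <configuration area id>: every non-confidential area of the space

READ_SPACE = "READ_SPACE"          # space scoped: all non-confidential content
MAINTAIN_ROLES = "MAINTAIN_ROLES"  # space scoped: held by the built-in roleAdmin
READ_AREA = "READ_AREA"            # area scoped: content of a confidential area
def maintain_type(t): return f"MAINTAIN:{t}"             # area scoped: create, modify, delete
def modify_protected(t): return f"MODIFY_PROTECTED:{t}"  # area scoped: protected transitions

@dataclass
class Role:
    key: str
    scope: str        # "space" or "area"; its permissions must have the same scope
    permissions: set

@dataclass
class Space:
    id: str
    areas: dict       # configuration area id -> confidential? (bool)
    roles: dict = field(default_factory=dict)

    def __post_init__(self):  # every space ships with the space-scoped roleAdmin
        self.roles.setdefault("roleAdmin", Role("roleAdmin", "space", {READ_SPACE, MAINTAIN_ROLES}))

@dataclass
class Assignment:
    space_id: str
    role_key: str
    area_id: str = None  # None: two-term string; "*" or an area id: three-term string

def parse_role_string(s: str) -> Assignment:
    """'<space id>.<role key>' or '<space id>.<configuration area id>.<role key>'.
    Assumes ids contain no '.' and that '*' is only valid in the area position."""
    parts = s.split(".")
    if len(parts) not in (2, 3) or not all(parts) or WILDCARD in (parts[0], parts[-1]):
        raise ValueError(f"malformed role string: {s!r}")
    return Assignment(parts[0], parts[-1], parts[1] if len(parts) == 3 else None)

class Authorizer:
    def __init__(self, spaces):
        self.spaces = {s.id: s for s in spaces}

    def _granted(self, assigns, space_id, area_id=None):
        """Roles the assignments grant in a space (area_id None) or in one of its areas.
        Scope comes from the role definition, so a three-term string naming a
        space-scoped role grants nothing, and vice versa."""
        space = self.spaces.get(space_id)
        if space is None or (area_id is not None and area_id not in space.areas):
            return
        for a in assigns:
            role = space.roles.get(a.role_key) if a.space_id == space_id else None
            if role is None: continue
            if area_id is None:
                if role.scope == "space" and a.area_id is None:
                    yield role
            elif role.scope == "area" and a.area_id is not None:
                # the wildcard never reaches a confidential area; it must be named explicitly
                if a.area_id == area_id or (a.area_id == WILDCARD and not space.areas[area_id]):
                    yield role

    def has(self, assigns, space_id, perm, area_id=None) -> bool:
        return any(perm in r.permissions for r in self._granted(assigns, space_id, area_id))

    def can_read(self, assigns, space_id, area_id) -> bool:
        # two read levels: READ space for non-confidential areas, READ area on that area otherwise
        perm, scope = (READ_AREA, area_id) if self.spaces[space_id].areas[area_id] else (READ_SPACE, None)
        return self.has(assigns, space_id, perm, scope)

    def can_transition(self, assigns, space_id, area_id, concept_type, protected) -> bool:
        """Assumed: a transition needs MAINTAIN for the type; a protected one also needs
        MODIFY protected state transition for the type."""
        return (self.has(assigns, space_id, maintain_type(concept_type), area_id)
                and (not protected or self.has(assigns, space_id, modify_protected(concept_type), area_id)))

def demo() -> dict:
    """Constructed sample: one space with a public area and a confidential hr area."""
    s1 = Space("s1", {"public": False, "hr": True})
    s1.roles["reader"] = Role("reader", "space", {READ_SPACE})
    s1.roles["hrReader"] = Role("hrReader", "area", {READ_AREA})
    s1.roles["reqDrafter"] = Role("reqDrafter", "area", {maintain_type("Requirement")})
    s1.roles["reqEditor"] = Role("reqEditor", "area", {maintain_type("Requirement"), modify_protected("Requirement")})
    az = Authorizer([s1])
    users = {  # role strings as an auth provider would hand them over
        "alice": ["s1.reader", "s1.*.reqDrafter"],
        "bob": ["s1.reader", "s1.hr.hrReader", "s1.hr.reqEditor"],
        "carol": ["s1.roleAdmin"],
        "mallory": ["s1.hr.reader", "s1.*.hrReader"],  # wrong scope; wildcard vs confidential
    }
    a = {u: [parse_role_string(r) for r in rs] for u, rs in users.items()}
    return {
        "alice_reads_public": az.can_read(a["alice"], "s1", "public"),
        "alice_reads_hr": az.can_read(a["alice"], "s1", "hr"),
        "bob_reads_hr": az.can_read(a["bob"], "s1", "hr"),
        "alice_plain_transition": az.can_transition(a["alice"], "s1", "public", "Requirement", False),
        "alice_protected_transition": az.can_transition(a["alice"], "s1", "public", "Requirement", True),
        "alice_transition_in_hr": az.can_transition(a["alice"], "s1", "hr", "Requirement", False),
        "bob_protected_in_hr": az.can_transition(a["bob"], "s1", "hr", "Requirement", True),
        "carol_maintains_roles": az.has(a["carol"], "s1", MAINTAIN_ROLES),
        "mallory_reads_hr": az.can_read(a["mallory"], "s1", "hr"),
    }
```

Two details are the ones a reviewer of such a model should look for. First, the scope of a grant is taken from the role definition, never from the shape of the string, so “s1.hr.reader” (a space-scoped role in a three-term string) grants nothing rather than silently granting space-wide read. Second, the “*” wildcard is evaluated per area and explicitly excludes confidential areas, so “s1.*.hrReader” cannot be used to reach the confidential hr area; only an explicit “s1.hr.hrReader” can.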
...