Permissions for users and groups

ZbigniewK
12-Amethyst
December 18, 2023
Solved

I have a Thing, where I keep services and properties for my application.

I want these services to be available for every user, so for this Thing I've set Permissions for the group Users with Property Write Allow, Service Executable Allow, but Property Write Deny.

I also have an additional user A*, who is allowed to change properties, so for him I've set Property Write Allow, Service Executable Allow, and Property Write Allow.
Finally, the settings for user groups are treated as higher priority, and this user is treated as if Property Write were set to Deny.

How can I cope with this without creating an extra group of users that includes all the users but not A?

Or is there a way to create a group today that includes all existing users except A, but that will in the future also include all users added later?

*This is a virtual user to be used via timers, so that data is refreshed.

Best answer by Rocko

Permission settings are complex and tricky. You can use Permissions -> Access Reports to query which access privileges a user has on an object. This might help you track it down. Some other privileges are giving access; maybe also check Collection Permissions.

When you set the properties through a service, it could also be that the service is executed with System privileges (see "System User Example").

The spec I quoted was directly from the product help.


Rocko
19-Tanzanite
December 18, 2023

It's a bit hard to understand what you did because you mention "Property Write" twice for each line.

But A, like any user, is always in the group Users automatically.

Also, the documentation states: "An explicit denial of a privilege always overrides a privilege grant."

Therefore, when you allow access to the group Users but deny it to User A, it should be denied to A if there are no other privileges in effect.

But if there is no explicit denial of the access, the access for A should be working, and the group Users would not have access, because the documentation says: "Note that security checks default to not allow an operation. If no specific grant has been given to a user, then that operation will be denied."

ZbigniewK (Author)
12-Amethyst
December 19, 2023

Yes, that's my mistake: the first Property allowance is for Property Read, not Property Write. But reading your answer I see you understood this case well.
OK, let's forget about Property Read & Service Executable; that is the easy case, because they must always be Allowed, so it's simple.
But what about Property Write? It should be Denied for all Users except UserA. And it should be allowed for UserA only.

Can I create a group which includes all users except UserA? A group to which every new user will be added every time a user is created? A group that does not need to be administered manually?
Or can I somehow set permissions so that UserA has higher permissions than a standard User?

Rocko
19-Tanzanite
December 19, 2023

I haven't tried this scenario myself, but what I'm saying is:

User A is always in the group Users. Security checks default to not allow an operation, i.e. by default Prop Write should be denied for everyone (including the group Users), without explicitly setting it.

When giving User A the Prop Write privilege, A has Prop Write access because it is the only explicit privilege assigned.

So if you just set the privileges for the group Users on Prop Write back to "inherit" (or better, delete the whole entry for the group), you should be fine.

On your other idea, a group to which every new user is added automatically, you would probably have to use a Scheduler or Timer to check the user list regularly, or have the groups assigned via Active Directory.
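To make the evaluation order concrete, here is an added Python model of the three rules quoted in this thread (every user is implicitly in the group Users; an explicit Deny overrides any Grant; with no explicit grant the operation is denied). It is an illustration written for this page, not ThingWorx's own permission code: the `ThingPermissions` class, the `is_allowed` function, the privilege name `PropertyWrite` and the second user `Bob` are all constructed for the example. It reproduces both situations discussed above: the setup as originally posted (group Users denied, UserA allowed, so UserA ends up denied) and the fix Rocko suggests (delete the group entry, keep only the grant to UserA).

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed model of the rules quoted in the thread; not ThingWorx code.
ALLOW = "Allow"
DENY = "Deny"


@dataclass
class ThingPermissions:
    """Explicit permission entries on one Thing.

    entries maps a principal (user or group name) to its per-privilege
    settings. A missing key means "inherit", i.e. no explicit setting.
    """
    entries: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def set(self, principal: str, privilege: str, setting: str) -> None:
        self.entries.setdefault(principal, {})[privilege] = setting

    def clear(self, principal: str, privilege: Optional[str] = None) -> None:
        """Drop one privilege entry, or the whole entry for a principal."""
        if privilege is None:
            self.entries.pop(principal, None)
        elif principal in self.entries:
            self.entries[principal].pop(privilege, None)


def groups_of(user: str, memberships: Dict[str, Set[str]]) -> Set[str]:
    # Rule 1: every user is implicitly in "Users", plus any explicit groups.
    return {"Users"} | memberships.get(user, set())


def is_allowed(perms: ThingPermissions, user: str, privilege: str,
               memberships: Optional[Dict[str, Set[str]]] = None) -> bool:
    principals = {user} | groups_of(user, memberships or {})
    settings = {perms.entries.get(p, {}).get(privilege) for p in principals}
    # Rule 2: an explicit denial on any applicable principal always wins.
    if DENY in settings:
        return False
    # Rule 3: checks default to deny; only an explicit grant allows.
    return ALLOW in settings


def scenario_as_posted() -> Dict[str, bool]:
    """Original setup: group Users denied PropertyWrite, UserA allowed."""
    perms = ThingPermissions()
    perms.set("Users", "PropertyWrite", DENY)
    perms.set("UserA", "PropertyWrite", ALLOW)
    # "Bob" is a constructed ordinary user with no entry of his own.
    return {u: is_allowed(perms, u, "PropertyWrite") for u in ("UserA", "Bob")}


def scenario_after_fix() -> Dict[str, bool]:
    """Rocko's suggestion: delete the group entry, keep only UserA's grant."""
    perms = ThingPermissions()
    perms.set("Users", "PropertyWrite", DENY)
    perms.set("UserA", "PropertyWrite", ALLOW)
    perms.clear("Users")          # back to "inherit" for the whole group
    return {u: is_allowed(perms, u, "PropertyWrite") for u in ("UserA", "Bob")}


if __name__ == "__main__":
    print("as posted:", scenario_as_posted())   # UserA denied by the group Deny
    print("after fix:", scenario_after_fix())   # only UserA allowed
```

Running it shows the point of the thread: as long as the group Users carries an explicit Deny, UserA's own Allow can never take effect, while with the group entry removed the default-deny rule keeps everyone else out and UserA's grant is the only privilege in play. The same model also shows why a group-level Allow on PropertyRead reaches every user, since each user inherits the group's settings.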