Managing Permissions
A detailed guide to the permission rule system — how rules are defined, how group and user-level rules interact, and how to configure access effectively.
Permissions control what users can do on the platform. This guide explains how the rule system works and how to configure it for groups.
# How the Permission System Works
Access control is based on rules. Each rule is a statement of the form:
"For [service], the [group] is [allowed / denied] to perform [action] on [resource]."
# How a user's effective permissions are resolved
When a user tries to perform an action, the system checks:
- Does the user has a direct rule that explicitly allows or denies this action?
- Does any of the user's groups have a rule that explicitly allows or denies this action?
If a matching Allow rule is found, the action is permitted. If a matching Deny rule is found, it is blocked. If no matching rule exists at all, access depends upon Platform's default. You can check Platform Default in the Actions page.
Note: User-level rules take precedence over group rules. If a user has an explicit
Denyrule for something their groupAllows, the user is still denied.
# Rule Properties
| Property | Description |
|---|---|
| Service | The service this rule applies to. The platform may have multiple services; select the correct one from the dropdown. |
| Resource | The resource type being controlled. As of now, it can only have *, i.e., for all resources. |
| Action | The specific operation. Examples: TAG.VIEW, COURSE.VIEW, etc. Use * for all actions. More details about different Actions are found here. |
| Permission | Allow — the subject can perform this action. Deny — the subject is explicitly blocked from it. |
Next: Platform Actions